Edit tour

Windows Analysis Report
Ta62k9weDV.exe

Overview

General Information

Sample Name:	Ta62k9weDV.exe
Analysis ID:	717105
MD5:	d68ce542ec367e67f667b75d491cf032
SHA1:	5833c8f3b5c907236e2ca2734b99d9bd0f1a5a36
SHA256:	b65f37c2f7def47bd57ae2837b9c422113da608c3b37a80f62e0332fb717546f
Tags:	exe
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

PE file does not import any functions

Drops PE files

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Binary contains a suspicious time stamp

Detected potential crypto function

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Ta62k9weDV.exe (PID: 5812 cmdline: C:\Users\user\Desktop\Ta62k9weDV.exe MD5: D68CE542EC367E67F667B75D491CF032)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.815524355.0000000002A70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Ta62k9weDV.exe	ReversingLabs: Detection: 80%
Source: Ta62k9weDV.exe	Virustotal: Detection: 51%			Perma Link

Source: Ta62k9weDV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fortrdelsers\Jrks\Glanslseste\Hingstens

Jump to behavior

Source: Ta62k9weDV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\Bin\x64\Release\BtvStack.pdb source: BtvStack.exe.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ValueTuple\net6.0-Release\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr

Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_00402B75 FindFirstFileW,	1_2_00402B75
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00406719
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_004065CF FindFirstFileW,FindClose,	1_2_004065CF

Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Ta62k9weDV.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: http://www.avast.com0/
Source: lang-1042.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: System.ValueTuple.dll.1.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Code function: 1_2_00404B30 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404B30

Source: Ta62k9weDV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lang-9999.dll.1.dr	Static PE information: No import functions for PE file found
Source: lang-1042.dll.1.dr	Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Code function: 1_2_004036FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

1_2_004036FC

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_0040441E	1_2_0040441E
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_004075FE	1_2_004075FE
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_00406EA8	1_2_00406EA8
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_72B32351	1_2_72B32351

Source: Ta62k9weDV.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Process Stats: CPU usage > 98%

Source: Ta62k9weDV.exe	ReversingLabs: Detection: 80%
Source: Ta62k9weDV.exe	Virustotal: Detection: 51%

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

File read: C:\Users\user\Desktop\Ta62k9weDV.exe

Jump to behavior

Source: Ta62k9weDV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

1_2_004036FC

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

File created: C:\Users\user\AppData\Roaming\Bipersoner

Jump to behavior

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

File created: C:\Users\user\AppData\Local\Temp\nsm5B18.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/14@0/0

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Code function: 1_2_0040234F CoCreateInstance,

1_2_0040234F

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Code function: 1_2_00404085 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,

1_2_00404085

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fortrdelsers\Jrks\Glanslseste\Hingstens

Jump to behavior

Source: Ta62k9weDV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\Bin\x64\Release\BtvStack.pdb source: BtvStack.exe.1.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ValueTuple\net6.0-Release\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip, type: DROPPED
Source: Yara match	File source: 00000001.00000002.815524355.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: System.ValueTuple.dll.1.dr

Static PE information: 0xC5E61367 [Tue Mar 19 02:56:39 2075 UTC]

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Code function: 1_2_72B32351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_72B32351

Source: C:\Users\user\Desktop\Ta62k9weDV.exe	File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	File created: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

RDTSC instruction interceptor: First address: 0000000002A71659 second address: 0000000002A71659 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5DD5297935h 0x00000006 jmp 00007F5DD52979DAh 0x00000008 test dl, al 0x0000000a inc ebp 0x0000000b cmp cx, dx 0x0000000e inc ebx 0x0000000f cmp edx, 28DB2C51h 0x00000015 rdtsc

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Evaded block: after key decision

graph_1-4728

Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_00402B75 FindFirstFileW,	1_2_00402B75
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00406719
Source: C:\Users\user\Desktop\Ta62k9weDV.exe	Code function: 1_2_004065CF FindFirstFileW,FindClose,	1_2_004065CF

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

API call chain: ExitProcess graph end node

graph_1-4613

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

Code function: 1_2_72B32351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_72B32351

Source: C:\Users\user\Desktop\Ta62k9weDV.exe

1_2_004036FC

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Windows Service	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ta62k9weDV.exe	81%	ReversingLabs	Win32.Spyware.Guloader
Ta62k9weDV.exe	51%	Virustotal		Browse
Ta62k9weDV.exe	NaN%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe	0%	Metadefender	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.avast.com0/	0%	URL Reputation	safe
http://www.avast.com0/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.avast.com0/	Ta62k9weDV.exe, 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-1042.dll.1.dr, lang-9999.dll.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error...	Ta62k9weDV.exe	false		high
https://github.com/dotnet/runtime	System.ValueTuple.dll.1.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	717105
Start date and time:	2022-10-06 01:20:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ta62k9weDV.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/14@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 84.4% (good quality ratio 83.5%) Quality average: 85.8% Quality standard deviation: 22.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll	HF-2209869481.exe	Get hash	malicious	Browse
	HF-2209869481.exe	Get hash	malicious	Browse
	RFQ852352-006420025_rev001.exe	Get hash	malicious	Browse
	RFQ852352-006420025_rev001.exe	Get hash	malicious	Browse
	receipt_001546037_pdf.exe	Get hash	malicious	Browse
	receipt_001546037_pdf.exe	Get hash	malicious	Browse
	PROFORMA INVOICE.exe	Get hash	malicious	Browse
	PROFORMA INVOICE.exe	Get hash	malicious	Browse
	BESTELLUNG Nr. 6010551.exe	Get hash	malicious	Browse
	BESTELLUNG Nr. 6010551.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe	Get hash	malicious	Browse
	Request for Quotation (Taipei Medical Univers.exe	Get hash	malicious	Browse
	Request for Quotation (Taipei Medical Univers.exe	Get hash	malicious	Browse
	SecuriteInfo.com.NSIS.InjectorX-gen.7718.exe	Get hash	malicious	Browse
	Quote Request (University Of Chile) 09-14-20.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.974444797015433
Encrypted:	false
SSDEEP:	192:U4A1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:UYR7SrtTv53tdtTgwF4SQbGPX36g9Mw
MD5:	637E1FA13012A78922B6E98EFC0B12E2
SHA1:	8012D44E42CD6D813EA63D5CCBF190FE72E3C778
SHA-256:	703E17D30A91775F8DDC2648B537FC846FAD6415589A503A4529C36F60A17439
SHA-512:	932ED6A52E89C4FA587A7C0C3903D69CF89A32DBD46ED8DCB251ABB6C15192D92B1F624C31F0E4BD3E9BF95FC1A55FDB7CEE9DD668E1B4F22DDB95786C063E96
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse
Joe Sandbox View:	Filename: HF-2209869481.exe, Detection: malicious, Browse Filename: HF-2209869481.exe, Detection: malicious, Browse Filename: RFQ852352-006420025_rev001.exe, Detection: malicious, Browse Filename: RFQ852352-006420025_rev001.exe, Detection: malicious, Browse Filename: receipt_001546037_pdf.exe, Detection: malicious, Browse Filename: receipt_001546037_pdf.exe, Detection: malicious, Browse Filename: PROFORMA INVOICE.exe, Detection: malicious, Browse Filename: PROFORMA INVOICE.exe, Detection: malicious, Browse Filename: BESTELLUNG Nr. 6010551.exe, Detection: malicious, Browse Filename: BESTELLUNG Nr. 6010551.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe, Detection: malicious, Browse Filename: Request for Quotation (Taipei Medical Univers.exe, Detection: malicious, Browse Filename: Request for Quotation (Taipei Medical Univers.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.InjectorX-gen.7718.exe, Detection: malicious, Browse Filename: Quote Request (University Of Chile) 09-14-20.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.]e..]e..]e......Ze......Ze..]e..Ie......Ye......\e......\e......\e..Rich]e..........................PE..L...^+.c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Ambulatoriums\Nrbutik\Cowbanes\GdkWin32-3.0.typelib

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Azotes\Undfangelsestidspunktet\Semicrepe79\Bouchon.Tft

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	data
Category:	dropped
Size (bytes):	17420
Entropy (8bit):	7.987853014496246
Encrypted:	false
SSDEEP:	384:uEwEKzvS/nA2P33XQJGn9xGskEoaLiAXU7zNkE8GVwsb6lUn:uEwRO93XQJGmsk4LiUazgiulQ
MD5:	E6AA554EDC6AE606C1BD37B22C1A7DBD
SHA1:	33CA225AED62C095D7CBBAB08F6D64D873327ADD
SHA-256:	822CCF4597F0DB1C36D2DB1E4103695FB2E719FA3FE618C0C465A96FE82D4894
SHA-512:	E7A3EC9C979A8FC674FD6C62A8C15F2E95B03510F07EEA9A9685A3347EC5D4B242535FEE84E0D15A1FCB9CE69A95C13F66AFE6EA163ED877243EC748295172FE
Malicious:	false
Reputation:	low
Preview:	..z.V.I..=..]......b.`i%G...@H..9.....Ow.V.tW.s......)....?.b].Xd....gn....\|...\..Y.1@.+.he.v...5......^.z$X[,........P..#....o..$...AC.......S./a......K...B..z.\|.......S....x../.\|U.Y/..J.M.Z..z..b...A..M.k.....l..C..>...y.Nh...E.Q..uAa).....2........1..1.T.O....{.q-y..!.\|.3....j.G...U 5..A..'.p.....c..)+t.T.q..D[-.v4,.S* x...Wu(h...R...F...}.........:..7.w.U.9.p..u.Q.Q8K2q!.v+.fv..'...).]p....c......q...v.j..a.n3.a}..Y}.~...V....&.T>...:..5.......a.{0.....P?.I..K..........D.Cn=X..1.%.c.RP.'......eD..np.U.P.A.[(L..^... .;....Vk.. .O...^.O3.8......I...9.u...f..O..${.Q^!VY...&.,].H.w<...........f?...9.aY...]........,...Ff...+.$,.X:&D.b..5bD/..o.....3... =.....O..'...~....&..\|..uc[.......Jl.0.+.BW)#.d.......V...`C.U;.^.XH.D}T......5..1..G...j.F. .....#... )t35..U..p ...j...h.3(..dTJw.\|.40.XD....W..:'.^.8.z..^...... ....?..{J...9....J..oV.b..0.&.o...-S.#..."W....<h./..o.{.3.W..W..k....M......dXy...o.E[../fw......ll...iV.p...B...z..iE....%W

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134784
Entropy (8bit):	5.0976083386137345
Encrypted:	false
SSDEEP:	3072:lBpXgi+uHL7xlOu1u/3nJ7jOYlWcDXvXJP:lfXgi+uHPxYu8/3nJ7jOYlWw
MD5:	49B7481C3D50FAABAF07F775E077FD8B
SHA1:	A67F9193346DE1A223CFD6341AF224589D1026C7
SHA-256:	E74AE0A4F510AEB53D5E4785B62BE3F76E1ACEA302CC75963042BC3F9BEF8FC3
SHA-512:	7AEE06F1F2FEA6FBA7C1516EB95EC8415ADB712FAFA1BA90EEBDAFFAE73235B86C47F27E425DE1FC3EF36F75460472103C40708FE427B283896E2426E8AD6A10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........2Fc.aFc.aFc.a.-TaGc.a].RaGc.a].faWc.a].gaLc.a).gaEc.a..uaRc.a].PaOc.aFc.a.c.a].ca@c.a].WaGc.a].VaGc.a].QaGc.aRichFc.a................PE..d......S.........."..........f.................@.............................@......&>....@.................................................(...,....0....... ...............0...... ...........................................................@....................text...o........................... ..`.rdata..,\.......^..................@..@.data...`...........................@....pdata....... ......................@..@.rsrc........0......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	data
Category:	dropped
Size (bytes):	97943
Entropy (8bit):	6.7302426785976435
Encrypted:	false
SSDEEP:	1536:pVBn5kf8cRPlQ3cpg2qPJ3P09dDPzyV60uPskkkkWU9lU4w0IR7Ub8:pV4UqPlQMi25dDTU9lkx1
MD5:	37647C9B79F3366556CE8BC7D626A48D
SHA1:	D4A7800599AE7A6C7B3F38ED1E5715F2924652E9
SHA-256:	BB737005CB6692FA072A9E1789E0AF79EFCFA917F426626992405D70159F096A
SHA-512:	821212145E685AEF33BE28C0BC78B5B5B473FF5319C692F544F429F565EE729790E3B0576C3C719F7A66C21908FC2B9272D210F33AA837B54D7498839CDF7130
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip, Author: Joe Security
Reputation:	low
Preview:	e...hX..H(.9W..P.\|....U.Ad-.X..+..T^...u...>?c?.j..V....y...}`.'.2bm....A....[...{.w.P..........LA.e.............................................................................f....KJ..Q............................................................................f.r.F.5Tj.z..................................................@;.%..f.r.h.B.`.V................................................................^.e....:....[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[.f.a..s.t.H.T.p.......................................................................M.n..........k..................................-3.xh............................................f.`..4.>.........................................................q....Ev..<11111111111111111111111111111111111111111111111111111111111111111....f.g..*X.................................................I.ck........................................................................aC.....".s$+000000000000000000000000000000f..........Hh..

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15512
Entropy (8bit):	6.804083746928105
Encrypted:	false
SSDEEP:	384:mjCGc/2IWfGWql7/uPHRN7vRzWF//dJR9zt1:mjwiylTMvRzWF//dj9zf
MD5:	852CE23048161A42484C276C6BD8804F
SHA1:	DFBB4337C0B8DEDC65330786AA9FE30E3039C3E4
SHA-256:	B1DF7B8F18CA5FED0A75B3FEA989AF7B5CD00C9275BB2D5D2C6575D35A422ACD
SHA-512:	3B8B69F45C5ABCCFB3AB412A7677701DEE69CA61BB008E582EEC73DC8434E36D0ACEFBBFA05DFD6A57CC0BB5F15156C059CC95875466C9B65684EFE0060E6DA7
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g............."!..0..............)... ........@.. ..............................gt....`..................................)..O....@..d................(...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc...d....@......................@..@.reloc.......`......................@..B.................)......H........ ..(...................P ......................................^..~Q.).a..mw....?.....PG.\|....\...C....0.{7+.....t.A~.......u.>o..............bN.....&8...6...T:`T.v/..6Z.....].....BSJB............v4.0.30319......`...@...#~..........#Strings............#GUID...........#Blob......................3......................................]...............%...................C.....s...Q.z.....z.....z.....z...4.z.....z.....z.....z.....z...........i.................

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\checkbox_unchecked_disabled.png

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	279
Entropy (8bit):	6.905844347023734
Encrypted:	false
SSDEEP:	6:6v/lhPKJTwHN8v7TPYQjdlKuT4scGQgMwHKymyw6nXQz8ydp:6v/7i+EnPYyJTZCgxKKw14o
MD5:	73573DC24C96407A1D39B7C7DDEE0A09
SHA1:	494F335F482BB63693E132D9007BA14B93B5F13A
SHA-256:	CF64F5D6E32CA050AFFAC4DFBCE1D7EE56AF265A88B59F57ECF82411BD057868
SHA-512:	864DCDFEB2A95998A43CDFC19BDEBE0AFB056449DFBBB6A1FFA3A29BD37C276BC607F4A3231BDE86F21943D5F59E4BB614CA6BAA59E5A64759FCD31D3EB57363
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....IDATx..=..@...[.s5....S...A..U.#H.3fl.J...y.+y...7.4..#zv...c&....H:../.....M&G...:..o>....v..$....R..P....R.a...'z..:vt.%...N....Z.@:.............`u..'Y.."..R].E.........Aw.C.k..(.\u.w...1.jrX..o9.y.:.....2.f..=@.L3M....E.D5....IEND.B`.

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\emblem-shared-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	287
Entropy (8bit):	6.910770879396414
Encrypted:	false
SSDEEP:	6:6v/lhPyso9f2XmECnTcF64W2rnEvsAGMuTpyMO3exKxoQlbp:6v/7IV22EIQLjrnRTrDKbl1
MD5:	41B8FE6EB2295848349FC2421BB32B7A
SHA1:	FEC722FAE45DBD3D6A374D787364D320889DC0C0
SHA-256:	A44B90002A67F87D8B0D5F1FC9EBE74793D1A9BD5F3FB6B0A632E9F825DF8431
SHA-512:	E7A5B8D6CAF84C40952D7D3DD254AEFD4622A48D8DD7F73561DB8221E6D535E23CD12A8D68E20AE8A8CC6251A773EA6E2F4C1C211E06F81B5AD3996DCC15F781
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...NBA......=.....Ibmak..&RP..)(\|.}!m4@(...y.(.por1..{Or...93gw(.3L....hV.7....U....y...D;r.O..0.t......8.5....<.._.\....K.H..*R..U.!.s.O...%.P`a.[...4p.i.....Za...6...>.&,...>.#..2..6....7.....U......&....X..<......IEND.B`.

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\face-devilish.png

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	888
Entropy (8bit):	7.732925273250331
Encrypted:	false
SSDEEP:	12:6v/7MbFKFeR6MbBHV32Xg+Rcn5vAdNat0R86EUqykJR1u7jJ+IMH5KU9HwOJC/Gp:B/kMbB1cgMcxAuA8OqpP16J+bQW
MD5:	BCE06854D4F29AAC0898BE1777567967
SHA1:	9AE785BCF22704FC40CB56C914DD57372E98FA18
SHA-256:	47B0CFF567039F85E1187A26DF49BF7BAF80EB22C395BB066303AD361DD5ACCE
SHA-512:	69BACB18BD6EC4E3C30EB46163E088102E7A8F3BAB9835791E201F16C8855B08321DE5C522A6A291CC6F7897449861FB030871C8DDC5DF15DC1E5FD9A2DD9139
Malicious:	false
Preview:	.PNG........IHDR................a...?IDATx.].S....F.F.NU.wl.m..m.m.6.O.,uW.......PWW.b.Xz.u....l....8.....^......\|:.\|\......m....J..[...0..o.}....W??g......C.....~.i.H........v..y._-o..^==....H....(hmk.s..6h.s.u..wOI..-.h...7.}.....:Z..g..:..g...\.OI.3l.q..d..-.......7X.....j.%.\...]....p.^;.+.]......gAS.._.Ss..~.Yt...LP.-dC.......s....9.=x+...T2.......>j..VS.._..q...Jt.e.aD..d3E.&]F.>^j..O?...+W.(:E.55..r.,..C....xN..v.GS....d.\&..yDa......H.].4..........3ev]...4..#.....m4.(.B.b.s..P...W.R......s.c.....$.....9.}.../.b1d.h......8..RuZ)~.$.bw..z.3U..^)d .2gV..ke)$.T..W....mo`)).\u...!...+...cN.cN....D.......s~. ddl..X\|_.b.+V..w.K,....p....<.F+.E..4L...<W.<[~.)a...........S../..xPsm.... ;4A.Ac.$.../.f........?.....uA...8.,K./......j....a..J@h..*._261....p.. %...!.h...b.+.HT..L..x^@.)Q...`....].....p...p.....D1....q\|..a.2..g.!.....D....IEND.B`.

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\input-gaming-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	248
Entropy (8bit):	6.74996208017984
Encrypted:	false
SSDEEP:	6:6v/lhPyslQxKnANS+73/qZTJ3zhl63jYrw+caoebp:6v/7SxKn7+D/Kdl63OgXg
MD5:	5B1F2682384D7F36AE85CDFAF208DC02
SHA1:	2C242B59131157497CF1431AFA59388B9319CD79
SHA-256:	BF3AF624F9AF3875ED64F3FA8A4495C998EA724EE34465C5DE67A71CE924473E
SHA-512:	5947AE2D7674A5EC87CD83BB7DB818BE95DCE64B1ECCF6079060E307D9B6266C74FC45802F4580ED299F04B1777D2A87DDFE1DDE981BA9C5FF6431744FA3F545
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8..;..@.EO...."..0.Q..)U..kq#J:.:M,.O....J...=w~.7....^....@..4.Q.6.....\|........b.7..}.....\|p........,......../\|s.].z......h......y...I....E.:y.s...(#`.R....[5N...y....IEND.B`.

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91656
Entropy (8bit):	5.8106295248914135
Encrypted:	false
SSDEEP:	1536:Nw/WmI1o8uwBL5pcPqY0AUY9fdl/SFfxHdT3/h9+1UCD8ux4:aJI1o8jLHcPqY0AUY9fdl/SbR3ZY8ux4
MD5:	E52C38D77E60B534B9F63F76F51DBE70
SHA1:	F81F9A726F2D7880CF02C098F9443E3DF72F5497
SHA-256:	A66EB9CAAD8387FE96030B8D464A561D76BA46E9B880E3A931E277020B2CF1DF
SHA-512:	8C8B80C4AB26A6BFE78DDEAA684C4616132960E9CAE07C374C86D9C80B16D205BCB2BA98CD51F70682F95D7B133EC6142128BB8724CC5A2A13991D8EABD99B89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....\)b...........!.........D...............................................p............@.......................................... .. A...........F... ...........................................................................................rdata..p...........................@..@.rsrc... A... ...B..................@..@.....\)b........T........................rdata......T....rdata$zzzdbg.... ... ...rsrc$01.....@..P ...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	99160
Entropy (8bit):	4.571793664727738
Encrypted:	false
SSDEEP:	1536:I+zgXuyQNvp+nIvbFuYPlqpg0pgLevXKrmFqYQvt7jUf:YdIvjlUxpgLevXKrmFqYO
MD5:	711208EB3AB7596C1BE6B9C10CDADCAE
SHA1:	38AB80C0FC4B75077F60BCC57D3C42F293758763
SHA-256:	0006F35934E72C2AA6B384DA1882308BCB9137BD40E5129FDF3BD065EA918D2B
SHA-512:	1BFED9978183C9B140B4C99DB36BB49A3F37B939EA5B382D7010EB2CCB812F5D779A74444B39FB8A160F9597254E481086AA9484FC5BEB9A4A63220773B838D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....j^...........!.........`.......................................................q....@.......................................... ...\...........b..X!...........................................................................................rdata..p...........................@..@.rsrc....\... ...^..................@..@.....j^........T........................rdata......T....rdata$zzzdbg.... ..P....rsrc$01....P9...C...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\power-profile-performance-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	326
Entropy (8bit):	7.057304353938009
Encrypted:	false
SSDEEP:	6:6v/lhPysRXRioNQ2y02mfMq74Pv+0tLlhhayTHIue7V3leup:6v/7xXi2y2f3437ZhayTniVz
MD5:	FDE53BB8BBE68A0611C9860C480FDA85
SHA1:	EFFEF39DFFF6D3584D3772E62DBDF31FD55B88A2
SHA-256:	15B258273CBE2172ED1680DC27EEAB40D99BB4F144625C2022C2CEA983A76A8F
SHA-512:	3CC7271F35DFF6FCE63A044A2630988E8558143597A58FE42EB591949824D6C3C6EF100BB652C8E1B2D533CFE00B38B4EDCAEFD261A509588DB20E73B7C9205B
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...M.A...%V.P.....,Z ..b2..\|,..9.@.\|z.*.../...,.F...q...{..............j....(k.....s..D4F..q60...U.d.d.o.r/..f..<..nC..H0..4".58....1.KU.)........>...?.L41..1.za.i%....-.L[.d.nT......[....!.j..T...9.eC......[\|.~uF....o#.v..D.K.s....V..o.IUA.j......IEND.B`.

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\system-help.png

Download File

Process:	C:\Users\user\Desktop\Ta62k9weDV.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	568
Entropy (8bit):	7.524994279543221
Encrypted:	false
SSDEEP:	12:6v/7oy22jLAgK5yDYMOow1txurnY3QRevxKvaMMAnpllsc:XcjLAgKcDYMdw1txurYh5KCqxsc
MD5:	2301264CADE42743EA8C8BB13C1CEC4E
SHA1:	65FF9922AD511C63E83FC20E94277796BC8F3A62
SHA-256:	E85C274EEA68B29FDB46507C6A529C4388946F8B50AD203C44F9C28E137DD773
SHA-512:	F844708E1BDA3A26DBD0F947D779242039A563CCE39C9D904BF8EE4A42BF74FA912BB99EEBD5640F597EA459BB1F497894819E111AB6E94861F7651E259BA329
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx......K.D......m.)+)..[..v....m.v.vwn..N...{t.....W..'...._.8.&...6.k.8.].L.A.K.M......{.k.YJ0.d.p...r'.R.E............UN4...../.o..#...`..\fM.....7{...T!Y..T..1V.JC...3..ZZP....l.8..o`...K..\.Y..}O...:....Y{....$Q(_7./X.(.......r.L..%..5cD...t7.U.^?...=K.P.Q....k.^.I.$q...8.J...M..j.4...5k......%P.]..A`yu..9.^.0..Y{.,...C....Xk)_3...yJ.'."N,}..f...H)...(..n..l.#...X...eXE.5k_.e.g.._!...G_O..)..(O.%9..#....Y{.w..8..e.......d.r.l...>~<*...M(y...A.]4v..y....^.x] ....\|~.`.}...#.:<'.+`....IEND.B`.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	5.57316141235501
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ta62k9weDV.exe
File size:	604376
MD5:	d68ce542ec367e67f667b75d491cf032
SHA1:	5833c8f3b5c907236e2ca2734b99d9bd0f1a5a36
SHA256:	b65f37c2f7def47bd57ae2837b9c422113da608c3b37a80f62e0332fb717546f
SHA512:	46808581eb2b4d975e22f9c250c025218112b7288e40da42170c8ac40440e762654fa28bb54aab06f007bc3f5928ea799c5e79e24227796ad2f6ef778a0b9586
SSDEEP:	6144:IMrudbcDdn2cHWOgP2DSUPRAdEHgmOo466hWCt2uj0+7xeUs9aPYz/76H3/NUEgo:IfLc2jODXPRAdEeo22IYH9QHvNUED
TLSH:	0ED458956D1887BBED9D8C3752DFB6114E0F5F7E8AF013122E8476DA2D33D2384A604A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.<.L.o.L.o.L.op>.n.L.op>.n.L.op>.n.L.o.L.o.L.oa9.n.L.oa9Vo.L.oa9.n.L.oRich.L.o........PE..L....+.c.................r.........

File Icon


Icon Hash:	34746071796969b0

Static PE Info

General

Entrypoint:	0x4036fc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63132B9B [Sat Sep 3 10:25:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	OU="Ternet Unanticipated ", E=Fascinationernes@prosencephalic.Py, O=Hedley, L=Wissous, S=\xcele-de-France, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	9/26/2022 12:27:56 PM 9/25/2025 12:27:56 PM
Subject Chain	OU="Ternet Unanticipated ", E=Fascinationernes@prosencephalic.Py, O=Hedley, L=Wissous, S=\xcele-de-France, C=FR
Version:	3
Thumbprint MD5:	6F1CC974ADB8D20524E3CA199191CA0D
Thumbprint SHA-1:	CFF9329090054D649E1427E70D07E6D58404EB1E
Thumbprint SHA-256:	4028FF6FCC01E623218240C498D051D5E90D428D85534174758E36D5B5293788
Serial:	B22424AC17ED0851

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00409528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00409170h]
mov esi, dword ptr [004090ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F5DD475CD59h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F5DD475CD33h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F5DD475CD2Dh
xor eax, eax
jmp 00007F5DD475CD14h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F5DD475CD2Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F5DD475CD26h
mov eax, dword ptr [esp+38h]
mov dword ptr [00435AF8h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b0c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x56c70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x931f0	0x6e8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7032	0x7200	False	0.6497395833333334	data	6.41220875237026	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x19a2	0x1a00	False	0.455078125	data	5.04107190530894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x2ab00	0x200	False	0.30078125	data	2.035495984906757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x2e000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x56c70	0x56e00	False	0.1786083633093525	data	3.1391377765501662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x64280	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States
RT_ICON	0xa62a8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States
RT_ICON	0xb6ad0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States
RT_ICON	0xb9078	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States
RT_ICON	0xba120	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States
RT_DIALOG	0xba588	0x100	data	English	United States
RT_DIALOG	0xba688	0x11c	data	English	United States
RT_DIALOG	0xba7a8	0xc4	data	English	United States
RT_DIALOG	0xba870	0x60	data	English	United States
RT_GROUP_ICON	0xba8d0	0x4c	data	English	United States
RT_MANIFEST	0xba920	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Ta62k9weDV.exePID: 5812, Parent PID: 3324

General

Target ID:	1
Start time:	01:21:01
Start date:	06/10/2022
Path:	C:\Users\user\Desktop\Ta62k9weDV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Ta62k9weDV.exe
Imagebase:	0x400000
File size:	604376 bytes
MD5 hash:	D68CE542EC367E67F667B75D491CF032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.815524355.0000000002A70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Ta62k9weDV.exePID: 5812, Parent PID: 3324COMMON

Execution Graph

Execution Coverage:	22.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	1546
Total number of Limit Nodes:	42

Executed Functions

Function 004036FC Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			_entry_() {
				char _v694;
				struct _SHFILEINFOW _v696;
				signed char _v700;
				intOrPtr _v930;
				struct _OSVERSIONINFOW _v976;
				long _v1004;
				struct _TOKEN_PRIVILEGES _v1016;
				intOrPtr _v1020;
				void* _v1024;
				int _v1028;
				intOrPtr _v1036;
				signed short* _v1048;
				signed int _t45;
				intOrPtr* _t58;
				signed int _t71;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t83;
				WCHAR* _t91;
				void* _t95;
				void* _t103;
				void* _t107;
				void* _t113;
				signed short _t124;
				intOrPtr* _t126;
				signed short _t128;
				void* _t131;
				intOrPtr* _t132;
				void* _t136;
				signed char _t137;
				void* _t140;
				WCHAR* _t141;
				int _t143;
				void* _t144;
				signed int _t149;
				void* _t153;
				signed int _t154;
				signed int _t155;
				signed char _t156;
				signed int _t158;
				signed short _t159;
				void* _t160;
				int _t161;
				CHAR* _t163;
				intOrPtr _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				signed int _t173;
				signed int _t175;
				int _t176;

				_t161 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v1004 = 0;
				_t175 = 0; // executed
				SetErrorMode(0x8001); // executed
				asm("xorps xmm0, xmm0");
				_v976.szCSDVersion = 0;
				asm("movlpd [esp+0x144], xmm0");
				_v976.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v976) != 0) {
					_t156 = _v694;
				} else {
					_v976.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v976);
					_t136 = 0x53;
					_t156 = 4;
					_v694 = 4;
					if(_v976.szCSDVersion != _t136) {
						_t137 = 0;
					} else {
						_t137 = _v930 + 0xffffffd0;
					}
					_v700 = _t137;
				}
				if(_v976.dwMajorVersion >= 0xa) {
					_t45 = _v976.dwBuildNumber;
				} else {
					_t45 = _v976.dwBuildNumber & 0x0000ffff;
					_v976.dwBuildNumber = _t45;
				}
				 *0x435af8 = _t45;
				_t149 = ((_v976.dwMajorVersion & 0x000000ff) << 0x00000008 & 0x0000ffff | _v976.dwMinorVersion & 0x000000ff) << 0x00000010 | (_v700 & 0x000000ff) << 0x00000008 & 0x0000ffff | _t156 & 0x000000ff;
				 *0x435afc = _t149;
				if(_t149 >> 0x10 != 0x600) {
					_t132 = E004068E6(0);
					if(_t132 != 0) {
						 *_t132(0xc00);
					}
				}
				_t163 = "UXTHEME";
				do {
					E0040619E(_t163); // executed
					_t163 =  &(( &(_t163[1]))[lstrlenA(_t163)]);
				} while ( *_t163 != 0);
				E004068E6(0xb);
				 *0x4349f0 = E004068E6(9);
				_t58 = E004068E6(7);
				if(_t58 != 0) {
					_t58 =  *_t58(0x1e);
					if(_t58 != 0) {
						 *0x435afc =  *0x435afc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x435a60 = _t58;
				SHGetFileInfoW(0x4095b0, 0,  &_v696, 0x2b4, 0); // executed
				E00406B1A(0x434a00, L"NSIS Error");
				E00406B1A(L"\"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe\"", GetCommandLineW());
				_t165 = 0x22;
				_t140 = 0x20;
				 *0x4349f4 = 0x400000;
				_v1036 = _t165;
				_t65 =  !=  ? _t140 : _t165;
				_t66 = ( !=  ? _t140 : _t165) & 0x0000ffff;
				_t68 =  ==  ?  &M00440002 : L"\"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe\"";
				_t152 = CharNextW(E004065F6( ==  ?  &M00440002 : L"\"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe\"", ( !=  ? _t140 : _t165) & 0x0000ffff));
				_v1048 = _t152;
				_t71 =  *_t152 & 0x0000ffff;
				if(_t71 == 0) {
					L40:
					_t141 = L"C:\\Users\\alfons\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t141);
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags != 0) {
						L43:
						DeleteFileW(L"1033"); // executed
						_t161 = E004033ED(__eflags, _t175);
						_t176 = 0;
						__eflags = _t161;
						if(_t161 != 0) {
							L71:
							_t143 = _v1028;
							L72:
							E004036D2();
							__imp__OleUninitialize();
							__eflags = _t161;
							if(_t161 == 0) {
								__eflags =  *0x435ad4;
								if( *0x435ad4 == 0) {
									L82:
									__eflags =  *0x435aec - 0xffffffff;
									ExitProcess(_t143);
									L74:
								}
								_t79 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v1024);
								__eflags = _t79;
								if(_t79 != 0) {
									LookupPrivilegeValueW(_t176, L"SeShutdownPrivilege",  &(_v1016.Privileges));
									_v1016.PrivilegeCount = 1;
									_v1004 = 2;
									AdjustTokenPrivileges(_v1024, _t176,  &_v1016, _t176, _t176, _t176);
								}
								_t80 = E004068E6(4);
								__eflags = _t80;
								if(_t80 == 0) {
									L80:
									_t81 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t81;
									if(_t81 != 0) {
										goto L82;
									}
									goto L81;
								} else {
									_t83 =  *_t80(_t176, _t176, _t176, 0x25, 0x80040002);
									__eflags = _t83;
									if(_t83 == 0) {
										L81:
										E00401533(9);
										goto L82;
									}
									goto L80;
								}
							}
							E00406AA8(_t161, 0x200010);
							ExitProcess(2);
							goto L74;
						}
						__eflags =  *0x435a04;
						if( *0x435a04 == 0) {
							L53:
							 *0x435aec =  *0x435aec | 0xffffffff;
							_t143 = E00405A3E();
							goto L72;
						}
						_t168 = E004065F6(L"\"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe\"", 0);
						_t91 = L"\"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe\"";
						while(1) {
							__eflags = _t168 - _t91;
							if(_t168 < _t91) {
								break;
							}
							__eflags =  *_t168 - 0x5f0020;
							if( *_t168 != 0x5f0020) {
								L48:
								_t168 = _t168 - 2;
								__eflags = _t168;
								continue;
							}
							__eflags =  *((intOrPtr*)(_t168 + 4)) - 0x3d003f;
							if( *((intOrPtr*)(_t168 + 4)) == 0x3d003f) {
								break;
							}
							goto L48;
						}
						_t161 = L"Error launching installer";
						__eflags = _t168 - _t91;
						if(__eflags < 0) {
							_t169 = E004064FC();
							lstrcatW(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\", L"~nsu");
							__eflags = _t169;
							if(_t169 != 0) {
								lstrcatW(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\", "A");
							}
							lstrcatW(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\", L".tmp");
							_t95 = lstrcmpiW(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\", L"C:\\Users\\alfons\\Desktop");
							__eflags = _t95;
							if(_t95 == 0) {
								L69:
								_t143 = _t176;
								goto L72;
							} else {
								_push(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\");
								__eflags = _t169;
								if(_t169 == 0) {
									E00405E1E();
								} else {
									E00405E3E();
								}
								SetCurrentDirectoryW(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\");
								__eflags = L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane" - _t176; // 0x43
								if(__eflags == 0) {
									E00406B1A(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", L"C:\\Users\\alfons\\Desktop");
								}
								E00406B1A(0x436000, _v1024);
								 *0x436800 = 0x41;
								_t170 = 0x1a;
								do {
									_push( *((intOrPtr*)( *0x435a10 + 0x120)));
									_push(0x42b538);
									E00405EBA();
									DeleteFileW(0x42b538);
									__eflags = _t161;
									if(_t161 != 0) {
										_t103 = CopyFileW(L"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe", 0x42b538, 1);
										__eflags = _t103;
										if(_t103 != 0) {
											E0040623D(0x42b538, _t176);
											_push( *((intOrPtr*)( *0x435a10 + 0x124)));
											_push(0x42b538);
											E00405EBA();
											_t107 = E004066D6(0x42b538);
											__eflags = _t107;
											if(_t107 != 0) {
												CloseHandle(_t107);
												_t161 = _t176;
											}
										}
									}
									 *0x436800 =  *0x436800 + 1;
									_t170 = _t170 - 1;
									__eflags = _t170;
								} while (_t170 != 0);
								E0040623D(L"C:\\Users\\alfons\\AppData\\Local\\Temp\\", _t176);
								goto L69;
							}
						}
						 *_t168 = 0;
						_t171 = _t168 + 8;
						_t113 = E00406638(__eflags, _t168 + 8);
						__eflags = _t113;
						if(_t113 == 0) {
							goto L69;
						}
						E00406B1A(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", _t171);
						E00406B1A(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", _t171);
						_t161 = _t176;
						goto L53;
					}
					GetWindowsDirectoryW(_t141, 0x3fb);
					lstrcatW(_t141, L"\\Temp");
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags != 0) {
						goto L43;
					}
					GetTempPathW(0x3fc, _t141);
					lstrcatW(_t141, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t141);
					SetEnvironmentVariableW(L"TMP", _t141);
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags == 0) {
						_t176 = 0;
						__eflags = 0;
						goto L71;
					}
					goto L43;
				} else {
					_t173 = _t71;
					while(1) {
						_t124 = _t173 & 0x0000ffff;
						if(_t173 != _t140) {
							goto L21;
						} else {
							goto L20;
						}
						do {
							L20:
							_t152 =  &(_t152[1]);
							_t124 =  *_t152 & 0x0000ffff;
						} while (_t124 == _t140);
						L21:
						_t158 = _t124 & 0x0000ffff;
						if(_t124 == _v1020) {
							_t158 = _t152[1] & 0x0000ffff;
							_t131 = 0x22;
							_t140 = _t131;
						}
						_t25 =  &(_t152[1]); // 0x0
						_t126 =  !=  ? _t152 : _t25;
						if(_t158 != 0x2f) {
							L35:
							_t152 = E004065F6(_t126, _t140);
							_t144 = 0x22;
							_t128 =  *_t152 & 0x0000ffff;
							_t159 = _t128;
							if(_t128 == _t144) {
								_t152 =  &(_t152[1]);
								_t159 =  *_t152 & 0x0000ffff;
							}
							_t173 = _t159 & 0x0000ffff;
							if(_t159 == 0) {
								goto L40;
							} else {
								_t140 = 0x20;
								continue;
							}
						} else {
							_t126 = _t126 + 2;
							_t153 = 0x53;
							_t160 = 0x20;
							if( *_t126 == _t153) {
								_t155 =  *(_t126 + 2) & 0x0000ffff;
								if(_t155 == _t160 || _t155 == 0) {
									 *0x435ae0 = 1;
								}
							}
							if( *_t126 == 0x43004e &&  *(_t126 + 4) == 0x430052) {
								_t154 =  *(_t126 + 8) & 0x0000ffff;
								if(_t154 == _t160 || _t154 == 0) {
									_t175 = _t175 | 0x00000004;
								}
							}
							if( *((intOrPtr*)(_t126 - 4)) != 0x2f0020 ||  *_t126 != 0x3d0044) {
								goto L35;
							} else {
								_t152 = 0;
								 *((short*)(_t126 - 4)) = 0;
								__eflags = _t126 + 4;
								E00406B1A(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", _t126 + 4);
								goto L40;
							}
						}
					}
				}
			}

0x00403708
0x00403712
0x00403716
0x00403718
0x00403728
0x0040372b
0x00403730
0x00403739
0x00403745
0x0040377e
0x00403747
0x0040374b
0x00403754
0x00403758
0x00403759
0x0040375b
0x00403767
0x0040377a
0x00403769
0x0040376d
0x0040376d
0x00403770
0x00403770
0x0040378a
0x00403797
0x0040378c
0x0040378c
0x00403791
0x00403791
0x0040379b
0x004037ca
0x004037d1
0x004037dd
0x004037e0
0x004037e7
0x004037ee
0x004037ee
0x004037e7
0x004037f0
0x004037f5
0x004037f6
0x00403803
0x00403805
0x0040380b
0x00403819
0x0040381e
0x00403825
0x00403829
0x0040382d
0x0040382f
0x0040382f
0x0040382d
0x00403836
0x0040383d
0x00403849
0x0040385c
0x0040386c
0x0040387d
0x00403890
0x00403893
0x00403897
0x004038a3
0x004038a7
0x004038aa
0x004038b3
0x004038c3
0x004038c5
0x004038c9
0x004038cf
0x004039aa
0x004039b0
0x004039bb
0x004039c2
0x004039c4
0x00403a1c
0x00403a27
0x00403a2f
0x00403a31
0x00403a33
0x00403a35
0x00403be6
0x00403be6
0x00403bea
0x00403bea
0x00403bef
0x00403bf5
0x00403bf7
0x00403c0c
0x00403c13
0x00403c91
0x00403c91
0x00403c06
0x00403c06
0x00403c06
0x00403c23
0x00403c29
0x00403c2b
0x00403c38
0x00403c45
0x00403c53
0x00403c5b
0x00403c5b
0x00403c63
0x00403c6d
0x00403c6f
0x00403c7d
0x00403c80
0x00403c86
0x00403c88
0x00000000
0x00000000
0x00000000
0x00403c71
0x00403c77
0x00403c79
0x00403c7b
0x00403c8a
0x00403c8c
0x00000000
0x00403c8c
0x00000000
0x00403c7b
0x00403c6f
0x00403bff
0x00403c06
0x00000000
0x00403c06
0x00403a3b
0x00403a41
0x00403aa6
0x00403aa6
0x00403ab2
0x00000000
0x00403ab2
0x00403a4e
0x00403a50
0x00403a6b
0x00403a6b
0x00403a6d
0x00000000
0x00000000
0x00403a57
0x00403a5d
0x00403a68
0x00403a68
0x00403a68
0x00000000
0x00403a68
0x00403a5f
0x00403a66
0x00000000
0x00000000
0x00000000
0x00403a66
0x00403a6f
0x00403a74
0x00403a76
0x00403ac8
0x00403aca
0x00403acf
0x00403ad1
0x00403add
0x00403add
0x00403aec
0x00403afb
0x00403b01
0x00403b03
0x00403be0
0x00403be0
0x00000000
0x00403b09
0x00403b09
0x00403b0e
0x00403b10
0x00403b19
0x00403b12
0x00403b12
0x00403b12
0x00403b23
0x00403b29
0x00403b30
0x00403b3c
0x00403b3c
0x00403b4a
0x00403b51
0x00403b5b
0x00403b5c
0x00403b61
0x00403b67
0x00403b6c
0x00403b76
0x00403b78
0x00403b7a
0x00403b88
0x00403b8e
0x00403b90
0x00403b98
0x00403ba2
0x00403ba8
0x00403bad
0x00403bb7
0x00403bbc
0x00403bbe
0x00403bc1
0x00403bc7
0x00403bc7
0x00403bbe
0x00403b90
0x00403bc9
0x00403bd0
0x00403bd0
0x00403bd0
0x00403bdb
0x00000000
0x00403bdb
0x00403b03
0x00403a7a
0x00403a7d
0x00403a81
0x00403a86
0x00403a88
0x00000000
0x00000000
0x00403a94
0x00403a9f
0x00403aa4
0x00000000
0x00403aa4
0x004039cc
0x004039d8
0x004039e2
0x004039e4
0x00000000
0x00000000
0x004039ec
0x004039f4
0x00403a05
0x00403a0d
0x00403a14
0x00403a16
0x00403be4
0x00403be4
0x00000000
0x00403be4
0x00000000
0x004038d5
0x004038d5
0x004038d7
0x004038d7
0x004038dd
0x00000000
0x00000000
0x00000000
0x00000000
0x004038df
0x004038df
0x004038df
0x004038e2
0x004038e5
0x004038ea
0x004038ed
0x004038f5
0x004038f7
0x004038fd
0x004038fe
0x004038fe
0x00403905
0x00403908
0x0040390f
0x0040396a
0x00403971
0x00403975
0x00403976
0x00403979
0x0040397e
0x00403980
0x00403983
0x00403983
0x00403986
0x0040398c
0x00000000
0x0040398e
0x00403990
0x00000000
0x00403990
0x00403911
0x00403913
0x00403916
0x00403919
0x0040391d
0x0040391f
0x00403926
0x0040392d
0x0040392d
0x00403926
0x0040393d
0x00403948
0x0040394f
0x00403956
0x00403956
0x0040394f
0x00403960
0x00000000
0x00403996
0x00403996
0x00403998
0x0040399c
0x004039a5
0x00000000
0x004039a5
0x00403960
0x0040390f
0x004038d7

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403718
GetVersionExW.KERNEL32 ref: 00403741
GetVersionExW.KERNEL32(?), ref: 00403754
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037FC
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403836
OleInitialize.OLE32(00000000), ref: 0040383D
SHGetFileInfoW.SHELL32(004095B0,00000000,?,000002B4,00000000), ref: 0040385C
GetCommandLineW.KERNEL32(00434A00,NSIS Error), ref: 00403871
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Ta62k9weDV.exe",?,"C:\Users\user\Desktop\Ta62k9weDV.exe",00000000), ref: 004038BD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004039BB
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039CC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039D8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039EC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039F4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403A05
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403A0D
DeleteFileW.KERNELBASE(1033), ref: 00403A27

Part of subcall function 004033ED: GetTickCount.KERNEL32 ref: 00403400
Part of subcall function 004033ED: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ta62k9weDV.exe,00000400,?,?,?,?,?), ref: 0040341C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403ACA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409600), ref: 00403ADD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403AEC
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ta62k9weDV.exe",00000000,00000000), ref: 00403AFB
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B23
DeleteFileW.KERNEL32(0042B538,0042B538,?,00436000,?), ref: 00403B76
CopyFileW.KERNEL32(C:\Users\user\Desktop\Ta62k9weDV.exe,0042B538,00000001), ref: 00403B88
CloseHandle.KERNEL32(00000000,0042B538,0042B538,?,0042B538,00000000), ref: 00403BC1

Part of subcall function 00405E1E: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00405E26
Part of subcall function 00405E1E: GetLastError.KERNEL32 ref: 00405E30

OleUninitialize.OLE32(00000000), ref: 00403BEF
ExitProcess.KERNEL32 ref: 00403C06
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403C1C
OpenProcessToken.ADVAPI32(00000000), ref: 00403C23
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C38
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C5B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C80

Part of subcall function 004065F6: CharNextW.USER32(?,004038BC,"C:\Users\user\Desktop\Ta62k9weDV.exe",?,"C:\Users\user\Desktop\Ta62k9weDV.exe",00000000), ref: 0040660C

Strings

Error launching installer, xrefs: 00403A6F
\Temp, xrefs: 004039D2
Low, xrefs: 004039EE
"C:\Users\user\Desktop\Ta62k9weDV.exe", xrefs: 00403878, 004038AE, 004038B6, 00403A44, 00403A50
~nsu, xrefs: 00403ABE
.tmp, xrefs: 00403AE2
NSIS Error, xrefs: 00403862
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 004039A0, 00403A8F, 00403B29, 00403B37
SeShutdownPrivilege, xrefs: 00403C32
C:\Users\user\AppData\Local\Temp\, xrefs: 004039B0, 004039B5, 004039CB, 004039D7, 004039E6, 004039F3, 004039FF, 00403A07, 00403AC3, 00403AD8, 00403AE7, 00403AF6, 00403B09, 00403B1E, 00403BD6
C:\Users\user\Desktop\Ta62k9weDV.exe, xrefs: 00403B83
TMP, xrefs: 00403A08
TEMP, xrefs: 00403A00
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 00403A9A
C:\Users\user\Desktop, xrefs: 00403AF1, 00403B32
1033, xrefs: 00403A22
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403708
UXTHEME, xrefs: 004037F0, 004037F5, 004037FB

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Ta62k9weDV.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$C:\Users\user\Desktop$C:\Users\user\Desktop\Ta62k9weDV.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-3660384380
Opcode ID: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
Instruction ID: bd20618887128fe8ff831b6fc98b417d690d9367272f1fc6873584cad7b34aa2
Opcode Fuzzy Hash: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
Instruction Fuzzy Hash: 00D134B12043116AE7207F659C46B2B3AACAB4474EF41453FF586B62D2D7BC9D40CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00404B30() {
				struct HMENU__* _t63;
				WCHAR* _t64;
				int _t68;
				void* _t76;
				signed int _t78;
				short _t79;
				short _t80;
				int _t82;
				void* _t97;
				intOrPtr _t100;
				long _t114;
				struct HWND__* _t128;
				struct HWND__* _t130;
				struct HWND__* _t131;
				unsigned int _t132;
				int _t135;
				long _t136;
				int _t138;
				signed int _t140;
				short* _t141;
				int _t144;
				int _t148;
				void* _t149;
				long _t150;
				void* _t151;
				long _t152;
				void* _t153;

				_t128 =  *0x4349e8;
				_t136 =  *(_t153 + 0x64);
				if(_t136 != 0x110) {
					if(_t136 != 0x405) {
						if(_t136 != 0x111) {
							if(_t136 != 0x404) {
								if(_t136 != 0x7b ||  *(_t153 + 0x68) != _t128) {
									L14:
									return E0040575B(_t136,  *(_t153 + 0x6c),  *(_t153 + 0x6c));
								} else {
									_t144 = 0;
									_t148 = SendMessageW(_t128, 0x1004, 0, 0);
									 *(_t153 + 0x64) = _t148;
									if(_t148 <= 0) {
										L37:
										return 0;
									}
									_t63 = CreatePopupMenu();
									_push(0xffffffe1);
									_push(0);
									 *(_t153 + 0x70) = _t63;
									_t64 = E00405EBA();
									_t138 = 1;
									AppendMenuW( *(_t153 + 0x74), 0, 1, _t64);
									_t132 =  *(_t153 + 0x6c);
									_t135 = _t132;
									_t68 = _t132 >> 0x10;
									if(_t132 == 0xffffffff) {
										GetWindowRect(_t128, _t153 + 0x10);
										_t135 =  *(_t153 + 0x10);
										_t68 =  *(_t153 + 0x14);
									}
									if(TrackPopupMenu( *(_t153 + 0x80), 0x180, _t135, _t68, _t144,  *(_t153 + 0x64), _t144) == _t138) {
										 *(_t153 + 0x28) = _t144;
										 *(_t153 + 0x34) = 0x42bd48;
										 *((intOrPtr*)(_t153 + 0x38)) = 0x1000;
										do {
											_t148 = _t148 - 1;
											_t138 = _t138 + 2 + SendMessageW(_t128, 0x1073, _t148, _t153 + 0x20);
										} while (_t148 != 0);
										OpenClipboard(_t144);
										EmptyClipboard();
										_t149 = GlobalAlloc(0x42, _t138 + _t138);
										 *(_t153 + 0x64) = _t149;
										_t76 = GlobalLock(_t149);
										_t150 =  *(_t153 + 0x64);
										_t140 = _t76;
										do {
											 *(_t153 + 0x34) = _t140;
											_t78 = SendMessageW(_t128, 0x1073, _t144, _t153 + 0x20);
											_t141 = _t140 + _t78 * 2;
											_t79 = 0xd;
											 *_t141 = _t79;
											_t80 = 0xa;
											 *((short*)(_t141 + 2)) = _t80;
											_t140 = _t141 + 4;
											_t144 = _t144 + 1;
										} while (_t144 < _t150);
										_t151 =  *(_t153 + 0x60);
										GlobalUnlock(_t151);
										_push(_t151);
										_t82 = 0xd;
										SetClipboardData(_t82, ??);
										CloseClipboard();
									}
									goto L37;
								}
							}
							if( *0x4349ec == 0) {
								ShowWindow( *0x4349f8, 8);
								if( *0x435acc == 0) {
									E00405D3A( *((intOrPtr*)( *0x42dd4c + 0x34)), 0);
								}
								_push(1);
							} else {
								 *0x42bd44 = 2;
								_push(0x78);
							}
							E00405958();
							goto L14;
						}
						if( *(_t153 + 0x68) == 0x403) {
							ShowWindow( *0x4349e4, 0);
							ShowWindow(_t128, 8);
							E00405503(_t128);
						}
						goto L14;
					}
					_t97 = CreateThread(0, 0, E00405864, GetDlgItem( *(_t153 + 0x6c), 0x3ec), 0, _t153 + 0x64); // executed
					FindCloseChangeNotification(_t97); // executed
					goto L14;
				}
				 *(_t153 + 0x34) =  *(_t153 + 0x34) | 0xffffffff;
				 *(_t153 + 0x20) = 2;
				 *((intOrPtr*)(_t153 + 0x24)) = 0;
				 *((intOrPtr*)(_t153 + 0x2c)) = 0;
				 *((intOrPtr*)(_t153 + 0x30)) = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t100 =  *0x435a10;
				_t152 =  *(_t100 + 0x5c);
				 *(_t153 + 0x70) =  *(_t100 + 0x60);
				 *0x4349e4 = GetDlgItem( *(_t153 + 0x64), 0x403);
				 *0x4349c8 = GetDlgItem( *(_t153 + 0x64), 0x3ee);
				_t130 = GetDlgItem( *(_t153 + 0x64), 0x3f8);
				 *0x4349e8 = _t130;
				E00405503( *0x4349e4);
				 *0x4349cc = E00405835(4);
				 *0x4349d0 = 0;
				GetClientRect(_t130, _t153 + 0x10);
				 *(_t153 + 0x28) =  *((intOrPtr*)(_t153 + 0x18)) - GetSystemMetrics(2);
				SendMessageW(_t130, 0x1061, 0, _t153 + 0x20); // executed
				SendMessageW(_t130, 0x1036, 0x4000, 0x4000); // executed
				if(_t152 >= 0) {
					SendMessageW(_t130, 0x1001, 0, _t152);
					SendMessageW(_t130, 0x1026, 0, _t152);
				}
				_t114 =  *(_t153 + 0x68);
				if(_t114 >= 0) {
					SendMessageW(_t130, 0x1024, 0, _t114);
				}
				_push( *((intOrPtr*)( *(_t153 + 0x6c) + 0x30)));
				_push(0x1b);
				E0040551A( *(_t153 + 0x68));
				if(( *0x435a0c & 0x00000003) != 0) {
					ShowWindow( *0x4349e4, 0);
					if(( *0x435a0c & 0x00000002) != 0) {
						 *0x4349e4 = 0;
					} else {
						ShowWindow(_t130, 8);
					}
					E00405503( *0x4349c8);
				}
				_t131 = GetDlgItem( *(_t153 + 0x64), 0x3ec);
				SendMessageW(_t131, 0x401, 0, 0x75300000);
				if(( *0x435a0c & 0x00000004) != 0) {
					SendMessageW(_t131, 0x409, 0,  *(_t153 + 0x68));
					SendMessageW(_t131, 0x2001, 0, _t152);
				}
				goto L37;
			}

0x00404b34
0x00404b3d
0x00404b47
0x00404cdf
0x00404d2b
0x00404d5c
0x00404da7
0x00404d0d
0x00000000
0x00404db7
0x00404db7
0x00404dc7
0x00404dc9
0x00404dcf
0x00404ee5
0x00000000
0x00404ee5
0x00404dd5
0x00404ddb
0x00404ddd
0x00404dde
0x00404de2
0x00404dea
0x00404df1
0x00404df7
0x00404e00
0x00404e03
0x00404e07
0x00404e0f
0x00404e15
0x00404e19
0x00404e19
0x00404e39
0x00404e3f
0x00404e43
0x00404e4b
0x00404e53
0x00404e57
0x00404e69
0x00404e6b
0x00404e70
0x00404e76
0x00404e88
0x00404e8b
0x00404e8f
0x00404e95
0x00404e99
0x00404e9b
0x00404e9f
0x00404eab
0x00404eb3
0x00404eb6
0x00404eb7
0x00404ebc
0x00404ebd
0x00404ec1
0x00404ec4
0x00404ec5
0x00404ec9
0x00404ece
0x00404ed4
0x00404ed7
0x00404ed9
0x00404edf
0x00404edf
0x00000000
0x00404e39
0x00404da7
0x00404d65
0x00404d82
0x00404d8f
0x00404d9b
0x00404d9b
0x00404da0
0x00404d67
0x00404d67
0x00404d71
0x00404d71
0x00404d73
0x00000000
0x00404d73
0x00404d37
0x00404d47
0x00404d4c
0x00404d4f
0x00404d4f
0x00000000
0x00404d37
0x00404d00
0x00404d07
0x00000000
0x00404d07
0x00404b4d
0x00404b56
0x00404b68
0x00404b6c
0x00404b70
0x00404b74
0x00404b7e
0x00404b7f
0x00404b80
0x00404b81
0x00404b82
0x00404b87
0x00404b8d
0x00404b9c
0x00404bac
0x00404bb9
0x00404bbb
0x00404bc1
0x00404bcd
0x00404bd8
0x00404bde
0x00404bfc
0x00404c08
0x00404c17
0x00404c1b
0x00404c25
0x00404c2f
0x00404c2f
0x00404c31
0x00404c37
0x00404c41
0x00404c41
0x00404c47
0x00404c4a
0x00404c50
0x00404c5c
0x00404c65
0x00404c72
0x00404c7f
0x00404c74
0x00404c77
0x00404c77
0x00404c8b
0x00404c8b
0x00404ca5
0x00404cad
0x00404cb6
0x00404cc8
0x00404cd2
0x00404cd2
0x00000000

APIs

GetDlgItem.USER32 ref: 00404B91
GetDlgItem.USER32 ref: 00404BA1
GetClientRect.USER32 ref: 00404BDE
GetSystemMetrics.USER32 ref: 00404BE6
SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404C08
SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404C17
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C25
SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C2F

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C41
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C65
ShowWindow.USER32(00000000,00000008), ref: 00404C77
GetDlgItem.USER32 ref: 00404C99
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404CAD
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CC8
SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CD2
ShowWindow.USER32(00000000), ref: 00404D47
ShowWindow.USER32(?,00000008), ref: 00404D4C
GetDlgItem.USER32 ref: 00404BB1

Part of subcall function 00405503: SendMessageW.USER32(00000028,?,00000001,00405338), ref: 00405511

GetDlgItem.USER32 ref: 00404CF2
CreateThread.KERNELBASE ref: 00404D00
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404D07
ShowWindow.USER32(00000008), ref: 00404D82
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404DC1
CreatePopupMenu.USER32 ref: 00404DD5
AppendMenuW.USER32 ref: 00404DF1
GetWindowRect.USER32 ref: 00404E0F
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E31
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E60
OpenClipboard.USER32(00000000), ref: 00404E70
EmptyClipboard.USER32 ref: 00404E76
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E82
GlobalLock.KERNEL32 ref: 00404E8F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EAB
GlobalUnlock.KERNEL32(?), ref: 00404ECE
SetClipboardData.USER32 ref: 00404ED9
CloseClipboard.USER32 ref: 00404EDF

Strings

Waywort87 Setup: Installing, xrefs: 00404E43

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlocklstrcat
String ID: Waywort87 Setup: Installing
API String ID: 2449414213-679012682
Opcode ID: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction ID: b8a9fdf254180bfaf0004a99ba51f40fd9d2112bd445e4f5698f4cfe216f0b8a
Opcode Fuzzy Hash: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction Fuzzy Hash: 45A1BEB1604304BBE720AF61DD89F9B7FA9FFC4754F00092AF645A62E1C7789840CB69

Uniqueness

Uniqueness Score: -1.00%

Function 72B32351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E72B32351() {
				void _v4;
				void* _v8;
				signed short _v12;
				signed int _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				short* _t243;
				signed short* _t245;
				signed int _t246;
				signed int _t250;
				void* _t256;
				struct HINSTANCE__* _t257;
				signed int _t258;
				signed int _t260;
				void* _t261;
				signed short _t263;
				signed int _t267;
				void* _t268;
				signed int* _t269;
				void* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t287;
				void* _t289;
				signed int _t290;
				void* _t294;
				signed int _t295;
				signed short* _t296;
				void* _t299;
				signed int _t306;
				signed int _t307;
				signed int _t311;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				short* _t320;
				signed int _t321;
				signed short* _t325;
				signed int _t327;
				WCHAR* _t328;
				signed short* _t329;
				signed int _t341;
				void* _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				void* _t349;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				signed int _t365;
				signed int _t370;
				void* _t371;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				void* _t381;
				signed short* _t383;
				void* _t384;
				void* _t386;
				signed short* _t387;
				short* _t388;
				WCHAR* _t389;
				WCHAR* _t390;
				struct HINSTANCE__* _t391;
				signed int _t393;
				signed int _t394;
				signed short _t395;
				void _t396;
				void* _t398;
				void* _t403;
				signed int _t405;
				signed int _t407;
				signed int _t409;

				_t394 = 0;
				_v32 = 0;
				_v52 = 0;
				_t386 = 0;
				_v28 = 0;
				_v56 = 0;
				_v24 = 0;
				_v16 = 0;
				_v36 = 0;
				_t243 = E72B312F8();
				_v40 = _t243;
				_t320 = _t243;
				_v20 = E72B312F8();
				_t245 = E72B31593();
				_t325 = _t245;
				_v8 = _t245;
				_v60 = _t325;
				_t387 = _t245;
				_v44 = _t325;
				_v4 = 2;
				while(1) {
					_t378 = _t394;
					if(_t394 != 0 && _t386 == 0) {
						break;
					}
					_t395 =  *_t325 & 0x0000ffff;
					_t246 = _t395 & 0x0000ffff;
					_v12 = _t395;
					_t327 = _t246;
					if(_t327 == 0) {
						_t175 =  &_v52;
						 *_t175 = _v52 | 0xffffffff;
						__eflags =  *_t175;
						L132:
						_t396 = _v32;
						L133:
						_t379 = _t378;
						if(_t379 == 0) {
							 *_t320 = 0;
							__eflags = _t386;
							if(_t386 != 0) {
								_t380 = 0;
								__eflags = 0;
							} else {
								_t289 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t386 = _t289;
								_t380 = 0;
								 *(_t386 + 0x1010) = 0;
								 *((intOrPtr*)(_t386 + 0x1014)) = 0;
							}
							 *(_t386 + 0x1008) = _t380;
							_t184 = _t386 + 8; // 0x8
							_t328 = _t184;
							 *(_t386 + 0x100c) = _t380;
							_t186 = _t386 + 0x808; // 0x808
							_t388 = _t186;
							 *_t328 = 0;
							 *_t388 = 0;
							 *_t386 = _t396;
							 *(_t386 + 4) = _t380;
							_t250 = _t396 - _t380;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t320 - _v40;
								if(_t320 == _v40) {
									goto L157;
								}
								_t393 = _t380;
								GlobalFree(_t386);
								_push(_v40);
								_t386 = E72B3135A();
								__eflags = _t386;
								if(_t386 == 0) {
									goto L157;
								} else {
									goto L150;
								}
								while(1) {
									L150:
									_t280 =  *(_t386 + 0x1ca0);
									__eflags = _t280;
									if(_t280 == 0) {
										break;
									}
									_t393 = _t386;
									_t386 = _t280;
								}
								__eflags = _t393;
								if(_t393 != 0) {
									_t193 = _t393 + 0x1ca0;
									 *_t193 =  *(_t393 + 0x1ca0) & 0x00000000;
									__eflags =  *_t193;
								}
								_t281 =  *(_t386 + 0x1010);
								__eflags = _t281 & 0x00000008;
								if((_t281 & 0x00000008) == 0) {
									_t341 = 2;
									_t282 = _t281 | _t341;
									__eflags = _t282;
									 *(_t386 + 0x1010) = _t282;
								} else {
									_t386 = E72B31309(_t386);
									 *(_t386 + 0x1010) =  *(_t386 + 0x1010) & 0xfffffff5;
								}
								goto L157;
							} else {
								_t284 = _t250 - 1;
								__eflags = _t284;
								if(_t284 == 0) {
									L145:
									lstrcpyW(_t328, _v20);
									L146:
									_push(_v40);
									_push(_t388);
									L147:
									lstrcpyW();
									L157:
									_t329 = _v60;
									L158:
									_t320 = _v40;
									L159:
									_t394 = _v52;
									_t325 =  &(_t329[1]);
									_v60 = _t325;
									_t387 = _t325;
									_v44 = _t325;
									if(_t394 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t287 = _t284 - 1;
								__eflags = _t287;
								if(_t287 == 0) {
									goto L146;
								}
								__eflags = _t287 != 1;
								if(_t287 != 1) {
									goto L157;
								}
								goto L145;
							}
						}
						_t381 = _t379 - 1;
						if(_t381 == 0) {
							_t290 = _v28;
							if(_v24 == _t381) {
								_t290 = _t290 - 1;
							}
							 *((intOrPtr*)(_t386 + 0x1014)) = _t290;
						}
						goto L157;
					}
					_t343 = _t327 - 0x23;
					if(_t343 == 0) {
						__eflags = _t387 - _v8;
						if(_t387 <= _v8) {
							_t344 = _v52;
							L31:
							__eflags = _v36;
							if(_v36 != 0) {
								L15:
								_t345 = _t344;
								__eflags = _t345;
								if(_t345 == 0) {
									_t383 = _v60;
									while(1) {
										__eflags = _t246 - 0x22;
										if(_t246 != 0x22) {
											break;
										}
										_t383 =  &(_t383[1]);
										__eflags = _v36;
										_v60 = _t383;
										_t387 = _t383;
										if(_v36 == 0) {
											__eflags = 1;
											_v36 = 1;
											L123:
											_t329 = _v60;
											 *_t320 =  *_t329;
											_t294 = 2;
											_t320 = _t320 + _t294;
											goto L159;
										}
										_t161 =  &_v36;
										 *_t161 = _v36 & 0x00000000;
										__eflags =  *_t161;
										_t246 =  *_t383 & 0x0000ffff;
									}
									__eflags = _t246 - 0x2a;
									if(_t246 == 0x2a) {
										_t295 = 2;
										_v32 = _t295;
										goto L157;
									}
									_t398 = 0x2d;
									__eflags = _t246 - _t398;
									if(_t246 == _t398) {
										L119:
										_t346 =  *_t383 & 0x0000ffff;
										__eflags = _t346 - _t398;
										if(_t346 != _t398) {
											L124:
											_t296 =  &(_t383[1]);
											_t384 = 0x3a;
											__eflags =  *_t296 - _t384;
											if( *_t296 != _t384) {
												goto L123;
											}
											__eflags = _t346 - _t398;
											if(_t346 == _t398) {
												goto L123;
											}
											__eflags = 1;
											_v32 = 1;
											L127:
											_t329 = _t296;
											_v60 = _t329;
											__eflags = _t320 - _v40;
											if(_t320 <= _v40) {
												 *_v20 = 0;
												goto L158;
											}
											_push(_v40);
											_push(_v20);
											 *_t320 = 0;
											goto L147;
										}
										_t296 =  &(_t387[1]);
										__eflags =  *_t296 - 0x3e;
										if( *_t296 != 0x3e) {
											goto L124;
										}
										_v32 = 3;
										goto L127;
									}
									_t349 = 0x3a;
									__eflags = _t246 - _t349;
									if(_t246 != _t349) {
										goto L123;
									}
									goto L119;
								}
								_t350 = _t345 - 1;
								__eflags = _t350;
								if(_t350 == 0) {
									_t321 = _v28;
									L51:
									_t299 = _t246 + 0xffffffde;
									__eflags = _t299 - 0x55;
									if(_t299 > 0x55) {
										goto L157;
									}
									_t77 = _t299 + 0x72b32c69; // 0x39000010
									switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M72B32BDD))) {
										case 0:
											__ecx = _v40;
											__ebx = _v60;
											_push(2);
											__edx = __bp & 0x0000ffff;
											_pop(__ebp);
											while(1) {
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												L89:
												__eflags =  *(__ebx + 2) - __dx;
												if( *(__ebx + 2) != __dx) {
													L94:
													__ebp = _v40;
													__eax = 0;
													__eflags = 0;
													_v60 = __ebx;
													 *__ecx = __ax;
													__esi = E72B312E1(_v40);
													goto L95;
												}
												L90:
												__eflags = __ax;
												if(__ax == 0) {
													goto L94;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__ebx = __ebx + 2;
													__eflags = __ebx;
												}
												__ax =  *__ebx;
												 *__ecx = __ax;
												__ecx = __ecx + __ebp;
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												goto L89;
											}
										case 1:
											L48:
											_v56 = 1;
											goto L157;
										case 2:
											_v56 = _v56 | 0xffffffff;
											goto L157;
										case 3:
											_v56 = _v56 & __edx;
											__eax = 0;
											_v48 = _v48 & __edx;
											__ebx = __ebx + 1;
											__eax = 1;
											_v28 = __ebx;
											_v24 = 1;
											goto L157;
										case 4:
											__eflags = _v48 - __edx;
											if(_v48 != __edx) {
												goto L157;
											}
											__eax = _v60;
											_push(2);
											_pop(__ecx);
											__eax = _v60 - __ecx;
											_v44 = _v60 - __ecx;
											__esi = E72B312F8();
											__eax =  &_v44;
											_push(__esi);
											__eax = E72B31BCF( &_v44);
											_push(__edx);
											_push(__eax);
											__eax = E72B3149E(__ecx);
											__esp = __esp + 0xc;
											goto L83;
										case 5:
											_v48 = _v48 + 1;
											goto L157;
										case 6:
											_push(7);
											goto L77;
										case 7:
											_push(0x19);
											goto L103;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L60;
										case 9:
											_push(0x15);
											goto L103;
										case 0xa:
											_push(0x16);
											goto L103;
										case 0xb:
											_push(0x18);
											goto L103;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											_t105 = __eax + 1; // 0x1
											__edx = _t105;
											goto L72;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L63;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L78;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											_t107 = __eax + 1; // 0x1
											__edx = _t107;
											goto L76;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											_t101 = __eax + 1; // 0x1
											__edx = _t101;
											goto L67;
										case 0x11:
											_push(3);
											goto L77;
										case 0x12:
											_push(0x17);
											L103:
											_pop(__esi);
											goto L104;
										case 0x13:
											__eax =  &_v44;
											__eax = E72B31BCF( &_v44);
											_push(0xb);
											_pop(__esi);
											_t132 = __eax + 1; // 0x1
											__ecx = _t132;
											__eflags = _t132 - __esi;
											_push(1);
											_pop(__ecx);
											__esi =  >=  ? _t132 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											goto L83;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L104;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											_t102 = __eax + 1; // 0x1
											__edx = _t102;
											goto L70;
										case 0x16:
											__eax = 0;
											goto L78;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											_t106 = __eax + 1; // 0x1
											__edx = _t106;
											goto L74;
										case 0x18:
											_t351 =  *((intOrPtr*)(_t386 + 0x1014));
											__eflags = _t351 - _t321;
											_push(1);
											_t302 =  <=  ? _t321 : _t351;
											_v56 = _v56 & 0;
											_v48 = _v48 & 0;
											_t322 =  <=  ? _t321 : _t351;
											_v28 =  <=  ? _t321 : _t351;
											_v32 - 3 = _t351 - (0 | _v32 == 0x00000003);
											_pop(_t305);
											_t400 =  !=  ? _t305 : _v24;
											_v24 =  !=  ? _t305 : _v24;
											goto L157;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L60:
											_push(2);
											_pop(__ecx);
											_v56 = __ecx;
											goto L78;
										case 0x1a:
											L72:
											_push(5);
											goto L77;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L63:
											_push(3);
											_pop(__esi);
											_v56 = __esi;
											goto L78;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L78;
										case 0x1d:
											L76:
											_push(6);
											goto L77;
										case 0x1e:
											L67:
											_push(2);
											goto L77;
										case 0x1f:
											__eax =  &_v44;
											_t136 = E72B31BCF( &_v44) + 1; // 0x1
											__esi = _t136;
											L83:
											__ecx = _v44;
											_v60 = _v44;
											L95:
											__eflags = __esi;
											if(__esi == 0) {
												goto L157;
											}
											L104:
											__edx = _v48;
											0 = 1;
											_v24 = 1;
											__eflags = __edx;
											if(__edx != 0) {
												__eflags = __edx - 1;
												if(__edx == 1) {
													__eax = _v28;
													__eax = _v28 << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x102c) = __esi;
												}
												L111:
												__edx = __edx + 1;
												_v48 = __edx;
												goto L157;
											}
											__ebx = _v28;
											__ebx = _v28 << 5;
											__eax =  *(__ebx + __edi + 0x1030);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L107:
												__eax = GlobalFree(__eax);
												__edx = _v48;
												L108:
												 *(__ebx + __edi + 0x1030) = __esi;
												goto L111;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L108;
											}
											goto L107;
										case 0x20:
											L70:
											_v16 = _v16 + 1;
											_push(4);
											goto L77;
										case 0x21:
											L74:
											_push(4);
											L77:
											_pop(__eax);
											L78:
											__ecx =  *(0x72b34094 + __eax * 4);
											0 = 1;
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push(1);
											asm("sbb edx, edx");
											_v24 = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x1018) = __edx;
											__edx = _v56;
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x1028)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax =  &_v44;
												__eax = E72B31BCF( &_v44);
												__ecx = _v44;
												_v60 = _v44;
												_t119 = __eax + 1; // 0x1
												__edx = _t119;
												_v56 = __edx;
											}
											__ecx = __ebx + 0x81;
											 *(__esi + __edi + 0x101c) = __edx;
											__ecx = __ebx + 0x81 << 5;
											__edx = 0;
											 *((intOrPtr*)(__esi + __edi + 0x1030)) = 0;
											 *((intOrPtr*)(__esi + __edi + 0x102c)) = 0;
											 *((intOrPtr*)((__ebx + 0x81 << 5) + __edi)) = 0;
											goto L157;
										case 0x22:
											goto L157;
									}
								}
								_t352 = _t350 - 1;
								__eflags = _t352;
								if(_t352 == 0) {
									_t321 = 0;
									_v28 = 0;
									goto L51;
								}
								__eflags = _t352 != 1;
								if(_t352 != 1) {
									goto L123;
								}
								__eflags = _t246 - 0x6e;
								if(__eflags > 0) {
									_t306 = _t246 - 0x72;
									__eflags = _t306;
									if(_t306 == 0) {
										_push(4);
										L43:
										_pop(_t307);
										L44:
										_t354 =  *(_t386 + 0x1010);
										__eflags = _v56 - 1;
										if(_v56 != 1) {
											_t355 = _t354 &  !_t307;
											__eflags = _t355;
										} else {
											_t355 = _t354 | _t307;
										}
										 *(_t386 + 0x1010) = _t355;
										goto L48;
									}
									_t311 = _t306 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L43;
									}
									_t356 = 2;
									__eflags = _t311 != _t356;
									if(_t311 != _t356) {
										goto L157;
									}
									_push(0x40);
									goto L43;
								}
								if(__eflags == 0) {
									_push(8);
									goto L43;
								}
								_t313 = _t246 - 0x21;
								__eflags = _t313;
								if(_t313 == 0) {
									_v56 =  ~_v56;
									goto L157;
								}
								_t314 = _t313 - 0x11;
								__eflags = _t314;
								if(_t314 == 0) {
									_t307 = 0x100;
									goto L44;
								}
								_t315 = _t314 - 0x31;
								__eflags = _t315;
								if(_t315 == 0) {
									_t307 = 1;
									goto L44;
								}
								_t357 = 2;
								__eflags = _t315 != _t357;
								if(_t315 != _t357) {
									goto L157;
								}
								_push(0x20);
								goto L43;
							}
							_v52 = _v52 & 0x00000000;
							_t396 = 0;
							_v32 = 0;
							goto L133;
						}
						_t358 = _v60;
						_t403 = 0x3a;
						__eflags =  *((intOrPtr*)(_t358 - 2)) - _t403;
						_t344 = _v52;
						if( *((intOrPtr*)(_t358 - 2)) != _t403) {
							goto L31;
						}
						__eflags = _t344;
						if(_t344 == 0) {
							goto L15;
						}
						goto L31;
					}
					_t359 = _t343 - 5;
					if(_t359 == 0) {
						__eflags = _v36;
						if(_v36 == 0) {
							_v52 = 1;
							__eflags = _v32 - 3;
							_t370 = (0 | _v32 == 0x00000003) + 1;
							__eflags = _t370;
							_v28 = _t370;
						}
						_v56 = _v56 & 0x00000000;
						_t405 = _v36;
						__eflags = _t405;
						_t361 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						_v24 = _v24 & 0x00000000;
						__eflags = _t405;
						_t363 =  ==  ? _v24 : _v24;
						_v24 =  ==  ? _v24 : _v24;
						__eflags = _t405;
						_t365 = 0 | _t405 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						L13:
						_v48 = _t407;
						__eflags = _t365;
						if(_t365 != 0) {
							goto L132;
						}
						L14:
						_t344 = _v52;
						goto L15;
					}
					_t371 = _t359 - 1;
					if(_t371 == 0) {
						_t409 = _v36;
						__eflags = _t409;
						_t373 =  ==  ? _v4 : _v52;
						_v52 =  ==  ? _v4 : _v52;
						_v56 = _v56 & 0x00000000;
						__eflags = _t409;
						_t375 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						__eflags = _t409;
						_t365 = 0 | _t409 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						goto L13;
					}
					if(_t371 != 0x16) {
						goto L14;
					} else {
						_v52 = 3;
						_v56 = 1;
						goto L132;
					}
				}
				GlobalFree(_v8);
				GlobalFree(_v40);
				GlobalFree(_v20);
				if(_t386 == 0 ||  *(_t386 + 0x100c) != 0) {
					L185:
					return _t386;
				} else {
					_t256 =  *_t386 - 1;
					if(_t256 == 0) {
						_t221 = _t386 + 8; // 0x8
						_t389 = _t221;
						__eflags =  *_t389;
						if( *_t389 != 0) {
							_t257 = GetModuleHandleW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 != 0) {
								L173:
								_t226 = _t386 + 0x808; // 0x808
								_t390 = _t226;
								_t258 = E72B31F7B(_t257, _t390);
								 *(_t386 + 0x100c) = _t258;
								__eflags = _t258;
								if(_t258 == 0) {
									_t261 = 0x23;
									__eflags =  *_t390 - _t261;
									if( *_t390 == _t261) {
										_t228 = _t386 + 0x80a; // 0x80a
										_t263 = E72B3135A();
										__eflags = _t263;
										if(_t263 != 0) {
											__eflags = _t263 & 0xffff0000;
											if((_t263 & 0xffff0000) == 0) {
												 *(_t386 + 0x100c) = GetProcAddress( *(_t386 + 0x1008), _t263 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									L180:
									_t390[lstrlenW(_t390)] = 0x57;
									_t260 = E72B31F7B( *(_t386 + 0x1008), _t390);
									__eflags = _t260;
									if(_t260 == 0) {
										__eflags =  *(_t386 + 0x100c);
										L183:
										if(__eflags != 0) {
											goto L185;
										}
										L184:
										_t240 = _t386 + 4;
										 *_t240 =  *(_t386 + 4) | 0xffffffff;
										__eflags =  *_t240;
										goto L185;
									}
									L181:
									 *(_t386 + 0x100c) = _t260;
									goto L185;
								} else {
									__eflags =  *(_t386 + 0x100c);
									if( *(_t386 + 0x100c) != 0) {
										goto L185;
									}
									goto L180;
								}
							}
							_t257 = LoadLibraryW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 == 0) {
								goto L184;
							}
							goto L173;
						}
						_t222 = _t386 + 0x808; // 0x808
						_t267 = E72B3135A();
						 *(_t386 + 0x100c) = _t267;
						__eflags = _t267;
						goto L183;
					}
					_t268 = _t256 - 1;
					if(_t268 == 0) {
						_t220 = _t386 + 0x808; // 0x808
						_t269 = _t220;
						__eflags =  *_t269;
						if( *_t269 == 0) {
							goto L185;
						}
						_push(_t269);
						_t260 = E72B3135A();
						goto L181;
					}
					if(_t268 != 1) {
						goto L185;
					}
					_t210 = _t386 + 8; // 0x8
					_t324 = _t210;
					_push(_t210);
					_t391 = E72B3135A();
					 *(_t386 + 0x1008) = _t391;
					if(_t391 == 0) {
						goto L184;
					}
					 *((intOrPtr*)(_t386 + 0x104c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1050)) = E72B312E1(_t324);
					 *((intOrPtr*)(_t386 + 0x103c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1048)) = 1;
					 *((intOrPtr*)(_t386 + 0x1038)) = 1;
					_t217 = _t386 + 0x808; // 0x808
					_t260 =  *(_t391->i + E72B3135A() * 4);
					goto L181;
				}
			}

0x72b32359
0x72b3235b
0x72b32360
0x72b32364
0x72b32366
0x72b3236a
0x72b3236e
0x72b32372
0x72b32376
0x72b3237a
0x72b3237f
0x72b32383
0x72b3238a
0x72b3238e
0x72b32393
0x72b32395
0x72b32399
0x72b3239d
0x72b3239f
0x72b323a3
0x72b323ab
0x72b323ab
0x72b323af
0x00000000
0x00000000
0x72b323b9
0x72b323bc
0x72b323c1
0x72b323c5
0x72b323c8
0x72b32911
0x72b32911
0x72b32911
0x72b32916
0x72b32916
0x72b3291a
0x72b3291a
0x72b3291d
0x72b32940
0x72b32943
0x72b32945
0x72b32966
0x72b32966
0x72b32947
0x72b3294e
0x72b32954
0x72b32956
0x72b32958
0x72b3295e
0x72b3295e
0x72b3296a
0x72b32970
0x72b32970
0x72b32973
0x72b32979
0x72b32979
0x72b3297f
0x72b32982
0x72b32987
0x72b32989
0x72b3298c
0x72b3298c
0x72b3298e
0x72b329b7
0x72b329bb
0x00000000
0x00000000
0x72b329be
0x72b329c0
0x72b329c6
0x72b329cf
0x72b329d2
0x72b329d4
0x00000000
0x00000000
0x00000000
0x00000000
0x72b329d6
0x72b329d6
0x72b329d6
0x72b329dc
0x72b329de
0x00000000
0x00000000
0x72b329e0
0x72b329e2
0x72b329e2
0x72b329e6
0x72b329e8
0x72b329ea
0x72b329ea
0x72b329ea
0x72b329ea
0x72b329f1
0x72b329f7
0x72b329f9
0x72b32a0f
0x72b32a10
0x72b32a10
0x72b32a12
0x72b329fb
0x72b32a01
0x72b32a04
0x72b32a04
0x00000000
0x72b32990
0x72b32990
0x72b32990
0x72b32993
0x72b3299f
0x72b329a4
0x72b329aa
0x72b329aa
0x72b329ae
0x72b329af
0x72b329af
0x72b32a18
0x72b32a18
0x72b32a1c
0x72b32a1c
0x72b32a20
0x72b32a20
0x72b32a24
0x72b32a27
0x72b32a2b
0x72b32a2d
0x72b32a34
0x00000000
0x00000000
0x00000000
0x72b32a34
0x72b32995
0x72b32995
0x72b32998
0x00000000
0x00000000
0x72b3299a
0x72b3299d
0x00000000
0x00000000
0x00000000
0x72b3299d
0x72b3298e
0x72b3291f
0x72b32922
0x72b32928
0x72b32930
0x72b32932
0x72b32932
0x72b32933
0x72b32933
0x00000000
0x72b32922
0x72b323ce
0x72b323d1
0x72b32502
0x72b32506
0x72b32522
0x72b32526
0x72b32526
0x72b3252b
0x72b324b8
0x72b324ba
0x72b324ba
0x72b324bc
0x72b32852
0x72b32870
0x72b32870
0x72b32873
0x00000000
0x00000000
0x72b32858
0x72b3285b
0x72b32860
0x72b32864
0x72b32866
0x72b328a9
0x72b328aa
0x72b328ae
0x72b328ae
0x72b328b7
0x72b328ba
0x72b328bb
0x00000000
0x72b328bb
0x72b32868
0x72b32868
0x72b32868
0x72b3286d
0x72b3286d
0x72b32875
0x72b32878
0x72b32907
0x72b32908
0x00000000
0x72b32908
0x72b32880
0x72b32881
0x72b32883
0x72b3288c
0x72b3288c
0x72b3288f
0x72b32892
0x72b328c2
0x72b328c2
0x72b328c7
0x72b328c8
0x72b328cb
0x00000000
0x00000000
0x72b328cd
0x72b328d0
0x00000000
0x00000000
0x72b328d4
0x72b328d5
0x72b328d9
0x72b328d9
0x72b328db
0x72b328df
0x72b328e3
0x72b328fd
0x00000000
0x72b328fd
0x72b328e5
0x72b328eb
0x72b328ef
0x00000000
0x72b328ef
0x72b32894
0x72b32897
0x72b3289b
0x00000000
0x00000000
0x72b3289d
0x00000000
0x72b3289d
0x72b32887
0x72b32888
0x72b3288a
0x00000000
0x00000000
0x00000000
0x72b3288a
0x72b324c2
0x72b324c2
0x72b324c5
0x72b325a7
0x72b325ab
0x72b325ab
0x72b325ae
0x72b325b1
0x00000000
0x00000000
0x72b325b7
0x72b325be
0x00000000
0x72b3278d
0x72b32791
0x72b32795
0x72b32797
0x72b3279a
0x72b3279b
0x72b3279b
0x72b3279e
0x72b327a1
0x72b327a4
0x00000000
0x00000000
0x72b327a6
0x72b327a6
0x72b327aa
0x72b327c3
0x72b327c3
0x72b327c7
0x72b327c7
0x72b327ca
0x72b327ce
0x72b327d7
0x00000000
0x72b327d7
0x72b327ac
0x72b327ac
0x72b327af
0x00000000
0x00000000
0x72b327b1
0x72b327b4
0x72b327b6
0x72b327b6
0x72b327b6
0x72b327b9
0x72b327bc
0x72b327bf
0x72b3279b
0x72b3279e
0x72b327a1
0x72b327a4
0x00000000
0x00000000
0x00000000
0x72b327a4
0x00000000
0x72b32593
0x72b32596
0x00000000
0x00000000
0x72b32618
0x00000000
0x00000000
0x72b325ff
0x72b32603
0x72b32605
0x72b32609
0x72b3260a
0x72b3260b
0x72b3260f
0x00000000
0x00000000
0x72b32757
0x72b3275b
0x00000000
0x00000000
0x72b32761
0x72b32765
0x72b32767
0x72b32768
0x72b3276a
0x72b32773
0x72b32775
0x72b32779
0x72b3277b
0x72b32781
0x72b32782
0x72b32783
0x72b32788
0x00000000
0x00000000
0x72b32716
0x00000000
0x00000000
0x72b32622
0x00000000
0x00000000
0x72b327f8
0x00000000
0x00000000
0x72b3262a
0x72b3262c
0x72b3262d
0x00000000
0x00000000
0x72b327e8
0x00000000
0x00000000
0x72b327ec
0x00000000
0x00000000
0x72b327f4
0x00000000
0x00000000
0x72b32676
0x72b32676
0x72b32678
0x72b32678
0x00000000
0x00000000
0x72b3263d
0x72b3263f
0x72b32640
0x00000000
0x00000000
0x72b32650
0x72b32652
0x72b32653
0x00000000
0x00000000
0x72b32688
0x72b32688
0x72b3268a
0x72b3268a
0x00000000
0x00000000
0x72b3265c
0x72b3265c
0x72b3265e
0x72b3265e
0x00000000
0x00000000
0x72b32665
0x00000000
0x00000000
0x72b327f0
0x72b327fa
0x72b327fa
0x00000000
0x00000000
0x72b3271f
0x72b32724
0x72b3272a
0x72b3272c
0x72b3272d
0x72b3272d
0x72b32730
0x72b32732
0x72b32734
0x72b32735
0x72b32738
0x72b32738
0x00000000
0x00000000
0x72b327e3
0x00000000
0x00000000
0x72b32669
0x72b32669
0x72b3266b
0x72b3266b
0x00000000
0x00000000
0x72b32626
0x00000000
0x00000000
0x72b3267f
0x72b3267f
0x72b32681
0x72b32681
0x00000000
0x00000000
0x72b325c5
0x72b325d1
0x72b325d3
0x72b325d5
0x72b325d8
0x72b325dc
0x72b325e0
0x72b325e4
0x72b325f0
0x72b325f2
0x72b325f3
0x72b325f6
0x00000000
0x00000000
0x72b32631
0x72b32633
0x72b32633
0x72b32634
0x72b32634
0x72b32636
0x72b32637
0x00000000
0x00000000
0x72b3267b
0x72b3267b
0x00000000
0x00000000
0x72b32644
0x72b32646
0x72b32646
0x72b32647
0x72b32647
0x72b32649
0x72b3264a
0x00000000
0x00000000
0x72b32657
0x72b32659
0x00000000
0x00000000
0x72b3268d
0x72b3268d
0x00000000
0x00000000
0x72b32661
0x72b32661
0x00000000
0x00000000
0x72b32747
0x72b32752
0x72b32752
0x72b3273a
0x72b3273a
0x72b3273e
0x72b327d9
0x72b327d9
0x72b327db
0x00000000
0x00000000
0x72b327fb
0x72b327fb
0x72b32801
0x72b32802
0x72b32806
0x72b32808
0x72b32836
0x72b32838
0x72b3283a
0x72b3283e
0x72b3283e
0x72b32841
0x72b32841
0x72b32848
0x72b32848
0x72b32849
0x00000000
0x72b32849
0x72b3280a
0x72b3280e
0x72b32811
0x72b32818
0x72b3281b
0x72b32822
0x72b32823
0x72b32829
0x72b3282d
0x72b3282d
0x00000000
0x72b3282d
0x72b3281d
0x72b32820
0x00000000
0x00000000
0x00000000
0x00000000
0x72b3266e
0x72b3266e
0x72b32672
0x00000000
0x00000000
0x72b32684
0x72b32684
0x72b3268f
0x72b3268f
0x72b32690
0x72b32690
0x72b32699
0x72b3269a
0x72b3269c
0x72b3269f
0x72b326a1
0x72b326a2
0x72b326a4
0x72b326a8
0x72b326ae
0x72b326b2
0x72b326b3
0x72b326ba
0x72b326be
0x72b326c0
0x72b326c3
0x72b326c5
0x72b326c6
0x72b326c9
0x72b326d0
0x72b326d2
0x72b326d4
0x72b326d9
0x72b326df
0x72b326e3
0x72b326e7
0x72b326e7
0x72b326ea
0x72b326ea
0x72b326ee
0x72b326f4
0x72b326fb
0x72b326fe
0x72b32700
0x72b32707
0x72b3270e
0x00000000
0x00000000
0x00000000
0x00000000
0x72b325be
0x72b324cb
0x72b324cb
0x72b324ce
0x72b3259f
0x72b325a1
0x00000000
0x72b325a1
0x72b324d4
0x72b324d7
0x00000000
0x00000000
0x72b324dd
0x72b324e0
0x72b32556
0x72b32556
0x72b32559
0x72b32573
0x72b32575
0x72b32575
0x72b32576
0x72b32576
0x72b3257f
0x72b32583
0x72b3258b
0x72b3258b
0x72b32585
0x72b32585
0x72b32585
0x72b3258d
0x00000000
0x72b3258d
0x72b3255b
0x72b3255b
0x72b3255e
0x72b3256f
0x00000000
0x72b3256f
0x72b32562
0x72b32563
0x72b32565
0x00000000
0x00000000
0x72b3256b
0x00000000
0x72b3256b
0x72b324e2
0x72b32552
0x00000000
0x72b32552
0x72b324e4
0x72b324e4
0x72b324e7
0x72b32549
0x00000000
0x72b32549
0x72b324e9
0x72b324e9
0x72b324ec
0x72b32542
0x00000000
0x72b32542
0x72b324ee
0x72b324ee
0x72b324f1
0x72b3253f
0x00000000
0x72b3253f
0x72b324f5
0x72b324f6
0x72b324f8
0x00000000
0x00000000
0x72b324fe
0x00000000
0x72b324fe
0x72b3252d
0x72b32532
0x72b32534
0x00000000
0x72b32534
0x72b32508
0x72b3250e
0x72b3250f
0x72b32516
0x72b3251a
0x00000000
0x00000000
0x72b3251c
0x72b3251e
0x00000000
0x00000000
0x00000000
0x72b32520
0x72b323d7
0x72b323da
0x72b32441
0x72b32446
0x72b3244b
0x72b32451
0x72b32459
0x72b32459
0x72b3245a
0x72b3245a
0x72b32462
0x72b32467
0x72b3246b
0x72b3246d
0x72b32472
0x72b3247a
0x72b3247f
0x72b32481
0x72b32486
0x72b3248c
0x72b32492
0x72b32495
0x72b3249a
0x72b3249f
0x72b324a4
0x72b324a4
0x72b324ac
0x72b324ae
0x00000000
0x00000000
0x72b324b4
0x72b324b4
0x00000000
0x72b324b4
0x72b323dc
0x72b323df
0x72b323fe
0x72b32402
0x72b32408
0x72b3240d
0x72b32415
0x72b3241a
0x72b3241c
0x72b32421
0x72b32427
0x72b3242d
0x72b32430
0x72b32435
0x72b3243a
0x00000000
0x72b3243a
0x72b323e4
0x00000000
0x72b323ea
0x72b323ec
0x72b323f5
0x00000000
0x72b323f5
0x72b323e4
0x72b32a44
0x72b32a4a
0x72b32a50
0x72b32a54
0x72b32bd0
0x72b32bd9
0x72b32a68
0x72b32a6a
0x72b32a6d
0x72b32af7
0x72b32af7
0x72b32afa
0x72b32afd
0x72b32b1a
0x72b32b20
0x72b32b26
0x72b32b28
0x72b32b3f
0x72b32b3f
0x72b32b3f
0x72b32b47
0x72b32b4c
0x72b32b54
0x72b32b56
0x72b32b5a
0x72b32b5b
0x72b32b5e
0x72b32b60
0x72b32b67
0x72b32b6d
0x72b32b6f
0x72b32b71
0x72b32b76
0x72b32b88
0x72b32b88
0x72b32b76
0x72b32b6f
0x72b32b5e
0x72b32b8e
0x72b32b92
0x72b32b9c
0x72b32ba4
0x72b32bb1
0x72b32bb8
0x72b32bba
0x72b32bc4
0x72b32bca
0x72b32bca
0x00000000
0x00000000
0x72b32bcc
0x72b32bcc
0x72b32bcc
0x72b32bcc
0x00000000
0x72b32bcc
0x72b32bbc
0x72b32bbc
0x00000000
0x72b32b94
0x72b32b94
0x72b32b9a
0x00000000
0x00000000
0x00000000
0x72b32b9a
0x72b32b92
0x72b32b2b
0x72b32b31
0x72b32b37
0x72b32b39
0x00000000
0x00000000
0x00000000
0x72b32b39
0x72b32aff
0x72b32b06
0x72b32b0c
0x72b32b12
0x00000000
0x72b32b12
0x72b32a73
0x72b32a76
0x72b32adc
0x72b32adc
0x72b32ae2
0x72b32ae5
0x00000000
0x00000000
0x72b32aeb
0x72b32aec
0x00000000
0x72b32af1
0x72b32a7b
0x00000000
0x00000000
0x72b32a81
0x72b32a81
0x72b32a84
0x72b32a8a
0x72b32a8c
0x72b32a95
0x00000000
0x00000000
0x72b32a9c
0x72b32aa7
0x72b32ab0
0x72b32ab6
0x72b32abc
0x72b32ac2
0x72b32ad5
0x00000000
0x72b32ad5

APIs

Part of subcall function 72B312F8: GlobalAlloc.KERNELBASE(00000040,?,72B311C4,-000000A0), ref: 72B31302

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 72B3294E
lstrcpyW.KERNEL32 ref: 72B329A4
lstrcpyW.KERNEL32 ref: 72B329AF
GlobalFree.KERNEL32 ref: 72B329C0
GlobalFree.KERNEL32 ref: 72B32A44
GlobalFree.KERNEL32 ref: 72B32A4A
GlobalFree.KERNEL32 ref: 72B32A50
GetModuleHandleW.KERNEL32(00000008), ref: 72B32B1A
LoadLibraryW.KERNEL32(00000008), ref: 72B32B2B
GetProcAddress.KERNEL32(?,?), ref: 72B32B82
lstrlenW.KERNEL32(00000808), ref: 72B32B9D

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: 7c304c0b45d6803ccfd45ae2f29315d495cb720ff1a6bd2b249681d566054593
Instruction ID: 320d61279bc33c8852b9bf65bc586cc8713ff1b27cb8a8a6f20634baacfb5eef
Opcode Fuzzy Hash: 7c304c0b45d6803ccfd45ae2f29315d495cb720ff1a6bd2b249681d566054593
Instruction Fuzzy Hash: 50429D71A083029FE31BCF2CC45075AB7F5FF88714F804A2EE59A96296E770D945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406719(void* __eflags, WCHAR* _a4, signed char _a8) {
				short _v544;
				short _v546;
				struct _WIN32_FIND_DATAW _v592;
				signed int _v596;
				signed char _v600;
				signed int _v604;
				signed int _t27;
				void* _t40;
				signed int _t43;
				signed int _t46;
				signed int _t54;
				void* _t56;
				signed char _t57;
				signed int _t60;
				WCHAR* _t61;
				signed int _t64;
				void* _t66;

				_t57 = _a8;
				_t61 = _a4;
				_t60 = _t57 & 0x00000004;
				_t27 = E00406638(__eflags, _t61);
				_v600 = _t27;
				if((_t57 & 0x00000008) != 0) {
					_t54 = DeleteFileW(_t61); // executed
					asm("sbb eax, eax");
					_t56 =  ~_t54 + 1;
					 *0x435ac8 =  *0x435ac8 + _t56;
					return _t56;
				}
				_t64 = _t57 & 0x00000001;
				__eflags = _t64;
				_v600 = _t64;
				if(_t64 == 0) {
					L5:
					E00406B1A(0x42fdc0, _t61);
					__eflags = _t64;
					if(_t64 == 0) {
						E00406D10(_t61);
					} else {
						lstrcatW(0x42fdc0, L"\\*.*");
					}
					__eflags =  *_t61;
					if( *_t61 != 0) {
						L10:
						lstrcatW(_t61, 0x4092b0);
						goto L11;
					} else {
						__eflags =  *0x42fdc0 - 0x5c;
						if( *0x42fdc0 != 0x5c) {
							L11:
							_v604 =  &(_t61[lstrlenW(_t61)]);
							_t27 = FindFirstFileW(0x42fdc0,  &_v592); // executed
							_t66 = _t27;
							__eflags = _t66 - 0xffffffff;
							if(_t66 == 0xffffffff) {
								L27:
								__eflags = _v600;
								if(_v600 == 0) {
									goto L35;
								}
								_t27 = _v604;
								 *((short*)(_t27 - 2)) = 0;
								__eflags = _v596;
								if(_v596 == 0) {
									goto L33;
								}
								goto L29;
							}
							_t40 = 0x2e;
							do {
								__eflags = _v592.cFileName - _t40;
								if(_v592.cFileName != _t40) {
									L17:
									E00406B1A(_v604,  &(_v592.cFileName));
									__eflags = _v600 & 0x00000010;
									if(__eflags == 0) {
										_t43 = E00406585(__eflags, _t61, _t60);
										__eflags = _t43;
										if(_t43 != 0) {
											E00405D3A(0xfffffff2, _t61);
										} else {
											__eflags = _t60;
											if(_t60 == 0) {
												 *0x435ac8 =  *0x435ac8 + 1;
											} else {
												E00405D3A(0xfffffff1, _t61);
												E0040623D(_t61, 0);
											}
										}
									} else {
										__eflags = (_t57 & 0x00000003) - 3;
										if(__eflags == 0) {
											E00406719(__eflags, _t61, _t57);
										}
									}
									goto L25;
								}
								__eflags = _v546;
								if(_v546 == 0) {
									goto L25;
								}
								__eflags = _v546 - _t40;
								if(_v546 != _t40) {
									goto L17;
								}
								__eflags = _v544;
								if(_v544 == 0) {
									goto L25;
								}
								goto L17;
								L25:
								_t46 = FindNextFileW(_t66,  &_v592);
								__eflags = _t46;
								_t40 = 0x2e;
							} while (_t46 != 0);
							_t27 = FindClose(_t66);
							goto L27;
						}
						goto L10;
					}
				} else {
					__eflags = _t27;
					if(_t27 == 0) {
						L33:
						 *0x435ac8 =  *0x435ac8 + 1;
						L35:
						return _t27;
					}
					__eflags = _t57 & 0x00000002;
					if((_t57 & 0x00000002) == 0) {
						L29:
						_t27 = E004065CF(_t61);
						__eflags = _t27;
						if(_t27 == 0) {
							goto L35;
						}
						E00406556(_t61);
						_t27 = E00406585(__eflags, _t61, _t60 | 0x00000001);
						__eflags = _t27;
						if(_t27 != 0) {
							_t27 = E00405D3A(0xffffffe5, _t61);
							goto L35;
						}
						__eflags = _t60;
						if(_t60 == 0) {
							goto L33;
						}
						E00405D3A(0xfffffff1, _t61);
						_t27 = E0040623D(_t61, 0);
						goto L35;
					}
					goto L5;
				}
			}

0x00406720
0x00406728
0x00406733
0x00406736
0x0040673b
0x00406742
0x00406745
0x0040674d
0x0040674f
0x00406750
0x00000000
0x00406750
0x0040675e
0x0040675e
0x00406761
0x00406765
0x00406778
0x0040677e
0x00406783
0x0040678b
0x0040679c
0x0040678d
0x00406797
0x00406797
0x004067a3
0x004067a6
0x004067b2
0x004067b8
0x00000000
0x004067a8
0x004067a8
0x004067b0
0x004067ba
0x004067c4
0x004067d2
0x004067d8
0x004067da
0x004067dd
0x0040687b
0x0040687b
0x00406880
0x00000000
0x00000000
0x00406882
0x00406888
0x0040688c
0x00406890
0x00000000
0x00000000
0x00000000
0x00406890
0x004067e5
0x004067e6
0x004067e6
0x004067eb
0x00406804
0x0040680d
0x00406812
0x00406817
0x0040682d
0x00406832
0x00406834
0x00406858
0x00406836
0x00406836
0x00406838
0x0040684d
0x0040683a
0x0040683d
0x00406846
0x00406846
0x00406838
0x00406819
0x0040681e
0x00406820
0x00406824
0x00406824
0x00406820
0x00000000
0x00406817
0x004067ed
0x004067f3
0x00000000
0x00000000
0x004067f5
0x004067fa
0x00000000
0x00000000
0x004067fc
0x00406802
0x00000000
0x00000000
0x00000000
0x0040685d
0x00406863
0x0040686b
0x0040686d
0x0040686d
0x00406875
0x00000000
0x00406875
0x00000000
0x004067b0
0x00406767
0x00406767
0x00406769
0x004068c9
0x004068c9
0x004068d9
0x00000000
0x004068d9
0x0040676f
0x00406772
0x00406892
0x00406893
0x00406898
0x0040689a
0x00000000
0x00000000
0x0040689d
0x004068a9
0x004068ae
0x004068b0
0x004068d4
0x00000000
0x004068d4
0x004068b2
0x004068b4
0x00000000
0x00000000
0x004068b9
0x004068c2
0x00000000
0x004068c2
0x00000000
0x00406772

APIs

Part of subcall function 00406638: lstrlenW.KERNEL32(004305C0,00000000,004305C0,004305C0,00000000,?,?,0040673B,?,00000000,766DFAA0,?), ref: 0040668C
Part of subcall function 00406638: GetFileAttributesW.KERNEL32(004305C0,004305C0), ref: 0040669D

DeleteFileW.KERNELBASE(?,?,00000000,766DFAA0,?), ref: 00406745
lstrcatW.KERNEL32(0042FDC0,\*.*), ref: 00406797
lstrcatW.KERNEL32(?,004092B0), ref: 004067B8
lstrlenW.KERNEL32(?), ref: 004067BB
FindFirstFileW.KERNELBASE(0042FDC0,?), ref: 004067D2
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406863
FindClose.KERNEL32(00000000), ref: 00406875

Strings

\*.*, xrefs: 0040678D

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction ID: dccc3e871a12a5ab9d695c44a96518fee9cafe6829caada924bdb8552f231abd
Opcode Fuzzy Hash: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction Fuzzy Hash: 084106322067116AD7207B259C49A6B73A8EF41318F16893FF943F21D1E73C8D6586AF

Uniqueness

Uniqueness Score: -1.00%

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065CF(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4321c0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4321c0;
			}

0x004065da
0x004065e3
0x00000000
0x004065f0
0x004065e6
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,004321C0,00000000,0040667C,004305C0), ref: 004065DA
FindClose.KERNEL32(00000000), ref: 004065E6

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction ID: 9bce445b90ad5ff1b83c175b3b927286731ee1a5929a82a3f0dae3cb9bd988e9
Opcode Fuzzy Hash: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction Fuzzy Hash: 64D012756051316BD70057787E0CC8B7F699F05330F158A36B066F11F5D7748C6196AC

Uniqueness

Uniqueness Score: -1.00%

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19
fileCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00402B75(void* __edi, void* __esi, struct _WIN32_FIND_DATAW _a136, void* _a172) {
				void* _v4;
				void* _t5;
				intOrPtr _t10;
				void* _t14;
				void* _t20;

				_t5 = FindFirstFileW(E0040303E(_t14, 2),  &_a136); // executed
				if(_t5 != 0xffffffff) {
					E0040661F(__esi, _t5);
					_push(_t20 + 0xb8);
					_push(__edi);
					E00406B1A();
					_t10 =  *((intOrPtr*)(_t20 + 0x10));
				} else {
					 *__esi = __ax;
					 *__edi = __ax;
					_t10 = 1;
				}
				 *0x435ac8 =  *0x435ac8 + _t10;
				return 0;
			}

0x00402b85
0x00402b8e
0x00402b9c
0x00402b6e
0x00402b6f
0x00401d46
0x00402ea1
0x00402b90
0x00402b92
0x00402857
0x0040170b
0x0040170b
0x00402ea5
0x00402eb7

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402B85

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction ID: 4ed41b4626080909459e48417ffb7120e43efe1e52fe46e4786edeb33a661726
Opcode Fuzzy Hash: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction Fuzzy Hash: ADD0EC61414150A9D2606F71894DABA73ADAF45314F204A3EF156E50D1EAB85501973B

Uniqueness

Uniqueness Score: -1.00%

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00404F92(struct HWND__* _a4, int _a8, signed int _a12, long _a16) {
				signed int _v32;
				struct HWND__* _v40;
				void* _v84;
				void* _v88;
				signed int _t51;
				signed int _t53;
				intOrPtr _t55;
				struct HWND__* _t58;
				signed int _t67;
				int _t77;
				struct HWND__* _t113;
				struct HWND__* _t137;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				struct HWND__* _t142;
				signed int _t143;
				long _t146;
				int _t149;
				struct HWND__* _t156;
				void* _t159;

				_t137 = _a4;
				_t143 = _a8;
				if(_t143 == 0x110 || _t143 == 0x408) {
					_t139 = _a12;
					 *0x42dd48 = _t139;
					if(_t143 == 0x110) {
						 *0x4349f8 = _t137;
						 *0x42dd54 = GetDlgItem(_t137, 1);
						_t113 = GetDlgItem(_t137, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x42dd58 = _t113;
						E0040551A(_t137);
						SetClassLongW(_t137, 0xfffffff2,  *0x4349d8); // executed
						 *0x4349ec = E00401533(4);
						_t139 = 1;
						 *0x42dd48 = 1;
					}
					_t51 =  *0x40b014; // 0x0
					_t146 = (_t51 << 6) +  *0x435a20;
					if(_t51 < 0) {
						L38:
						E004054E8(0x40b);
						while(1) {
							_t140 =  *0x40b014; // 0x0
							_t53 =  *0x42dd48;
							_t141 = _t140 + _t53;
							_t146 = _t146 + (_t53 << 6);
							 *0x40b014 = _t141;
							_t55 =  *0x435a24;
							if(_t141 == _t55) {
								E00401533(1);
								_t55 =  *0x435a24;
								_t141 =  *0x40b014; // 0x0
							}
							if( *0x4349ec != 0 || _t141 >= _t55) {
								break;
							}
							_push( *((intOrPtr*)(_t146 + 0x24)));
							_push(0x445000);
							_a12 =  *((intOrPtr*)(_t146 + 0x14));
							E00405EBA();
							_push( *((intOrPtr*)(_t146 + 0x20)));
							_push(0xfffffc19);
							E0040551A(_t137);
							_push( *((intOrPtr*)(_t146 + 0x1c)));
							_push(0xfffffc1b);
							E0040551A(_t137);
							_push( *((intOrPtr*)(_t146 + 0x28)));
							_push(0xfffffc1a);
							E0040551A(_t137);
							_t142 = GetDlgItem(_t137, 3);
							_t67 = _v32;
							_v40 = _t142;
							if( *0x435acc != 0) {
								_t67 = _t67 & 0xfffffefd | 0x00000004;
								 *(_t159 + 0x2c) = _t67;
							}
							ShowWindow(_t142, _t67 & 0x00000008); // executed
							EnableWindow( *(_t159 + 0x28),  *(_t159 + 0x2c) & 0x00000100); // executed
							EnableWindow( *0x42dd54,  *(_t159 + 0x2c) & 0x00000002); // executed
							_t77 =  *(_t159 + 0x2c) & 0x00000004;
							 *(_t159 + 0x34) = _t77;
							EnableWindow( *0x42dd58, _t77);
							if( *(_t159 + 0x2c) == 0) {
								_push(1);
							} else {
								_push(0);
							}
							EnableMenuItem(GetSystemMenu(_t137, 0), 0xf060, ??);
							SendMessageW( *(_t159 + 0x30), 0xf4, 0, 1);
							if( *0x435acc == 0) {
								_push( *0x42dd54);
							} else {
								SendMessageW(_t137, 0x401, 2, 0);
								_push( *0x42dd58);
							}
							E00405503();
							E00406B1A("Waywort87 Setup: Installing", E00405D1B());
							_push( *((intOrPtr*)(_t146 + 0x18)));
							_push(0x42bd48 + lstrlenW("Waywort87 Setup: Installing") * 2);
							E00405EBA();
							SetWindowTextW(_t137, "Waywort87 Setup: Installing"); // executed
							_push(0);
							if(E00401399( *((intOrPtr*)(_t146 + 8))) != 0 ||  *_t146 == 0) {
								continue;
							} else {
								if( *(_t146 + 4) != 5) {
									DestroyWindow( *0x4349dc); // executed
									 *0x42dd4c = _t146;
									if( *_t146 <= 0) {
										L62:
										_t58 =  *0x4349dc;
										goto L63;
									}
									_t58 = CreateDialogParamW( *0x4349f4,  *_t146 +  *0x4349d4 & 0x0000ffff, _t137,  *(0x40b018 +  *(_t146 + 4) * 4), _t146); // executed
									 *0x4349dc = _t58;
									if(_t58 == 0) {
										goto L63;
									}
									_push( *((intOrPtr*)(_t146 + 0x2c)));
									_push(6);
									E0040551A(_t58);
									GetWindowRect(GetDlgItem(_t137, 0x3fa), _t159 + 0x10);
									ScreenToClient(_t137, _t159 + 0x10);
									SetWindowPos( *0x4349dc, 0,  *(_t159 + 0x20),  *(_t159 + 0x20), 0, 0, 0x15);
									_push(0);
									E00401399( *((intOrPtr*)(_t146 + 0xc)));
									if( *0x4349ec != 0) {
										goto L66;
									}
									ShowWindow( *0x4349dc, 8); // executed
									E004054E8(0x405);
									goto L62;
								}
								if( *0x435acc != 0) {
									goto L66;
								}
								if( *0x435ac0 != 0) {
									continue;
								}
								goto L66;
							}
						}
						DestroyWindow( *0x4349dc);
						 *0x4349f8 = 0;
						EndDialog(_t137,  *0x42bd44);
						goto L62;
					} else {
						if(_t139 != 1) {
							L37:
							if( *_t146 == 0) {
								goto L66;
							}
							goto L38;
						}
						_push(0);
						if(E00401399( *((intOrPtr*)(_t146 + 0x10))) == 0) {
							goto L37;
						}
						SendMessageW( *0x4349dc, 0x40f, 0, 1);
						return 0 |  *0x4349ec == 0x00000000;
					}
				} else {
					if(_t143 != 0x47) {
						if(_t143 != 5) {
							if(_t143 != 0x40d) {
								if(_t143 != 0x11) {
									if(_t143 != 0x111) {
										goto L29;
									}
									_t138 = _a12;
									_t149 = _a12 & 0x0000ffff;
									_a8 = _t149;
									_t156 = GetDlgItem(_a4, _t149);
									if(_t156 == 0) {
										L16:
										if(_t149 != 1) {
											if(_t149 != 3) {
												if(_t149 != 2) {
													L28:
													SendMessageW( *0x4349dc, 0x111, _a12, _a16);
													goto L29;
												}
												if( *0x435acc == 0) {
													if(E00401533(3) != 0) {
														goto L30;
													}
													 *0x42bd44 = 1;
													L26:
													_push(0x78);
													L27:
													E00405958();
													goto L30;
												}
												E00401533(_t149);
												 *0x42bd44 = _t149;
												goto L26;
											}
											if( *0x40b014 <= 0) {
												goto L28;
											}
											_push(0xffffffff);
											goto L27;
										}
										_push(1);
										goto L27;
									}
									SendMessageW(_t156, 0xf3, 0, 0);
									if(IsWindowEnabled(_t156) == 0) {
										L66:
										return 0;
									}
									_t149 = _a8;
									goto L16;
								}
								SetWindowLongW(_t137, 0, 0);
								return 1;
							}
							DestroyWindow( *0x4349dc);
							_t58 = _a12;
							 *0x4349dc = _t58;
							L63:
							if( *0x42bd40 == 0 && _t58 != 0) {
								ShowWindow(_t137, 0xa); // executed
								 *0x42bd40 = 1;
							}
							goto L66;
						}
						_t138 = _a12;
						asm("sbb eax, eax");
						ShowWindow( *0x42dd50,  ~(_t138 - 1) & _t143);
						if(_t138 == 2 && (GetWindowLongW(_a4, 0xfffffff0) & 0x21010000) == 0x1000000) {
							ShowWindow(_a4, 4);
						}
						goto L30;
					} else {
						SetWindowPos( *0x42dd50, _t137, 0, 0, 0, 0, 0x13);
						L29:
						_t138 = _a12;
						L30:
						return E0040575B(_t143, _t138, _a16);
					}
				}
			}

0x00404f9b
0x00404fa4
0x00404fab
0x00405133
0x0040513d
0x00405145
0x00405149
0x00405154
0x00405159
0x0040515b
0x0040515d
0x00405160
0x00405165
0x00405173
0x00405180
0x00405185
0x00405187
0x00405187
0x0040518d
0x00405199
0x004051a1
0x004051df
0x004051e4
0x004051e9
0x004051e9
0x004051ef
0x004051f4
0x004051f9
0x004051fb
0x00405201
0x00405208
0x0040520b
0x00405210
0x00405215
0x00405215
0x00405221
0x00000000
0x00000000
0x0040522f
0x00405235
0x0040523a
0x0040523e
0x00405243
0x00405246
0x0040524c
0x00405251
0x00405254
0x0040525a
0x0040525f
0x00405262
0x00405268
0x00405276
0x00405278
0x0040527c
0x00405286
0x0040528d
0x00405290
0x00405290
0x00405299
0x004052ad
0x004052c1
0x004052cb
0x004052d5
0x004052d9
0x004052e3
0x004052e8
0x004052e5
0x004052e5
0x004052e5
0x004052f7
0x00405308
0x00405314
0x0040532d
0x00405316
0x0040531f
0x00405325
0x00405325
0x00405333
0x00405343
0x00405348
0x0040535c
0x0040535d
0x00405368
0x0040536e
0x00405379
0x00000000
0x00405387
0x0040538b
0x004053b0
0x004053b6
0x004053be
0x00405489
0x00405489
0x00000000
0x00405489
0x004053e4
0x004053ea
0x004053f1
0x00000000
0x00000000
0x004053f7
0x004053fa
0x004053fd
0x00405414
0x00405420
0x00405439
0x0040543f
0x00405443
0x0040544e
0x00000000
0x00000000
0x00405458
0x00405463
0x00000000
0x00405463
0x00405393
0x00000000
0x00000000
0x0040539f
0x00000000
0x00000000
0x00000000
0x004053a5
0x00405379
0x00405470
0x0040547c
0x00405483
0x00000000
0x004051a3
0x004051a5
0x004051d7
0x004051d9
0x00000000
0x00000000
0x00000000
0x004051d9
0x004051a7
0x004051b2
0x00000000
0x00000000
0x004051c1
0x00000000
0x004051cf
0x00404fbd
0x00404fc0
0x00404fdf
0x00405035
0x00405054
0x0040506f
0x00000000
0x00000000
0x00405075
0x00405079
0x00405081
0x0040508b
0x0040508f
0x004050b4
0x004050b9
0x004050c1
0x004050d3
0x00405106
0x00405119
0x00000000
0x00405119
0x004050dc
0x004050f5
0x00000000
0x00000000
0x004050f7
0x004050fd
0x004050fd
0x004050ff
0x004050ff
0x00000000
0x004050ff
0x004050df
0x004050e4
0x00000000
0x004050e4
0x004050ca
0x00000000
0x00000000
0x004050cc
0x00000000
0x004050cc
0x004050bb
0x00000000
0x004050bb
0x0040509b
0x004050aa
0x004054aa
0x00000000
0x004054aa
0x004050b0
0x00000000
0x004050b0
0x0040505b
0x00000000
0x00405063
0x0040503d
0x00405043
0x00405047
0x0040548e
0x00405495
0x0040549e
0x004054a4
0x004054a4
0x00000000
0x00405495
0x00404fe1
0x00404ff0
0x00404ffb
0x00405000
0x00405028
0x00405028
0x00000000
0x00404fc2
0x00404fd1
0x0040511f
0x0040511f
0x00405123
0x00000000
0x00405129
0x00404fc0

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FD1
ShowWindow.USER32(?), ref: 00404FFB
GetWindowLongW.USER32(?,000000F0), ref: 0040500C
ShowWindow.USER32(?,00000004), ref: 00405028
GetDlgItem.USER32 ref: 0040514F
GetDlgItem.USER32 ref: 00405159
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00405173
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004051C1
GetDlgItem.USER32 ref: 00405270
ShowWindow.USER32(00000000,?), ref: 00405299
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004052AD
KiUserCallbackDispatcher.NTDLL(?), ref: 004052C1
EnableWindow.USER32(?), ref: 004052D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052F0
EnableMenuItem.USER32 ref: 004052F7
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405308
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040531F
lstrlenW.KERNEL32(Waywort87 Setup: Installing,?,Waywort87 Setup: Installing,00000000), ref: 00405350

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

SetWindowTextW.USER32(?,Waywort87 Setup: Installing), ref: 00405368

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 004053B0
CreateDialogParamW.USER32 ref: 004053E4

Part of subcall function 0040551A: SetDlgItemTextW.USER32 ref: 00405534

GetDlgItem.USER32 ref: 0040540D
GetWindowRect.USER32 ref: 00405414
ScreenToClient.USER32 ref: 00405420
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405439
ShowWindow.USER32(00000008,?,00000000), ref: 00405458

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

ShowWindow.USER32(?,0000000A), ref: 0040549E

Strings

Waywort87 Setup: Installing, xrefs: 0040533E, 0040534B, 00405362

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherUser$EnableMenuText$ClientCreateDestroyDialogLongParamRectScreenSystemlstrcatlstrlen
String ID: Waywort87 Setup: Installing
API String ID: 3983482075-679012682
Opcode ID: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction ID: ac036152562477463cd4b906f759de02b60d47e3f23a7c23d24dd845f532a47a
Opcode Fuzzy Hash: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction Fuzzy Hash: 39D19071A00A11BFDB206F61ED49A6B7BA8FB84355F00053AF506B62F1C7389851DF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3E Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405A3E() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				intOrPtr* _t21;
				short _t22;
				void* _t31;
				void* _t33;
				void* _t34;
				int _t35;
				int _t40;
				int _t41;
				int _t45;
				int _t59;
				short _t66;
				WCHAR* _t69;
				signed char _t73;
				signed short _t77;
				short _t81;
				void* _t82;
				void* _t84;
				signed int _t86;
				intOrPtr _t87;
				WCHAR* _t92;
				WCHAR* _t93;
				WCHAR* _t94;

				_t87 =  *0x435a10;
				_t21 = E004068E6(2);
				_t81 = 0x30;
				_t97 = _t21;
				if(_t21 == 0) {
					_t22 = 0x78;
					 *0x442002 = _t22;
					L"1033" = _t81;
					 *0x442004 = 0;
					E00406977(_t81, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42bd48, 0);
					__eflags =  *0x42bd48; // 0x57
					if(__eflags == 0) {
						E00406977(_t81, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M00409684, 0x42bd48, 0);
					}
					lstrcatW(L"1033", 0x42bd48);
				} else {
					_t77 =  *_t21(); // executed
					E0040661F(L"1033", _t77 & 0x0000ffff);
				}
				E0040597F(_t97);
				_t94 = L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
				 *0x435adc = 0x10000;
				 *0x435ac0 =  *0x435a0c & 0x00000020;
				if(E00406638(_t97, _t94) != 0) {
					L16:
					if(E00406638(_t106, _t94) == 0) {
						_push( *((intOrPtr*)(_t87 + 0x118)));
						_push(_t94);
						E00405EBA();
					}
					_t31 = LoadImageW( *0x4349f4, 0x67, 1, 0, 0, 0x8040); // executed
					_t82 = _t31;
					 *0x4349d8 = _t82;
					if( *((intOrPtr*)(_t87 + 0x50)) == 0xffffffff) {
						L22:
						__eflags = E00401533(0);
						if(__eflags != 0) {
							L32:
							_t33 = 2;
							return _t33;
						}
						_t34 = E0040597F(__eflags);
						__eflags =  *0x435ae0;
						if( *0x435ae0 != 0) {
							_t35 = E00405864(_t34, 0);
							__eflags = _t35;
							if(_t35 == 0) {
								E00401533(1);
								goto L20;
							}
							__eflags =  *0x4349ec;
							if( *0x4349ec == 0) {
								E00401533(2);
							}
							goto L32;
						}
						ShowWindow( *0x42dd50, 5); // executed
						_t40 = E0040619E("RichEd20"); // executed
						__eflags = _t40;
						if(_t40 == 0) {
							E0040619E("RichEd32");
						}
						_t41 = GetClassInfoW(0, L"RichEdit20W", 0x4349a0);
						__eflags = _t41;
						if(_t41 == 0) {
							GetClassInfoW(0, L"RichEdit", 0x4349a0);
							 *0x4349c4 = L"RichEdit20W";
							RegisterClassW(0x4349a0);
						}
						_t45 = DialogBoxParamW( *0x4349f4,  *0x4349d4 + 0x00000069 & 0x0000ffff, 0, E00404F92, 0); // executed
						E00403CF8(E00401533(5), 1);
						return _t45;
					} else {
						_t92 = L"_Nb";
						 *0x4349a4 = E00401000;
						 *0x4349b0 =  *0x4349f4;
						 *0x4349b4 = _t82;
						 *0x4349c4 = _t92;
						if(RegisterClassW(0x4349a0) != 0) {
							SystemParametersInfoW(0x30, 0,  &_v16, 0);
							_t59 = _v8 - _v16;
							__eflags = _t59;
							 *0x42dd50 = CreateWindowExW(0x80, _t92, 0, 0x80000000, _v16, _v12, _t59, _v4 - _v12, 0, 0,  *0x4349f4, 0);
							goto L22;
						}
						L20:
						return 0;
					}
				} else {
					_t86 =  *(_t87 + 0x48);
					_t99 = _t86;
					if(_t86 == 0) {
						goto L16;
					}
					_t83 =  *0x435a38;
					_t93 = 0x4339a0;
					E00406977( *0x435a38, _t99,  *((intOrPtr*)(_t87 + 0x44)),  *0x435a38 + _t86 * 2, _t83 +  *(_t87 + 0x4c) * 2, 0x4339a0, 0);
					_t66 =  *0x4339a0; // 0x43
					if(_t66 == 0) {
						goto L16;
					}
					_t84 = 0x22;
					if(_t66 == _t84) {
						_t93 = 0x4339a2;
						 *((short*)(E004065F6(0x4339a2, _t84))) = 0;
					}
					_t69 =  &(_t93[lstrlenW(_t93) + 0xfffffffc]);
					if(_t69 <= _t93 || lstrcmpiW(_t69, L".exe") != 0) {
						L15:
						E00406B1A(_t94, E00406556(_t93));
						goto L16;
					} else {
						_t73 = GetFileAttributesW(_t93);
						if(_t73 == 0xffffffff) {
							L14:
							E00406D10(_t93);
							goto L15;
						}
						_t106 = _t73 & 0x00000010;
						if((_t73 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00405a45
0x00405a4d
0x00405a56
0x00405a57
0x00405a59
0x00405a6f
0x00405a76
0x00405a85
0x00405a91
0x00405a97
0x00405a9c
0x00405aa3
0x00405ab6
0x00405ab6
0x00405ac1
0x00405a5b
0x00405a5b
0x00405a66
0x00405a66
0x00405ac6
0x00405ad0
0x00405ad8
0x00405ae3
0x00405aef
0x00405b87
0x00405b8f
0x00405b91
0x00405b97
0x00405b98
0x00405b98
0x00405bae
0x00405bb4
0x00405bbb
0x00405bcb
0x00405c4a
0x00405c50
0x00405c52
0x00405d04
0x00405d06
0x00000000
0x00405d06
0x00405c58
0x00405c5d
0x00405c63
0x00405cec
0x00405cf1
0x00405cf3
0x00405d11
0x00000000
0x00405d11
0x00405cf5
0x00405cfb
0x00405cff
0x00405cff
0x00000000
0x00405cfb
0x00405c71
0x00405c7c
0x00405c81
0x00405c83
0x00405c8a
0x00405c8a
0x00405c9c
0x00405c9e
0x00405ca0
0x00405ca9
0x00405cac
0x00405cb6
0x00405cb6
0x00405cd1
0x00405ce2
0x00000000
0x00405bcd
0x00405bd2
0x00405bd8
0x00405be2
0x00405be7
0x00405bed
0x00405bf8
0x00405c0a
0x00405c26
0x00405c26
0x00405c45
0x00000000
0x00405c45
0x00405bfa
0x00000000
0x00405bfa
0x00405af5
0x00405af5
0x00405af8
0x00405afa
0x00000000
0x00000000
0x00405b00
0x00405b06
0x00405b1b
0x00405b20
0x00405b29
0x00000000
0x00000000
0x00405b2d
0x00405b31
0x00405b34
0x00405b41
0x00405b41
0x00405b4d
0x00405b52
0x00405b7a
0x00405b82
0x00000000
0x00405b64
0x00405b65
0x00405b6e
0x00405b74
0x00405b75
0x00000000
0x00405b75
0x00405b70
0x00405b72
0x00000000
0x00000000
0x00000000
0x00405b72
0x00405b52

APIs

Part of subcall function 004068E6: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
Part of subcall function 004068E6: GetProcAddress.KERNEL32(00000000), ref: 00406910

GetUserDefaultUILanguage.KERNELBASE(00000002,00000000,766DFAA0,00000000,766DF7F0), ref: 00405A5B

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

lstrcatW.KERNEL32(1033,Waywort87 Setup: Installing), ref: 00405AC1
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,1033,Waywort87 Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Waywort87 Setup: Installing,00000000,00000002,00000000), ref: 00405B45
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,1033,Waywort87 Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Waywort87 Setup: Installing,00000000), ref: 00405B5A
GetFileAttributesW.KERNEL32(Call), ref: 00405B65
LoadImageW.USER32 ref: 00405BAE
RegisterClassW.USER32 ref: 00405BF3
SystemParametersInfoW.USER32 ref: 00405C0A
CreateWindowExW.USER32 ref: 00405C3F
ShowWindow.USER32(00000005,00000000), ref: 00405C71
GetClassInfoW.USER32 ref: 00405C9C
GetClassInfoW.USER32 ref: 00405CA9
RegisterClassW.USER32 ref: 00405CB6
DialogBoxParamW.USER32 ref: 00405CD1

Strings

Waywort87 Setup: Installing, xrefs: 00405A71, 00405A7C, 00405A9C, 00405AA6, 00405ABB
RichEdit, xrefs: 00405CA3
Control Panel\Desktop\ResourceLocale, xrefs: 00405A7E
RichEd20, xrefs: 00405C77
RichEdit20W, xrefs: 00405C96, 00405CAC
.exe, xrefs: 00405B54
RichEd32, xrefs: 00405C85
_Nb, xrefs: 00405BD2, 00405C39
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 00405AD0, 00405AE2, 00405B81, 00405B87, 00405B97
1033, xrefs: 00405A61, 00405A85, 00405ABC
Call, xrefs: 00405B06, 00405B0F, 00405B20, 00405B74, 00405B7A
.DEFAULT\Control Panel\International, xrefs: 00405AAC

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Waywort87 Setup: Installing$_Nb
API String ID: 606308-846033642
Opcode ID: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
Instruction ID: 6fb6b78dff8dcbba7a007941f02a836e4a1cfbcf653c0408c2f56a309db5e394
Opcode Fuzzy Hash: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
Instruction Fuzzy Hash: 7061E4B1201605BEE610AB75AD45F7B36ACEF80358F50453BF901B61E2DB79AC108F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040154A Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040154A(void* _a4) {
				char _v548;
				struct _WIN32_FIND_DATAW _v596;
				void* _v620;
				void* _v624;
				void* _v638;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				int _v652;
				WCHAR* _v656;
				short _v660;
				short _v664;
				RECT* _v668;
				struct _FILETIME _v676;
				signed int _v680;
				int _v684;
				int _v688;
				signed int _v692;
				void _v696;
				int _v700;
				int _v704;
				int _v708;
				RECT* _v712;
				char _v716;
				signed int _v720;
				RECT* _v724;
				signed int _v728;
				WCHAR* _v732;
				int _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				void* _v752;
				int _v756;
				intOrPtr _v760;
				int _v764;
				void* _v768;
				int _v776;
				void* _v784;
				void* _v792;
				void* _v796;
				signed int _t453;
				char _t457;
				signed int _t459;
				signed int _t461;
				int _t466;

				_t459 = 7;
				_v700 =  *0x4349f8;
				memcpy( &_v696, _a4, _t459 << 2);
				_t461 = _v692;
				_t453 = _v688;
				_v652 = _t461;
				_v704 = (_t461 << 0xb) + 0x436000;
				 *0x40b104 =  &_v692;
				_t466 = _v696 + 0xfffffffe;
				_v716 = 0;
				_v708 = _t466;
				_v668 = _t453;
				_v712 = (_t453 << 0xb) + 0x436000;
				if(_t466 > 0x43) {
					L391:
					_t457 = _v716;
					L392:
					 *0x435ac8 =  *0x435ac8 + _t457;
					L393:
					return 0;
				}
				switch( *((intOrPtr*)(_v708 * 4 +  &M00402EBA))) {
					case 0:
						return _t461;
					case 1:
						_push(0);
						_push(__ecx);
						goto L4;
					case 2:
						 *0x4349ec =  *0x4349ec + 1;
						__eflags = __edx;
						if(__edx != 0) {
							PostQuitMessage(0);
						}
						goto L5;
					case 3:
						E004030FD(__ecx) = __eax - 1;
						_push(0);
						return __eax;
					case 4:
						_push(0);
						_push(__ecx);
						goto L10;
					case 5:
						__eax = E00403002(0);
						0 = 1;
						__eflags = __eax - 1;
						__ecx =  >  ? __eax : 1;
						Sleep( >  ? __eax : 1); // executed
						goto L391;
					case 6:
						__eax = SetForegroundWindow(__edx);
						goto L391;
					case 7:
						__edx =  *0x4349e4;
						__esi = ShowWindow;
						__eflags = __edx;
						if(__edx != 0) {
							__eax = ShowWindow(__edx, __eax);
							__ecx = _v692;
						}
						__eax =  *0x4349e8;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = ShowWindow(__eax, __ecx);
						}
						goto L391;
					case 8:
						__eax = E0040303E(__edx, 0xfffffff0);
						__eax = SetFileAttributesW(__eax, _v692); // executed
						goto L27;
					case 9:
						__edi = E0040303E(__edx, 0xfffffff0);
						__eax = E00406BC5(__edi);
						__ebx = _v724;
						__esi = __eax;
						__eflags = __esi;
						if(__esi == 0) {
							L41:
							__eflags = _v688;
							_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
							if(_v688 == 0) {
								_push(0xfffffff5);
								goto L10;
							} else {
								_push(0xffffffe6);
								E00405D3A() = E00406B1A(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", __edi);
								__eax = SetCurrentDirectoryW(__edi); // executed
								__eflags = __eax;
								if(__eax == 0) {
									_v716 = 0;
								}
								goto L391;
							}
						} else {
							goto L30;
						}
						L31:
						__eflags = _v684;
						if(_v684 == 0) {
							goto L34;
						}
						__eax = E004064FC();
						__eflags = __eax;
						if(__eax != 0) {
							__eax = E00405E3E(__edi); // executed
							L35:
							__eflags = __eax;
							if(__eax == 0) {
								L39:
								 *__esi = __bp;
								__esi = __esi + 2;
								__eflags = __bp;
								if(__bp != 0) {
									L30:
									__esi = E004065F6(__esi, 0x5c);
									__eax = 0;
									__ebp =  *__esi & 0x0000ffff;
									 *__esi = __ax;
									__eflags = __bp;
									if(__bp != 0) {
										goto L34;
									}
									goto L31;
								} else {
									_v716 = __ebx;
									goto L41;
								}
							}
							__eflags = __eax - 0xb7;
							if(__eax != 0xb7) {
								L38:
								__ebx =  &(__ebx[0]);
								__eflags = __ebx;
								goto L39;
							}
							__eax = GetFileAttributesW(__edi); // executed
							__eflags = __al & 0x00000010;
							if((__al & 0x00000010) != 0) {
								goto L39;
							}
							goto L38;
						}
						L34:
						__eax = E00405E1E(__edi);
						goto L35;
					case 0xa:
						__eax = E0040303E(__edx, 0);
						__eax = E004065CF(__eax);
						goto L176;
					case 0xb:
						__eax = _v684;
						__eflags = _v684;
						if(__eflags > 0) {
							__eax =  *(0x435a80 + __ecx * 4);
							 *(0x435ac0 + __ecx * 4) =  *(0x435a80 + __ecx * 4);
						} else {
							if(__eflags == 0) {
								__eax =  *(0x435ac0 + __ecx * 4);
								 *(0x435a80 + __ecx * 4) =  *(0x435ac0 + __ecx * 4);
							}
							0 = E00403002(1);
							__eax = _v692;
							 *(0x435ac0 + _v692 * 4) = __ecx;
						}
						goto L391;
					case 0xc:
						__ecx = _v684;
						_push(4);
						__edx =  *(0x435ac0 + __ecx * 4);
						__edx = __edx & _v680;
						 *(0x435ac0 + __ecx * 4) = __edx & _v680;
						__eax = 0;
						__eflags = __edx;
						_pop(__ecx);
						 ==  ? 0 : 0 =  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
						return  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
					case 0xd:
						_push( *((intOrPtr*)(0x435ac0 + __eax * 4)));
						goto L20;
					case 0xe:
						__esi = E0040303E(__edx, 0xffffffd0);
						__edi = E0040303E(__edx, 0xffffffdf);
						__eax = E0040303E(__edx, 0x13);
						__eax = MoveFileW(__esi, __edi); // executed
						__eflags = __eax;
						if(__eax == 0) {
							__eflags = _v684;
							if(_v684 == 0) {
								goto L28;
							}
							__eax = E004065CF(__esi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L28;
							} else {
								__eax = E0040623D(__esi, __edi);
								_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
								_push(0xffffffe4);
								goto L10;
							}
						} else {
							_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
							_push(0xffffffe3);
							L10:
							__eax = E00405D3A();
							goto L391;
						}
					case 0xf:
						__edi = E0040303E(__edx, 0);
						__eax =  &_v716;
						__eax = GetFullPathNameW(__edi, 0x400, __esi,  &_v716);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = _v712;
							__eflags = __eax - __edi;
							if(__eax <= __edi) {
								L57:
								__ebx = _v716;
								L58:
								__eflags = _v684 - __ebp;
								if(_v684 == __ebp) {
									__eax = GetShortPathNameW(__esi, __esi, 0x400);
								}
								goto L392;
							}
							__eflags =  *__eax - __bp;
							if( *__eax == __bp) {
								goto L57;
							}
							__eax = E004065CF(__edi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L52;
							} else {
								__eflags = __eax;
								__eax = E00406B1A(_v712, __eax);
								goto L57;
							}
						}
						L52:
						0 = 1;
						__eax = 0;
						 *__esi = __ax;
						goto L58;
					case 0x10:
						__eax = E0040303E(__edx, 0xffffffff);
						__ecx =  &_v656;
						__eax = SearchPathW(0, __eax, 0, 0x400, __edi,  &_v656); // executed
						__eflags = __eax;
						if(__eax != 0) {
							goto L391;
						}
						goto L61;
					case 0x11:
						__eax = E0040303E(__edx, 0xffffffef);
						__eax = E00406A56(__ecx, __edi, __eax); // executed
						goto L27;
					case 0x12:
						__eax = E0040303E(__edx, 0x31);
						__ebx = _v696;
						__esi = __eax;
						__ebx = _v696 & 0x00000007;
						_v708 = __esi;
						_v716 = __ebx;
						__eax = E00406E03(__esi);
						__edi = L"Call";
						_push(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = SetUserObjectSecurity(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", ??, ??);
							__eax = lstrcatW(__eax, __edi);
						} else {
							_push(__edi);
							__eax = E00406B1A();
						}
						__eax = E00406D3D(__edi);
						__esi = 0;
						__esi = 1;
						__eflags = 1;
						do {
							__eflags = __ebx - 3;
							if(__ebx < 3) {
								L71:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax = E00406B9D(__edi);
								}
								__eax = 0;
								__eflags = __ebx - __esi;
								0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
								__eax = E0040691B(__edi, 0x40000000, (__eflags != 0) + 1);
								_v716 = __eax;
								__eflags = __eax - 0xffffffff;
								if(__eax != 0xffffffff) {
									__esi = _v700;
									__eax = E00405D3A(0xffffffea, __esi);
									__ebx = _v712;
									 *0x435af4 =  *0x435af4 + 1;
									__eax = E00403148(_v688, __ebx, __ebp, __ebp);
									 *0x435af4 =  *0x435af4 - 1;
									__eflags = _v700 - 0xffffffff;
									_v728 = __eax;
									if(_v700 != 0xffffffff) {
										L83:
										 &_v676 = SetFileTime(0,  &_v676, __ebp,  &_v676); // executed
										L84:
										__eax = FindCloseChangeNotification(__ebx); // executed
										__eax = _v704;
										__eflags = __eax;
										if(__eax >= 0) {
											goto L391;
										}
										__eflags = __eax - 0xfffffffe;
										if(__eax != 0xfffffffe) {
											_push(0xffffffee);
											_push(__edi);
											__eax = E00405EBA();
										} else {
											_push(0xffffffe9);
											_push(__edi);
											E00405EBA() = lstrcatW(__edi, __esi);
										}
										_push(0x200010);
										_push(__edi);
										goto L89;
									}
									__eflags = _v676.dwHighDateTime - 0xffffffff;
									if(_v676.dwHighDateTime == 0xffffffff) {
										goto L84;
									}
									goto L83;
								} else {
									__eflags = __ebx;
									if(__ebx != 0) {
										__esi = _v700;
										__eax = E00405D3A(0xffffffe2, _v700);
										__ebx = 0;
										__eflags = _v716 - 2;
										goto L80;
									}
									goto L75;
								}
							}
							__eax = E004065CF(__edi);
							__ecx = __ebp;
							__eflags = __eax;
							if(__eax != 0) {
								__ecx =  &_v676;
								__eax = __eax + 0x14;
								__eflags = __eax;
								0 = __eax;
							}
							__ebx =  &(__ebx[0xffffffffffffffff]);
							__ebx = __ebx | 0x80000000;
							__ebx = __ebx & __ecx;
							__ebx =  ~__ebx;
							asm("sbb ebx, ebx");
							__ebx =  &(__ebx[0]);
							__eflags = __ebx;
							_v708 = __ebx;
							goto L71;
							L75:
							E00406B1A("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp", 0x436000) = E00406B1A(0x436000, __edi);
							_push(_v684);
							_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
							E00405EBA() = E00406B1A(0x436000, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp");
							_v720 = _v720 >> 3;
							__eax = E00406AA8("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll", _v720 >> 3);
							__eax = __eax - 4;
							__eflags = __eax;
						} while (__eax == 0);
						__eax = __eax - 1;
						__eflags = __eax;
						if(__eax == 0) {
							 *0x435ac8 =  *0x435ac8 + 1;
							goto L393;
						}
						_push(__edi);
						_push(0xfffffffa);
						L4:
						__eax = E00405D3A();
						goto L5;
					case 0x13:
						_push(0);
						goto L91;
					case 0x14:
						__eax = E0040303E(__edx, 0x31);
						__eax = E00406AA8(__eax, _v696);
						__eflags = __eax;
						if(__eax == 0) {
							goto L28;
						}
						__eflags = __eax - _v684;
						if(__eax == _v684) {
							goto L122;
						}
						__eflags = __eax - _v676.dwLowDateTime;
						if(__eax != _v676.dwLowDateTime) {
							goto L391;
						}
						__eax = _v676.dwHighDateTime;
						return _v676.dwHighDateTime;
					case 0x15:
						_push(0xfffffff0);
						L91:
						E0040303E(__edx) = E00406719(__eflags, __eax, _v692);
						goto L391;
					case 0x16:
						__eax = E0040303E(__edx, 1);
						__eax = lstrlenW(__eax);
						goto L98;
					case 0x17:
						0 = E00403002(2);
						__esi = __edx;
						__ebp = E00403002(3);
						__eax = E0040303E(__edx, 1);
						_v712 = __eax;
						__eax = lstrlenW(__eax);
						__ecx = 0;
						__eflags = __esi;
						 *__edi = __cx;
						__ebx =  ==  ? __eax : __ebx;
						__eflags = __ebx;
						if(__ebx == 0) {
							goto L391;
						}
						__eflags = __ebp;
						if(__ebp >= 0) {
							L102:
							__eflags = __ebp - __eax;
							__ebp =  >  ? __eax : __ebp;
							_v708 = _v708 + __ebp * 2;
							__eax = E00406B1A(__edi, _v708 + __ebp * 2);
							__eflags = __ebx;
							if(__ebx < 0) {
								0 = 0 + lstrlenW(__edi);
								__eflags = __ebx;
							}
							__eax = 0;
							__eflags = __ebx;
							__eax =  >=  ? __ebx : 0;
							__ebx = _v716;
							__eflags = __eax - 0x400;
							if(__eax < 0x400) {
								__ecx = 0;
								 *(__edi + __eax * 2) = __cx;
							}
							goto L392;
						}
						__ebp = __ebp + __eax;
						__eflags = __ebp;
						if(__ebp < 0) {
							goto L391;
						}
						goto L102;
					case 0x18:
						__esi = E0040303E(__edx, 0x20);
						_push(E0040303E(__edx, 0x31));
						_push(__esi);
						__eflags = _v684;
						if(_v684 != 0) {
							__eax = lstrcmpW();
						} else {
							__eax = lstrcmpiW();
						}
						__eflags = __eax;
						if(__eax != 0) {
							goto L122;
						} else {
							goto L110;
						}
					case 0x19:
						__esi = 0;
						__esi = 1;
						0 = E0040303E(__edx, 1);
						__eax = ExpandEnvironmentStringsW(__ebx, __edi, 0x400);
						__eflags = __eax;
						if(__eax == 0) {
							L114:
							__eax = 0;
							__ebx = __esi;
							 *__edi = __ax;
							L116:
							__eax = 0;
							 *(__edi + 0x7fe) = __ax;
							goto L392;
						}
						__eflags = _v684;
						if(_v684 == 0) {
							L115:
							__ebx = _v716;
							goto L116;
						}
						__eax = lstrcmpW(__ebx, __edi);
						__eflags = __eax;
						if(__eax != 0) {
							goto L115;
						}
						goto L114;
					case 0x1a:
						__esi = _v676.dwHighDateTime;
						__edi = E00403002(0);
						__eax = E00403002(1);
						__eflags = _v676.dwHighDateTime;
						if(_v676.dwHighDateTime != 0) {
							__eflags = __edi - __eax;
							if(__eflags >= 0) {
								if(__eflags <= 0) {
									goto L110;
								}
								L124:
								__eax = _v676.dwLowDateTime;
								return _v676.dwLowDateTime;
							}
							L122:
							__eax = _v680;
							return _v680;
						}
						__eflags = __edi - __eax;
						if(__eflags < 0) {
							goto L122;
						}
						if(__eflags <= 0) {
							goto L110;
						}
						goto L124;
					case 0x1b:
						__ebx = 0;
						__ebx = 1;
						__esi = E00403002(1);
						0 = E00403002(2);
						__eax = _v680;
						__eflags = __eax - 0xd;
						if(__eax > 0xd) {
							L149:
							__ebx = _v716;
							L150:
							__eax = E0040661F(__edi, __esi);
							goto L392;
						}
						switch( *((intOrPtr*)(__eax * 4 +  &M00402FCA))) {
							case 0:
								__esi = __esi + __ecx;
								goto L149;
							case 1:
								__esi = __esi - __ecx;
								goto L149;
							case 2:
								__esi = __esi * __ecx;
								goto L149;
							case 3:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L132;
								}
								__eax = __esi;
								asm("cdq");
								_t103 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t103;
								__esi = __eax;
								goto L133;
							case 4:
								__esi = __esi | __ecx;
								goto L149;
							case 5:
								__esi = __esi & __ecx;
								goto L149;
							case 6:
								__esi = __esi ^ __ecx;
								goto L149;
							case 7:
								__eax = 0;
								__eflags = __esi;
								__eax = 0 | __eflags == 0x00000000;
								__esi = __eflags == 0;
								goto L149;
							case 8:
								__eflags = __esi;
								if(__esi == 0) {
									goto L142;
								}
								goto L139;
							case 9:
								__eflags = __esi;
								if(__esi == 0) {
									L140:
									__esi = __ebp;
									goto L149;
								}
								L142:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L140;
								}
								L139:
								__esi = __ebx;
								goto L149;
							case 0xa:
								__eflags = __ecx;
								if(__ecx == 0) {
									L132:
									__esi = __ebp;
									L133:
									__ebx = 0;
									__eflags = __ecx;
									__ebx = 0 | __ecx == 0x00000000;
									goto L150;
								}
								__eax = __esi;
								asm("cdq");
								_t111 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t111;
								__esi = _t111;
								goto L133;
							case 0xb:
								__esi = __esi << __cl;
								goto L149;
							case 0xc:
								__esi = __esi >> __cl;
								goto L149;
							case 0xd:
								__eflags = __esi;
								goto L149;
						}
					case 0x1c:
						__esi = E0040303E(__edx, 1);
						E00403002(2) = wsprintfW(__edi, __esi, __eax);
						__esp = __esp + 0x10;
						goto L391;
					case 0x1d:
						__ecx = _v684;
						__esi =  *0x40b100; // 0x0
						__eflags = __ecx;
						if(__ecx == 0) {
							__eflags = __eax;
							if(__eax == 0) {
								__eax = GlobalAlloc(0x40, 0x804);
								_push(_v692);
								__esi = __eax;
								_t118 = __esi + 4; // 0x4
								__eax = _t118;
								_push(_t118);
								__eax = E00405EBA();
								__eax =  *0x40b100; // 0x0
								 *__esi = __eax;
								 *0x40b100 = __esi;
								goto L391;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L28;
							}
							_t116 = __esi + 4; // 0x4
							_t116 = E00406B1A(__edi, _t116);
							__eax =  *__esi;
							 *0x40b100 =  *__esi;
							__eax = GlobalFree(__esi);
							goto L391;
						} else {
							goto L153;
						}
						while(1) {
							L153:
							__ecx = __ecx - 1;
							__eflags = __esi;
							if(__esi == 0) {
								goto L158;
							}
							__esi =  *__esi;
							__eflags = __ecx;
							if(__ecx != 0) {
								continue;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L158;
							}
							__esi = __esi + 4;
							__edi = L"Call";
							__eax = E00406B1A(__edi, __esi);
							__eax =  *0x40b100; // 0x0
							__eax = E00406B1A(__esi, __eax);
							__eax =  *0x40b100; // 0x0
							_push(__edi);
							__eax = __eax + 4;
							__eflags = __eax;
							_push(__eax);
							goto L157;
						}
						goto L158;
					case 0x1e:
						__esi = E00403002(3);
						_v712 = __esi;
						0 = E00403002(4);
						__eax = _v676.dwHighDateTime;
						__eflags = __al & 0x00000001;
						if((__al & 0x00000001) != 0) {
							__esi = E0040303E(__edx, 0x33);
							__eax = _v676.dwLowDateTime;
							_v716 = __esi;
						}
						__eflags = __al & 0x00000002;
						if((__al & 0x00000002) != 0) {
							0 = E0040303E(__edx, 0x44);
						}
						__eflags = _v696 - 0x21;
						_push(1);
						if(_v696 != 0x21) {
							__esi = E0040303E(__edx);
							__eax = E0040303E(__edx);
							__ecx = 0;
							__eflags =  *__eax - __bp;
							 !=  ? __eax : 0 = 0;
							__eflags =  *__esi - __bp;
							__ecx =  !=  ? __esi : 0;
							__eax = FindWindowExW(_v720, __ebx,  !=  ? __esi : 0,  !=  ? __eax : 0);
							goto L172;
						} else {
							_v712 = E00403002();
							__eax = E00403002(2);
							__ecx = _v676.dwHighDateTime;
							__ecx = _v676.dwHighDateTime >> 2;
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = SendMessageW(_v712, __eax, __esi, __ebx);
								L172:
								_v704 = __eax;
								L173:
								__eflags = _v692 - __ebp;
								if(_v692 < __ebp) {
									goto L391;
								}
								goto L98;
							}
							__edx =  &_v704;
							__eax =  ~__eax;
							asm("sbb ebx, ebx");
							__eax = _v704;
							_v716 = 0;
							goto L173;
						}
					case 0x1f:
						__eax = E00403002(0);
						__eax = IsWindow(__eax);
						L176:
						__eflags = __eax;
						if(__eax == 0) {
							L110:
							__eax = _v684;
							return _v684;
						}
						__eax = _v688;
						return _v688;
					case 0x20:
						__esi = E00403002(2);
						__eax = E00403002(1);
						__eax = GetDlgItem(__eax, __esi);
						goto L98;
					case 0x21:
						__esi =  *0x435a48;
						__esi =  *0x435a48 + __eax;
						E00403002(0) = SetWindowLongW(__eax, 0xffffffeb, __esi);
						goto L391;
					case 0x22:
						__eflags = _v680 & 0x00000100;
						if((_v680 & 0x00000100) == 0) {
							__eax = GetDlgItem(__edx, _v684);
						} else {
							__eax = E00403002(2);
						}
						__ebp = __eax;
						__eax = _v680;
						__ecx = __eax;
						__ebx = __eax;
						__ecx = __eax & 0x00000004;
						__ebx = __eax >> 0x1e;
						_v704 = __eax & 0x00000004;
						__esi = __eax;
						__ecx = __eax;
						__esi = __eax & 0x00000003;
						__ecx = __eax >> 0x1f;
						__ebx = __eax >> 0x0000001e & 0x00000001;
						_v708 = __eax >> 0x1f;
						__eflags = __eax & 0x00010000;
						if((__eax & 0x00010000) == 0) {
							__eax = _v688 & 0x0000ffff;
						} else {
							__eax = E0040303E(__edx, 0x11);
						}
						_v712 = __eax;
						 &_v652 = GetClientRect(__ebp,  &_v652);
						_v680 = _v680 & 0x0000fef0;
						_v640 = _v640 * 0;
						_v644 = _v644 * _v708;
						__eax = 0;
						__eflags = _v704;
						__eax =  !=  ?  *0x4349f4 : 0;
						0 = LoadImageW( !=  ?  *0x4349f4 : 0, _v712, __esi, _v644 * _v708, _v640 * 0, _v680 & 0x0000fef0);
						__eax = SendMessageW(__ebp, 0x172, __esi, __ebx);
						__eflags = __eax;
						if(__eax != 0) {
							__eflags = __esi;
							if(__esi == 0) {
								__eax = DeleteObject(__eax);
							}
						}
						__eflags = _v692;
						if(_v692 < 0) {
							goto L391;
						} else {
							_push(__ebx);
							goto L20;
						}
					case 0x23:
						__edi = GetDC(__edx);
						__esi = E00403002(2);
						__eax = GetDeviceCaps(__edi, 0x5a);
						__eax = MulDiv(__esi, __eax, 0x48);
						0x40d908->lfHeight = __eax;
						_v708 = ReleaseDC(_v708, __edi);
						__eax = E00403002(3);
						__ecx = _v684;
						_push(_v696);
						 *0x40d918 = __eax;
						__cl = __cl & 0x00000001;
						 *0x40d91f = 1;
						 *0x40d91c = __cl & 0x00000001;
						__al = __cl;
						__al = __cl & 0x00000002;
						__cl = __cl & 0x00000004;
						_push("Tahoma");
						 *0x40d91d = __al;
						 *0x40d91e = __cl;
						__eax = E00405EBA();
						__eax = CreateFontIndirectW(0x40d908);
						__ebp = _v724;
						_push(__eax);
						_push(_v724);
						goto L21;
					case 0x24:
						__esi = E00403002(0);
						_push(E00403002(1));
						_push(__esi);
						__eflags = _v680;
						if(_v680 != 0) {
							__eax = EnableWindow();
						} else {
							__eax = ShowWindow(); // executed
						}
						goto L391;
					case 0x25:
						0 = E0040303E(__edx, 0);
						__esi = E0040303E(__edx, 0x31);
						__edi = E0040303E(__edx, 0x22);
						E0040303E(__edx, 0x15) = E00405D3A(0xffffffec, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
						__ecx = _v700;
						__eax = _v724;
						_v668 = _v724;
						__eax = 0;
						_v676.dwHighDateTime = _v700;
						__ecx = _v704;
						_v648 = __ecx;
						__eflags =  *__ebx - __bp;
						_v660 = __esi;
						__eax =  !=  ? __ebx : 0;
						_v664 =  !=  ? __ebx : 0;
						__eax = 0;
						__eflags =  *__edi - __bp;
						_v652 = L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
						__eax =  !=  ? __edi : 0;
						_v656 =  !=  ? __edi : 0;
						__eax =  &_v676;
						__eax = E004069F3( &_v676);
						__eflags = __eax;
						if(__eax == 0) {
							goto L28;
						}
						__eflags = _v648 & 0x00000040;
						if((_v648 & 0x00000040) == 0) {
							goto L391;
						}
						__eax = E00406514(__ecx, _v596.dwFileAttributes);
						__eax = CloseHandle( *(__esp + 0x88));
						goto L198;
					case 0x26:
						__esi = E0040303E(__edx, 0);
						__eax = E00405D3A(0xffffffeb, __eax);
						__eax = E004066D6(__esi); // executed
						__ebx = _v732;
						__esi = __eax;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__eflags = _v684;
						if(_v684 != 0) {
							__eax = E00406514(__ecx, __esi);
							__eflags = _v692;
							if(_v692 < 0) {
								0 = 1;
								__eflags = __eax;
								_v716 = 0;
							} else {
								__eax = E0040661F(_v712, __eax);
							}
						}
						__eax = CloseHandle(__esi);
						goto L198;
					case 0x27:
						__eax = E0040303E(__edx, 2);
						0 = __eax;
						__eflags = __ebx;
						if(__ebx == 0) {
							__eax = 0;
							 *__edi = __ax;
							 *__esi = __ax;
							goto L28;
						}
						__eax = E0040661F(__esi, __ebx[0xa]);
						_push(__ebx[0xc]);
						goto L20;
					case 0x28:
						__eax = E0040303E(__edx, 0xffffffee);
						__ecx =  &_v656;
						_v660 = __eax;
						_push( &_v656);
						_push(__eax);
						__eax = E004068E6(0xa);
						__eax =  *__eax();
						__ecx = 0;
						_v724 = __eax;
						__ebx = 0;
						 *__edi = __cx;
						__ebx = 1;
						 *__esi = __cx;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = GlobalAlloc(0x40, __eax);
							_v712 = __eax;
							__eflags = __eax;
							if(__eax != 0) {
								__esi = E004068E6(0xb);
								__eax = E004068E6(0xc);
								_push(_v720);
								_v716 = __eax;
								_push(_v724);
								_push(0);
								_push(_v676.dwHighDateTime);
								__eax =  *__esi();
								__eflags = __eax;
								if(__eax != 0) {
									__eax =  &_v688;
									_push( &_v688);
									__eax =  &_v692;
									_push( &_v692);
									_push(0x4092b0);
									_push(_v728);
									__eax = _v724();
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = _v708;
										_v720 = E0040661F(__edi,  *((intOrPtr*)(_v708 + 8 + _v720 * 4)));
										__ecx = _v728;
										_v716 = E0040661F(_v760,  *((intOrPtr*)(_v716 + 0xc + _v728 * 4)));
										__ebx = 0;
									}
								}
								__eax = GlobalFree(_v728);
							}
						}
						goto L392;
					case 0x29:
						__esi = 0;
						__esi = 1;
						__ebx = 1;
						__eflags =  *0x435a60;
						if( *0x435a60 < 0) {
							_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
							_push(0xffffffe7);
							goto L230;
						}
						__edi = E0040303E(__edx, 0xfffffff0);
						_v712 = __edi;
						_v720 = E0040303E(__edx, 1);
						__eflags = _v684;
						if(_v684 == 0) {
							L218:
							__eax = LoadLibraryExW(__edi, __ebp, 8); // executed
							__edi = __eax;
							__eflags = __edi;
							if(__eflags == 0) {
								_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
								_push(0xfffffff6);
								goto L230;
							}
							L219:
							0 = E00406269(__eflags, __edi, _v712);
							_v716 = __ecx;
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = E00405D3A(0xfffffff7, _v712);
							} else {
								__ebx = __ebp;
								__eflags = _v684 - __ebp;
								if(_v684 == __ebp) {
									__eax = _v700;
									_push(0x40b000);
									_push(0x40b100);
									_push(0x436000);
									_push(0x400);
									_push(_v700);
									__eax =  *__ecx();
									__esp = __esp + 0x14;
								} else {
									__eax = E00405D3A(_v684, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
									__eax = _v716();
									__eflags = __eax;
									if(__eax != 0) {
										__ebx = __esi;
									}
								}
							}
							__eflags = _v680 - __ebp;
							if(_v680 == __ebp) {
								__eax = E00403CD6(__edi);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = FreeLibrary(__edi);
								}
							}
							goto L392;
						}
						__eax = GetModuleHandleW(__edi); // executed
						__edi = __eax;
						__eflags = __edi;
						if(__eflags != 0) {
							goto L219;
						}
						__edi = _v708;
						goto L218;
					case 0x2a:
						_v656 = E0040303E(__edx, 0xfffffff0);
						__eax = E0040303E(__edx, 0xffffffdf);
						__ebx = __eax;
						_v716 = __eax;
						_v676.dwHighDateTime = E0040303E(__edx, 2);
						_v676.dwHighDateTime = E0040303E(__edx, 0xffffffcd);
						_v684 = E0040303E(__edx, 0x45);
						__eax = _v696;
						__eax = __eax & 0x00000fff;
						__edi = __eax;
						_v720 = __eax & 0x00000fff;
						__ecx = __eax;
						__ecx = __eax & 0x00008000;
						__eax = __eax >> 0x10;
						__edi = __edi >> 0xc;
						_v724 = __ecx;
						__edi = __edi & 0x00000007;
						_v688 = __eax;
						__eax = E00406E03(__ebx);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040303E(__edx, 0x21);
						}
						__eax =  &_v716;
						__esi = 0;
						_push(__eax);
						_push(0x409abc);
						__esi = 1;
						_push(1);
						_push(__ebp);
						_push(0x409adc);
						__imp__CoCreateInstance();
						__ebx = __eax;
						__eflags = __ebx;
						if(__ebx >= 0) {
							__eax = _v736;
							__edx =  &_v732;
							_push( &_v732);
							_push(0x409acc);
							_push(__eax);
							__ecx =  *__eax;
							0 = __eax;
							__eflags = __ebx;
							if(__ebx >= 0) {
								__eax =  *(__esp + 0x10);
								_push(_v740);
								_push(__eax);
								__ecx =  *__eax;
								0 = __eax;
								__eflags = _v744 - __ebp;
								if(_v744 == __ebp) {
									__eax = _v756;
									_push(L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane");
									_push(__eax);
									__ecx =  *__eax;
									__eax =  *((intOrPtr*)( *__eax + 0x24))();
								}
								__eflags = __edi;
								if(__edi != 0) {
									__eax = _v756;
									_push(__edi);
									_push(__eax);
									__ecx =  *__eax;
									__eax =  *((intOrPtr*)( *__eax + 0x3c))();
								}
								__eax = _v756;
								_push(_v708);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x34))();
								__edx = _v704;
								__eflags = __edx->i - __bp;
								if(__edx->i != __bp) {
									__eax = _v764;
									_push( *((intOrPtr*)(__esp + 0x20)));
									_push(__edx);
									__ecx =  *__eax;
									_push(__eax);
									__eax =  *((intOrPtr*)( *__eax + 0x44))();
								}
								__eax = _v764;
								_push(_v708);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x2c))();
								__eax =  *(__esp + 0x10);
								_push(_v720);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x1c))();
								__eflags = __ebx;
								if(__ebx >= 0) {
									__eax = _v776;
									_push(__esi);
									_push(_v716);
									__ecx =  *__eax;
									_push(__eax);
									0 = __eax;
								}
								__eax = _v776;
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))();
							}
							__eax =  *(__esp + 0x10);
							_push(__eax);
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))();
						}
						__ebx = 0 >> 0x1f;
						0xbadbac = 0xbadba0;
						__eax = E00405D3A(0xbadba0, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
						__ebx = __ebx >> 0x1f;
						goto L392;
					case 0x2b:
						__esi = E0040303E(__edx, 0);
						__edi = E0040303E(__edx, 0x11);
						0 = E0040303E(__edx, 0x23);
						__eax = E004065CF(__esi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = _v700;
							_v652 = _v700;
							_v648 = 2;
							__eax = lstrlenW(__esi);
							__ecx = 0;
							 *(__esi + 2 + __eax * 2) = __cx;
							__eax = lstrlenW(__edi);
							__ecx = 0;
							 *(__edi + 2 + __eax * 2) = __cx;
							__ax = _v684;
							_v644 = __esi;
							_v640 = __edi;
							 *(__esp + 0x72) = __ebx;
							 *((short*)(__esp + 0x68)) = _v684;
							E00405D3A(0, __ebx) =  &_v660;
							__eax = SHFileOperationW( &_v660);
							__eflags = __eax;
							if(__eax == 0) {
								goto L391;
							}
						}
						__eax = E00405D3A(0xfffffff9, __ebp);
						goto L28;
					case 0x2c:
						__eflags = __ecx - 0xbadf00d;
						if(__ecx != 0xbadf00d) {
							L158:
							_push(0x200010);
							_push(0xffffffe8);
							_push(__ebp);
							_push(E00405EBA());
							L89:
							__eax = E00406AA8();
							L5:
							__eax = 0x7fffffff;
							return 0x7fffffff;
						}
						 *0x435ad4 =  *0x435ad4 + 1;
						goto L391;
					case 0x2d:
						__esi = 0;
						__edi = 0;
						__eflags = __ecx;
						if(__ecx != 0) {
							__ebp = E0040303E(__edx, 0);
							__eax = _v692;
						}
						__eflags = __eax;
						if(__eax != 0) {
							__esi = E0040303E(__edx, 0x11);
						}
						__eflags = _v676.dwLowDateTime - __edi;
						if(_v676.dwLowDateTime != __edi) {
							__edi = E0040303E(__edx, 0x22);
						}
						__eax = E0040303E(__edx, 0xffffffcd);
						__eax = WritePrivateProfileStringW(__ebp, __esi, __edi, __eax); // executed
						L27:
						__eflags = __eax;
						if(__eax != 0) {
							goto L391;
						}
						goto L28;
					case 0x2e:
						__ebx = 0;
						_v652 = 0xa;
						__ebx = 1;
						__edi = E0040303E(__edx, 1);
						__esi = E0040303E(__edx, 0x12);
						__eax = E0040303E(__edx, 0xffffffdd);
						__ebp = _v716;
						 &_v664 = GetPrivateProfileStringW(__edi, __esi,  &_v664, __ebp, 0x3ff,  &_v664); // executed
						_push(0xa);
						_pop(__eax);
						__eflags =  *__ebp - __ax;
						if( *__ebp != __ax) {
							goto L391;
						}
						__eax = 0;
						 *__ebp = __ax;
						goto L392;
					case 0x2f:
						__edi = 0;
						__edi = 1;
						__eflags = _v676.dwLowDateTime;
						if(__eflags != 0) {
							__eax = E0040303E(__edx, 0x22);
							_v680 = _v680 >> 1;
							__ecx = _v676.dwHighDateTime;
							__eax = E0040307C(_v676.dwHighDateTime, __eax, _v680 >> 1); // executed
							__edi = __eax;
						} else {
							__esi = E004030C1(__ecx, __edx, __eflags, 2);
							__eflags = __esi;
							if(__esi != 0) {
								__eax = E0040303E(__edx, 0x33);
								__edi = __eax;
								__eax = RegCloseKey(__esi);
							}
						}
						__ebx = 0;
						__eflags = __edi;
						__ebx = 0 | __edi != 0x00000000;
						goto L392;
					case 0x30:
						__eax = _v676.dwLowDateTime;
						_v708 = _v676.dwLowDateTime;
						__eax = _v676.dwHighDateTime;
						_v712 = _v676.dwHighDateTime;
						_v708 = E0040303E(__edx, 2);
						__eax = E0040303E(__edx, 0x11);
						__ecx =  &(_v676.dwHighDateTime);
						0 = 1;
						__ebx = 1;
						__eax = E00403023(_v660);
						__eax = E004062A5(__eflags, __eax, __eax, 0x100022,  &(_v676.dwHighDateTime)); // executed
						__edi = _v692;
						__ecx = 0;
						__eflags = __eax;
						__edi =  !=  ? 0 : _v692;
						_v680 = __edi;
						__eflags = __edi;
						if(__edi == 0) {
							goto L392;
						}
						__eax = _v708;
						__edi = 0x40c108;
						__eflags = __eax - 1;
						if(__eax != 1) {
							_push(4);
							_pop(__esi);
							__eflags = __eax - 1;
							if(__eax != 1) {
								__esi = 0;
								__eflags = __eax - 3;
								if(__eax == 3) {
									0 = E00403148(_v680, 0, 0x40c108, 0x1800);
								}
							} else {
								 *0x40c108 = E00403002(3);
							}
						} else {
							__eax = E0040303E(__edx, 0x23);
							0 = 2 + lstrlenW(0x40c108) * 2;
						}
						__esi = _v652;
						__eax = RegSetValueExW(__esi, _v704, __ebp, _v712, __edi, __esi); // executed
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__eflags = 0;
						goto L274;
					case 0x31:
						__eax = E004030C1(__ecx, __edx, __eflags, 0x20019); // executed
						__esi = __eax;
						__eax = E0040303E(__edx, 0x33);
						__ecx = 0;
						 *__edi = __cx;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__ecx =  &_v652;
						_v652 = 0x800;
						__ecx =  &_v704;
						__eax = RegQueryValueExW(__esi, __eax, 0,  &_v704, __edi,  &_v652);
						__ecx = 0;
						__ecx = 1;
						__eflags = __eax;
						if(__eax != 0) {
							L282:
							__eax = 0;
							__ebx = __ecx;
							 *__edi = __ax;
							L274:
							__eax = RegCloseKey(__esi);
							goto L392;
						}
						__eflags = _v704 - 4;
						if(_v704 == 4) {
							__ebx = 0;
							__eflags = _v676.dwLowDateTime;
							__ebx = 0 | _v676.dwLowDateTime == 0x00000000;
							__eax = E0040661F(__edi,  *__edi);
							goto L274;
						}
						__eflags = _v704 - 1;
						if(_v704 == 1) {
							L280:
							__ebx = _v676.dwLowDateTime;
							__eax = 0;
							 *(__edi + 0x7fe) = __ax;
							goto L274;
						}
						__eflags = _v704 - 2;
						if(_v704 != 2) {
							goto L282;
						}
						goto L280;
					case 0x32:
						0 = E004030C1(__ecx, __edx, __eflags, 0x20019);
						__eax = E00403002(3);
						__ebx = _v720;
						__ecx = 0;
						 *__edi = __cx;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__ecx = 0x3ff;
						_v652 = 0x3ff;
						__eflags = _v676.dwLowDateTime;
						if(_v676.dwLowDateTime == 0) {
							__ecx =  &_v652;
							__eax = RegEnumValueW(__esi, __eax, __edi,  &_v652, 0, 0, 0, 0);
							0 = 1;
							__eflags = __eax;
							_v716 = 0;
						} else {
							__eax = RegEnumKeyW(__esi, __eax, __edi, 0x3ff);
						}
						__eax = 0;
						 *(__edi + 0x7fe) = __ax;
						__eax = RegCloseKey(__esi);
						goto L391;
					case 0x33:
						__eax = E00406C25(__edi);
						__eflags = __eax;
						if(__eax == 0) {
							goto L391;
						}
						__eax = CloseHandle(__eax);
						L198:
						goto L391;
					case 0x34:
						__eax = E0040303E(__edx, 0xffffffed);
						__eax = E0040691B(__eax, _v692, _v688);
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							L98:
							_push(__eax);
							L20:
							_push(__edi);
							goto L21;
						}
						goto L291;
					case 0x35:
						__ecx = _v696;
						__eax = 0;
						__edx = _v684;
						__eflags = __ecx - 0x38;
						_v652 = __edx;
						__esi = 0x40b908;
						__eax = 0 | __eflags == 0x00000000;
						0 = 1;
						_v712 = __eflags == 0;
						__eflags = __edx;
						if(__edx == 0) {
							__eflags = __ecx - 0x38;
							if(__ecx != 0x38) {
								__eax = E0040303E(__edx, 0x11);
								__eax = lstrlenW(__eax);
								__eflags = __eax + __eax;
							} else {
								E0040303E(__edx, 0x21) = E00406469("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp", 0x40b908, 0x400);
								__esi = lstrlenA(0x40b908);
							}
						} else {
							__eax = E00403002(1);
							_v712 = _v712 ^ 1;
							 *0x40b908 = __ax;
							__esi = (_v712 ^ 1) + 1;
						}
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							goto L392;
						} else {
							__edi = E00406C25(__edi);
							_v716 = _v716 | _v656;
							__eflags = _v716 | _v656;
							if((_v716 | _v656) != 0) {
								L301:
								__eax = E00406A0B(__ecx, __edi, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll", __esi);
								__eflags = __eax;
								if(__eax != 0) {
									goto L391;
								}
								goto L392;
							}
							__eflags = _v680 - __ebp;
							if(_v680 == __ebp) {
								goto L301;
							}
							__eax = E00406484(__edi, __edi);
							__eflags = __eax;
							if(__eax < 0) {
								goto L392;
							}
							goto L301;
						}
					case 0x36:
						_push(2);
						_pop(__ecx);
						_v712 = 0;
						_v700 = __ecx;
						__eax = E00403002(__ecx);
						__ebx = 0;
						__ebx = 1;
						__eflags = __eax - 1;
						if(__eax < 1) {
							goto L391;
						}
						__ecx = 0x3ff;
						__eflags = __eax - 0x3ff;
						_v708 = __eax;
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							L327:
							__eax = _v712;
							__ecx = 0;
							__ebx = 0;
							__eflags = __eax;
							 *(__esi + __eax * 2) = __cx;
							L80:
							__ebx = __ebx & 0xffffff00 | __eflags == 0x00000000;
							goto L392;
						}
						_v668 = 0;
						0 = E00406C25(__edi);
						_v708 = __ecx;
						__eflags = _v712;
						if(_v712 <= 0) {
							goto L327;
						}
						_v664 = 0xd;
						__edi = 0;
						do {
							__eflags = _v696 - 0x39;
							if(_v696 != 0x39) {
								__eflags = _v680 - __ebp;
								if(_v680 != __ebp) {
									L320:
									__eax =  &_v660;
									__eax = E00406948(__ecx, __ecx,  &_v660, 2);
									__eflags = __eax;
									if(__eax == 0) {
										goto L327;
									}
									L321:
									__ecx = _v700;
									__eax = _v660;
									L322:
									__eflags = _v680 - __ebp;
									if(_v680 != __ebp) {
										L333:
										__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
										goto L393;
									}
									_push(0xd);
									_pop(__edx);
									__eflags = _v668 - __dx;
									_push(0xa);
									_pop(__edx);
									if(_v668 == __dx) {
										L328:
										__eflags = _v668 - __ax;
										if(_v668 == __ax) {
											L332:
											__eax = SetFilePointer(_v704, 0, __ebp, 0);
											goto L327;
										}
										__eflags = __ax - _v664;
										if(__ax == _v664) {
											L331:
											 *(__esi + __edi * 2) = __ax;
											_v712 = __edi;
											goto L327;
										}
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L332;
										}
										goto L331;
									}
									__eflags = _v668 - __dx;
									if(_v668 == __dx) {
										goto L328;
									}
									 *(__esi + __edi * 2) = __ax;
									__edi = __edi + 1;
									__eax = __ax & 0x0000ffff;
									_v712 = __edi;
									_v668 = __ax & 0x0000ffff;
									__eflags = __ax;
									if(__ax == 0) {
										goto L327;
									}
									goto L326;
								}
								__eflags = __edi;
								if(__edi != 0) {
									goto L320;
								}
								__eax = E00406484(__ecx, __ebp);
								__eflags = __eax;
								if(__eax < 0) {
									goto L327;
								}
								__ecx = _v704;
								goto L320;
							}
							_push(__ebp);
							__eax =  &_v656;
							_push( &_v656);
							_push(2);
							_pop(__eax);
							 &_v656 - _v680 =  &_v716;
							__eax = ReadFile(__ecx,  &_v716,  &_v656 - _v680, ??, ??); // executed
							__eflags = __eax;
							if(__eax == 0) {
								goto L327;
							}
							__ecx = _v656;
							_v700 = __ecx;
							__eflags = __ecx;
							if(__ecx == 0) {
								goto L327;
							}
							__eax = _v716 & 0x000000ff;
							_v660 = _v716 & 0x000000ff;
							__eflags = _v680 - __ebp;
							if(_v680 != __ebp) {
								goto L333;
							}
							 &_v660 =  &_v716;
							__eax = MultiByteToWideChar(__ebp, 8,  &_v716, __ecx,  &_v660, __ebx);
							__eflags = __eax;
							if(__eax != 0) {
								goto L321;
							}
							__ecx = _v700;
							__edx = __ecx;
							__edx =  ~__ecx;
							while(1) {
								_t351 =  &_v656;
								 *_t351 = _v656 - 1;
								__eflags =  *_t351;
								__eax = 0xfffd;
								_v660 = 0xfffd;
								if( *_t351 == 0) {
									goto L322;
								}
								__ecx = __ecx - 1;
								__edx =  &(__edx->i);
								_v700 = __ecx;
								_v652 = __edx;
								__eax = SetFilePointer(_v704, __edx, __ebp, __ebx); // executed
								 &_v660 =  &_v716;
								__eax = MultiByteToWideChar(__ebp, 8,  &_v716, _v656,  &_v660, __ebx);
								__ecx = _v700;
								__edx = _v652;
								__eflags = __eax;
								if(__eax == 0) {
									continue;
								}
								goto L321;
							}
							goto L322;
							L326:
							__ecx = _v704;
							__eflags = __edi - _v708;
						} while (__edi < _v708);
						goto L327;
					case 0x37:
						__eflags =  *__edi - __bp;
						asm("das");
						if(__eflags == 0) {
							goto L391;
						} else {
							__eax = E00403002(2);
							__eax = E00406C25(__edi);
							__eax = SetFilePointer(__eax, __eax, 0, _v680); // executed
							__eflags = _v692;
							if(_v692 < 0) {
								goto L391;
							}
							goto L337;
						}
					case 0x38:
						__eax = E00406C25(__edi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = FindClose(__eax);
						}
						goto L391;
					case 0x39:
						__eax = E00406C25(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							L61:
							0 = 1;
							__eax = 0;
							 *__edi = __ax;
							goto L392;
						}
						__ecx =  &(_v596.ftCreationTime);
						__eax = FindNextFileW(__eax,  &(_v596.ftCreationTime));
						__eflags = __eax;
						if(__eax == 0) {
							goto L61;
						}
						goto L342;
					case 0x3a:
						__eax = E0040303E(__edx, 2);
						__ecx =  &_v596;
						__eax = FindFirstFileW(__eax,  &_v596); // executed
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							__eax = E0040661F(__esi, __eax);
							L342:
							__eax =  &_v548;
							_push( &_v548);
							_push(__edi);
							goto L157;
						}
						__eax = 0;
						 *__esi = __ax;
						L291:
						__eax = 0;
						 *__edi = __ax;
						goto L28;
					case 0x3b:
						_v708 = 0xfffffd66;
						0 = E0040303E(__edx, 0xfffffff0);
						_v656 = __ebx;
						__eax = E00406E03(__ebx);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040303E(__edx, 0xffffffed);
						}
						__eax = E00406B9D(__ebx);
						__edi = E0040691B(__ebx, 0x40000000, 2);
						_v720 = __edi;
						__eflags = __edi - 0xffffffff;
						if(__edi == 0xffffffff) {
							L360:
							_push(0xfffffff3);
							_pop(__esi);
							__eflags = _v708 - __ebp;
							if(_v708 >= __ebp) {
								__ebx = _v716;
							} else {
								_push(0xffffffef);
								_pop(__esi);
								__eax = DeleteFileW(__ebx);
								0 = 1;
							}
							_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
							_push(__esi);
							L230:
							__eax = E00405D3A();
							goto L392;
						} else {
							__eax = _v688;
							_v664 = _v688;
							__eflags = _v684 - __ebp;
							if(_v684 == __ebp) {
								L359:
								_v724 = __eax;
								__eax = CloseHandle(__edi);
								goto L360;
							}
							__eax =  *0x435a08;
							_v712 = __eax;
							__esi = __eax;
							_v708 = __esi;
							__eflags = __esi;
							if(__esi == 0) {
								__eax = _v664;
								goto L359;
							}
							E00403131(__ebp) = E0040311B(__esi, _v716);
							__edi = GlobalAlloc(0x40, _v696);
							_v676.dwLowDateTime = __edi;
							__eflags = __edi;
							if(__edi == 0) {
								L357:
								__edi = _v704;
								__eax = E00406A0B(__ecx, __edi, __esi, _v712);
								GlobalFree(__esi) = __eax | 0xffffffff;
								goto L359;
							}
							__eax = E00403148(_v688, __ebp, __edi, _v684);
							__eflags =  *__edi;
							if( *__edi == 0) {
								L356:
								__eax = GlobalFree(_v664);
								goto L357;
							}
							__ebx = __esi;
							do {
								__esi =  *__edi;
								__eax =  *(__edi + 4);
								__edi = __edi + 8;
								__eax = E004066B4(__eax, __edi, __esi);
								__edi = __edi + __esi;
								__eflags =  *__edi;
							} while ( *__edi != 0);
							__ebx = _v652;
							__esi = _v708;
							goto L356;
						}
					case 0x3c:
						__eax = E00403002(0);
						__ebx = __eax;
						__eflags = __ebx -  *0x435a2c;
						if(__ebx >=  *0x435a2c) {
							goto L28;
						}
						__ecx = _v684;
						__edi = __ebx * 0x818;
						__edi = __ebx * 0x818 +  *0x435a28;
						__eflags = __ecx;
						if(__eflags < 0) {
							__eax = __eax | 0xffffffff;
							__eax = __eax - __ecx;
							__eflags = __eax;
							_v684 = __eax;
							if(__eax == 0) {
								_push(_v676.dwLowDateTime);
								__eax = __edi + 0x18;
								_push(__edi + 0x18);
								__eax = E00405EBA();
								_t421 = __edi + 8;
								 *_t421 =  *(__edi + 8) | 0x00000100;
								__eflags =  *_t421;
								__ecx = _v696;
							} else {
								0 = E00403002(1);
								_v688 = __ecx;
							}
							__eax = _v692;
							 *(__edi + _v692 * 4) = __ecx;
							__eflags = _v688 - __ebp;
							if(_v688 != __ebp) {
								__eax = E00401221(__ebx);
							}
							goto L391;
						}
						__eax =  *(__edi + __ecx * 4);
						if(__eflags != 0) {
							goto L337;
						}
						__eax = __edi + 0x18;
						_push(__edi + 0x18);
						_push(__esi);
						L157:
						__eax = E00406B1A();
						goto L391;
					case 0x3d:
						__edx = E00403002(0);
						__eflags = __edx - 0x20;
						if(__edx >= 0x20) {
							L28:
							0 = 1;
							goto L392;
						}
						__eflags = _v680;
						if(_v680 == 0) {
							__eax =  *0x435a10;
							__eflags = _v684;
							if(_v684 == 0) {
								_push( *((intOrPtr*)(__eax + 0x94 + __edx * 4)));
								_push(__esi);
								__eax = E00405EBA();
							} else {
								__ecx = _v688;
								 *((intOrPtr*)(__eax + 0x94 + __edx * 4)) = _v688;
							}
							goto L391;
						}
						__eflags = _v684;
						if(_v684 == 0) {
							__eax = E004011A0(0);
							L337:
							_push(__eax);
							_push(__esi);
							goto L21;
						}
						E00401290(__edx) = E004012DD(0, 0);
						goto L391;
					case 0x3e:
						__eax = _v680;
						__eax = _v680;
						__eflags = __eax;
						if(__eax == 0) {
							__edi = E004068E6(5);
							__eax = E0040303E(__edx, 0x22);
							__eflags = __edi;
							if(__edi == 0) {
								L388:
								0 = 1;
								__eax = 0;
								 *__esi = __ax;
								goto L392;
							}
							__ecx =  &_v652;
							_push( &_v652);
							_push(__eax);
							__imp__IIDFromString();
							__eflags = __eax;
							if(__eax < 0) {
								goto L388;
							}
							__eax =  &_v716;
							_push( &_v716);
							_push(0);
							_push(_v688);
							__eax =  &_v660;
							_push( &_v660);
							__eax =  *__edi();
							__eflags = __eax;
							if(__eax < 0) {
								goto L388;
							}
							__eax = E00406B1A(__esi, _v732);
							_push(_v740);
							__imp__CoTaskMemFree();
							goto L391;
						}
						__eax = __eax - 1;
						__eflags = __eax;
						if(__eax != 0) {
							goto L391;
						}
						__esi = E00403002(2);
						__eax = E00403002(4);
						__edx = __al & 0x000000ff;
						__eax = __eax >> 0x18;
						__ecx = 0x435ac0;
						__eflags = __esi;
						_v708 = 0;
						__ecx =  !=  ? __esi : 0x435ac0;
						 &_v708 = E004066B4( &_v708,  &_v708, __al & 0x000000ff);
						_push(_v720);
						_push(_v724);
						L21:
						__eax = E0040661F();
						goto L391;
					case 0x3f:
						goto L391;
					case 0x40:
						__eax =  *0x42bd40; // 0x1
						__eax = SendMessageW(__edx, 0xb, __eax, 0);
						__eflags = _v692;
						if(_v692 != 0) {
							_v700 = InvalidateRect(_v700, 0, 0);
						}
						goto L391;
				}
			}

0x00401565
0x0040156a
0x0040156e
0x00401570
0x00401579
0x0040158b
0x00401593
0x00401597
0x004015a3
0x004015a6
0x004015aa
0x004015b5
0x004015b9
0x004015bd
0x00402ea1
0x00402ea1
0x00402ea5
0x00402ea5
0x00402eab
0x00000000
0x00402eab
0x004015c7
0x00000000
0x00000000
0x00000000
0x004015d5
0x004015d6
0x00000000
0x00000000
0x004015e6
0x004015ec
0x004015ee
0x004015f1
0x004015f1
0x00000000
0x00000000
0x004015ff
0x00401600
0x00000000
0x00000000
0x0040160c
0x0040160d
0x00000000
0x00000000
0x00401619
0x00401621
0x00401622
0x00401624
0x00401628
0x00000000
0x00000000
0x00401634
0x00000000
0x00000000
0x004016c1
0x004016c7
0x004016cd
0x004016cf
0x004016d3
0x004016d5
0x004016d5
0x004016d9
0x004016de
0x004016e0
0x004016e8
0x004016e8
0x00000000
0x00000000
0x004016f1
0x004016fb
0x00000000
0x00000000
0x00401718
0x0040171b
0x00401720
0x00401724
0x00401726
0x00401728
0x00401784
0x00401784
0x00401789
0x0040178e
0x004017bb
0x00000000
0x00401790
0x00401790
0x0040179d
0x004017a3
0x004017a9
0x004017ab
0x004017b2
0x004017b2
0x00000000
0x004017ab
0x00000000
0x00000000
0x00000000
0x00401741
0x00401741
0x00401745
0x00000000
0x00000000
0x00401747
0x0040174c
0x0040174e
0x00401751
0x0040175e
0x0040175e
0x00401760
0x00401775
0x00401775
0x00401778
0x0040177b
0x0040177e
0x0040172a
0x00401732
0x00401734
0x00401736
0x00401739
0x0040173c
0x0040173f
0x00000000
0x00000000
0x00000000
0x00401780
0x00401780
0x00000000
0x00401780
0x0040177e
0x00401762
0x00401767
0x00401774
0x00401774
0x00401774
0x00000000
0x00401774
0x0040176a
0x00401770
0x00401772
0x00000000
0x00000000
0x00000000
0x00401772
0x00401758
0x00401759
0x00000000
0x00000000
0x004017c3
0x004017c9
0x00000000
0x00000000
0x0040163f
0x00401643
0x00401645
0x00401671
0x00401678
0x00401647
0x00401647
0x00401649
0x00401650
0x00401650
0x0040165f
0x00401661
0x00401665
0x00401665
0x00000000
0x00000000
0x00401684
0x00401688
0x0040168a
0x00401693
0x00401697
0x0040169e
0x004016a0
0x004016a2
0x004016a6
0x00000000
0x00000000
0x004016af
0x00000000
0x00000000
0x004017dc
0x004017e5
0x004017e7
0x004017ee
0x004017f4
0x004017f6
0x00401804
0x00401808
0x00000000
0x00000000
0x0040180f
0x00401814
0x00401816
0x00000000
0x0040181c
0x0040181e
0x00401823
0x00401828
0x00000000
0x00401828
0x004017f8
0x004017f8
0x004017fd
0x0040160e
0x0040160e
0x00000000
0x0040160e
0x00000000
0x00401835
0x00401837
0x00401843
0x00401849
0x0040184b
0x00401857
0x0040185b
0x0040185d
0x0040187b
0x0040187b
0x0040187f
0x0040187f
0x00401883
0x00401890
0x00401890
0x00000000
0x00401883
0x0040185f
0x00401862
0x00000000
0x00000000
0x00401865
0x0040186a
0x0040186c
0x00000000
0x0040186e
0x0040186e
0x00401876
0x00000000
0x00401876
0x0040186c
0x0040184d
0x0040184f
0x00401850
0x00401852
0x00000000
0x00000000
0x0040189d
0x004018a2
0x004018b0
0x004018b6
0x004018b8
0x00000000
0x00000000
0x00000000
0x00000000
0x004018cd
0x004018d4
0x00000000
0x00000000
0x004018e0
0x004018e5
0x004018e9
0x004018eb
0x004018ee
0x004018f3
0x004018f7
0x004018fc
0x00401901
0x00401902
0x00401904
0x00401914
0x00401920
0x00401906
0x00401906
0x00401907
0x00401907
0x00401926
0x0040192b
0x0040192d
0x0040192d
0x0040192e
0x0040192e
0x00401931
0x00401964
0x00401964
0x00401966
0x00401969
0x00401969
0x0040196e
0x00401970
0x00401975
0x0040197d
0x00401982
0x00401986
0x00401989
0x00401a18
0x00401a1f
0x00401a24
0x00401a28
0x00401a35
0x00401a3a
0x00401a40
0x00401a45
0x00401a49
0x00401a52
0x00401a5a
0x00401a60
0x00401a61
0x00401a67
0x00401a6b
0x00401a6d
0x00000000
0x00000000
0x00401a73
0x00401a76
0x00401a89
0x00401a8b
0x00401a8c
0x00401a78
0x00401a78
0x00401a7a
0x00401a82
0x00401a82
0x00401a91
0x00401a96
0x00000000
0x00401a96
0x00401a4b
0x00401a50
0x00000000
0x00000000
0x00000000
0x0040198f
0x0040198f
0x00401991
0x004019fd
0x00401a04
0x00401a09
0x00401a0b
0x00000000
0x00401a0b
0x00000000
0x00401991
0x00401989
0x00401934
0x00401939
0x0040193b
0x0040193d
0x0040193f
0x00401943
0x00401943
0x0040194e
0x0040194e
0x00401950
0x00401953
0x00401959
0x0040195b
0x0040195d
0x0040195f
0x0040195f
0x00401960
0x00000000
0x00401993
0x004019a8
0x004019ad
0x004019b1
0x004019c5
0x004019ce
0x004019d7
0x004019dc
0x004019dc
0x004019dc
0x004019e5
0x004019e5
0x004019e8
0x004019f2
0x00000000
0x004019f2
0x004019ea
0x004019eb
0x004015d7
0x004015d7
0x00000000
0x00000000
0x00401aa1
0x00000000
0x00000000
0x00401ab8
0x00401ac2
0x00401ac7
0x00401ac9
0x00000000
0x00000000
0x00401acf
0x00401ad3
0x00000000
0x00000000
0x00401ad9
0x00401add
0x00000000
0x00000000
0x00401ae3
0x00000000
0x00000000
0x00401aec
0x00401aa2
0x00401aac
0x00000000
0x00000000
0x00401af2
0x00401af8
0x00000000
0x00000000
0x00401b0c
0x00401b0e
0x00401b19
0x00401b1b
0x00401b21
0x00401b25
0x00401b2a
0x00401b2c
0x00401b2e
0x00401b31
0x00401b34
0x00401b36
0x00000000
0x00000000
0x00401b3c
0x00401b3e
0x00401b48
0x00401b48
0x00401b4a
0x00401b51
0x00401b56
0x00401b5b
0x00401b5d
0x00401b65
0x00401b65
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6e
0x00401b72
0x00401b77
0x00401b7d
0x00401b7f
0x00401b7f
0x00000000
0x00401b77
0x00401b40
0x00401b40
0x00401b42
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b91
0x00401b98
0x00401b99
0x00401b9a
0x00401b9e
0x00401ba8
0x00401ba0
0x00401ba0
0x00401ba0
0x00401bae
0x00401bb0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401bbb
0x00401bbd
0x00401bc9
0x00401bcd
0x00401bd3
0x00401bd5
0x00401be9
0x00401be9
0x00401beb
0x00401bed
0x00401bf6
0x00401bf6
0x00401bf8
0x00000000
0x00401bf8
0x00401bd7
0x00401bdb
0x00401bf2
0x00401bf2
0x00000000
0x00401bf2
0x00401bdf
0x00401be5
0x00401be7
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c04
0x00401c10
0x00401c12
0x00401c19
0x00401c1b
0x00401c25
0x00401c27
0x00401c32
0x00000000
0x00000000
0x00401c38
0x00401c38
0x00000000
0x00401c38
0x00401c29
0x00401c29
0x00000000
0x00401c29
0x00401c1d
0x00401c1f
0x00000000
0x00000000
0x00401c21
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c41
0x00401c43
0x00401c4c
0x00401c55
0x00401c57
0x00401c5b
0x00401c5e
0x00401cd0
0x00401cd0
0x00401cd4
0x00401cd6
0x00000000
0x00401cd6
0x00401c60
0x00000000
0x00401c67
0x00000000
0x00000000
0x00401c6b
0x00000000
0x00000000
0x00401c6f
0x00000000
0x00000000
0x00401c74
0x00401c76
0x00000000
0x00000000
0x00401c78
0x00401c7a
0x00401c7b
0x00401c7b
0x00401c7b
0x00401c7d
0x00000000
0x00000000
0x00401c8c
0x00000000
0x00000000
0x00401c90
0x00000000
0x00000000
0x00401c94
0x00000000
0x00000000
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9f
0x00000000
0x00000000
0x00401ca3
0x00401ca5
0x00000000
0x00000000
0x00000000
0x00000000
0x00401caf
0x00401cb1
0x00401cab
0x00401cab
0x00000000
0x00401cab
0x00401cb3
0x00401cb3
0x00401cb5
0x00000000
0x00000000
0x00401ca7
0x00401ca7
0x00000000
0x00000000
0x00401cb9
0x00401cbb
0x00401c81
0x00401c81
0x00401c83
0x00401c83
0x00401c85
0x00401c87
0x00000000
0x00401c87
0x00401cbd
0x00401cbf
0x00401cc0
0x00401cc0
0x00401cc0
0x00401cc2
0x00000000
0x00000000
0x00401cc6
0x00000000
0x00000000
0x00401cca
0x00000000
0x00000000
0x00401cce
0x00000000
0x00000000
0x00000000
0x00401ce9
0x00401cf3
0x00401cf9
0x00000000
0x00000000
0x00401d01
0x00401d05
0x00401d0b
0x00401d0d
0x00401d63
0x00401d65
0x00401d93
0x00401d99
0x00401d9d
0x00401d9f
0x00401d9f
0x00401da2
0x00401da3
0x00401da8
0x00401dad
0x00401daf
0x00000000
0x00401daf
0x00401d67
0x00401d69
0x00000000
0x00000000
0x00401d6f
0x00401d74
0x00401d79
0x00401d7c
0x00401d81
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d0f
0x00401d0f
0x00401d0f
0x00401d10
0x00401d12
0x00000000
0x00000000
0x00401d14
0x00401d16
0x00401d18
0x00000000
0x00000000
0x00401d1a
0x00401d1c
0x00000000
0x00000000
0x00401d1e
0x00401d21
0x00401d28
0x00401d2d
0x00401d37
0x00401d3c
0x00401d41
0x00401d42
0x00401d42
0x00401d45
0x00000000
0x00401d45
0x00000000
0x00000000
0x00401dc1
0x00401dc5
0x00401dce
0x00401dd0
0x00401dd6
0x00401dd8
0x00401de1
0x00401de3
0x00401de7
0x00401de7
0x00401deb
0x00401ded
0x00401df6
0x00401df6
0x00401df8
0x00401dfd
0x00401dff
0x00401e57
0x00401e59
0x00401e5e
0x00401e60
0x00401e67
0x00401e69
0x00401e6c
0x00401e75
0x00000000
0x00401e01
0x00401e08
0x00401e0c
0x00401e13
0x00401e17
0x00401e1a
0x00401e1c
0x00401e48
0x00401e7b
0x00401e7b
0x00401e7f
0x00401e7f
0x00401e83
0x00000000
0x00000000
0x00000000
0x00401e89
0x00401e1e
0x00401e32
0x00401e34
0x00401e36
0x00401e3b
0x00000000
0x00401e3b
0x00000000
0x00401e8f
0x00401e96
0x00401e9c
0x00401e9c
0x00401e9e
0x00401bb2
0x00401bb2
0x00000000
0x00401bb2
0x00401ea4
0x00000000
0x00000000
0x00401eb6
0x00401eb8
0x00401ec1
0x00000000
0x00000000
0x00401ecc
0x00401ed3
0x00401edf
0x00000000
0x00000000
0x00401eea
0x00401ef2
0x00401f03
0x00401ef4
0x00401ef6
0x00401efb
0x00401f09
0x00401f0b
0x00401f0f
0x00401f11
0x00401f13
0x00401f16
0x00401f19
0x00401f1d
0x00401f1f
0x00401f21
0x00401f24
0x00401f27
0x00401f2a
0x00401f2e
0x00401f33
0x00401f3e
0x00401f35
0x00401f37
0x00401f37
0x00401f43
0x00401f4d
0x00401f57
0x00401f61
0x00401f69
0x00401f6f
0x00401f71
0x00401f7a
0x00401f88
0x00401f92
0x00401f98
0x00401f9a
0x00401f9c
0x00401f9e
0x00401fa1
0x00401fa1
0x00401f9e
0x00401fa7
0x00401fac
0x00000000
0x00401fb2
0x00401fb2
0x00000000
0x00401fb2
0x00000000
0x00401fc1
0x00401fce
0x00401fd0
0x00401fd8
0x00401fe0
0x00401feb
0x00401ff3
0x00401ff9
0x00401ffd
0x00402001
0x00402008
0x0040200a
0x00402011
0x00402016
0x00402018
0x0040201a
0x0040201d
0x00402022
0x00402027
0x0040202d
0x00402037
0x0040203d
0x00402041
0x00402042
0x00000000
0x00000000
0x00402050
0x00402059
0x0040205a
0x0040205b
0x0040205f
0x0040206c
0x00402061
0x00402061
0x00402061
0x00000000
0x00000000
0x0040207f
0x00402088
0x00402091
0x0040209f
0x004020a4
0x004020a8
0x004020ac
0x004020b0
0x004020b2
0x004020b6
0x004020ba
0x004020be
0x004020c1
0x004020c5
0x004020c8
0x004020cc
0x004020ce
0x004020d1
0x004020d9
0x004020dc
0x004020e0
0x004020e5
0x004020ea
0x004020ec
0x00000000
0x00000000
0x004020f2
0x004020f7
0x00000000
0x00000000
0x00402104
0x00402110
0x00000000
0x00000000
0x00402121
0x00402126
0x0040212c
0x00402131
0x00402135
0x00402137
0x00402139
0x00000000
0x00000000
0x0040213f
0x00402143
0x00402146
0x0040214b
0x0040214f
0x0040215f
0x00402160
0x00402165
0x00402151
0x00402156
0x00402156
0x0040214f
0x00402110
0x00000000
0x00000000
0x0040216e
0x00402179
0x0040217b
0x0040217d
0x00402190
0x00402192
0x00402195
0x00000000
0x00402195
0x00402183
0x00402188
0x00000000
0x00000000
0x0040219f
0x004021a4
0x004021a8
0x004021ac
0x004021ad
0x004021b0
0x004021b5
0x004021b7
0x004021b9
0x004021bd
0x004021bf
0x004021c2
0x004021c3
0x004021c6
0x004021c8
0x004021d1
0x004021d7
0x004021db
0x004021dd
0x004021ec
0x004021ee
0x004021f3
0x004021f7
0x004021fb
0x004021ff
0x00402200
0x00402204
0x00402206
0x00402208
0x0040220a
0x0040220e
0x0040220f
0x00402213
0x00402214
0x00402219
0x0040221d
0x00402221
0x00402223
0x00402225
0x00402232
0x00402237
0x00402247
0x0040224c
0x0040224c
0x00402223
0x00402252
0x00402252
0x004021dd
0x00000000
0x00000000
0x0040225d
0x0040225f
0x00402260
0x00402262
0x00402268
0x0040233e
0x00402343
0x00000000
0x00402343
0x00402275
0x00402278
0x00402281
0x00402285
0x00402289
0x0040229c
0x004022a0
0x004022a6
0x004022a8
0x004022aa
0x00402335
0x0040233a
0x00000000
0x0040233a
0x004022b0
0x004022ba
0x004022bc
0x004022c0
0x004022c2
0x0040230c
0x004022c4
0x004022c4
0x004022c6
0x004022ca
0x004022e6
0x004022ea
0x004022ef
0x004022f4
0x004022f9
0x004022fe
0x004022ff
0x00402301
0x004022cc
0x004022d5
0x004022da
0x004022de
0x004022e0
0x004022e2
0x004022e2
0x004022e0
0x004022ca
0x00402311
0x00402315
0x0040231c
0x00402321
0x00402323
0x0040232a
0x0040232a
0x00402323
0x00000000
0x00402315
0x0040228c
0x00402292
0x00402294
0x00402296
0x00000000
0x00000000
0x00402298
0x00000000
0x00000000
0x00402358
0x0040235c
0x00402361
0x00402365
0x00402370
0x0040237b
0x00402384
0x00402388
0x0040238e
0x00402394
0x00402396
0x0040239a
0x0040239c
0x004023a2
0x004023a5
0x004023a9
0x004023ad
0x004023b0
0x004023b4
0x004023b9
0x004023bb
0x004023bf
0x004023bf
0x004023c4
0x004023c8
0x004023ca
0x004023cb
0x004023d0
0x004023d1
0x004023d2
0x004023d3
0x004023d8
0x004023de
0x004023e0
0x004023e2
0x004023e8
0x004023ec
0x004023f0
0x004023f1
0x004023f6
0x004023f7
0x004023fb
0x004023fd
0x004023ff
0x00402405
0x00402409
0x0040240d
0x0040240e
0x00402413
0x00402415
0x00402419
0x0040241b
0x0040241f
0x00402424
0x00402425
0x00402427
0x00402427
0x0040242a
0x0040242c
0x0040242e
0x00402432
0x00402433
0x00402434
0x00402436
0x00402436
0x00402439
0x0040243d
0x00402441
0x00402442
0x00402444
0x00402447
0x0040244b
0x0040244e
0x00402450
0x00402454
0x00402458
0x00402459
0x0040245b
0x0040245c
0x0040245c
0x0040245f
0x00402463
0x00402467
0x00402468
0x0040246a
0x0040246d
0x00402471
0x00402475
0x00402476
0x00402478
0x0040247b
0x0040247d
0x0040247f
0x00402483
0x00402484
0x00402488
0x0040248a
0x0040248e
0x0040248e
0x00402490
0x00402494
0x00402495
0x00402497
0x00402497
0x0040249a
0x0040249e
0x0040249f
0x004024a1
0x004024a1
0x004024a6
0x004024b1
0x004024b5
0x004024ba
0x00000000
0x00000000
0x004024ca
0x004024d3
0x004024db
0x004024dd
0x004024e2
0x004024e4
0x004024f3
0x004024f8
0x004024fc
0x00402504
0x00402509
0x0040250c
0x00402511
0x00402516
0x0040251a
0x0040251f
0x00402524
0x00402528
0x0040252c
0x00402530
0x0040253a
0x0040253f
0x00402545
0x00402547
0x00000000
0x00000000
0x0040254d
0x004024e9
0x00000000
0x00000000
0x0040254f
0x00402555
0x00401d50
0x00401d50
0x00401d55
0x00401d57
0x00401d5d
0x00401a97
0x00401a97
0x004015dc
0x004015dc
0x00000000
0x004015dc
0x0040255b
0x00000000
0x00000000
0x00402566
0x00402568
0x0040256a
0x0040256c
0x00402574
0x00402576
0x00402576
0x0040257a
0x0040257c
0x00402585
0x00402585
0x00402587
0x0040258b
0x00402594
0x00402594
0x00402598
0x004025a1
0x00401701
0x00401701
0x00401703
0x00000000
0x00000000
0x00000000
0x00000000
0x004025ac
0x004025ae
0x004025b6
0x004025bf
0x004025c8
0x004025ca
0x004025cf
0x004025e1
0x004025e7
0x004025e9
0x004025ea
0x004025ee
0x00000000
0x00000000
0x004025f4
0x004025f6
0x00000000
0x00000000
0x004025ff
0x00402601
0x00402602
0x00402606
0x00402631
0x0040263a
0x0040263d
0x00402643
0x00402648
0x00402608
0x0040260f
0x00402611
0x00402613
0x00402617
0x00402625
0x00402627
0x00402627
0x00402613
0x0040264a
0x0040264c
0x0040264e
0x00000000
0x00000000
0x00402656
0x0040265a
0x0040265e
0x00402664
0x0040266f
0x00402673
0x00402678
0x00402689
0x0040268a
0x0040268c
0x00402692
0x00402697
0x0040269b
0x0040269d
0x0040269f
0x004026a2
0x004026a6
0x004026a8
0x00000000
0x00000000
0x004026ae
0x004026b2
0x004026b7
0x004026b9
0x004026d1
0x004026d3
0x004026d4
0x004026d6
0x004026e7
0x004026e9
0x004026ec
0x004026fe
0x004026fe
0x004026d8
0x004026e0
0x004026e0
0x004026bb
0x004026bd
0x004026c8
0x004026c8
0x00402701
0x00402710
0x00402716
0x00402718
0x0040271a
0x00000000
0x00000000
0x0040272d
0x00402734
0x00402736
0x0040273b
0x0040273d
0x00402740
0x00402742
0x00000000
0x00000000
0x00402748
0x0040274c
0x00402756
0x0040275e
0x00402764
0x00402766
0x00402767
0x00402769
0x004027a4
0x004027a4
0x004027a6
0x004027a8
0x0040271c
0x0040271d
0x00000000
0x0040271d
0x0040276b
0x00402770
0x00402790
0x00402792
0x00402797
0x0040279a
0x00000000
0x0040279a
0x00402772
0x00402776
0x0040277f
0x0040277f
0x00402783
0x00402785
0x00000000
0x00402785
0x00402778
0x0040277d
0x00000000
0x00000000
0x00000000
0x00000000
0x004027bc
0x004027be
0x004027c3
0x004027c8
0x004027ca
0x004027cd
0x004027cf
0x00000000
0x00000000
0x004027d5
0x004027da
0x004027de
0x004027e2
0x004027f4
0x004027fc
0x00402804
0x00402805
0x0040280a
0x004027e4
0x004027e8
0x004027e8
0x0040280e
0x00402811
0x00402818
0x00000000
0x00000000
0x00402824
0x00402829
0x0040282b
0x00000000
0x00000000
0x00402110
0x00402110
0x00000000
0x00000000
0x00402839
0x00402847
0x0040284c
0x0040284f
0x00401afd
0x00401afd
0x004016b6
0x004016b6
0x00000000
0x004016b6
0x00000000
0x00000000
0x0040285f
0x00402863
0x00402865
0x00402869
0x0040286c
0x00402870
0x00402875
0x0040287a
0x0040287b
0x0040287f
0x00402881
0x00402899
0x0040289c
0x004028c5
0x004028cb
0x004028d2
0x0040289e
0x004028b0
0x004028bf
0x004028bf
0x00402883
0x00402884
0x0040288d
0x0040288f
0x00402896
0x00402896
0x004028d4
0x004028d7
0x00000000
0x004028dd
0x004028e3
0x004028e9
0x004028e9
0x004028ed
0x00402904
0x0040290b
0x00402910
0x00402912
0x00000000
0x00000000
0x00000000
0x00402918
0x004028ef
0x004028f3
0x00000000
0x00000000
0x004028f7
0x004028fc
0x004028fe
0x00000000
0x00000000
0x00000000
0x004028fe
0x00000000
0x0040291d
0x0040291f
0x00402921
0x00402925
0x00402929
0x0040292e
0x00402930
0x00402932
0x00402934
0x00000000
0x00000000
0x0040293a
0x0040293f
0x00402944
0x00402948
0x0040294b
0x00402aa2
0x00402aa2
0x00402aa6
0x00402aa8
0x00402aaa
0x00402aac
0x00401a10
0x00401a10
0x00000000
0x00401a10
0x00402952
0x0040295b
0x0040295d
0x00402961
0x00402965
0x00000000
0x00000000
0x0040296b
0x00402973
0x00402975
0x00402975
0x0040297a
0x00402a33
0x00402a37
0x00402a4c
0x00402a4e
0x00402a54
0x00402a59
0x00402a5b
0x00000000
0x00000000
0x00402a5d
0x00402a5d
0x00402a61
0x00402a65
0x00402a65
0x00402a69
0x00402ae4
0x00402ae9
0x00000000
0x00402ae9
0x00402a6b
0x00402a6d
0x00402a6e
0x00402a73
0x00402a75
0x00402a76
0x00402ab5
0x00402ab5
0x00402aba
0x00402ad3
0x00402adc
0x00000000
0x00402adc
0x00402abc
0x00402ac1
0x00402ac8
0x00402ac8
0x00402acd
0x00000000
0x00402acd
0x00402ac3
0x00402ac6
0x00000000
0x00000000
0x00000000
0x00402ac6
0x00402a78
0x00402a7d
0x00000000
0x00000000
0x00402a7f
0x00402a83
0x00402a84
0x00402a87
0x00402a8b
0x00402a8f
0x00402a92
0x00000000
0x00000000
0x00000000
0x00402a92
0x00402a39
0x00402a3b
0x00000000
0x00000000
0x00402a3f
0x00402a44
0x00402a46
0x00000000
0x00000000
0x00402a48
0x00000000
0x00402a48
0x00402980
0x00402981
0x00402985
0x00402986
0x00402988
0x0040298e
0x00402994
0x0040299a
0x0040299c
0x00000000
0x00000000
0x004029a2
0x004029a6
0x004029aa
0x004029ac
0x00000000
0x00000000
0x004029b2
0x004029b7
0x004029bb
0x004029bf
0x00000000
0x00000000
0x004029cc
0x004029d4
0x004029da
0x004029dc
0x00000000
0x00000000
0x004029de
0x004029e2
0x004029e4
0x004029e6
0x004029e6
0x004029e6
0x004029e6
0x004029eb
0x004029f0
0x004029f4
0x00000000
0x00000000
0x004029f7
0x004029f8
0x004029ff
0x00402a03
0x00402a07
0x00402a17
0x00402a1f
0x00402a25
0x00402a29
0x00402a2d
0x00402a2f
0x00000000
0x00000000
0x00000000
0x00402a31
0x00000000
0x00402a94
0x00402a94
0x00402a98
0x00402a98
0x00000000
0x00000000
0x00402af3
0x00402af5
0x00402af6
0x00000000
0x00402afc
0x00402afe
0x00402b0b
0x00402b11
0x00402b17
0x00402b1b
0x00000000
0x00000000
0x00000000
0x00402b1b
0x00000000
0x00402b29
0x00402b2e
0x00402b30
0x00402b37
0x00402b37
0x00000000
0x00000000
0x00402b43
0x00402b48
0x00402b4a
0x004018be
0x004018c0
0x004018c1
0x004018c3
0x00000000
0x004018c3
0x00402b50
0x00402b59
0x00402b5f
0x00402b61
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b77
0x00402b7c
0x00402b85
0x00402b8b
0x00402b8e
0x00402b9c
0x00402b67
0x00402b67
0x00402b6e
0x00402b6f
0x00000000
0x00402b6f
0x00402b90
0x00402b92
0x00402855
0x00402855
0x00402857
0x00000000
0x00000000
0x00402ba5
0x00402bb2
0x00402bb5
0x00402bb9
0x00402bbe
0x00402bc0
0x00402bc4
0x00402bc4
0x00402bca
0x00402bdc
0x00402bde
0x00402be2
0x00402be5
0x00402cb7
0x00402cb7
0x00402cb9
0x00402cba
0x00402cbe
0x00402ccf
0x00402cc0
0x00402cc0
0x00402cc2
0x00402cc4
0x00402ccc
0x00402ccc
0x00402cd3
0x00402cd8
0x00402345
0x00402345
0x00000000
0x00402beb
0x00402beb
0x00402bef
0x00402bf3
0x00402bf7
0x00402ca3
0x00402cad
0x00402cb1
0x00000000
0x00402cb1
0x00402bfd
0x00402c05
0x00402c0f
0x00402c11
0x00402c15
0x00402c17
0x00402c9f
0x00000000
0x00402c9f
0x00402c28
0x00402c39
0x00402c3b
0x00402c3f
0x00402c41
0x00402c84
0x00402c88
0x00402c8e
0x00402c9a
0x00000000
0x00402c9a
0x00402c4d
0x00402c52
0x00402c55
0x00402c7a
0x00402c7e
0x00000000
0x00402c7e
0x00402c57
0x00402c59
0x00402c59
0x00402c5b
0x00402c5e
0x00402c66
0x00402c6b
0x00402c6d
0x00402c6d
0x00402c72
0x00402c76
0x00000000
0x00402c76
0x00000000
0x00402cdf
0x00402ce4
0x00402ce7
0x00402ced
0x00000000
0x00000000
0x00402cf3
0x00402cf7
0x00402cfd
0x00402d03
0x00402d05
0x00402d1a
0x00402d1d
0x00402d1d
0x00402d1f
0x00402d23
0x00402d35
0x00402d39
0x00402d3c
0x00402d3d
0x00402d42
0x00402d42
0x00402d42
0x00402d49
0x00402d25
0x00402d2d
0x00402d2f
0x00402d2f
0x00402d4d
0x00402d51
0x00402d54
0x00402d58
0x00402d5f
0x00402d5f
0x00000000
0x00402d58
0x00402d07
0x00402d0a
0x00000000
0x00000000
0x00402d10
0x00402d13
0x00402d14
0x00401d46
0x00401d46
0x00000000
0x00000000
0x00402d6f
0x00402d72
0x00402d75
0x00401709
0x0040170b
0x00000000
0x0040170b
0x00402d7b
0x00402d7f
0x00402da4
0x00402da9
0x00402dad
0x00402dbf
0x00402dc6
0x00402dc7
0x00402daf
0x00402daf
0x00402db3
0x00402db3
0x00000000
0x00402dad
0x00402d81
0x00402d85
0x00402d9a
0x00402b21
0x00402b21
0x00402b22
0x00000000
0x00402b22
0x00402d8f
0x00000000
0x00000000
0x00402dd1
0x00402dd5
0x00402dd5
0x00402dd7
0x00402e2c
0x00402e2e
0x00402e33
0x00402e35
0x00402e72
0x00402e74
0x00402e75
0x00402e77
0x00000000
0x00402e77
0x00402e37
0x00402e3b
0x00402e3c
0x00402e3d
0x00402e43
0x00402e45
0x00000000
0x00000000
0x00402e47
0x00402e4b
0x00402e4c
0x00402e4d
0x00402e51
0x00402e55
0x00402e56
0x00402e58
0x00402e5a
0x00000000
0x00000000
0x00402e61
0x00402e66
0x00402e6a
0x00000000
0x00402e6a
0x00402dd9
0x00402dd9
0x00402ddc
0x00000000
0x00000000
0x00402deb
0x00402ded
0x00402df3
0x00402df7
0x00402dfa
0x00402dff
0x00402e01
0x00402e06
0x00402e11
0x00402e16
0x00402e1a
0x004016b7
0x004016b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00402e7c
0x00402e88
0x00402e8e
0x00402e92
0x00402e9b
0x00402e9b
0x00000000
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32(?,?,00000000,00000000), ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32 ref: 00401890
SearchPathW.KERNELBASE(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
SetUserObjectSecurity.USER32 ref: 00401914
lstrcatW.KERNEL32(00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,00000000,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Call,40000000,00000001,Call,00000000), ref: 00401A5A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,00000000), ref: 00401A82

Strings

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 00401798, 0040190E
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp, xrefs: 00401998, 004019BB
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$ChangeCloseCompareCurrentDirectoryFindForegroundFullMessageMoveNotificationObjectPostQuitSearchSecurityShortSleepUser
String ID: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp$C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$Call
API String ID: 1977429558-4091494395
Opcode ID: db1ce9060cecfb2e0718cc752e6bbe8ceafac46b7366c05d7717f681698771ae
Instruction ID: 8c1cf908ae02b995a3a41f7ffac76b054db7533a66b8d62ade7f549c41348504
Opcode Fuzzy Hash: db1ce9060cecfb2e0718cc752e6bbe8ceafac46b7366c05d7717f681698771ae
Instruction Fuzzy Hash: 38D10870604301BBD710AF26CD85E2B76A8EF85359F204A3FF452B62E1D77CD9019A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004033ED Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004033ED(void* __eflags, signed int _a4) {
				char _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				long _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				long _t35;
				void* _t45;
				intOrPtr* _t49;
				long _t50;
				void* _t56;
				intOrPtr _t64;
				struct HINSTANCE__* _t70;
				signed int _t72;
				void* _t73;
				void* _t76;
				intOrPtr _t78;
				long _t80;
				long _t83;
				long _t86;
				void* _t87;
				void* _t88;

				_t80 = 0;
				_t70 = 0;
				_v32 = 0;
				_v36 = 0;
				_t35 = GetTickCount();
				_t84 = L"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe";
				 *0x435a00 = _t35 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\alfons\\Desktop\\Ta62k9weDV.exe", 0x400);
				_t88 = E0040691B(_t84, 0x80000000, 3);
				 *0x40b010 = _t88;
				if(_t88 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t85 = L"C:\\Users\\alfons\\Desktop";
				E00406B1A(L"C:\\Users\\alfons\\Desktop", _t84);
				E00406B1A(0x444000, E00406D10(_t85));
				_t86 = GetFileSize(_t88, 0);
				 *0x40d968 = _t86;
				if(_t86 == 0) {
					L21:
					E00403389(1);
					_pop(_t73);
					if( *0x435a08 == 0) {
						L32:
						return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
					}
					if(_t70 == 0) {
						L25:
						_t45 = GlobalAlloc(0x40, _v8); // executed
						_t87 = _t45;
						E00403131( *0x435a08 + 0x1c);
						if(E00403148(0xffffffff, 0, _t87, _v12) != _v28) {
							goto L32;
						}
						 *0x435a10 = _t87;
						 *0x435a0c =  *_t87;
						if((_v28 & 0x00000001) != 0) {
							 *0x435a04 =  *0x435a04 + 1;
						}
						_t76 = 8;
						_t31 = _t87 + 0x44; // 0x44
						_t49 = _t31;
						do {
							_t49 = _t49 - 8;
							 *_t49 =  *_t49 + _t87;
							_t76 = _t76 - 1;
						} while (_t76 != 0);
						_t50 = SetFilePointer(_t88, 0, 0, 1); // executed
						 *(_t87 + 0x3c) = _t50;
						_t34 = _t87 + 4; // 0x4
						E004066B4(0x435a20, _t34, 0x40);
						return 0;
					}
					E00403131( *0x40d96c);
					_t56 = E00406948(_t73,  *0x40b010,  &_v0, 4); // executed
					if(_t56 == 0 || _t80 != _a4) {
						goto L32;
					} else {
						goto L25;
					}
				}
				_t72 = _a4;
				while(1) {
					_t82 =  !=  ? 0x8000 : 0x200;
					_t83 =  <  ? _t86 :  !=  ? 0x8000 : 0x200;
					if(E0040311B(0x417538, 0x200) == 0) {
						break;
					}
					if( *0x435a08 != 0) {
						if((_t72 & 0x00000002) == 0) {
							E00403389(0);
						}
						L17:
						if(_t86 <  *0x40d968) {
							_v44 = E00406E3C(_v32, 0x417538, _t83);
						}
						 *0x40d96c =  *0x40d96c + _t83;
						_t86 = _t86 - _t83;
						if(_t86 != 0) {
							continue;
						} else {
							L20:
							_t80 = _v32;
							_t22 =  &_v36; // 0x417538
							_t70 =  *_t22;
							goto L21;
						}
					}
					E004066B4( &_v28, 0x417538, 0x1c);
					if((_v40 & 0xfffffff0) == 0 && _v24 == 0xdeadbeef && _v12 == 0x74736e49 && _v16 == 0x74666f73 && _v20 == 0x6c6c754e) {
						_t64 =  *0x40d96c; // 0x931e6
						_t72 = _t72 | _v28;
						_t78 = _v4;
						 *0x435a08 = _t64;
						 *0x435ae0 =  *0x435ae0 | _t72 & 0x00000002;
						if(_t78 > _t86) {
							goto L32;
						}
						if((_t72 & 0x0000000c) == 4) {
							goto L20;
						}
						_v36 = _v36 + 1;
						_t86 = _t78 - 4;
						if(0x200 > _t86) {
							_t83 = _t86;
						}
					}
					goto L17;
				}
				E00403389(1);
				goto L32;
			}

0x004033f4
0x004033f6
0x004033f8
0x004033fc
0x00403400
0x0040340b
0x00403417
0x0040341c
0x0040342f
0x00403431
0x0040343a
0x00000000
0x0040343c
0x00403447
0x0040344d
0x0040345e
0x0040346c
0x0040346e
0x00403476
0x00403572
0x00403574
0x00403580
0x00403581
0x00403640
0x00000000
0x00403640
0x00403589
0x004035ba
0x004035c0
0x004035cc
0x004035d2
0x004035ea
0x00000000
0x00000000
0x004035f1
0x004035f9
0x004035fe
0x00403600
0x00403600
0x00403608
0x00403609
0x00403609
0x0040360c
0x0040360c
0x0040360f
0x00403611
0x00403611
0x0040361b
0x00403621
0x00403624
0x0040362f
0x00000000
0x00403634
0x00403591
0x004035a3
0x004035aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004035aa
0x0040347c
0x00403480
0x00403491
0x00403496
0x004034a6
0x00000000
0x00000000
0x004034b3
0x00403537
0x0040353b
0x00403540
0x00403541
0x00403547
0x00403558
0x00403558
0x0040355c
0x00403562
0x00403564
0x00000000
0x0040356a
0x0040356a
0x0040356a
0x0040356e
0x0040356e
0x00000000
0x0040356e
0x00403564
0x004034c1
0x004034ce
0x004034f8
0x004034fd
0x00403501
0x00403505
0x0040350f
0x00403517
0x00000000
0x00000000
0x00403523
0x00000000
0x00000000
0x00403525
0x00403529
0x0040352e
0x00403530
0x00403530
0x0040352e
0x00000000
0x004034ce
0x0040363a
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403400
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ta62k9weDV.exe,00000400,?,?,?,?,?), ref: 0040341C

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ta62k9weDV.exe,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 00403466
GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?), ref: 004035C0

Strings

Error launching installer, xrefs: 0040343C
Null, xrefs: 004034EE
8uA, xrefs: 0040356E
1, xrefs: 004034F8, 0040355C
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 00403452
soft, xrefs: 004034E4
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033F3
Inst, xrefs: 004034DA
C:\Users\user\Desktop\Ta62k9weDV.exe, xrefs: 0040340B, 00403415, 00403429, 00403446
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403640

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: 8uA$C:\Users\user\Desktop$C:\Users\user\Desktop\Ta62k9weDV.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$1
API String ID: 2803837635-2011116195
Opcode ID: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction ID: 38a706e546d8de2da2def33f7086105d1948706aa1bd56b4a23ee49e5693a868
Opcode Fuzzy Hash: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction Fuzzy Hash: 0A51B171504310BFD720AF21DD81B1B7BA8AB4471AF10093FFA55B72E1C7789A848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBA Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00405EBA() {
				signed int _t33;
				WCHAR* _t35;
				void* _t39;
				void* _t40;
				short _t41;
				signed int _t46;
				void* _t48;
				int _t49;
				void* _t58;
				signed int _t59;
				signed int _t60;
				signed int _t65;
				WCHAR* _t78;
				signed char* _t80;
				signed int _t84;
				signed int _t85;
				WCHAR* _t90;
				short _t91;
				WCHAR* _t93;
				void* _t96;
				signed int _t101;
				signed int _t103;
				signed char* _t107;
				signed int _t110;
				void* _t111;

				_t33 =  *(_t111 + 8);
				if(_t33 < 0) {
					_t33 =  *( *0x4349e0 - 4 + _t33 * 4);
				}
				_t90 = 0x4339a0;
				_t78 =  *(_t111 + 0x1c);
				_t107 =  *0x435a38 + _t33 * 2;
				_t93 = 0x4339a0;
				if(_t78 >= 0x4339a0 && _t78 - 0x4339a0 >> 1 < 0x800) {
					_t93 = _t78;
					_t78 = 0;
					 *((intOrPtr*)(_t111 + 0x24)) = 0;
				}
				_t84 =  *_t107 & 0x0000ffff;
				if(_t84 == 0) {
					L41:
					 *_t93 = 0;
					if(_t78 == 0) {
						_t35 = _t90;
					} else {
						_t35 = E00406B1A(_t78, _t90);
					}
					return _t35;
				} else {
					_t96 = 2;
					while(1) {
						_t80 = _t107;
						if((_t93 - _t90 & 0xfffffffe) >= 0x800) {
							break;
						}
						_t91 = _t84 & 0x0000ffff;
						_t107 =  &(_t107[_t96]);
						_t39 = 4;
						if(_t91 >= _t39) {
							if(__eflags != 0) {
								 *_t93 = _t91;
							} else {
								_t41 =  *_t107;
								_t107 =  &(_t80[4]);
								 *_t93 = _t41;
							}
							_t40 = _t96;
							L39:
							_t84 =  *_t107 & 0x0000ffff;
							_t93 = _t93 + _t40;
							_t90 = 0x4339a0;
							if(_t84 != 0) {
								continue;
							}
							break;
						}
						_t85 =  *_t107 & 0x000000ff;
						_t101 = (_t80[3] & 0x0000007f) << 0x00000007 |  *_t107 & 0x0000007f;
						 *(_t111 + 0x18) = _t85;
						 *(_t111 + 0x14) = _t85 | 0x00008000;
						_t46 = _t107[1] & 0x000000ff;
						_t107 =  &(_t80[4]);
						 *(_t111 + 0x20) = _t46;
						 *(_t111 + 0x20) = _t46 | 0x00008000;
						_t48 = 2;
						 *(_t111 + 0x10) = _t107;
						if(_t91 != _t48) {
							__eflags = _t91 - 3;
							if(_t91 != 3) {
								__eflags = _t91 - 1;
								if(__eflags == 0) {
									_push( !_t101);
									_push(_t93);
									E00405EBA();
								}
							} else {
								__eflags = _t101 - 0x1d;
								if(__eflags != 0) {
									E00406B1A(_t93, (_t101 << 0xb) + 0x436000);
									__eflags = _t101 - 0x15 - 7;
									if(__eflags < 0) {
										E00406D3D(_t93);
									}
								} else {
									E0040661F(_t93,  *0x4349f8);
								}
							}
							L34:
							_t49 = lstrlenW(_t93);
							_t40 = _t49 + _t49;
							_t96 = 2;
							goto L39;
						}
						_t58 = 4;
						_t110 =  !=  ? _t58 : _t48;
						_t121 = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 != 0x24) {
									do {
										_t59 =  *0x4349f0;
										_t110 = _t110 - 1;
										__eflags = _t59;
										if(_t59 == 0) {
											L19:
											_t60 = _t111 + 0x2c;
											_push(_t60);
											_push( *((intOrPtr*)(_t111 + 0x18 + _t110 * 4)));
											_push( *0x4349f8);
											L0040802C();
											__eflags = _t60;
											if(_t60 != 0) {
												goto L21;
											}
											__imp__SHGetPathFromIDListW( *((intOrPtr*)(_t111 + 0x30)), _t93);
											__imp__CoTaskMemFree( *(_t111 + 0x2c));
											__eflags = _t60;
											if(_t60 != 0) {
												break;
											}
											goto L21;
										}
										_t65 =  *_t59( *0x4349f8,  *((intOrPtr*)(_t111 + 0x20 + _t110 * 4)), 0, 0, _t93); // executed
										__eflags = _t65;
										if(_t65 == 0) {
											break;
										}
										goto L19;
										L21:
										 *_t93 = 0;
										__eflags = _t110;
									} while (_t110 != 0);
									L22:
									_t103 =  *(_t111 + 0x20);
									goto L23;
								}
								GetWindowsDirectoryW(_t93, 0x400);
								goto L22;
							}
							GetSystemDirectoryW(_t93, 0x400);
							goto L22;
						} else {
							E00406977(_t85 & 0x0000003f, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x435a38 + (_t85 & 0x0000003f) * 2, _t93, _t85 & 0x00000040); // executed
							_t103 =  *(_t111 + 0x20);
							if( *_t93 == 0) {
								_push(_t103);
								_push(_t93);
								E00405EBA();
							}
							L23:
							if( *_t93 != 0 && _t103 == 0x1a) {
								lstrcatW(_t93, L"\\Microsoft\\Internet Explorer\\Quick Launch");
							}
							E00406D3D(_t93);
							_t107 =  *(_t111 + 0x10);
							goto L34;
						}
					}
					_t78 =  *(_t111 + 0x28);
					goto L41;
				}
			}

0x00405eba
0x00405ec3
0x00405ed4
0x00405ed4
0x00405edc
0x00405ee2
0x00405ee7
0x00405eed
0x00405ef1
0x00405f00
0x00405f02
0x00405f04
0x00405f04
0x00405f08
0x00405f0f
0x00406103
0x00406105
0x0040610a
0x00406115
0x0040610c
0x0040610e
0x0040610e
0x0040611d
0x00405f15
0x00405f18
0x00405f19
0x00405f1b
0x00405f27
0x00000000
0x00000000
0x00405f2f
0x00405f32
0x00405f34
0x00405f38
0x004060d7
0x004060e5
0x004060d9
0x004060d9
0x004060dd
0x004060e0
0x004060e0
0x004060e8
0x004060ea
0x004060ea
0x004060ee
0x004060f0
0x004060f8
0x00000000
0x00000000
0x00000000
0x004060f8
0x00405f49
0x00405f53
0x00405f55
0x00405f60
0x00405f64
0x00405f68
0x00405f6b
0x00405f76
0x00405f7a
0x00405f7b
0x00405f82
0x00406082
0x00406085
0x004060bb
0x004060be
0x004060c2
0x004060c3
0x004060c4
0x004060c4
0x00406087
0x00406087
0x0040608a
0x004060a6
0x004060ae
0x004060b1
0x004060b4
0x004060b4
0x0040608c
0x00406093
0x00406093
0x0040608a
0x004060c9
0x004060ca
0x004060d2
0x004060d4
0x00000000
0x004060d4
0x00405f93
0x00405f94
0x00405f97
0x00405f99
0x00405fd9
0x00405fdc
0x00405fec
0x00405fef
0x00405fff
0x00405fff
0x00406004
0x00406005
0x00406007
0x0040601e
0x0040601e
0x00406022
0x00406023
0x00406027
0x0040602d
0x00406032
0x00406034
0x00000000
0x00000000
0x0040603b
0x00406047
0x0040604d
0x0040604f
0x00000000
0x00000000
0x00000000
0x0040604f
0x00406018
0x0040601a
0x0040601c
0x00000000
0x00000000
0x00000000
0x00406051
0x00406053
0x00406056
0x00406056
0x0040605a
0x0040605a
0x00000000
0x0040605a
0x00405ff7
0x00000000
0x00405ff7
0x00405fe4
0x00000000
0x00405f9b
0x00405fb9
0x00405fc3
0x00405fc7
0x00405fcd
0x00405fce
0x00405fcf
0x00405fcf
0x0040605e
0x00406063
0x00406070
0x00406070
0x00406077
0x0040607c
0x00000000
0x0040607c
0x00405f99
0x004060fe
0x00000000
0x00406102

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FE4

Part of subcall function 00406B1A: lstrcpynW.KERNEL32(?,?,00000400,00403871,00434A00,NSIS Error), ref: 00406B27

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DDE

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 00405FF7
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 004060CA

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405FAF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040606A
Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 00405F15
Call, xrefs: 00405EDC, 00405FAA, 00405FCE, 00405FE3, 00405FF6, 00406009, 00406036, 0040606F, 00406076, 00406092, 004060A5, 004060B3, 004060C3, 004060C9, 004060F0, 0040610C

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-1238835803
Opcode ID: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
Instruction ID: 8c51b57b95ad5d2f56c6428f73255cfba4eda90222275d8884e674a65d57f274
Opcode Fuzzy Hash: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
Instruction Fuzzy Hash: 05611471240216ABDB20AF248C40A7B76A5EF99314F12453FF942FB2D1D77CD9218B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00405D3A(signed int _a4, WCHAR* _a8) {
				WCHAR* _v40;
				long _v52;
				int _v56;
				void* _v60;
				void* _t18;
				signed int _t19;
				long _t20;
				signed char _t29;
				signed int _t35;
				WCHAR* _t39;
				WCHAR* _t40;
				struct HWND__* _t43;

				_t43 =  *0x4349e8;
				if(_t43 == 0) {
					return _t18;
				}
				_t29 =  *0x435af4;
				_t35 = _t29 & 0x00000001;
				if(_t35 == 0) {
					_push(_a4);
					_push(0x42ed78);
					E00405EBA();
				}
				_t19 = lstrlenW(0x42ed78);
				_t39 = _a8;
				_a4 = _t19;
				if(_t39 == 0) {
					_t40 = 0x42ed78;
					goto L7;
				} else {
					_t19 = lstrlenW(_t39) + _a4;
					if(_t19 >= 0x1000) {
						L13:
						return _t19;
					}
					_t40 = 0x42ed78;
					_t19 = lstrcatW(0x42ed78, _t39);
					L7:
					if((_t29 & 0x00000004) == 0) {
						_t19 = SetWindowTextW( *0x4349c8, _t40); // executed
					}
					if((_t29 & 0x00000002) == 0) {
						_v40 = _t40;
						_v60 = 1;
						_t20 = SendMessageW(_t43, 0x1004, 0, 0); // executed
						_v52 = 0;
						_v56 = _t20 - _t35;
						SendMessageW(_t43, 0x104d - _t35, 0,  &_v60); // executed
						_t19 = SendMessageW(_t43, 0x1013, _v56, 0); // executed
					}
					if(_t35 != 0) {
						_t19 = _a4;
						0x42ed78[_t19] = 0;
					}
					goto L13;
				}
			}

0x00405d3e
0x00405d46
0x00405e1b
0x00405e1b
0x00405d4d
0x00405d5c
0x00405d5f
0x00405d61
0x00405d65
0x00405d66
0x00405d66
0x00405d6c
0x00405d71
0x00405d75
0x00405d7b
0x00405da0
0x00000000
0x00405d7d
0x00405d83
0x00405d8c
0x00405e14
0x00000000
0x00405e16
0x00405d93
0x00405d99
0x00405da5
0x00405da8
0x00405db1
0x00405db1
0x00405dba
0x00405dbe
0x00405dd0
0x00405dd8
0x00405ddc
0x00405de0
0x00405df3
0x00405e00
0x00405e00
0x00405e04
0x00405e06
0x00405e0c
0x00405e0c
0x00000000
0x00405e04

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?), ref: 00405D99
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll), ref: 00405DB1
SendMessageW.USER32(?), ref: 00405DD8
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 00405D57, 00405D65, 00405D6B, 00405D93, 00405D98, 00405DA0, 00405DAA

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll
API String ID: 1759915248-3032424562
Opcode ID: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction ID: 65e3057419f119a88936ccc655a9da3a15af0d16a1f773064a71e2051a7db8da
Opcode Fuzzy Hash: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction Fuzzy Hash: D121C2B2A056206BD310AB59DC44AABBBDCEF94710F45043FB984A3291C7B89D404AED

Uniqueness

Uniqueness Score: -1.00%

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403148(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v124;
				short _v132;
				intOrPtr _v136;
				signed int _v140;
				int _v144;
				intOrPtr _v148;
				long _v152;
				signed int _v156;
				signed int _v160;
				void* _t39;
				void* _t40;
				signed int _t41;
				void* _t45;
				long _t47;
				signed int _t50;
				intOrPtr _t52;
				intOrPtr _t53;
				long _t55;
				long _t56;
				void* _t57;
				intOrPtr _t71;
				signed int _t73;
				intOrPtr _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t81;
				int _t82;
				signed int* _t83;

				_t83 =  &_v156;
				_t72 = _a4;
				_t74 = _a12;
				_t71 =  !=  ? _a16 : 0x8000;
				_t77 = 0;
				_t37 =  !=  ? _t74 : 0x423538;
				_v144 =  !=  ? _t74 : 0x423538;
				if(_a4 >= 0) {
					E00403131( *0x435a58 + _t72);
				}
				_t39 = E00406948(_t72,  *0x40b010,  &_v156, 4); // executed
				if(_t39 == 0) {
					L31:
					_push(0xfffffffd);
					goto L32;
				} else {
					_t41 = _v156;
					if(_t41 >= 0) {
						if(_t74 != 0) {
							_t77 =  <  ? _t41 : _a16;
							if(E0040311B(_t74, _t77) != 0) {
								L20:
								return _t77;
							}
							goto L31;
						}
						if(_t41 <= 0) {
							goto L20;
						}
						while(1) {
							_t76 =  <  ? _t41 : _t71;
							if(E0040311B(0x41f538, _t76) == 0) {
								goto L31;
							}
							_t45 = E00406A0B(_t72, _a8, 0x41f538, _t76); // executed
							if(_t45 == 0) {
								L29:
								_push(0xfffffffe);
								L32:
								_pop(_t40);
								return _t40;
							}
							_t77 = _t77 + _t76;
							_t41 = _v156 - _t76;
							_v156 = _t41;
							if(_t41 > 0) {
								continue;
							}
							goto L20;
						}
						goto L31;
					}
					_t47 = GetTickCount();
					 *0x40dea4 =  *0x40dea4 & _t77;
					 *0x40dea0 =  *0x40dea0 & _t77;
					_v152 = _t47;
					 *0x417530 = 0x40f528;
					 *0x41752c = 0x40f528;
					_t50 = _v156 & 0x7fffffff;
					 *0x40d988 = 8;
					_t73 = _t50;
					 *0x417528 = 0x417528;
					_v140 = _t50;
					_v156 = _t73;
					if(_t50 <= 0) {
						goto L20;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t81 =  <  ? _t73 : 0x4000;
						if(E0040311B(0x41f538, 0x4000) == 0) {
							goto L31;
						}
						_v156 = _v156 - 0x4000;
						 *0x40d97c = _t81;
						_t82 = _v144;
						 *0x40d978 = 0x41f538;
						while(1) {
							_push(0x40d978);
							 *0x40d980 = _t82;
							 *0x40d984 = _t71;
							_t52 = E0040728E();
							_v136 = _t52;
							if(_t52 < 0) {
								break;
							}
							_t53 =  *0x40d980; // 0x423538
							_v152 = _t53 - _t82;
							_t55 = GetTickCount();
							_t73 = _v160;
							_v140 = _t55;
							if(( *0x435af4 & 0x00000001) != 0 && (_t55 - _v156 > 0xc8 || _t73 == 0)) {
								wsprintfW( &_v132, L"... %d%%", MulDiv(_v144 - _t73, 0x64, _v144));
								_t83 =  &(_t83[3]);
								E00405D3A(0,  &_v124);
								_t73 = _v160;
								_v156 = _v140;
							}
							_t56 = _v152;
							if(_t56 == 0) {
								if(_t73 > 0) {
									goto L5;
								}
								goto L20;
							} else {
								if(_t74 != 0) {
									_t82 =  *0x40d980; // 0x423538
									_t71 = _t71 - _t56;
									_v148 = _t82;
									L17:
									_t77 = _t77 + _t56;
									if(_v136 != 1) {
										continue;
									}
									goto L20;
								}
								_t57 = E00406A0B(_t73, _a4, _t82, _t56); // executed
								if(_t57 == 0) {
									goto L29;
								}
								_t56 = _v152;
								goto L17;
							}
						}
						_push(0xfffffffc);
						goto L32;
					}
					goto L31;
				}
			}

0x00403148
0x0040314e
0x0040315e
0x0040316c
0x00403174
0x00403178
0x0040317b
0x00403181
0x0040318b
0x0040318b
0x0040319d
0x004031a4
0x00403379
0x00403379
0x00000000
0x004031aa
0x004031aa
0x004031b0
0x0040331d
0x0040336b
0x00403377
0x00403313
0x00000000
0x00403313
0x00000000
0x00403377
0x00403321
0x00000000
0x00000000
0x00403328
0x0040332c
0x00403338
0x00000000
0x00000000
0x00403343
0x0040334a
0x0040335e
0x0040335e
0x0040337b
0x0040337b
0x00000000
0x0040337b
0x00403350
0x00403352
0x00403354
0x0040335a
0x00000000
0x00000000
0x00000000
0x0040335c
0x00000000
0x00403328
0x004031b6
0x004031bc
0x004031c2
0x004031c8
0x004031d1
0x004031d6
0x004031df
0x004031e4
0x004031ee
0x004031f0
0x004031fa
0x004031fe
0x00403202
0x00000000
0x00000000
0x00000000
0x00000000
0x00403208
0x00403208
0x0040320f
0x0040321f
0x00000000
0x00000000
0x00403225
0x00403229
0x0040322f
0x00403233
0x0040323d
0x0040323d
0x00403242
0x00403248
0x0040324e
0x00403253
0x00403259
0x00000000
0x00000000
0x0040325f
0x00403266
0x0040326a
0x00403277
0x0040327b
0x0040327f
0x004032ab
0x004032b1
0x004032bb
0x004032c4
0x004032c8
0x004032c8
0x004032cc
0x004032d2
0x0040330d
0x00000000
0x00000000
0x00000000
0x004032d4
0x004032d6
0x004032f0
0x004032f6
0x004032f8
0x004032fc
0x004032fc
0x00403303
0x00000000
0x00000000
0x00000000
0x00403309
0x004032e1
0x004032e8
0x00000000
0x00000000
0x004032ea
0x00000000
0x004032ea
0x004032d2
0x00403317
0x00000000
0x00403317
0x00000000
0x00403208

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 0040326A
MulDiv.KERNEL32(?,00000064,?), ref: 0040329A
wsprintfW.USER32 ref: 004032AB

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Strings

85B, xrefs: 00403242, 0040325F, 004032F0
... %d%%, xrefs: 004032A5
85B, xrefs: 00403155

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$85B$85B
API String ID: 999035486-2772677642
Opcode ID: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction ID: e2bf7c2ae867e5e0c149cd35682d72f4c4d2633ef795981e2bf4a0daba4be17b
Opcode Fuzzy Hash: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction Fuzzy Hash: 355180716083019BD710DF69DD84A2BBBE8AB84756F10493FFC54E7291DB38DE088B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040291D(void* __edi, void* __esi, signed int __ebp, void* _a4, void* _a8, void* _a12, char _a16, signed int _a20, long _a24, void* _a28, long _a32, intOrPtr _a36, void* _a48, intOrPtr _a52, void* _a56, signed int _a64, intOrPtr _a68, short _a72, int _a76) {
				signed int _t61;
				long _t63;
				void* _t73;

				_t63 = 2;
				_a20 = __ebp;
				_a32 = _t63;
				_t73 = E00403002(_t63) - 1;
				if(_t73 < 0) {
					_t61 = _a16;
					goto L33;
				} else {
					__ecx = 0x3ff;
					_a24 = __eax;
					if( *__edi == __bp) {
						L25:
						__eax = _a20;
						__ecx = 0;
						__ebx = 0;
						 *((short*)(__esi + _a20 * 2)) = __cx;
						_t61 = 0 | _t73 == 0x00000000;
						L33:
						 *0x435ac8 =  *0x435ac8 + _t61;
					} else {
						_a64 = __ebp;
						__ecx = E00406C25(__edi);
						_a24 = __ecx;
						if(_a20 > __ebp) {
							_a68 = 0xd;
							__edi = __ebp;
							do {
								if(_a36 != 0x39) {
									if(_a52 != __ebp || __edi != 0) {
										L18:
										__eax =  &_a72;
										if(E00406948(__ecx, __ecx,  &_a72, 2) == 0) {
											goto L25;
										} else {
											goto L19;
										}
									} else {
										if(E00406484(__ecx, __ebp) < 0) {
											goto L25;
										} else {
											__ecx = _a28;
											goto L18;
										}
									}
								} else {
									_push(__ebp);
									__eax =  &_a76;
									_push( &_a76);
									__eax = 2;
									 &_a76 - _a52 =  &_a16;
									__eax = ReadFile(__ecx,  &_a16,  &_a76 - _a52, ??, ??); // executed
									if(__eax == 0) {
										goto L25;
									} else {
										__ecx = _a76;
										_a32 = __ecx;
										if(__ecx == 0) {
											goto L25;
										} else {
											__eax = _a16 & 0x000000ff;
											_a72 = _a16 & 0x000000ff;
											if(_a52 != __ebp) {
												L31:
												__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
											} else {
												 &_a72 =  &_a16;
												if(MultiByteToWideChar(__ebp, 8,  &_a16, __ecx,  &_a72, __ebx) != 0) {
													L19:
													__ecx = _a32;
													__eax = _a72;
												} else {
													__ecx = _a32;
													__edx = __ecx;
													__edx =  ~__ecx;
													while(1) {
														_t22 =  &_a76;
														 *_t22 = _a76 - 1;
														__eax = 0xfffd;
														_a72 = 0xfffd;
														if( *_t22 == 0) {
															goto L20;
														}
														__ecx = __ecx - 1;
														__edx = __edx + 1;
														_a32 = __ecx;
														 *(__esp + 0x60) = __edx;
														__eax = SetFilePointer(_a28, __edx, __ebp, __ebx); // executed
														 &_a72 =  &_a16;
														__eax = MultiByteToWideChar(__ebp, 8,  &_a16, _a76,  &_a72, __ebx);
														__ecx = _a32;
														__edx =  *(__esp + 0x50);
														if(__eax == 0) {
															continue;
														} else {
															goto L19;
														}
														goto L20;
													}
												}
												L20:
												if(_a52 != __ebp) {
													goto L31;
												} else {
													__edx = 0xd;
													__edx = 0xa;
													if(_a64 == __dx || _a64 == __dx) {
														if(_a64 == __ax || __ax != _a68 && __ax != __dx) {
															__eax = SetFilePointer(_a28, __ecx, __ebp, __ebx);
														} else {
															 *(__esi + __edi * 2) = __ax;
															_a20 = __edi;
														}
														goto L25;
													} else {
														 *(__esi + __edi * 2) = __ax;
														__edi = __edi + 1;
														__eax = __ax & 0x0000ffff;
														_a20 = __edi;
														_a64 = __ax & 0x0000ffff;
														if(__ax == 0) {
															goto L25;
														} else {
															goto L24;
														}
													}
												}
											}
										}
									}
								}
								goto L34;
								L24:
								__ecx = _a28;
							} while (__edi < _a24);
						}
						goto L25;
					}
				}
				L34:
				return 0;
			}

0x0040291f
0x00402921
0x00402925
0x00402932
0x00402934
0x00402ea1
0x00000000
0x0040293a
0x0040293a
0x00402944
0x0040294b
0x00402aa2
0x00402aa2
0x00402aa6
0x00402aa8
0x00402aac
0x00401a10
0x00402ea5
0x00402ea5
0x00402951
0x00402952
0x0040295b
0x0040295d
0x00402965
0x0040296b
0x00402973
0x00402975
0x0040297a
0x00402a37
0x00402a4c
0x00402a4e
0x00402a5b
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a3d
0x00402a46
0x00000000
0x00402a48
0x00402a48
0x00000000
0x00402a48
0x00402a46
0x00402980
0x00402980
0x00402981
0x00402985
0x00402988
0x0040298e
0x00402994
0x0040299c
0x00000000
0x004029a2
0x004029a2
0x004029a6
0x004029ac
0x00000000
0x004029b2
0x004029b2
0x004029b7
0x004029bf
0x00402ae4
0x00402ae9
0x004029c5
0x004029cc
0x004029dc
0x00402a5d
0x00402a5d
0x00402a61
0x004029de
0x004029de
0x004029e2
0x004029e4
0x004029e6
0x004029e6
0x004029e6
0x004029eb
0x004029f0
0x004029f4
0x00000000
0x00000000
0x004029f7
0x004029f8
0x004029ff
0x00402a03
0x00402a07
0x00402a17
0x00402a1f
0x00402a25
0x00402a29
0x00402a2f
0x00000000
0x00402a31
0x00000000
0x00402a31
0x00000000
0x00402a2f
0x004029e6
0x00402a65
0x00402a69
0x00000000
0x00402a6b
0x00402a6d
0x00402a75
0x00402a76
0x00402aba
0x00402adc
0x00402ac8
0x00402ac8
0x00402acd
0x00402acd
0x00000000
0x00402a7f
0x00402a7f
0x00402a83
0x00402a84
0x00402a87
0x00402a8b
0x00402a92
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a92
0x00402a76
0x00402a69
0x004029bf
0x004029ac
0x0040299c
0x00000000
0x00402a94
0x00402a94
0x00402a98
0x00402975
0x00000000
0x00402965
0x0040294b
0x00402eab
0x00402eb7

APIs

ReadFile.KERNELBASE(00000000,?,?,?), ref: 00402994
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC

Strings

9, xrefs: 00402975

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$Read
String ID: 9
API String ID: 1439708474-2366072709
Opcode ID: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
Instruction ID: c0364eb4a24137c8a00bba018ae5694ccc63d4c43f2b92d4ab62ccb683855c39
Opcode Fuzzy Hash: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
Instruction Fuzzy Hash: FD513B71618301AFD724DF11CA48A2BB7E8BFD5304F00483FF985A62D1DBB9D9458B66

Uniqueness

Uniqueness Score: -1.00%

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040619E(intOrPtr _a4) {
				short _v576;
				int _t8;
				void* _t9;
				struct HINSTANCE__* _t13;
				void* _t14;
				void* _t19;

				_t8 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t8 > 0x104 || _t8 == 0) {
					_t9 = 0;
					goto L5;
				} else {
					_t9 = _t8 + _t8;
					if( *((short*)(_t19 + _t9 - 0x23e)) == 0x5c) {
						L5:
						_t14 = 0x4092b2;
					} else {
						_t14 = 0x4092b0;
					}
				}
				wsprintfW(_t9 +  &_v576, L"%s%S.dll", _t14, _a4);
				_t13 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t13;
			}

0x004061b5
0x004061be
0x004061d8
0x00000000
0x004061c4
0x004061c4
0x004061cf
0x004061da
0x004061da
0x004061d1
0x004061d1
0x004061d1
0x004061cf
0x004061f1
0x00406205
0x0040620c

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
wsprintfW.USER32 ref: 004061F1
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406205

Strings

\, xrefs: 004061C6
%s%S.dll, xrefs: 004061EB
UXTHEME, xrefs: 004061AD

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction ID: 46fd840fe6511d7ccc003e1cb9660209246fe71c7ecdf6ea51a48f4d7cc48468
Opcode Fuzzy Hash: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction Fuzzy Hash: 93F0BB7160022467DB10A764DC0DB9A36ACEB00304F50447AA906F61C2E77CDE54C79C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406A56(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				signed int _t12;
				WCHAR* _t15;
				signed int _t17;
				void* _t21;
				WCHAR* _t24;

				_t24 = _a4;
				_t21 = 0x64;
				while(1) {
					_t21 = _t21 - 1;
					_v12 = 0x73006e;
					_v8 = 0x61;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_v8 = _v8 + _t12 % _t17;
					_t15 = GetTempFileNameW(_a8,  &_v12, 0, _t24); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t21 != 0) {
						continue;
					} else {
						 *_t24 = _t15;
					}
					L5:
					return _t15;
				}
				_t15 = _t24;
				goto L5;
			}

0x00406a5c
0x00406a62
0x00406a63
0x00406a63
0x00406a64
0x00406a6b
0x00406a72
0x00406a7a
0x00406a80
0x00406a8d
0x00406a95
0x00000000
0x00000000
0x00406a99
0x00000000
0x00406a9b
0x00406a9b
0x00406a9b
0x00406aa2
0x00406aa5
0x00406aa5
0x00406aa0
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406A72
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CD4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406A8D

Strings

a, xrefs: 00406A6B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A5F
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A5B
n, xrefs: 00406A64

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-1137806429
Opcode ID: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction ID: ceede72bcc8b9f9399702d6205d38d242a1142e8e26f45c6d668c419d088e7be
Opcode Fuzzy Hash: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction Fuzzy Hash: E9F05E72700208BBEB149F55DC09BDE7779EF91B14F14803BEA41BA180E3F45E5487A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E0040141E(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v4;
				void* _v8;
				short _v524;
				int _v528;
				void* _v532;
				void* _v536;
				void* _v544;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t43;
				signed int _t45;

				_t45 = _a12 & 0x00000300;
				_t43 = _a12 & 0x00000001;
				_t27 = E004062D8(__eflags, _a4, _a8, _t45 | 0x00000009,  &_v532); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v524);
						_push(0);
						while(RegEnumKeyW(_v532, ??, ??, ??) == 0) {
							__eflags = _t43;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v532);
								return 0x3eb;
							}
							_t33 = E0040141E(__eflags, _v532,  &_v524, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v524);
							_push(_t43);
						}
						RegCloseKey(_v532);
						_t35 = E004068E6(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t45, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v528 = 0;
					if(RegEnumValueW(_v532, 0,  &_v524,  &_v528, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00401438
0x00401441
0x00401456
0x0040145d
0x0040146d
0x00401493
0x00401493
0x0040149c
0x0040149d
0x004014ce
0x004014a6
0x004014a8
0x00401503
0x00401507
0x00000000
0x0040150d
0x004014ba
0x004014bf
0x004014c1
0x00000000
0x00000000
0x004014c3
0x004014cc
0x004014cd
0x004014cd
0x004014dc
0x004014e4
0x004014eb
0x00000000
0x00401525
0x00000000
0x004014fb
0x00401477
0x00401491
0x00000000
0x00000000
0x00000000
0x00401491
0x00401530

APIs

RegEnumValueW.ADVAPI32 ref: 00401486
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
RegCloseKey.ADVAPI32(?), ref: 004014DC
RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401507

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
Instruction ID: 21b5a5252aa063403de6f9026dc2c812d9767c74370f87ead0cd0c39fa3adcf8
Opcode Fuzzy Hash: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
Instruction Fuzzy Hash: 3F218032108244BBD7219F51DC08FABBBADEFD9344F01043AF989A11B0D3399A14DA6A

Uniqueness

Uniqueness Score: -1.00%

Function 72B3167A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E72B3167A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x72b35040 =  *((intOrPtr*)(_t87 + 8));
				 *0x72b3503c =  *((intOrPtr*)(_t87 + 0x94));
				 *0x72b35038 =  *((intOrPtr*)(_t87 + 0x90));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x9c)) + 0xc))( *0x72b35014, E72B3132B, _t84);
				_push(1);
				_t37 = E72B32351();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E72B31FCB(_t85);
					}
					E72B32049(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E72B32209(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_t64 = 8;
								_t14 = _t85 + 0x1018; // 0x1018
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E72B31F1E(_t85, _t87 + 0x30);
								 *(_t85 + 0x1034) =  *(_t85 + 0x1034) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x1020)) = _t43;
								 *_t56 = 4;
								E72B32209(_t85);
								_t66 = 8;
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E72B32209(_t85);
							_t37 = GlobalFree(E72B315EB(E72B31668(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E72B3200D(_t85);
							_t62 =  *(_t85 + 0x1010);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x1008);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x1010);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E72B315C5( *0x72b3502c);
							}
						}
						if(( *(_t85 + 0x1010) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85);
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E72B32F9F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E72B32D14(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E72B317F7();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x72b3167a
0x72b3167a
0x72b3167a
0x72b31684
0x72b31690
0x72b3169d
0x72b316b4
0x72b316b7
0x72b316b9
0x72b316be
0x72b316c3
0x72b317ef
0x72b317f6
0x72b316c9
0x72b316cd
0x72b316d0
0x72b316d5
0x72b316d7
0x72b316e1
0x72b31719
0x72b31720
0x72b31744
0x72b31792
0x72b31746
0x72b31746
0x72b31747
0x72b31748
0x72b3174b
0x72b31750
0x72b31750
0x72b3175d
0x72b31760
0x72b31765
0x72b3176d
0x72b31773
0x72b31779
0x72b31789
0x72b3178a
0x72b3178e
0x72b31722
0x72b31723
0x72b31738
0x72b31738
0x72b3179c
0x72b3179f
0x72b317a5
0x72b317ab
0x72b317b0
0x72b317b8
0x72b317c0
0x72b317c3
0x72b317c9
0x72b317c9
0x72b317c0
0x72b317d1
0x72b317d9
0x72b317de
0x72b317d1
0x72b317e6
0x72b317e9
0x72b317e9
0x00000000
0x72b317e6
0x72b316e6
0x72b316e9
0x72b3170e
0x00000000
0x00000000
0x72b31711
0x72b31716
0x72b31716
0x72b31718
0x00000000
0x72b31718
0x72b316eb
0x72b316ee
0x72b316fa
0x72b316fb
0x00000000
0x72b316fb
0x72b316f0
0x72b316f3
0x72b31702
0x72b31703
0x00000000
0x72b31703
0x72b316f8
0x00000000
0x00000000
0x00000000
0x72b316f8

APIs

Part of subcall function 72B32351: GlobalFree.KERNEL32 ref: 72B32A44
Part of subcall function 72B32351: GlobalFree.KERNEL32 ref: 72B32A4A
Part of subcall function 72B32351: GlobalFree.KERNEL32 ref: 72B32A50

GlobalFree.KERNEL32 ref: 72B31738
FreeLibrary.KERNEL32(?), ref: 72B317C3
GlobalFree.KERNEL32 ref: 72B317E9

Part of subcall function 72B31FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 72B31FFA

Part of subcall function 72B317F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,72B31708,00000000), ref: 72B3189A

Part of subcall function 72B31F1E: wsprintfW.USER32 ref: 72B31F51

Strings

pIhv, xrefs: 72B317C3

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID: pIhv
API String ID: 3962662361-561183849
Opcode ID: a180a55b68e29e8279692bc8ca335e3eea14a0abca1997fa17ff63db353272b1
Instruction ID: 600b0173eea910a9f648f202a86683729aa6e7a84ccf2be8c4c14303c435b4af
Opcode Fuzzy Hash: a180a55b68e29e8279692bc8ca335e3eea14a0abca1997fa17ff63db353272b1
Instruction Fuzzy Hash: F341D2B2410248EFD7239F2CCC84B8E3BBCFB84354F945419F84A8A187EB75A549C650

Uniqueness

Uniqueness Score: -1.00%

Function 0040225D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040225D(void* __ebp, void* _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, WCHAR* _a20, void* _a28, intOrPtr _a32, signed int _a48) {
				void* _v0;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t26;
				void* _t27;
				intOrPtr* _t29;
				void* _t30;
				WCHAR* _t32;
				struct HINSTANCE__* _t33;
				void* _t37;
				void* _t39;

				_t37 = __ebp;
				_t27 = 1;
				if( *0x435a60 < __ebp) {
					_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
					_push(0xffffffe7);
					L16:
					E00405D3A();
					L17:
					 *0x435ac8 =  *0x435ac8 + _t27;
					return 0;
				}
				_t32 = E0040303E(_t30, 0xfffffff0);
				_a20 = _t32;
				_a12 = E0040303E(_t30, 1);
				if(_a48 == __ebp) {
					L4:
					_t17 = LoadLibraryExW(_t32, _t37, 8); // executed
					_t33 = _t17;
					_t44 = _t33;
					if(_t33 == 0) {
						_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
						_push(0xfffffff6);
						goto L16;
					}
					L5:
					_t29 = E00406269(_t44, _t33, _a20);
					_a16 = _t29;
					if(_t29 == 0) {
						E00405D3A(0xfffffff7, _a20);
					} else {
						_t27 = _t37;
						if(_a48 == _t27) {
							 *_t29(_a32, 0x400, 0x436000, 0x40b100, 0x40b000);
							_t39 = _t39 + 0x14;
						} else {
							E00405D3A(_a48, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
							if(_a16() != 0) {
								_t27 = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 + 0x34)) == _t37 && E00403CD6(_t33) != 0) {
						FreeLibrary(_t33);
					}
					goto L17;
				}
				_t26 = GetModuleHandleW(_t32); // executed
				_t33 = _t26;
				if(_t33 != 0) {
					goto L5;
				}
				_t32 =  *(_t39 + 0x18);
				goto L4;
			}

0x0040225d
0x00402260
0x00402268
0x0040233e
0x00402343
0x00402345
0x00402345
0x00402ea5
0x00402ea5
0x00402eb7
0x00402eb7
0x00402275
0x00402278
0x00402281
0x00402289
0x0040229c
0x004022a0
0x004022a6
0x004022a8
0x004022aa
0x00402335
0x0040233a
0x00000000
0x0040233a
0x004022b0
0x004022ba
0x004022bc
0x004022c2
0x0040230c
0x004022c4
0x004022c4
0x004022ca
0x004022ff
0x00402301
0x004022cc
0x004022d5
0x004022e0
0x004022e2
0x004022e2
0x004022e0
0x004022ca
0x00402315
0x0040232a
0x0040232a
0x00000000
0x00402315
0x0040228c
0x00402292
0x00402296
0x00000000
0x00000000
0x00402298
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040228C

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004022A0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A

Strings

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 004022CC, 00402335, 0040233E

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll
API String ID: 334405425-1821568989
Opcode ID: ef58e730e87b036fb3bb273f3d25c6645116cf6908839c118768283bfaa69e59
Instruction ID: aa6b704e5079027a8c34e107c1f377ebbd1d9565507d54c53cf3a7cdcd1ba86e
Opcode Fuzzy Hash: ef58e730e87b036fb3bb273f3d25c6645116cf6908839c118768283bfaa69e59
Instruction Fuzzy Hash: C3210632648701ABD710AF618E8DA3F76A4ABD8721F20013FF941B12D1DBBC9801979F

Uniqueness

Uniqueness Score: -1.00%

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402656(int _a20, intOrPtr _a24, intOrPtr _a40, intOrPtr _a52, intOrPtr _a56, char _a60, intOrPtr _a72) {
				void* _v0;
				void* _v4;
				void* _v8;
				void* _t20;
				intOrPtr _t24;
				signed int _t25;
				signed int _t32;
				void* _t37;
				intOrPtr _t39;
				int _t45;
				void* _t46;
				int _t47;
				void* _t49;
				void* _t51;

				_a24 = _a56;
				_a20 = _a60;
				_a24 = E0040303E(_t37, 2);
				_t20 = E0040303E(_t37, 0x11);
				_t32 = 1;
				E004062A5(_t51, E00403023(_a72), _t20, 0x100022,  &_a60); // executed
				_t39 =  !=  ? 0 : _a40;
				_a52 = _t39;
				if(_t39 != 0) {
					_t24 = _a24;
					if(_t24 != 1) {
						_t45 = 4;
						__eflags = _t24 - 1;
						if(_t24 != 1) {
							_t45 = _t47;
							__eflags = _t24 - 3;
							if(_t24 == 3) {
								_t45 = E00403148(_a52, _t47, 0x40c108, 0x1800);
							}
						} else {
							 *0x40c108 = E00403002(3);
						}
					} else {
						E0040303E(_t37, 0x23);
						_t45 = 2 + lstrlenW(0x40c108) * 2;
					}
					_t46 =  *(_t49 + 0x54);
					_t25 = RegSetValueExW(_t46,  *(_t49 + 0x2c), _t47, _a20, 0x40c108, _t45); // executed
					asm("sbb eax, eax");
					_t32 = _t32 &  ~_t25;
					RegCloseKey(_t46);
				}
				 *0x435ac8 =  *0x435ac8 + _t32;
				return 0;
			}

0x0040265a
0x00402664
0x0040266f
0x00402673
0x0040268a
0x00402692
0x0040269f
0x004026a2
0x004026a8
0x004026ae
0x004026b9
0x004026d3
0x004026d4
0x004026d6
0x004026e7
0x004026e9
0x004026ec
0x004026fe
0x004026fe
0x004026d8
0x004026e0
0x004026e0
0x004026bb
0x004026bd
0x004026c8
0x004026c8
0x00402701
0x00402710
0x00402718
0x0040271a
0x0040271d
0x0040271d
0x00402ea5
0x00402eb7

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb72B8.tmp,00000023,?,00000011,00000002), ref: 004026C3
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsb72B8.tmp,?,?,00000011,00000002), ref: 00402710
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb72B8.tmp,?,?,00000011,00000002), ref: 0040271D

Strings

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp, xrefs: 004026B2, 004026C2, 004026E0, 004026F3, 00402705

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp
API String ID: 2655323295-484596474
Opcode ID: 8edcd19f25d8d05edf2d8148b6cc1e24fb060151bf47dec0a3455c4438ded43c
Instruction ID: b85799c5b09c0d4e5107b9a6a50aeda658419008c73e2f9c6ba38a7de01b1a8e
Opcode Fuzzy Hash: 8edcd19f25d8d05edf2d8148b6cc1e24fb060151bf47dec0a3455c4438ded43c
Instruction Fuzzy Hash: CF21D072608311ABD711AFA5CC85B2FBBE8EB98760F10093EF541F71C1C7B99901879A

Uniqueness

Uniqueness Score: -1.00%

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068E6(signed int _a4) {
				struct HINSTANCE__* _t6;
				signed int _t8;

				_t8 = _a4;
				_t9 =  *(0x40b030 + _t8 * 8);
				_t6 = GetModuleHandleA( *(0x40b030 + _t8 * 8));
				if(_t6 != 0) {
					L2:
					return GetProcAddress(_t6,  *(0x40b034 + _t8 * 8));
				}
				_t6 = E0040619E(_t9); // executed
				if(_t6 != 0) {
					goto L2;
				}
				return _t6;
			}

0x004068e8
0x004068ec
0x004068f4
0x004068fc
0x00406908
0x00000000
0x00406910
0x004068ff
0x00406906
0x00000000
0x00000000
0x00406918

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
GetProcAddress.KERNEL32(00000000), ref: 00406910

Part of subcall function 0040619E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
Part of subcall function 0040619E: wsprintfW.USER32 ref: 004061F1
Part of subcall function 0040619E: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406205

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068E7
UXTHEME, xrefs: 004068E6, 004068F3, 004068FE

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction ID: 085141bfa328d30a19c357711f10e0b2ef6edf17adcd8b925e9f05de384a5053
Opcode Fuzzy Hash: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction Fuzzy Hash: 00D02B316012159BDB001F22AE0C94F771DEEA67907020032F501F6231E334DC21C5FC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E3E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				short _t17;
				int _t21;
				long _t23;

				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_t17 = 4;
				_v36.Control = _t17;
				_v36.Owner = 0x409760;
				_v36.Group = 0x409760;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Dacl = 0x409750;
				_v16.nLength = 0xc;
				_t21 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t21 != 0) {
					L3:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) == 0) {
						return GetLastError();
					}
					goto L3;
				}
				return _t23;
			}

0x00405e44
0x00405e48
0x00405e4e
0x00405e4f
0x00405e58
0x00405e5b
0x00405e61
0x00405e6b
0x00405e71
0x00405e78
0x00405e7f
0x00405e87
0x00405eac
0x00000000
0x00405eac
0x00405e89
0x00405e94
0x00405eaa
0x00000000
0x00405eb0
0x00000000
0x00405eaa
0x00405eb7

APIs

CreateDirectoryW.KERNELBASE(00000000,?), ref: 00405E7F
GetLastError.KERNEL32 ref: 00405E89
SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405EA2
GetLastError.KERNEL32 ref: 00405EB0

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction ID: 6ae0cafa5f15e980fc825a914f3c6ead540d2f1400f747b3271702dfe1e84024
Opcode Fuzzy Hash: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction Fuzzy Hash: 3F01D675D00209EBEB009FA0D948BEFBBB9EB14315F104526E949F2291E7789A44CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406977 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406977(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, short* _a12, char* _a16, int _a20) {
				void* _v8;
				int _v12;
				void* _t20;
				char _t21;
				long _t24;
				char* _t28;

				_v12 = 0x800;
				asm("sbb eax, eax");
				_t20 = E004062D8(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_v8); // executed
				_t28 = _a16;
				if(_t20 != 0) {
					L4:
					_t21 = 0;
					 *_t28 = 0;
				} else {
					_t24 = RegQueryValueExW(_v8, _a12, 0,  &_a20, _t28,  &_v12); // executed
					RegCloseKey(_v8); // executed
					_t21 = 0;
					_t28[0x7fe] = 0;
					if(_t24 != 0 || _a20 != 1 && _a20 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406980
0x0040698d
0x004069a0
0x004069a5
0x004069aa
0x004069e9
0x004069e9
0x004069eb
0x004069ac
0x004069be
0x004069c9
0x004069cf
0x004069d3
0x004069db
0x00000000
0x00000000
0x004069db
0x004069f0

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,00000800,?,00000800,?,?,?,Call,00000000,00000000,00000002,00405FBE), ref: 004069BE
RegCloseKey.KERNELBASE(?), ref: 004069C9

Strings

Call, xrefs: 0040697C

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction ID: a3e06d51c6875ee3f629547af2dd4b96d71687c661178dbbbd55dab6437f425a
Opcode Fuzzy Hash: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction Fuzzy Hash: D3010C7651010ABBDB218FA4DC06AEF7BA8EF45344F110126B901E2160D275DE60DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E1E(WCHAR* _a4) {
				int _t2;
				long _t5;

				_t5 = 0;
				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					_t5 = GetLastError();
				}
				return _t5;
			}

0x00405e1f
0x00405e26
0x00405e2e
0x00405e36
0x00405e36
0x00405e3b

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00405E26
GetLastError.KERNEL32 ref: 00405E30

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1E

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-823278215
Opcode ID: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction ID: 407710f282aa9913273e94a45afee278ff037c1c447fef60eab8b448319c413c
Opcode Fuzzy Hash: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction Fuzzy Hash: 56C012326050309BC3201B69AD0CA87BE94EB906A13018635B989E2220D2308C008AE8

Uniqueness

Uniqueness Score: -1.00%

Function 72B31A4A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x72b35014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x72b3501c, 4, 0x40, 0x72b35034); // executed
					 *0x72b3501c = 0xc2;
					 *0x72b35034 = 0;
					 *0x72b35030 = 0;
					 *0x72b3502c = 0;
					 *0x72b35028 = 0;
					 *0x72b35024 = 0;
					 *0x72b35020 = 0;
					 *0x72b3501e = 0;
				}
				return 1;
			}

0x72b31a53
0x72b31a58
0x72b31a68
0x72b31a70
0x72b31a77
0x72b31a7d
0x72b31a83
0x72b31a89
0x72b31a8f
0x72b31a95
0x72b31a9b
0x72b31a9b
0x72b31aa4

APIs

VirtualProtect.KERNELBASE(72B3501C,00000004,00000040,72B35034), ref: 72B31A68

Strings

`ghv, xrefs: 72B31A68

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: ProtectVirtual
String ID: `ghv
API String ID: 544645111-1136181276
Opcode ID: 00cea5f8653e7ed67b4069ee5c332ec615de472b5391dc3e2924486e14895d5d
Instruction ID: 38158d0fb5bc51ab014f33e9e06b97f6430c07cb93f8520fe13c94ec03468159
Opcode Fuzzy Hash: 00cea5f8653e7ed67b4069ee5c332ec615de472b5391dc3e2924486e14895d5d
Instruction Fuzzy Hash: 3AF0AC76A99341DAD33A8F1A95C570D3FE0F71D385B60492EF699DB342C33281019B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402728(short* __edi, void* _a20, void* _a48, void* _a72) {
				int* __ebp;
				void* _t12;
				void* _t18;
				void* _t20;
				void* _t28;

				_t12 = E004030C1(_t18, _t20, _t28, 0x20019); // executed
				E0040303E(_t20, 0x33);
				 *__edi = 0;
				if(_t12 != 0) {
					__ecx = __esp + 0x50;
					 *(__esp + 0x50) = 0x800;
					__ecx = __esp + 0x24;
					__eax = RegQueryValueExW(__esi, __eax, __ebp, __esp + 0x24, __edi, __esp + 0x50);
					0 = 1;
					__eflags = __eax;
					if(__eax != 0) {
						L9:
						__eax = 0;
						 *__edi = __ax;
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 4;
						if( *((intOrPtr*)(__esp + 0x1c)) == 4) {
							__eflags =  *(__esp + 0x3c);
							__eax = E0040661F(__edi,  *__edi);
							goto L2;
						} else {
							__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 1;
							if( *((intOrPtr*)(__esp + 0x1c)) == 1) {
								L7:
								__eax = 0;
								__edi[0x7fe] = __ax;
								L2:
								__eax = RegCloseKey(__esi);
								goto L10;
							} else {
								__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 2;
								if( *((intOrPtr*)(__esp + 0x1c)) != 2) {
									goto L9;
								} else {
									goto L7;
								}
							}
						}
					}
					L11:
					return 0;
				}
				L10:
				 *0x435ac8 =  *0x435ac8 + 1;
				goto L11;
			}

0x0040272d
0x00402736
0x0040273d
0x00402742
0x00402748
0x0040274c
0x00402756
0x0040275e
0x00402766
0x00402767
0x00402769
0x004027a4
0x004027a4
0x004027a8
0x00000000
0x0040276b
0x0040276b
0x00402770
0x00402792
0x0040279a
0x00000000
0x00402772
0x00402772
0x00402776
0x0040277f
0x00402783
0x00402785
0x0040271c
0x0040271d
0x00000000
0x00402778
0x00402778
0x0040277d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040277d
0x00402776
0x00402770
0x00402eab
0x00402eb7
0x00402eb7
0x00402ea5
0x00402ea5
0x00000000

APIs

RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsb72B8.tmp,?,?,00000011,00000002), ref: 0040271D
RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040275E

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 1d42ab8b4145a25c79b294e04f02a9cb00a7c1bb6d884b11203412bb77f2baf5
Instruction ID: fb228a38f7146265a3f721d89abc8bf78f6fe6bd0b338e84b9d16a0e51430f88
Opcode Fuzzy Hash: 1d42ab8b4145a25c79b294e04f02a9cb00a7c1bb6d884b11203412bb77f2baf5
Instruction Fuzzy Hash: 5C11C235658302AFD7149FA4D98863BB3A4EF84315F10093FF102A21D1D7B85909CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401399(signed int _a4) {
				signed int _t10;
				int _t12;
				void* _t16;
				signed int _t17;
				void* _t18;
				signed int _t20;
				void* _t21;

				_t20 = _a4;
				if(_t20 < 0) {
					L10:
					return 0;
				}
				while(1) {
					_t6 =  *0x435a30 + _t20 * 0x1c;
					if( *((intOrPtr*)( *0x435a30 + _t20 * 0x1c)) == 1) {
						goto L10;
					}
					if(E0040154A(_t6) == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t16 = E004030FD(_t7);
					if(_t16 != 0) {
						_t17 = _t16 - 1;
						_t10 = _t20;
						_t20 = _t17;
						_t18 = _t17 - _t10;
					} else {
						_t18 = _t16 + 1;
						_t20 = _t20 + 1;
					}
					if( *((intOrPtr*)(_t21 + 0x10)) != 0) {
						_t12 =  *0x4349d0 + _t18;
						 *0x4349d0 = _t12;
						SendMessageW( *(_t21 + 0x1c), 0x402, MulDiv(_t12, 0x7530,  *0x4349cc), 0); // executed
					}
					if(_t20 >= 0) {
						continue;
					} else {
						goto L10;
					}
				}
				goto L10;
			}

0x0040139a
0x004013a1
0x00401413
0x00000000
0x00401413
0x004013a8
0x004013b0
0x004013b5
0x00000000
0x00000000
0x004013bf
0x00000000
0x0040141a
0x004013c7
0x004013cb
0x004013d1
0x004013d2
0x004013d4
0x004013d6
0x004013cd
0x004013cd
0x004013ce
0x004013ce
0x004013dd
0x004013ec
0x004013f4
0x00401409
0x00401409
0x00401411
0x00000000
0x00000000
0x00000000
0x00000000
0x00401411
0x00000000

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction ID: 538a9e804dfe71f8462b772bc95ac31ea7b37d3b99b6caf0eca62282663b68d4
Opcode Fuzzy Hash: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction Fuzzy Hash: 4701D472A152309BD7196F28AC09B6B3699AB80711F15453AF901F72F1D2B89C018758

Uniqueness

Uniqueness Score: -1.00%

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025FF(void* __ebp, signed int _a52, intOrPtr _a56, intOrPtr _a60) {
				long _t7;
				signed int _t14;
				void* _t16;
				void* _t20;
				long _t22;
				void* _t25;

				_t22 = 1;
				_t30 = _a56 - __ebp;
				if(_a56 != __ebp) {
					_t7 = E0040307C(_a60, E0040303E(_t20, 0x22), _a52 >> 1); // executed
					_t22 = _t7;
				} else {
					_t25 = E004030C1(_t16, _t20, _t30, 2);
					if(_t25 != 0) {
						_t22 = RegDeleteValueW(_t25, E0040303E(_t20, 0x33));
						RegCloseKey(_t25);
					}
				}
				_t14 = 0 | _t22 != 0x00000000;
				 *0x435ac8 =  *0x435ac8 + _t14;
				return 0;
			}

0x00402601
0x00402602
0x00402606
0x00402643
0x00402648
0x00402608
0x0040260f
0x00402613
0x00402625
0x00402627
0x00402627
0x00402613
0x0040264e
0x00402ea5
0x00402eb7

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
RegCloseKey.ADVAPI32(00000000), ref: 00402627

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 324bf70aa83da3cc8c88ee0ac58f0f218d6888d112ffb8df115b361c504563c9
Instruction ID: 5f348ce6c2db00307db5fd01af11d87f06065e179f09fd272fc5be425d392e88
Opcode Fuzzy Hash: 324bf70aa83da3cc8c88ee0ac58f0f218d6888d112ffb8df115b361c504563c9
Instruction Fuzzy Hash: 29F02433545601B7E310ABA49C4AA7E766DABD03A2F10053FFA02A61C5CA7E8C42822D

Uniqueness

Uniqueness Score: -1.00%

Function 00402048 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00402061
EnableWindow.USER32(00000000,00000000), ref: 0040206C

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 463400b56811a7c13ea037226f78c2a66b88d1b796af0464d73bb1f96cdb645b
Instruction ID: fdac18c2d6c3cf3b828b417e97f1a58467e7a2ecdc8cc8e73c20e1074f32c310
Opcode Fuzzy Hash: 463400b56811a7c13ea037226f78c2a66b88d1b796af0464d73bb1f96cdb645b
Instruction Fuzzy Hash: 66E02672548300AFE314AF20E84E96AB768FB40326F20083FF900A40C2C77D2C40876E

Uniqueness

Uniqueness Score: -1.00%

Function 004066D6 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066D6(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42fd78->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42fd78,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004066dc
0x004066ff
0x00406707
0x0040670c
0x00000000
0x00406712
0x00406716

APIs

CreateProcessW.KERNELBASE ref: 004066FF
CloseHandle.KERNEL32(?), ref: 0040670C

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 56b83460f623c560f9136c4b0375a20ff073fe194eb282a2dd1e719b426acf2b
Instruction ID: 0c6c23135c748ad7b6e02b48b863ea359631b5b673f9ca8adb803affa24eb5bb
Opcode Fuzzy Hash: 56b83460f623c560f9136c4b0375a20ff073fe194eb282a2dd1e719b426acf2b
Instruction Fuzzy Hash: F3E04FF0600619BFFB009B64EC09F7B777CEB40204F904435BD11E6151E3749C148A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040691B Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040691B(WCHAR* _a4, long _a8, long _a12) {
				long _t5;
				void* _t7;

				_t5 = GetFileAttributesW(_a4); // executed
				_t6 =  ==  ? 0 : _t5;
				_t7 = CreateFileW(_a4, _a8, 1, 0, _a12,  ==  ? 0 : _t5, 0); // executed
				return _t7;
			}

0x0040691f
0x0040692c
0x0040693f
0x00406945

APIs

GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction ID: d43685c7aa133134ae341259a1979053aa5ebee8cfee21dedca447a2e346f0f1
Opcode Fuzzy Hash: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction Fuzzy Hash: 77D09E71218202AEEF055F20DE4AF1FBA65EF84710F104A2CF6A6D40F0D6718C24AA11

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9D Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406B9D(WCHAR* _a4) {
				signed int _t3;
				signed int _t8;

				_t3 = GetFileAttributesW(_a4); // executed
				_t8 = _t3;
				if(_t8 != 0xffffffff) {
					SetFileAttributesW(_a4, _t8 & 0xfffffffe);
				}
				return _t8;
			}

0x00406ba2
0x00406ba8
0x00406bad
0x00406bb9
0x00406bb9
0x00406bc2

APIs

GetFileAttributesW.KERNELBASE(?,?,00406591,?,?,00000000,004068AE,?,?,?,?), ref: 00406BA2
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406BB9

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction ID: 2641cd0fcf7a615d2272f2c652f3c677170a534def33f5957a60d90ba1304b54
Opcode Fuzzy Hash: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction Fuzzy Hash: 11D0A7712040316BC6042738DC0C45ABA56DB853707018735F9F6A22F1D7300C2186D4

Uniqueness

Uniqueness Score: -1.00%

Function 72B32D14 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E72B32D14(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x72b35024 != 0 && E72B31BC1(_a4) == 0) {
					 *0x72b35030 = _t86;
					if( *0x72b35034 != 0) {
						_t86 =  *0x72b35034;
					} else {
						E72B33250(E72B31C43());
						 *0x72b35034 = _t86;
					}
				}
				_t28 = E72B31C49(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E72B31BBB();
					_t67 = _a4;
					_t74 =  *0x72b35028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x72b35028 = _t67;
					E72B31C5A();
					_t33 = EnumWindows(??, ??); // executed
					 *0x72b35000 = _t33;
					 *0x72b35004 = _t74;
					if( *0x72b35024 != 0 && E72B31BC1( *0x72b35028) == 0) {
						 *0x72b35034 = _t87;
						_t87 =  *0x72b35030;
					}
					_t75 =  *0x72b35028;
					_a4 = _t75;
					 *0x72b35028 =  *((intOrPtr*)(E72B31BBB() + _t75));
					_t37 = E72B31BAD(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E72B31C49(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E72B31C54() + _a4 + _v8);
							_push(E72B31C64());
							if( *0x72b35024 <= 0 || E72B31BC1(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x72b35034;
								_t76 = _t64 + _t78 * 4;
								 *0x72b35034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x72b35028 == 0) {
						 *0x72b35034 = 0;
					}
					_push( *0x72b35004);
					E72B32CBF(_t37, _t64, _t76, _a4,  *0x72b35000);
					return _a4;
				}
				_push(E72B31C54() + _a4);
				_t53 = E72B31C60();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E72B31CC3();
				_t80 = E72B31CBF();
				_t83 = E72B31C64();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x72b32d24
0x72b32d35
0x72b32d42
0x72b32d56
0x72b32d44
0x72b32d49
0x72b32d4e
0x72b32d4e
0x72b32d42
0x72b32d5f
0x72b32d64
0x72b32d6a
0x72b32dae
0x72b32dae
0x72b32db3
0x72b32db8
0x72b32dbe
0x72b32dc0
0x72b32dc6
0x72b32dd3
0x72b32dd5
0x72b32dda
0x72b32de7
0x72b32dfa
0x72b32e00
0x72b32e06
0x72b32e07
0x72b32e0d
0x72b32e19
0x72b32e1f
0x72b32e27
0x72b32e28
0x72b32e2b
0x72b32e36
0x72b32e38
0x72b32e44
0x72b32e4a
0x72b32e52
0x72b32e7e
0x72b32e7f
0x72b32e85
0x72b32e85
0x72b32e88
0x72b32e89
0x72b32e8c
0x72b32e62
0x72b32e62
0x72b32e63
0x72b32e65
0x72b32e68
0x72b32e6e
0x72b32e71
0x72b32e77
0x72b32e7a
0x72b32e7a
0x72b32e52
0x72b32e36
0x72b32e95
0x72b32e97
0x72b32e97
0x72b32ea1
0x72b32eb0
0x72b32ebe
0x72b32ebe
0x72b32d75
0x72b32d76
0x72b32d7b
0x72b32d7f
0x72b32d84
0x72b32d98
0x72b32d99
0x72b32d9a
0x72b32d9c
0x72b32da1
0x72b32da3
0x72b32da3
0x72b32da6
0x72b32dac
0x00000000

APIs

EnumWindows.USER32(?), ref: 72B32DD3

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 827ed4d45aeacce9add402fbff4b18bbef4208a41034ef7630f443fa397ffb4f
Instruction ID: fe12a2ea54139e372646761240ba9625f279ffe357eac886e601c387f10f1019
Opcode Fuzzy Hash: 827ed4d45aeacce9add402fbff4b18bbef4208a41034ef7630f443fa397ffb4f
Instruction Fuzzy Hash: 3F4183B68402089FD7239F6DDAC1B8D3FB9EB48394FB0582AE5049B113EA35D841DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004025AC Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025AC(void* _a4, WCHAR* _a16, short _a68, intOrPtr _a80) {
				WCHAR* _t5;
				WCHAR* _t6;
				WCHAR* _t7;
				void* _t10;
				WCHAR* _t14;
				void* _t16;
				WCHAR* _t21;

				_a80 = 0xa;
				_t14 = 1;
				_t5 = E0040303E(_t16, 1);
				_t6 = E0040303E(_t16, 0x12);
				_t7 = E0040303E(_t16, 0xffffffdd);
				_t21 = _a16;
				GetPrivateProfileStringW(_t5, _t6,  &_a68, _t21, 0x3ff, _t7); // executed
				_t10 = 0xa;
				if( *_t21 != _t10) {
					_t14 = _a16;
				} else {
					 *_t21 = 0;
				}
				 *0x435ac8 =  *0x435ac8 + _t14;
				return 0;
			}

0x004025ae
0x004025b6
0x004025b8
0x004025c1
0x004025ca
0x004025cf
0x004025e1
0x004025e9
0x004025ee
0x00402ea1
0x004025f4
0x004025f6
0x004025f6
0x00402ea5
0x00402eb7

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,000003FF,00000000), ref: 004025E1

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e8e1ac1a0b4b7baf2cbfffd2cb35931e42492f711062094e30c6c1d024b2ac51
Instruction ID: ca7729e569941477bac25a737720eb0af98943c80a75a6d3102d76ed2cf5914b
Opcode Fuzzy Hash: e8e1ac1a0b4b7baf2cbfffd2cb35931e42492f711062094e30c6c1d024b2ac51
Instruction Fuzzy Hash: 00F0B4326443446BD310EFA1DC84A6AB39CFB84365F104A3BFA15DB1C1E7B899058366

Uniqueness

Uniqueness Score: -1.00%

Function 00402566 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402566(void* __ecx, WCHAR* __ebp, void* _a12, intOrPtr _a40, intOrPtr _a56) {
				int _t4;
				intOrPtr _t9;
				void* _t13;
				WCHAR* _t14;
				WCHAR* _t16;
				WCHAR* _t18;
				void* _t20;

				_t18 = __ebp;
				_t16 = __ebp;
				_t14 = __ebp;
				if(__ecx != 0) {
					__ebp = E0040303E(__edx, __ebp);
				}
				if(_t4 != 0) {
					_t16 = E0040303E(_t13, 0x11);
				}
				if(_a56 != _t14) {
					_t14 = E0040303E(_t13, 0x22);
				}
				_t4 = WritePrivateProfileStringW(_t18, _t16, _t14, E0040303E(_t13, 0xffffffcd)); // executed
				if(_t4 != 0) {
					_t9 =  *((intOrPtr*)(_t20 + 0x10));
				} else {
					_t9 = 1;
				}
				 *0x435ac8 =  *0x435ac8 + _t9;
				return 0;
			}

0x00402566
0x00402566
0x00402568
0x0040256c
0x00402574
0x00402576
0x0040257c
0x00402585
0x00402585
0x0040258b
0x00402594
0x00402594
0x004025a1
0x00401703
0x00402ea1
0x00401709
0x0040170b
0x0040170b
0x00402ea5
0x00402eb7

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 004025A1

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
Instruction ID: f65784f0cf837312192d28317bace7b0ee78b13f5a7e28397f60b6fd89985110
Opcode Fuzzy Hash: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
Instruction Fuzzy Hash: 90E09A32505254BAD6703A738C09B2B299C5B407A2B64023FB806B22CAE9F98E01812D

Uniqueness

Uniqueness Score: -1.00%

Function 00402AF5 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00402AF5(void* __eflags, intOrPtr _a16, intOrPtr _a40, long _a52) {
				void* __edi;
				void* __esi;
				LONG* __ebp;
				intOrPtr _t6;

				asm("das");
				if(__eflags != 0) {
					__eax = E00403002(2);
					__eax = E00406C25(__edi);
					__eax = SetFilePointer(__eax, __eax, __ebp, _a52); // executed
					__eflags = _a40 - __ebp;
					if(_a40 >= __ebp) {
						_push(__eax);
						E0040661F();
					}
				}
				_t6 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t6;
				return 0;
			}

0x00402af5
0x00402af6
0x00402afe
0x00402b0b
0x00402b11
0x00402b17
0x00402b1b
0x00402b21
0x004016b7
0x004016b7
0x00402b1b
0x00402ea1
0x00402ea5
0x00402eb7

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402B11

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7f3c9236b8feace5d63155e2ab4110c41a4624875c48bb8d285f5a6b1831d61d
Instruction ID: 511448bb44b16b4c3bf5c6e9e6dce24c9e36f35aa22cbfff603521d9bfcae4f3
Opcode Fuzzy Hash: 7f3c9236b8feace5d63155e2ab4110c41a4624875c48bb8d285f5a6b1831d61d
Instruction Fuzzy Hash: 91E0DF722452007FE300AB11ED8AC3FB71CEB80319F04083FF904E40C1C23E2800866A

Uniqueness

Uniqueness Score: -1.00%

Function 00406948 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406948(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t7;
				long _t11;
				struct _OVERLAPPED* _t14;

				_t11 = _a12;
				_t14 = 0;
				_t7 = ReadFile(_a4, _a8, _t11,  &_v8, 0); // executed
				if(_t7 != 0 && _t11 == _v8) {
					_t14 = 1;
				}
				return _t14;
			}

0x0040694e
0x00406954
0x0040695f
0x00406967
0x0040696e
0x0040696e
0x00406974

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,00000004,00000004,00000000,00000000,00000000,00000000), ref: 0040695F

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction ID: 496ccccc8c492c243bc388fe3eb656b5cfb520ee4410d2fb8332981663b8a2fe
Opcode Fuzzy Hash: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction Fuzzy Hash: 38E04672200229BBCF209B9ADC08D9FBFADEE957A07024026B805A3110D270EE21C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A0B Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A0B(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t7;
				long _t11;
				struct _OVERLAPPED* _t14;

				_t11 = _a12;
				_t14 = 0;
				_t7 = WriteFile(_a4, _a8, _t11,  &_v8, 0); // executed
				if(_t7 != 0 && _t11 == _v8) {
					_t14 = 1;
				}
				return _t14;
			}

0x00406a11
0x00406a17
0x00406a22
0x00406a2a
0x00406a31
0x00406a31
0x00406a37

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,0041F538,00403348,?,0041F538,?,0041F538,?,00000004), ref: 00406A22

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction ID: 40df579de253d7cbce13811cecf730e98513d225cd3d08ff0a4c9fddec416105
Opcode Fuzzy Hash: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction Fuzzy Hash: F9E0BF32600129BBCF205B5ADC04E9FFF6DEE926A07114026F905A2150E670EE11DAE4

Uniqueness

Uniqueness Score: -1.00%

Function 004062A5 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062A5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406120(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062af
0x004062b6
0x004062ce
0x00000000
0x004062ce
0x004062ba
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062CE

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction ID: 8015555a5faba5d47a7295c794b4dc45a0f837954a803b2f281cb622c6ff763f
Opcode Fuzzy Hash: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction Fuzzy Hash: 38E0B6B201020ABEEF096F90DC0ADBB7A5DEB08310F00492EFA0694091E6B5AD30A634

Uniqueness

Uniqueness Score: -1.00%

Function 004062D8 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406120(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062e2
0x004062e9
0x004062fc
0x00000000
0x004062fc
0x004062ed
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,00000000,00000800,?,?,004069A5,00000800,?,?,?,Call,00000000,00000000), ref: 004062FC

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction ID: 212ff8f8ceecf1c7f7b975949926931c9c9ff354a47ded1b1035142b567bad43
Opcode Fuzzy Hash: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction Fuzzy Hash: 81D0123204020EBBDF116F909D05FAB3B2DAB08340F004436FE06A4091D775D930A758

Uniqueness

Uniqueness Score: -1.00%

Function 004054E8 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054E8(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4349dc;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004054e8
0x004054ef
0x004054fa
0x00000000
0x004054fa
0x00405500

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction ID: f4f70a023dfa60edfff8c312ec9360925e699ce3f775cceab6ab340ddbd6ed3a
Opcode Fuzzy Hash: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction Fuzzy Hash: BFC04C716402407ADA109B619D09F477755AB90700F5094257200E51E4D674F410CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405503 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405503(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x4349f8, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00405511
0x00405517

APIs

SendMessageW.USER32(00000028,?,00000001,00405338), ref: 00405511

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction ID: 6de71dbe5e5d375af2ff60806ac132807507260846fa189ddd953f73e58556b8
Opcode Fuzzy Hash: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction Fuzzy Hash: 5EB092B5181201BADA919B10DD09F8A7B62ABA4702F028564B200640B0C7B214A0DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403131(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40b010, _a4, 0, 0); // executed
				return _t2;
			}

0x0040313f
0x00403145

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction ID: 0f2f3f991563ac80fd27f5aa645e2e28db5cd0803139906cd9636725fed969f3
Opcode Fuzzy Hash: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction Fuzzy Hash: D2B01231240200BFEA214F00DE0AF067B21F7D0700F10C830B360780F183711460EB4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040211B Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040211B(void* _a24, void* _a32) {
				void* _v0;
				void* _v4;
				void* __ebp;
				void* _t9;
				void* _t15;
				void* _t20;

				_t17 = E0040303E(_t15, _t20);
				E00405D3A(0xffffffeb, _t7);
				_t9 = E004066D6(_t17); // executed
				if(_t9 != 0) {
					if( *((intOrPtr*)(__esp + 0x30)) != __ebp) {
						__eax = E00406514(__ecx, __esi);
						if( *((intOrPtr*)(__esp + 0x2c)) < __ebp) {
							0 = 1;
							 *((intOrPtr*)(__esp + 0x10)) = __ebx;
						} else {
							__eax = E0040661F( *((intOrPtr*)(__esp + 0x18)), __eax);
						}
					}
					_push(__esi);
					__eax = CloseHandle();
					__ebx =  *((intOrPtr*)(__esp + 0x10));
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x00402121
0x00402126
0x0040212c
0x00402139
0x00402143
0x00402146
0x0040214f
0x0040215f
0x00402165
0x00402151
0x00402156
0x00402156
0x0040214f
0x00402169
0x00402110
0x00402ea1
0x00402ea1
0x00402ea5
0x00402eb7

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004066D6: CreateProcessW.KERNELBASE ref: 004066FF
Part of subcall function 004066D6: CloseHandle.KERNEL32(?), ref: 0040670C

CloseHandle.KERNEL32(?,?), ref: 00402110

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32 ref: 00406548

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 882677aa00bba72a8284b2112c1c206fef535646b8e7bbfe774034422b24b4ca
Instruction ID: ffb54da432574bf9da0ba630d69bdc1efbc191342e5e665899b832719b8482a7
Opcode Fuzzy Hash: 882677aa00bba72a8284b2112c1c206fef535646b8e7bbfe774034422b24b4ca
Instruction Fuzzy Hash: 50F0C8356093519BD310AF61DD8982FB298FF85359B100A3FFA52B51D2C77C4D068AAF

Uniqueness

Uniqueness Score: -1.00%

Function 72B312F8 Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72B312F8() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x72b35040 +  *0x72b35040); // executed
				return _t3;
			}

0x72b31302
0x72b31308

APIs

GlobalAlloc.KERNELBASE(00000040,?,72B311C4,-000000A0), ref: 72B31302

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: a51891936c4f1b702e64f714953096c2bd41a6c58f0b8e7d10bc6dda3c919df8
Instruction ID: 11e0e34082e85b6c3de0c185ffe54de94a0a7a7acef1b0d88655b225bb2cbcf6
Opcode Fuzzy Hash: a51891936c4f1b702e64f714953096c2bd41a6c58f0b8e7d10bc6dda3c919df8
Instruction Fuzzy Hash: BBB002F27C01005FEE509755DE5AF393664F744745F640454F605D7142D57558108A55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040441E Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0040441E(struct HWND__* _a4, signed int _a8, long _a12, signed int _a16) {
				struct HWND__* _v0;
				signed int* _v40;
				void* _v44;
				signed int _v48;
				long _v52;
				void* _v56;
				signed int _v60;
				int _v64;
				struct HWND__* _v68;
				struct HWND__* _v72;
				void* _v76;
				struct HWND__* _v80;
				void* _v84;
				struct HWND__* _v88;
				intOrPtr _v96;
				void* _v100;
				void* _v104;
				struct HWND__* _v108;
				signed int _t158;
				signed int _t159;
				int _t160;
				void* _t167;
				void* _t170;
				long _t175;
				void* _t198;
				void* _t199;
				int _t209;
				intOrPtr _t214;
				signed int _t215;
				signed int _t216;
				void* _t235;
				void* _t238;
				intOrPtr _t245;
				intOrPtr _t253;
				long _t257;
				void* _t263;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				long _t279;
				long _t280;
				int _t282;
				signed int _t283;
				signed int _t285;
				signed int _t288;
				int _t293;
				signed int _t296;
				void* _t301;
				int _t302;
				void* _t303;
				void* _t306;
				signed int _t307;
				long _t311;
				struct HWND__* _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t319;
				signed int _t320;
				struct HWND__* _t321;
				int _t326;
				struct HWND__* _t327;
				intOrPtr* _t329;
				struct HWND__* _t330;
				signed int _t333;
				int _t334;
				int _t336;
				long _t337;
				intOrPtr _t338;
				signed int* _t340;
				struct HWND__* _t342;
				long _t343;
				void* _t344;
				long _t345;
				signed int _t346;
				struct HWND__* _t347;
				int _t348;
				int _t349;
				void* _t350;
				struct HWND__* _t352;
				struct HWND__* _t354;
				struct HWND__** _t355;

				_t355 =  &_v80;
				_t330 = _a4;
				_v68 = GetDlgItem(_t330, 0x3f9);
				_t347 = GetDlgItem(_t330, 0x408);
				_v72 =  *0x435a28;
				_v64 =  *0x435a10;
				_v80 = _t347;
				if(_a8 != 0x110) {
					L24:
					_t282 =  !=  ? _a8 : 0x40f;
					_v60 = 0x40f;
					_t158 =  !=  ? _a12 : 0;
					_a12 = _t158;
					_t333 =  !=  ? _a16 : 1;
					if(0x40f == 0x4e) {
						L26:
						if(_t282 == 0x413) {
							L28:
							_t320 = _t333;
							_t275 = _t158;
							_t348 = _t282;
							if(( *0x435a0c & 0x00000200) == 0 && (_t282 == 0x413 ||  *((intOrPtr*)(_t333 + 8)) == 0xfffffffe)) {
								_t313 = E004056DA(_v80, 0 | _t282 != 0x413);
								_t320 = _t333;
								_a8 = _t313;
								_t275 = _a4;
								_t348 = _v68;
								if(_t313 >= 0) {
									_t314 = _t313 * 0x818;
									_a8 = _t314;
									_t315 =  *(_t314 + _v72 + 8);
									_t320 = _t333;
									if((_t315 & 0x00000010) == 0) {
										if((_t315 & 0x00000040) == 0) {
											_t316 = _t315 ^ 1;
										} else {
											_t316 =  ==  ? (_t315 ^ 0x00000080) & 0xfffffffe : _t315 ^ 0x00000080 | 0x00000001;
										}
										_t278 = _a16;
										 *(_a8 + _v72 + 8) = _t316;
										E00401221(_t278);
										_t275 = _t278 + 1;
										_t320 =  !( *0x435a0c >> 8) & 1;
										_t348 = 0x40f;
									}
								}
							}
							if(_t333 != 0) {
								_t214 =  *((intOrPtr*)(_t333 + 8));
								if(_t214 == 0xfffffe3d) {
									SendMessageW(_v80, 0x419, 0,  *(_t333 + 0x5c));
									_t214 =  *((intOrPtr*)(_t333 + 8));
								}
								if(_t214 == 0xfffffe39) {
									_t296 =  *(_t333 + 0x5c) * 0x818;
									_t312 = _v72;
									_t215 =  *(_t296 + _t312 + 8);
									if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
										_t216 = _t215 & 0xffffffdf;
									} else {
										_t216 = _t215 | 0x00000020;
									}
									 *(_t296 + _t312 + 8) = _t216;
								}
							}
							L45:
							_t159 = _t275;
							_t283 = _t320;
							_a16 = _t159;
							_t334 = _t348;
							_a8 = _t283;
							_t306 = 8;
							if(_t348 != 0x111) {
								_t320 = _t283;
								_t275 = _t159;
								_t349 = _t334;
								if(_t334 != 0x200) {
									_t160 = _t349;
									if(_t349 != 0x40b) {
										_a8 = _t320;
										_t349 = _t160;
										_v60 = _t275;
										_a16 = _t349;
										if(_t160 != 0x40f) {
											L88:
											if(_t349 == 0x420 && ( *0x435a0c & 0x00000100) != 0) {
												_t336 =  ==  ? _t306 : 0;
												ShowWindow(_v80, _t336);
												ShowWindow(GetDlgItem(_a4, 0x3fe), _t336);
											}
											L91:
											return E0040575B(_t349, _t275, _t320);
										}
										_t337 = 0;
										L63:
										E004012DD(_t337, _t337);
										if(_t275 != 0) {
											_t196 =  ==  ? _t275 : _t275 - 1;
											_push( ==  ? _t275 : _t275 - 1);
											_push(8);
											E004054B6();
										}
										if(_t320 == 0) {
											L71:
											E004012DD(_t337, _t337);
											_t285 =  *0x435a2c;
											_t167 =  *0x42ed6c; // 0x0
											_a4 = _t337;
											_t338 =  *0x435a28;
											_v52 = 0xf030;
											if(_t285 <= 0) {
												L83:
												if( *0x435afe == 0x400) {
													InvalidateRect(_v80, 0, 1);
												}
												if( *((intOrPtr*)( *0x4349e0 + 0x10)) != 0) {
													_t170 = E00405835(5);
													_push(0);
													E00405560(_t285, 0x3ff, 0xfffffffb, _t170);
												}
												_t306 = 8;
												goto L88;
											}
											_t276 = _a12;
											_t340 = _t338 + 8;
											_t321 = _v80;
											_t350 = _t167;
											do {
												_t175 =  *((intOrPtr*)(_t350 + _t276 * 4));
												_a12 = _t175;
												if(_t175 != 0) {
													_t307 =  *_t340;
													_v52 = _t175;
													_v56 = 8;
													if((_t307 & 0x00000100) != 0) {
														_v56 = 9;
														_v40 =  &(_t340[4]);
														 *_t340 =  *_t340 & 0xfffffeff;
														_a12 = _v52;
													}
													if((_t307 & 0x00000040) == 0) {
														_t288 = (_t307 & 1) + 1;
														if((_t307 & 0x00000010) != 0) {
															_t288 = _t288 + 3;
														}
													} else {
														_t288 = 3;
													}
													_v48 = (_t288 << 0x0000000b | _t307 & 0x00000008) + (_t288 << 0x0000000b | _t307 & 0x00000008) | _t307 & 0x00000020;
													SendMessageW(_t321, 0x1102, (_t307 >> 0x00000005 & 1) + 1, _a12);
													SendMessageW(_t321, 0x113f, 0,  &_v56);
													_t285 =  *0x435a2c;
												}
												_t276 = _t276 + 1;
												_t340 =  &(_t340[0x206]);
											} while (_t276 < _t285);
											_t320 = _a8;
											_t275 = _v60;
											_t349 = _a16;
											goto L83;
										} else {
											_t320 = E004011A0( *0x42ed6c);
											_a4 = _t320;
											E00401290(_t320);
											_t293 = _t337;
											_t311 = _t337;
											if(_t320 <= 0) {
												L70:
												SendMessageW(_v68, 0x14e, _t293, _t337);
												_t349 = 0x420;
												_a16 = 0x420;
												goto L71;
											}
											do {
												_t116 = _t293 + 1; // 0x1
												_t194 =  ==  ? _t293 : _t116;
												_t311 = _t311 + 1;
												_t293 =  ==  ? _t293 : _t116;
											} while (_t311 < _t320);
											_t337 = 0;
											goto L70;
										}
									}
									_t198 =  *0x42ed70; // 0x0
									if(_t198 != 0) {
										ImageList_Destroy(_t198);
									}
									_t199 =  *0x42ed6c; // 0x0
									if(_t199 != 0) {
										GlobalFree(_t199);
									}
									 *0x42ed70 = 0;
									 *0x42ed6c = 0;
									 *0x435ab8 = 0;
									goto L91;
								}
								SendMessageW(_v80, 0x200, 0, 0);
								_t320 = _a8;
								_t275 = _a16;
								goto L91;
							}
							if(_t275 != 0x3f9 || _t275 >> 0x10 != 1) {
								goto L91;
							} else {
								_t342 = _v68;
								_t209 = SendMessageW(_t342, 0x147, 0, 0);
								if(_t209 == 0xffffffff) {
									goto L91;
								}
								_t277 = SendMessageW;
								_t343 = SendMessageW(_t342, 0x150, _t209, 0);
								if(_t343 == 0xffffffff ||  *((intOrPtr*)(_v64 + 0x94 + _t343 * 4)) == 0) {
									_t343 = 0x20;
								}
								E00401290(_t343);
								_t337 = 0;
								SendMessageW(_v0, 0x420, 0, _t343);
								_t275 = _t277 | 0xffffffff;
								_a4 = 0;
								_t349 = 0x40f;
								_v64 = _t275;
								_t320 = 0;
								_a12 = 0x40f;
								goto L63;
							}
						}
						_t320 = _t333;
						_t275 = _t158;
						_t348 = _t282;
						if( *((intOrPtr*)(_t333 + 4)) != 0x408) {
							goto L45;
						}
						goto L28;
					}
					_t320 = 1;
					_t275 = _t158;
					_t348 = 0x40f;
					if(0x40f != 0x413) {
						goto L45;
					}
					goto L26;
				} else {
					_v76 = 0;
					_t326 = 2;
					 *0x435ab8 = _t330;
					 *0x42ed6c = GlobalAlloc(0x40,  *0x435a2c << 2);
					_t235 = LoadImageW( *0x4349f4, 0x6e, 0, 0, 0, 0);
					 *0x42ed68 =  *0x42ed68 | 0xffffffff;
					_t344 = _t235;
					 *0x42dd64 = SetWindowLongW(_t347, 0xfffffffc, E004058D0);
					_t238 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42ed70 = _t238;
					ImageList_AddMasked(_t238, _t344, 0xff00ff);
					SendMessageW(_t347, 0x1109, _t326,  *0x42ed70);
					if(SendMessageW(_t347, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_t347, 0x111b, 0x10, 0);
					}
					DeleteObject(_t344);
					_t352 = _v72;
					_t301 = 0;
					_t345 = 0;
					do {
						_t245 =  *((intOrPtr*)(_v68 + 0x94 + _t345 * 4));
						if(_t245 != 0) {
							_push(_t245);
							_push(_t301);
							SendMessageW(_t352, 0x151, SendMessageW(_t352, 0x143, 0, E00405EBA()), _t345);
							_t270 =  ==  ? _t326 : 0;
							_t301 = 0;
							_t326 =  ==  ? _t326 : 0;
						}
						_t345 = _t345 + 1;
					} while (_t345 < 0x21);
					_t279 = _a12;
					_v64 = _t326;
					_push( *((intOrPtr*)(_t279 + 0x30 + _t326 * 4)));
					_push(0x15);
					E0040551A(_v0);
					_push( *((intOrPtr*)(_t279 + 0x34 + _t326 * 4)));
					_push(0x16);
					E0040551A(_v0);
					_t354 = _v108;
					_t302 = 0;
					_t280 = 0;
					_t346 = 0;
					if( *0x435a2c <= 0) {
						L19:
						SetWindowLongW(_t354, 0xfffffff0, GetWindowLongW(_t354, 0xfffffff0) & 0xfffffffb);
						goto L20;
					} else {
						_t329 = _t355[6] + 0x18;
						do {
							if( *_t329 == _t302) {
								L16:
								_t253 = _v96;
								goto L17;
							}
							_t319 = 0x20;
							_v76 = _t280;
							_v72 = 0xffff0002;
							_v68 = 0xd;
							_v56 = _t319;
							_t355[0x15] = _t346;
							_v52 = _t329;
							_v60 =  *(_t329 - 0x10) & _t319;
							if(( *(_t329 - 0x10) & 0x00000002) == 0) {
								if(( *(_t329 - 0x10) & 0x00000004) == 0) {
									_t257 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
									_t303 =  *0x42ed6c; // 0x0
									 *(_t303 + _t346 * 4) = _t257;
								} else {
									_t280 = SendMessageW(_t354, 0x110a, 3, _t280);
								}
								_t302 = 0;
								goto L16;
							}
							_v68 = 0x4d;
							_t355[0x14] = 1;
							_t280 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
							_t263 =  *0x42ed6c; // 0x0
							 *(_t263 + _t346 * 4) = _t280;
							_t253 = 1;
							_t302 = 0;
							_v96 = 1;
							L17:
							_t346 = _t346 + 1;
							_t329 = _t329 + 0x818;
						} while (_t346 <  *0x435a2c);
						if(_t253 != 0) {
							L20:
							if(_v80 != 0) {
								_push(_t354);
							} else {
								_t327 = _v88;
								ShowWindow(_t327, 5);
								_push(_t327);
							}
							E00405503();
							goto L24;
						}
						goto L19;
					}
				}
			}

0x0040441e
0x0040442f
0x0040443e
0x0040444a
0x00404451
0x0040445a
0x00404468
0x0040446c
0x00404698
0x004046a4
0x004046af
0x004046b3
0x004046bb
0x004046c3
0x004046ce
0x004046de
0x004046e0
0x004046f5
0x004046ff
0x00404701
0x00404703
0x00404705
0x0040472e
0x00404734
0x00404736
0x0040473a
0x0040473c
0x00404740
0x00404746
0x0040474c
0x00404750
0x00404754
0x00404759
0x0040475e
0x0040477b
0x00404760
0x00404773
0x00404773
0x00404785
0x0040478a
0x0040478e
0x004047a1
0x004047a2
0x004047a4
0x004047a4
0x00404759
0x00404740
0x004047ab
0x004047ad
0x004047b5
0x004047c6
0x004047cc
0x004047cc
0x004047d4
0x004047d6
0x004047e1
0x004047e5
0x004047e9
0x004047f0
0x004047eb
0x004047eb
0x004047eb
0x004047f3
0x004047f3
0x004047d4
0x004047f7
0x004047f7
0x004047f9
0x004047fb
0x004047ff
0x00404801
0x00404807
0x0040480e
0x004048a9
0x004048ab
0x004048b2
0x004048b6
0x004048d4
0x004048dc
0x00404914
0x00404918
0x0040491a
0x0040491e
0x00404927
0x00404ae0
0x00404ae6
0x00404af9
0x00404b01
0x00404b18
0x00404b18
0x00404b1e
0x00404b2d
0x00404b2d
0x0040492d
0x0040492f
0x00404931
0x00404938
0x00404940
0x00404943
0x00404944
0x00404946
0x00404946
0x0040494d
0x004049a3
0x004049a5
0x004049aa
0x004049b0
0x004049b5
0x004049b9
0x004049bf
0x004049c9
0x00404a9f
0x00404aad
0x00404ab8
0x00404ab8
0x00404ac6
0x00404aca
0x00404acf
0x00404ad8
0x00404ad8
0x00404adf
0x00000000
0x00404adf
0x004049cf
0x004049d3
0x004049d6
0x004049da
0x004049dc
0x004049dc
0x004049e0
0x004049e6
0x004049ec
0x004049ee
0x004049f2
0x00404a00
0x00404a05
0x00404a0d
0x00404a11
0x00404a1b
0x00404a1b
0x00404a22
0x00404a30
0x00404a34
0x00404a36
0x00404a36
0x00404a24
0x00404a26
0x00404a26
0x00404a56
0x00404a64
0x00404a78
0x00404a7e
0x00404a7e
0x00404a84
0x00404a85
0x00404a8b
0x00404a93
0x00404a97
0x00404a9b
0x00000000
0x0040494f
0x0040495a
0x0040495d
0x00404961
0x00404966
0x00404968
0x0040496c
0x00404989
0x00404994
0x0040499a
0x0040499f
0x00000000
0x0040499f
0x00404972
0x0040497a
0x0040497d
0x00404980
0x00404981
0x00404983
0x00404987
0x00000000
0x00404987
0x0040494d
0x004048de
0x004048e5
0x004048e8
0x004048e8
0x004048ee
0x004048f5
0x004048f8
0x004048f8
0x00404900
0x00404905
0x0040490a
0x00000000
0x0040490a
0x004048c1
0x004048c7
0x004048cb
0x00000000
0x004048cb
0x0040481c
0x00000000
0x00404833
0x00404833
0x00404841
0x0040484a
0x00000000
0x00000000
0x00404850
0x00404862
0x00404867
0x00404878
0x00404878
0x0040487a
0x00404880
0x0040488c
0x0040488e
0x00404891
0x00404895
0x0040489a
0x0040489e
0x004048a0
0x00000000
0x004048a0
0x0040481c
0x004046e9
0x004046eb
0x004046ed
0x004046ef
0x00000000
0x00000000
0x00000000
0x004046ef
0x004046d0
0x004046d2
0x004046d4
0x004046d8
0x00000000
0x00000000
0x00000000
0x00404472
0x00404472
0x0040447d
0x00404484
0x00404490
0x004044a3
0x004044a9
0x004044b0
0x004044c0
0x004044d0
0x004044dd
0x004044e2
0x004044f5
0x00404506
0x00404513
0x00404513
0x00404516
0x0040451c
0x00404520
0x00404522
0x00404524
0x00404528
0x00404531
0x00404533
0x00404534
0x0040454e
0x00404555
0x00404558
0x0040455a
0x0040455a
0x0040455c
0x0040455d
0x00404562
0x0040456a
0x0040456e
0x00404572
0x00404575
0x0040457a
0x0040457e
0x00404581
0x00404586
0x0040458a
0x0040458c
0x0040458e
0x00404596
0x00404665
0x00404675
0x00000000
0x0040459c
0x004045a0
0x004045a3
0x004045a6
0x0040464a
0x0040464a
0x00000000
0x0040464a
0x004045b1
0x004045b4
0x004045bc
0x004045c4
0x004045cc
0x004045d0
0x004045d4
0x004045d8
0x004045dc
0x00404618
0x00404639
0x0040463f
0x00404645
0x0040461a
0x00404629
0x00404629
0x00404648
0x00000000
0x00404648
0x004045e0
0x004045e9
0x004045ff
0x00404601
0x00404606
0x0040460b
0x0040460c
0x0040460e
0x0040464e
0x0040464e
0x0040464f
0x00404655
0x00404663
0x0040467b
0x00404680
0x00404692
0x00404682
0x00404682
0x00404689
0x0040468f
0x0040468f
0x00404693
0x00000000
0x00404693
0x00000000
0x00404663
0x00404596

APIs

GetDlgItem.USER32 ref: 00404436
GetDlgItem.USER32 ref: 00404442
GlobalAlloc.KERNEL32(00000040,?), ref: 0040448A
LoadImageW.USER32 ref: 004044A3
SetWindowLongW.USER32 ref: 004044BA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004044D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004044E2
SendMessageW.USER32(00000000,00001109,00000002), ref: 004044F5
SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404501
SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 00404513
DeleteObject.GDI32(00000000), ref: 00404516
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404544
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040454E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004045F9
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404623
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404639
GetWindowLongW.USER32(?,000000F0), ref: 00404668
SetWindowLongW.USER32 ref: 00404675
ShowWindow.USER32(?,00000005), ref: 00404689
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047C6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404841
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404860
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040488C
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004048C1
ImageList_Destroy.COMCTL32(00000000), ref: 004048E8
GlobalFree.KERNEL32 ref: 004048F8

Strings

M, xrefs: 004045E0

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
String ID: M
API String ID: 1688767230-3664761504
Opcode ID: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction ID: 0c70e663620b203d4295ddec51a1238c6828a203a6db769dd6a487d059f7c121
Opcode Fuzzy Hash: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction Fuzzy Hash: D812CEB1604301AFD7209F24DC85A6BB7E9EBC8314F104A3EFA95E72E1D7789C018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00404085 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00404085(void* __ebx, void* __ebp, struct HWND__* _a4, unsigned int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v4;
				WCHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v28;
				struct HWND__* _v32;
				unsigned int _v36;
				signed int _v40;
				long _v48;
				unsigned int _v52;
				signed int _v56;
				long _v64;
				long _v68;
				long _v72;
				unsigned int _v92;
				unsigned int _v96;
				unsigned int _t59;
				unsigned int _t61;
				unsigned int _t63;
				unsigned int _t65;
				unsigned int _t70;
				intOrPtr _t72;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t89;
				signed int _t90;
				unsigned int _t92;
				unsigned int _t95;
				int _t98;
				unsigned int _t103;
				unsigned int _t108;
				unsigned int _t110;
				WCHAR* _t116;
				signed int _t117;
				unsigned int _t118;
				unsigned int _t120;
				short* _t122;
				struct HWND__* _t123;
				struct HWND__* _t124;
				unsigned int _t125;
				void* _t128;
				unsigned int _t134;
				unsigned int _t135;
				WCHAR* _t138;
				unsigned int _t139;
				void* _t140;
				unsigned int _t141;
				unsigned int _t142;
				intOrPtr _t143;
				unsigned int _t147;
				struct HWND__* _t149;
				long* _t150;

				_t150 =  &_v72;
				_t125 =  *0x42dd4c;
				_t135 = _a8;
				_t138 = ( *(_t125 + 0x3c) << 0xb) + 0x436000;
				_v52 = _t125;
				if(_t135 != 0x40b) {
					__eflags = _t135 - 0x110;
					if(_t135 != 0x110) {
						__eflags = _t135 - 0x111;
						if(_t135 != 0x111) {
							L19:
							_t59 = _t135;
							__eflags = _t135 - 0x40f;
							if(__eflags == 0) {
								L21:
								_v56 = 0;
								E00406A3A(0x3fb, _t138);
								_t61 = E00406638(__eflags, _t138);
								_t116 = 0x42e568;
								_t147 = 1;
								__eflags = _t61;
								_t127 =  ==  ? 1 : 0;
								_v4 =  ==  ? 1 : 0;
								E00406B1A(0x42e568, _t138);
								_t63 = E004068E6(1);
								_v96 = _t63;
								__eflags = _t63;
								if(_t63 == 0) {
									L28:
									E00406B1A(_t116, _t138);
									_t65 = E00406BC5(_t116);
									__eflags = _t65;
									if(_t65 != 0) {
										__eflags = 0;
										 *_t65 = 0;
									}
									_t70 = GetDiskFreeSpaceW(_t116,  &_v68,  &_v64,  &_v72,  &_v48);
									__eflags = _t70;
									if(_t70 == 0) {
										_t139 = _v36;
										_t117 = _v40;
										_t147 = _v56;
										goto L35;
									} else {
										_t85 = MulDiv(_v68 * _v64, _v72, 0x400);
										asm("cdq");
										_t117 = _t85;
										_t139 = _t134;
										L33:
										_v40 = _t117;
										_v36 = _t139;
										L35:
										_t128 = E00405835(5);
										__eflags = _t147;
										if(_t147 == 0) {
											L40:
											_t118 = _a8;
											L41:
											_t72 =  *0x4349e0;
											__eflags =  *(_t72 + 0x10);
											if( *(_t72 + 0x10) != 0) {
												_push(0);
												E00405560(_t128, 0x3ff, 0xfffffffb, _t128);
												__eflags = _t147;
												if(_t147 == 0) {
													SetDlgItemTextW(_t150[0x19], 0x400, 0x4095b0);
												} else {
													_push(_v40);
													E00405560(_t128, 0x400, 0xfffffffc, _t150[0xd]);
												}
											}
											 *0x435ae4 = _t118;
											__eflags = _t118;
											if(_t118 == 0) {
												_t118 = E00401533(7);
											}
											_t140 = 0;
											__eflags =  *(_v52 + 0x14) & 0x00000400;
											_t141 =  ==  ? _t118 : _t140;
											__eflags = _t141;
											EnableWindow( *0x42dd54, 0 | _t141 == 0x00000000);
											__eflags = _t141;
											if(_t141 == 0) {
												__eflags =  *0x42dd60 - _t141;
												if( *0x42dd60 == _t141) {
													E0040553C();
												}
											}
											 *0x42dd60 =  *0x42dd60 & 0x00000000;
											__eflags =  *0x42dd60;
											goto L51;
										}
										__eflags = _t139;
										if(__eflags > 0) {
											goto L40;
										}
										if(__eflags < 0) {
											L39:
											_t118 = 2;
											goto L41;
										}
										__eflags = _t117 - _t128;
										if(_t117 >= _t128) {
											goto L40;
										}
										goto L39;
									}
								}
								_t120 = 0;
								__eflags = 0;
								while(1) {
									_t86 =  *_t63(0x42e568,  &_v40,  &_v64,  &_v48);
									__eflags = _t86;
									if(_t86 != 0) {
										break;
									}
									__eflags = _t120;
									if(_t120 != 0) {
										 *_t120 = _t86;
									}
									_t122 = E00406D10(0x42e568);
									 *_t122 = 0;
									_t120 = _t122 - 2;
									_t89 = 0x5c;
									 *_t120 = _t89;
									_t63 = _v92;
									__eflags = _t120 - 0x42e568;
									if(_t120 != 0x42e568) {
										continue;
									} else {
										_t116 = 0x42e568;
										goto L28;
									}
								}
								_t142 = _v52;
								_t117 = (_t142 << 0x00000020 | _v56) >> 0xa;
								_t139 = _t142 >> 0xa;
								__eflags = _t139;
								goto L33;
							}
							__eflags = _t59 - 0x405;
							if(__eflags != 0) {
								goto L51;
							}
							goto L21;
						}
						_t134 = _a12;
						_t90 = _t134 & 0x0000ffff;
						__eflags = _t90 - 0x3fb;
						if(_t90 != 0x3fb) {
							_t134 = 0x3e9;
							__eflags = _t90 - 0x3e9;
							if(_t90 != 0x3e9) {
								goto L19;
							}
							_t123 = _a4;
							_v28 = 0;
							_v4 = 0;
							_v32 = _t123;
							_v24 = 0x42bd48;
							_v12 = E00404F33;
							_v8 = _t138;
							_v28 = E00405EBA();
							_t92 =  &_v40;
							_v24 = 0x41;
							__imp__SHBrowseForFolderW(_t92, 0x42dd68,  *((intOrPtr*)(_t125 + 0x38)));
							__eflags = _t92;
							if(__eflags == 0) {
								L11:
								_t135 = 0x40f;
								goto L21;
							}
							__imp__CoTaskMemFree(_t92);
							E00406556(_t138);
							_t95 =  *( *0x435a10 + 0x11c);
							__eflags = _t95;
							if(_t95 != 0) {
								__eflags = _t138 - L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
								if(_t138 == L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane") {
									_push(_t95);
									_push(0);
									E00405EBA();
									_t98 = lstrcmpiW("Call", "Waywort87 Setup: Installing");
									__eflags = _t98;
									if(_t98 != 0) {
										lstrcatW(_t138, "Call");
									}
								}
							}
							 *0x42dd60 =  *0x42dd60 + 1;
							__eflags =  *0x42dd60;
							SetDlgItemTextW(_t123, 0x3fb, _t138);
							goto L19;
						}
						__eflags = _t134 >> 0x10 - 0x300;
						if(__eflags != 0) {
							goto L19;
						}
						goto L11;
					} else {
						_t124 = _a4;
						_t149 = GetDlgItem(_t124, 0x3fb);
						_t103 = E00406E03(_t138);
						__eflags = _t103;
						if(_t103 != 0) {
							_t110 = E00406BC5(_t138);
							__eflags = _t110;
							if(_t110 == 0) {
								E00406556(_t138);
							}
						}
						 *0x4349dc = _t124;
						SetWindowTextW(_t149, _t138);
						_t143 = _a16;
						_push( *((intOrPtr*)(_t143 + 0x34)));
						_push(1);
						E0040551A(_t124);
						_push( *((intOrPtr*)(_t143 + 0x30)));
						_push(0x14);
						E0040551A(_t124);
						E00405503(_t149);
						_t108 = E004068E6(8);
						__eflags = _t108;
						if(_t108 != 0) {
							 *_t108(_t149, 1);
						}
						L51:
						goto L52;
					}
				} else {
					E00406A3A(0x3fb, _t138);
					E00406D3D(_t138);
					L52:
					return E0040575B(_t135, _a12, _a16);
				}
			}

0x00404085
0x00404088
0x00404090
0x0040409a
0x004040a0
0x004040aa
0x004040c4
0x004040ca
0x00404146
0x0040414c
0x00404231
0x00404231
0x00404233
0x00404239
0x00404246
0x0040424c
0x00404250
0x00404256
0x0040425d
0x00404264
0x00404265
0x00404268
0x0040426c
0x00404270
0x00404276
0x0040427b
0x0040427f
0x00404281
0x004042d5
0x004042d7
0x004042dd
0x004042e2
0x004042e4
0x004042e6
0x004042e8
0x004042e8
0x00404300
0x00404306
0x00404308
0x00404343
0x00404347
0x0040434b
0x00000000
0x0040430a
0x0040431d
0x00404323
0x00404324
0x00404326
0x00404339
0x00404339
0x0040433d
0x0040434f
0x00404356
0x00404358
0x0040435a
0x0040436b
0x0040436b
0x0040436f
0x0040436f
0x00404374
0x00404378
0x0040437a
0x00404384
0x00404389
0x0040438b
0x004043b1
0x0040438d
0x0040438d
0x0040439c
0x0040439c
0x0040438b
0x004043b6
0x004043bc
0x004043be
0x004043c7
0x004043c7
0x004043cf
0x004043d0
0x004043d7
0x004043dc
0x004043e8
0x004043ee
0x004043f0
0x004043f2
0x004043f8
0x004043fa
0x004043fa
0x004043f8
0x004043ff
0x004043ff
0x00000000
0x004043ff
0x0040435c
0x0040435e
0x00000000
0x00000000
0x00404360
0x00404366
0x00404368
0x00000000
0x00404368
0x00404362
0x00404364
0x00000000
0x00000000
0x00000000
0x00404364
0x00404308
0x00404283
0x00404283
0x00404285
0x00404299
0x0040429b
0x0040429d
0x00000000
0x00000000
0x004042a3
0x004042a5
0x004042a7
0x004042a7
0x004042b4
0x004042ba
0x004042bd
0x004042c0
0x004042c1
0x004042c4
0x004042c8
0x004042ce
0x00000000
0x004042d0
0x004042d0
0x00000000
0x004042d0
0x004042ce
0x0040432e
0x00404332
0x00404336
0x00404336
0x00000000
0x00404336
0x0040423b
0x00404240
0x00000000
0x00000000
0x00000000
0x00404240
0x00404152
0x00404156
0x00404159
0x0040415c
0x0040417b
0x00404180
0x00404183
0x00000000
0x00000000
0x0040418c
0x00404195
0x00404199
0x0040419d
0x004041a1
0x004041a9
0x004041b1
0x004041ba
0x004041be
0x004041c3
0x004041cb
0x004041d1
0x004041d3
0x00404171
0x00404171
0x00000000
0x00404171
0x004041d6
0x004041dd
0x004041e7
0x004041ed
0x004041ef
0x004041f1
0x004041f7
0x004041f9
0x004041fa
0x004041fb
0x0040420a
0x00404210
0x00404212
0x0040421a
0x0040421a
0x00404212
0x004041f7
0x0040421f
0x0040421f
0x0040422c
0x00000000
0x0040422c
0x00404168
0x0040416b
0x00000000
0x00000000
0x00000000
0x004040cc
0x004040cc
0x004040dd
0x004040df
0x004040e4
0x004040e6
0x004040e9
0x004040ee
0x004040f0
0x004040f3
0x004040f3
0x004040f0
0x004040fa
0x00404100
0x00404106
0x0040410a
0x0040410d
0x00404110
0x00404115
0x00404118
0x0040411b
0x00404121
0x00404128
0x0040412d
0x0040412f
0x00404138
0x00404138
0x00404406
0x00000000
0x00404407
0x004040ac
0x004040b2
0x004040b8
0x00404408
0x0040441b
0x0040441b

APIs

GetDlgItem.USER32 ref: 004040D6
SetWindowTextW.USER32(00000000,?), ref: 00404100

Part of subcall function 00406A3A: GetDlgItemTextW.USER32(?,?,00000400,00404F4C), ref: 00406A4D

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DDE

Strings

Waywort87 Setup: Installing, xrefs: 004041A1, 00404200
hB, xrefs: 004042C8
A, xrefs: 004041C3
hB, xrefs: 0040425D
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 004041F1
Call, xrefs: 00404205, 00404214
hB, xrefs: 004042D0

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Char$Next$ItemText$PrevWindow
String ID: A$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$Call$Waywort87 Setup: Installing$hB$hB$hB
API String ID: 4089110348-85565510
Opcode ID: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
Instruction ID: 78a62133d8830c36d5793369ed94498114b99b2b12e517e73a25645684f3fa2c
Opcode Fuzzy Hash: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
Instruction Fuzzy Hash: BD91BFB1704311ABD720AF658C81B6B76A8AF94744F41483EFB42B62D1D77CD9018BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040234F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040234F(void* _a4, signed int _a8, signed int _a12, char _a16, signed int _a36, signed int _a44, intOrPtr _a48, intOrPtr _a60, intOrPtr _a76) {
				char _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v24;
				void* _v28;
				intOrPtr* _v32;
				void* _v36;
				intOrPtr* _v40;
				void* _v48;
				void* _v56;
				void* _v64;
				void* _v68;
				signed int _t46;
				unsigned int _t49;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t60;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				unsigned int _t80;
				unsigned int _t81;
				void* _t98;
				intOrPtr* _t100;
				signed int _t103;
				void* _t108;
				void* _t110;

				_a76 = E0040303E(_t98, 0xfffffff0);
				_a16 = E0040303E(_t98, 0xffffffdf);
				_a60 = E0040303E(_t98, 2);
				_a60 = E0040303E(_t98, 0xffffffcd);
				_a48 = E0040303E(_t98, 0x45);
				_t46 = _a36;
				_a12 = _t46 & 0x00000fff;
				_a8 = _t46 & 0x00008000;
				_t103 = _t46 >> 0x0000000c & 0x00000007;
				_a44 = _t46 >> 0x10;
				if(E00406E03(_t42) == 0) {
					E0040303E(_t98, 0x21);
				}
				_t49 =  &_a16;
				__imp__CoCreateInstance(0x409adc, _t108, 1, 0x409abc, _t49);
				_t80 = _t49;
				if(_t80 >= 0) {
					_t56 =  *((intOrPtr*)(_t110 + 0x10));
					_t80 =  *((intOrPtr*)( *_t56))(_t56, 0x409acc,  &_v0);
					if(_t80 >= 0) {
						_t60 =  *((intOrPtr*)(_t110 + 0x10));
						_t80 =  *((intOrPtr*)( *_t60 + 0x50))(_t60, _v8);
						if(_v12 == _t108) {
							_t76 = _v24;
							 *((intOrPtr*)( *_t76 + 0x24))(_t76, L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane");
						}
						if(_t103 != 0) {
							_t74 = _v24;
							 *((intOrPtr*)( *_t74 + 0x3c))(_t74, _t103);
						}
						_t62 = _v24;
						 *((intOrPtr*)( *_t62 + 0x34))(_t62,  *((intOrPtr*)(_t110 + 0x40)));
						_t100 =  *((intOrPtr*)(_t110 + 0x4c));
						if( *_t100 != _t108) {
							_t72 = _v32;
							 *((intOrPtr*)( *_t72 + 0x44))(_t72, _t100,  *((intOrPtr*)(_t110 + 0x20)));
						}
						_t64 = _v32;
						 *((intOrPtr*)( *_t64 + 0x2c))(_t64,  *((intOrPtr*)(_t110 + 0x48)));
						_t66 = _v40;
						 *((intOrPtr*)( *_t66 + 0x1c))(_t66, _a12);
						if(_t80 >= 0) {
							_t70 =  *((intOrPtr*)(_t110 + 0x14));
							_t80 =  *((intOrPtr*)( *_t70 + 0x18))(_t70, _a16, 1);
						}
						_t68 =  *((intOrPtr*)(_t110 + 0x14));
						 *((intOrPtr*)( *_t68 + 8))(_t68);
					}
					_t58 =  *((intOrPtr*)(_t110 + 0x10));
					 *((intOrPtr*)( *_t58 + 8))(_t58);
				}
				E00405D3A((_t80 >> 0x0000001f & 0xfffffffc) - 0xc, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
				_t81 = _t80 >> 0x1f;
				 *0x435ac8 =  *0x435ac8 + _t81;
				return 0;
			}

0x00402358
0x00402365
0x00402370
0x0040237b
0x00402384
0x00402388
0x00402396
0x004023a9
0x004023ad
0x004023b0
0x004023bb
0x004023bf
0x004023bf
0x004023c4
0x004023d8
0x004023de
0x004023e2
0x004023e8
0x004023fb
0x004023ff
0x00402405
0x00402413
0x00402419
0x0040241b
0x00402427
0x00402427
0x0040242c
0x0040242e
0x00402436
0x00402436
0x00402439
0x00402444
0x00402447
0x0040244e
0x00402450
0x0040245c
0x0040245c
0x0040245f
0x0040246a
0x0040246d
0x00402478
0x0040247d
0x0040247f
0x0040248e
0x0040248e
0x00402490
0x00402497
0x00402497
0x0040249a
0x004024a1
0x004024a1
0x004024b5
0x004024ba
0x00402ea5
0x00402eb7

APIs

CoCreateInstance.OLE32(00409ADC,?,00000001,00409ABC,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8

Strings

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 004024AC
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 0040241F

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane
API String ID: 542301482-1038601001
Opcode ID: bc0662a52d98e10143171a3c355a99e9a72edb8270824da348fbf334a5ed34ad
Instruction ID: 400f91c807c924ebcba0c57f4558c7b9259f909ea30478445bd8bb36a2d5bedd
Opcode Fuzzy Hash: bc0662a52d98e10143171a3c355a99e9a72edb8270824da348fbf334a5ed34ad
Instruction Fuzzy Hash: 5E414C72604341AFC700DFA5C888A1BBBE9FF89315F14092EF655DB291DB79D805CB16

Uniqueness

Uniqueness Score: -1.00%

Function 004075FE Relevance: .4, Instructions: 410
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E004075FE(signed int* __ebx, signed int __edi, signed int __esi) {
				signed int _t447;
				signed int _t450;
				void* _t460;
				signed int _t461;
				signed int _t466;
				signed int _t467;
				void* _t469;
				signed int _t470;
				signed int _t475;
				signed int _t476;
				unsigned int _t505;
				void* _t513;
				signed int _t526;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t539;
				signed int _t544;
				signed int _t545;
				void* _t546;
				signed int _t547;
				unsigned int _t555;
				signed int _t559;
				signed int* _t567;
				signed int _t572;
				signed int _t574;
				signed int _t576;
				signed int _t595;
				void* _t602;
				signed int _t604;
				signed int _t607;
				signed char _t608;
				signed char* _t609;
				signed int _t611;
				signed int _t614;
				signed int _t615;
				void* _t616;
				unsigned int _t619;
				unsigned int _t625;
				signed int* _t629;
				signed char _t634;
				signed char _t635;
				signed char** _t637;
				void* _t638;
				signed int _t639;
				unsigned int _t644;
				signed int _t646;
				signed int _t647;
				unsigned int _t651;
				signed int _t652;
				void* _t657;

				L0:
				while(1) {
					L0:
					_t652 = __esi;
					_t647 = __edi;
					_t567 = __ebx;
					_t637 =  *(_t657 + 0x48);
					L56:
					while(_t652 < 0xe) {
						if(_t447 == 0) {
							L189:
							 *(_t657 + 0x1c) =  *(_t657 + 0x1c) & 0x00000000;
							_t567[0x147] = _t647;
							_t567[0x146] = _t652;
							_t637[1] = _t637[1] & 0x00000000;
							L196:
							 *_t637 =  *(_t657 + 0x14);
							_t567[0x26ea] =  *(_t657 + 0x18);
							L00407FBE(_t637);
							_t450 =  *(_t657 + 0x1c);
							L197:
							return _t450;
						}
						L55:
						 *(_t657 + 0x10) = _t447 - 1;
						_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
						 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
						_t447 =  *(_t657 + 0x10);
						_t652 = _t652 + 8;
					}
					_t572 = _t647 & 0x00003fff;
					_t567[1] = _t572;
					if((_t572 & 0x0000001f) > 0x1d || (_t572 & 0x000003e0) > 0x3a0) {
						L186:
						_t567[0x146] = _t652;
						 *_t567 = 0x11;
						_t567[0x147] = _t647;
						_t637[1] =  *(_t657 + 0x10);
						goto L196;
					} else {
						L59:
						_t652 = _t652 - 0xe;
						_t647 = _t647 >> 0xe;
						_t567[2] = _t567[2] & 0x00000000;
						 *(_t657 + 0x20) = _t652;
						 *_t567 = 0xc;
						while(1) {
							L60:
							_t574 = _t567[2];
							_t637 =  *(_t657 + 0x48);
							L65:
							while(_t574 < (_t567[1] >> 0xa) + 4) {
								while(1) {
									L63:
									_t460 = 3;
									if(_t652 >= _t460) {
										break;
									}
									L61:
									_t461 =  *(_t657 + 0x10);
									if(_t461 == 0) {
										goto L189;
									}
									L62:
									 *(_t657 + 0x10) = _t461 - 1;
									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
									_t652 = _t652 + 8;
								}
								L64:
								_t466 = 7;
								_t576 = _t647;
								_t647 = _t647 >> 3;
								_t467 = _t567[2];
								_t96 = _t467 + 0x4099b0; // 0x121110
								 *(_t567 + 0xc +  *_t96 * 4) = _t576 & _t466;
								_t574 = _t567[2] + 1;
								_t469 = 3;
								_t652 = _t652 - _t469;
								_t567[2] = _t574;
								 *(_t657 + 0x20) = _t652;
							}
							_t638 = 0x13;
							if(_t574 >= _t638) {
								L68:
								_t470 = 7;
								 *(_t657 + 0x30) =  *(_t657 + 0x30) & 0x00000000;
								_t567[0x143] = _t470;
								_t475 = E00406EA8( &(_t567[3]), _t638, _t638, 0, 0,  &(_t567[0x144]),  &(_t567[0x143]),  &(_t567[0x148]), _t657 + 0x30);
								if(_t475 != 0 || _t567[0x143] == _t475) {
									L73:
									 *_t567 = 0x11;
									goto L22;
								} else {
									L70:
									_t567[2] = _t567[2] & _t475;
									 *_t567 = 0xd;
									L71:
									_t505 = _t567[1];
									_t637 =  *(_t657 + 0x48);
									 *(_t657 + 0x24) = _t505;
									if(_t567[2] >= (_t505 & 0x0000001f) + 0x102 + (_t505 >> 0x00000005 & 0x0000001f)) {
										L95:
										_t595 =  *(_t657 + 0x24);
										_t567[0x144] = _t567[0x144] & 0x00000000;
										 *(_t657 + 0x2c) =  *(_t657 + 0x2c) & 0x00000000;
										 *(_t657 + 0x30) = (_t595 & 0x0000001f) + 0x101;
										 *(_t657 + 0x2c) = 9;
										 *(_t657 + 0x28) = (_t595 >> 0x00000005 & 0x0000001f) + 1;
										 *(_t657 + 0x28) = 6;
										_t513 = E00406EA8( &(_t567[3]), (_t595 & 0x0000001f) + 0x101, 0x101, 0x4099c4, 0x409a04, _t657 + 0x48, _t657 + 0x30,  &(_t567[0x148]), _t657 + 0x2c);
										_t602 = 0xffffffff;
										_t476 =  ==  ? _t602 : _t513;
										if(_t476 != 0) {
											L187:
											_t637 =  *(_t657 + 0x48);
											L188:
											_t567[0x146] = _t652;
											_t567[0x147] = _t647;
											 *_t567 = 0x11;
											_t637[1] =  *(_t657 + 0x10);
											L195:
											 *(_t657 + 0x1c) = _t476 | 0xffffffff;
											goto L196;
										}
										L96:
										_t476 = E00406EA8( &(_t567[ *((intOrPtr*)(_t657 + 0x50)) + 3]),  *((intOrPtr*)(_t657 + 0x34)), 0, 0x409a44, 0x409a80, _t657 + 0x4c, _t657 + 0x28,  &(_t567[0x148]), _t657 + 0x2c);
										if(_t476 != 0) {
											goto L187;
										}
										L97:
										_t476 =  *(_t657 + 0x20);
										if(_t476 != 0 ||  *(_t657 + 0x30) <= 0x101) {
											L99:
											 *_t567 =  *_t567 & 0x00000000;
											_t567[4] = _t476;
											_t567[5] =  *(_t657 + 0x3c);
											_t567[4] =  *(_t657 + 0x28);
											_t567[6] =  *(_t657 + 0x40);
											L100:
											_t567[3] = _t567[4] & 0x000000ff;
											_t567[2] = _t567[5];
											_t526 =  *(_t657 + 0x10);
											 *_t567 = 1;
											L101:
											_t637 =  *(_t657 + 0x48);
											while(1) {
												L104:
												_t604 = _t567[3];
												if(_t652 >= _t604) {
													break;
												}
												L102:
												if(_t526 == 0) {
													goto L189;
												}
												L103:
												 *(_t657 + 0x10) = _t526 - 1;
												_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
												 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
												_t526 =  *(_t657 + 0x10);
												_t652 = _t652 + 8;
											}
											L105:
											_t531 = _t567[2];
											_t607 =  *(0x40b0c0 + _t604 * 2) & 0x0000ffff & _t647;
											_t644 = _t531 + _t607 * 4;
											_t608 =  *(_t531 + 1 + _t607 * 4) & 0x000000ff;
											_t652 = _t652 - _t608;
											_t647 = _t647 >> _t608;
											_t609 = _t644;
											 *(_t657 + 0x30) = _t644;
											 *(_t657 + 0x20) = _t652;
											_t532 =  *_t609 & 0x000000ff;
											if(_t532 != 0) {
												L107:
												if((_t532 & 0x00000010) == 0) {
													L109:
													if((_t532 & 0x00000040) != 0) {
														L111:
														if((_t532 & 0x00000020) == 0) {
															L193:
															_t476 =  *(_t657 + 0x10);
															L194:
															_t637 =  *(_t657 + 0x48);
															 *_t567 = 0x11;
															_t567[0x147] = _t647;
															_t567[0x146] = _t652;
															_t637[1] = _t476;
															goto L195;
														}
														L112:
														_t533 = 7;
														 *_t567 = _t533;
														L22:
														L177:
														_t476 =  *(_t657 + 0x10);
														L178:
														_t639 = 0xf;
														L179:
														while( *_t567 <= _t639) {
															switch( *((intOrPtr*)( *_t567 * 4 +  &M00407F7E))) {
																case 0:
																	goto L100;
																case 1:
																	goto L101;
																case 2:
																	L113:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L116:
																		__ecx = __ebx[2];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L114:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L115:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L117:
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
																	__edi = __edi >> __cl;
																	__ebx[1] = __ebx[1] + __eax;
																	__esi = __esi - __ecx;
																	__eflags = __esi;
																	__eax = __ebx[4] & 0x000000ff;
																	__ebx[3] = __ebx[4] & 0x000000ff;
																	__eax = __ebx[6];
																	__ebx[2] = __ebx[6];
																	_push(3);
																	_pop(__eax);
																	 *__ebx = __ebx[6];
																	__eax =  *(__esp + 0x10);
																	goto L118;
																case 3:
																	L118:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L121:
																		__ecx = __ebx[3];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L119:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L120:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L122:
																	__ecx =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax = __ebx[2];
																	__eax = __ebx[2] + __ecx * 4;
																	__ecx =  *(__eax + 1) & 0x000000ff;
																	 *(__esp + 0x30) = __eax;
																	__esi = __esi - ( *(__eax + 1) & 0x000000ff);
																	__eax =  *__eax & 0x000000ff;
																	__edi = __edi >> __cl;
																	 *(__esp + 0x20) = __esi;
																	__eflags = __al & 0x00000010;
																	if((__al & 0x00000010) == 0) {
																		L124:
																		__eflags = __al & 0x00000040;
																		if((__al & 0x00000040) != 0) {
																			goto L193;
																		}
																		L125:
																		__ecx =  *(__esp + 0x30);
																		goto L110;
																	}
																	L123:
																	_push(0xf);
																	_pop(__ecx);
																	__eax = __eax & __ecx;
																	__ecx =  *(__esp + 0x30);
																	__ebx[2] = __eax;
																	__eax =  *(__ecx + 2) & 0x0000ffff;
																	__ebx[3] = __eax;
																	 *__ebx = 4;
																	goto L22;
																case 4:
																	L126:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L129:
																		__ecx = __ebx[2];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L127:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L128:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L130:
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
																	__edi = __edi >> __cl;
																	__ebx[3] = __ebx[3] + __eax;
																	__esi = __esi - __ecx;
																	__eflags = __esi;
																	__ecx =  *(__esp + 0x18);
																	 *(__esp + 0x20) = __esi;
																	 *__ebx = 5;
																	goto L131;
																case 5:
																	L131:
																	__edx =  *(__esp + 0x48);
																	__ecx = __ecx - __ebx;
																	__eax = __ecx - __ebx - 0x1ba0;
																	__eflags = __ecx - __ebx - 0x1ba0 - __ebx[3];
																	if(__ecx - __ebx - 0x1ba0 >= __ebx[3]) {
																		__eax = __ecx;
																		__eax = __ecx - __ebx[3];
																		__eflags = __eax;
																	} else {
																		__ebx[0x26e8] = __ebx[0x26e8] - __ebx[3];
																		__ebx[0x26e8] - __ebx[3] - __ebx = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460;
																		__eax = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460 + __ecx;
																	}
																	__eflags = __ebx[1];
																	 *(__esp + 0x24) = __eax;
																	if(__ebx[1] != 0) {
																		do {
																			L135:
																			__eflags = __ebp;
																			if(__ebp != 0) {
																				goto L151;
																			}
																			L136:
																			__eflags = __ecx - __ebx[0x26e8];
																			if(__ecx != __ebx[0x26e8]) {
																				L142:
																				__ebx[0x26ea] = __ecx;
																				L00407FBE(__edx);
																				__ecx = __ebx[0x26ea];
																				__eax = __ebx[0x26e9];
																				__edx =  *(__esp + 0x48);
																				 *(__esp + 0x18) = __ecx;
																				__eflags = __ecx - __eax;
																				if(__ecx >= __eax) {
																					__eax = __ebx[0x26e8];
																					__ebp = __eax;
																					__ebp = __eax - __ecx;
																					__eflags = __ebp;
																				} else {
																					__ebp = __eax;
																					__eax =  *(__edx + 0x9bb0);
																					__ebp = __ebp - __ecx;
																					__ebp = __ebp - 1;
																				}
																				 *(__esp + 0x30) = __eax;
																				__eflags = __ecx - __eax;
																				if(__ecx == __eax) {
																					__eax =  &(__ebx[0x6e8]);
																					__eflags = __ebx[0x26e9] - __eax;
																					if(__ebx[0x26e9] != __eax) {
																						__ebp = __ebx[0x26e9];
																						__ecx = __eax;
																						 *(__esp + 0x18) = __ecx;
																						__eflags = __eax - __ebp;
																						if(__eax >= __ebp) {
																							__ebp =  *(__esp + 0x30);
																							__ebp =  *(__esp + 0x30) - __eax;
																							__eflags = __ebp;
																						} else {
																							__ebp = __ebp - __eax;
																							__ebp = __ebp - 1;
																						}
																					}
																				}
																				__eflags = __ebp;
																				if(__ebp == 0) {
																					goto L192;
																				} else {
																					goto L151;
																				}
																			}
																			L137:
																			__ebp = __ebx[0x26e9];
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __ebp - __eax;
																			if(__eflags == 0) {
																				goto L142;
																			}
																			L138:
																			__ecx = __eax;
																			if(__eflags <= 0) {
																				__ebp = __ebx[0x26e8];
																				__ebp = __ebx[0x26e8] - __eax;
																				__eflags = __ebp;
																			} else {
																				__ebp = __ebp - __eax;
																				__ebp = __ebp - 1;
																			}
																			__eflags = __ebp;
																			if(__ebp == 0) {
																				goto L142;
																			}
																			L151:
																			__eax =  *(__esp + 0x24);
																			__al =  *( *(__esp + 0x24));
																			 *__ecx = __al;
																			__ecx = __ecx + 1;
																			__eax =  *(__esp + 0x24);
																			__eax =  *(__esp + 0x24) + 1;
																			 *(__esp + 0x18) = __ecx;
																			__ebp = __ebp - 1;
																			 *(__esp + 0x24) = __eax;
																			__eflags = __eax - __ebx[0x26e8];
																			if(__eax == __ebx[0x26e8]) {
																				__eax =  &(__ebx[0x6e8]);
																				 *(__esp + 0x24) = __eax;
																			}
																			_t356 =  &(__ebx[1]);
																			 *_t356 = __ebx[1] - 1;
																			__eflags =  *_t356;
																		} while ( *_t356 != 0);
																	}
																	goto L154;
																case 6:
																	L155:
																	__edx =  *(__esp + 0x48);
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		L171:
																		__al = __ebx[2];
																		 *__ecx = __al;
																		__ecx = __ecx + 1;
																		 *(__esp + 0x18) = __ecx;
																		__ebp = __ebp - 1;
																		L154:
																		 *__ebx =  *__ebx & 0x00000000;
																		goto L177;
																	}
																	L156:
																	__eflags = __ecx - __ebx[0x26e8];
																	if(__ecx != __ebx[0x26e8]) {
																		L162:
																		__ebx[0x26ea] = __ecx;
																		L00407FBE(__edx);
																		__ecx = __ebx[0x26ea];
																		__eax = __ebx[0x26e9];
																		__edx =  *(__esp + 0x48);
																		 *(__esp + 0x18) = __ecx;
																		__eflags = __ecx - __eax;
																		if(__ecx >= __eax) {
																			__eax = __ebx[0x26e8];
																			__ebp = __eax;
																			__ebp = __eax - __ecx;
																			__eflags = __ebp;
																		} else {
																			__ebp = __eax;
																			__eax =  *(__edx + 0x9bb0);
																			__ebp = __ebp - __ecx;
																			__ebp = __ebp - 1;
																		}
																		 *(__esp + 0x30) = __eax;
																		__eflags = __ecx - __eax;
																		if(__ecx == __eax) {
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __ebx[0x26e9] - __eax;
																			if(__ebx[0x26e9] != __eax) {
																				__ebp = __ebx[0x26e9];
																				__ecx = __eax;
																				 *(__esp + 0x18) = __ecx;
																				__eflags = __eax - __ebp;
																				if(__eax >= __ebp) {
																					__ebp =  *(__esp + 0x30);
																					__ebp =  *(__esp + 0x30) - __eax;
																					__eflags = __ebp;
																				} else {
																					__ebp = __ebp - __eax;
																					__ebp = __ebp - 1;
																				}
																			}
																		}
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			goto L192;
																		} else {
																			goto L171;
																		}
																	}
																	L157:
																	__ebp = __ebx[0x26e9];
																	__eax =  &(__ebx[0x6e8]);
																	__eflags = __ebp - __eax;
																	if(__eflags == 0) {
																		goto L162;
																	}
																	L158:
																	__ecx = __eax;
																	if(__eflags <= 0) {
																		__ebp = __ebx[0x26e8];
																		__ebp = __ebx[0x26e8] - __eax;
																		__eflags = __ebp;
																	} else {
																		__ebp = __ebp - __eax;
																		__ebp = __ebp - 1;
																	}
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		goto L171;
																	} else {
																		goto L162;
																	}
																case 7:
																	L172:
																	_push(7);
																	_pop(__ebp);
																	__eflags = __esi - __ebp;
																	if(__esi > __ebp) {
																		__esi = __esi - 8;
																		__eax = __eax + 1;
																		_t378 = __esp + 0x14;
																		 *_t378 =  *(__esp + 0x14) - 1;
																		__eflags =  *_t378;
																		 *(__esp + 0x20) = __esi;
																		 *(__esp + 0x10) = __eax;
																	}
																	goto L174;
																case 8:
																	L2:
																	_t641 =  *(_t657 + 0x48);
																	__eflags = _t652 - 3;
																	if(_t652 >= 3) {
																		L7:
																		_t652 = _t652 + 0xfffffffd;
																		_t478 = _t647 & 0x00000007;
																		_t647 = _t647 >> 3;
																		 *(_t657 + 0x30) = _t478;
																		__eflags = _t478 & 0x00000001;
																		_push(8);
																		_pop(_t479);
																		_t480 =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
																		_t567[0x145] =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
																		 *(_t657 + 0x2c) = _t647;
																		 *(_t657 + 0x20) = _t652;
																		_t483 =  *(_t657 + 0x30) >> 1;
																		__eflags = _t483;
																		if(_t483 == 0) {
																			L23:
																			_push(7);
																			 *_t567 = 9;
																			_pop(_t484);
																			_t647 = _t647 >> (_t652 & _t484);
																			_t652 = _t652 & 0xfffffff8;
																			 *(_t657 + 0x20) = _t652;
																			goto L22;
																		}
																		L8:
																		_t485 = _t483 - 1;
																		__eflags = _t485;
																		if(_t485 == 0) {
																			L13:
																			__eflags =  *0x432810;
																			if( *0x432810 != 0) {
																				L21:
																				_t486 =  *0x40b0e4; // 0x9
																				_t567[4] = _t486;
																				_t487 =  *0x40b0e8; // 0x5
																				_t567[4] = _t487;
																				_t488 =  *0x433098; // 0x432818
																				_t567[5] = _t488;
																				_t489 =  *0x43309c; // 0x433018
																				 *_t567 =  *_t567 & 0x00000000;
																				__eflags =  *_t567;
																				_t567[6] = _t489;
																				goto L22;
																			} else {
																				 *(_t657 + 0x28) =  *(_t657 + 0x28) & 0x00000000;
																				_t490 = 0;
																				__eflags = 0;
																				_push(7);
																				_pop(_t569);
																				do {
																					L15:
																					_push(8);
																					_pop(_t583);
																					__eflags = _t490 - 0x8f;
																					if(_t490 > 0x8f) {
																						__eflags = _t490 - 0x100;
																						if(_t490 >= 0x100) {
																							_push(8);
																							__eflags = _t490 - 0x118;
																							_pop(_t587);
																							_t583 =  <  ? _t569 : _t587;
																							__eflags = _t583;
																						} else {
																							_push(9);
																							_pop(_t583);
																						}
																					}
																					L19:
																					 *(0x433520 + _t490 * 4) = _t583;
																					_t490 = _t490 + 1;
																					__eflags = _t490 - 0x120;
																				} while (_t490 < 0x120);
																				_t567 =  *(_t657 + 0x38);
																				E00406EA8(0x433520, 0x120, 0x101, 0x4099c4, 0x409a04, 0x433098, 0x40b0e4, 0x432818, _t657 + 0x28);
																				_push(0x1e);
																				_pop(_t585);
																				_push(5);
																				_pop(_t493);
																				memset(0x433520, _t493, _t585 << 2);
																				_t657 = _t657 + 0xc;
																				E00406EA8(0x433520, 0x1e, 0, 0x409a44, 0x409a80, 0x43309c, 0x40b0e8, 0x432818, _t657 + 0x28);
																				_t647 =  *(_t657 + 0x2c);
																				 *0x432810 = 1;
																				goto L21;
																			}
																		}
																		L9:
																		_t497 = _t485 - 1;
																		__eflags = _t497;
																		if(_t497 == 0) {
																			 *_t567 = 0xb;
																			goto L177;
																		}
																		L10:
																		__eflags = _t497 == 1;
																		_t476 =  *(_t657 + 0x10);
																		if(_t497 == 1) {
																			goto L194;
																		} else {
																			goto L178;
																		}
																	} else {
																		_t588 =  *(_t657 + 0x14);
																		while(1) {
																			L4:
																			__eflags = _t476;
																			if(_t476 == 0) {
																				goto L181;
																			}
																			L5:
																			 *(_t657 + 0x10) = _t476 - 1;
																			_t503 = ( *_t588 & 0x000000ff) << _t652;
																			_t652 = _t652 + 8;
																			_t647 = _t647 | _t503;
																			_push(3);
																			_pop(_t504);
																			_t588 =  &(( *(_t657 + 0x14))[1]);
																			__eflags = _t652 - _t504;
																			_t476 =  *(_t657 + 0x10);
																			 *(_t657 + 0x14) = _t588;
																			if(_t652 < _t504) {
																				continue;
																			} else {
																				goto L7;
																			}
																		}
																		goto L181;
																	}
																case 9:
																	L24:
																	__edx =  *(__esp + 0x48);
																	__eflags = __esi - 0x20;
																	if(__esi >= 0x20) {
																		L29:
																		__eax = __di & 0x0000ffff;
																		__esi = 0;
																		__edi = 0;
																		__ebx[1] = __eax;
																		 *(__esp + 0x20) = 0;
																		__eflags = __eax;
																		if(__eax == 0) {
																			__eax = __ebx[0x145];
																		} else {
																			_push(0xa);
																			_pop(__eax);
																		}
																		 *__ebx = __eax;
																		goto L177;
																	}
																	L25:
																	__ecx =  *(__esp + 0x14);
																	while(1) {
																		L26:
																		__eflags = __eax;
																		if(__eax == 0) {
																			break;
																		}
																		L27:
																		 *(__esp + 0x10) = __eax;
																		__eax =  *__ecx & 0x000000ff;
																		__ecx = __esi;
																		__eax = __eax << __cl;
																		__esi = __esi + 8;
																		__ecx =  *(__esp + 0x14);
																		__edi = __edi | __eax;
																		__eax =  *(__esp + 0x10);
																		__ecx =  *(__esp + 0x14) + 1;
																		 *(__esp + 0x14) = __ecx;
																		__eflags = __esi - 0x20;
																		if(__esi < 0x20) {
																			continue;
																		}
																		L28:
																		__ecx =  *(__esp + 0x18);
																		goto L29;
																	}
																	L181:
																	_t567[0x147] = _t647;
																	_t567[0x146] = _t652;
																	_t393 =  &(_t641[1]);
																	 *_t393 = _t641[1] & 0x00000000;
																	__eflags =  *_t393;
																	 *_t641 = _t588;
																	_t567[0x26ea] =  *(_t657 + 0x18);
																	goto L182;
																case 0xa:
																	L33:
																	__edx =  *(__esp + 0x48);
																	__eflags = __eax;
																	if(__eax == 0) {
																		L185:
																		__eax =  *(__esp + 0x14);
																		__ebx[0x147] = __edi;
																		__ebx[0x146] = __esi;
																		 *(__edx + 4) =  *(__edx + 4) & 0x00000000;
																		 *__edx =  *(__esp + 0x14);
																		__ebx[0x26ea] = __ecx;
																		L182:
																		_push(_t641);
																		L183:
																		L00407FBE();
																		_t450 = 0;
																		goto L197;
																	}
																	L34:
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		L51:
																		__edx =  *(__esp + 0x14);
																		__eflags = __ebp - __eax;
																		__esi = __eax;
																		__esi =  <  ? __ebp : __eax;
																		__eflags = __ebx[1] - __esi;
																		__esi =  <  ? __ebx[1] : __esi;
																		E004066B4(__ecx,  *(__esp + 0x14), __esi) =  *(__esp + 0x10);
																		__ebp = __ebp - __esi;
																		__ecx =  *(__esp + 0x18);
																		__eax =  *(__esp + 0x10) - __esi;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + __esi;
																		__ecx =  *(__esp + 0x18) + __esi;
																		_t72 =  &(__ebx[1]);
																		 *_t72 = __ebx[1] - __esi;
																		__eflags =  *_t72;
																		__esi =  *(__esp + 0x20);
																		_push(0xf);
																		 *(__esp + 0x14) = __eax;
																		 *(__esp + 0x1c) = __ecx;
																		_pop(__edx);
																		if( *_t72 != 0) {
																			goto L179;
																		}
																		L52:
																		__eax = __ebx[0x145];
																		 *__ebx = __eax;
																		L53:
																		_t476 =  *(_t657 + 0x10);
																		goto L179;
																	}
																	L35:
																	__eflags = __ecx - __ebx[0x26e8];
																	if(__ecx != __ebx[0x26e8]) {
																		L41:
																		__ebx[0x26ea] = __ecx;
																		L00407FBE(__edx);
																		__ecx = __ebx[0x26ea];
																		__edx = __ebx[0x26e9];
																		__eax = __ebx[0x26e8];
																		 *(__esp + 0x18) = __ecx;
																		__eflags = __ecx - __edx;
																		if(__ecx >= __edx) {
																			__ebp = __eax;
																			__ebp = __eax - __ecx;
																			__eflags = __ebp;
																		} else {
																			__edx = __edx - __ecx;
																			__ebp = __edx - __ecx - 1;
																		}
																		__eflags = __ecx - __eax;
																		if(__ecx == __eax) {
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __edx - __eax;
																			if(__eflags != 0) {
																				__ecx = __eax;
																				 *(__esp + 0x18) = __ecx;
																				if(__eflags <= 0) {
																					__ebp = __ebx[0x26e8];
																					__ebp = __ebx[0x26e8] - __eax;
																					__eflags = __ebp;
																				} else {
																					__ebp = __edx - __eax - 1;
																				}
																			}
																		}
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			L184:
																			__eax =  *(__esp + 0x48);
																			__edx =  *(__esp + 0x14);
																			__ebx[0x146] = __esi;
																			__esi =  *(__esp + 0x10);
																			__ebx[0x147] = __edi;
																			 *(__eax + 4) =  *(__esp + 0x10);
																			 *__eax =  *(__esp + 0x14);
																			__ebx[0x26ea] = __ecx;
																			_push(__eax);
																			goto L183;
																		} else {
																			L50:
																			__eax =  *(__esp + 0x10);
																			goto L51;
																		}
																	}
																	L36:
																	__ebp =  &(__ebx[0x6e8]);
																	 *(__esp + 0x24) =  &(__ebx[0x6e8]);
																	__ebp = __ebx[0x26e9];
																	__eflags = __ebp -  *(__esp + 0x24);
																	if(__eflags == 0) {
																		goto L41;
																	}
																	L37:
																	__ecx =  &(__ebx[0x6e8]);
																	 *(__esp + 0x18) = __ecx;
																	if(__eflags <= 0) {
																		__ebp = __ebx[0x26e8];
																		__ebp = __ebx[0x26e8] -  *(__esp + 0x24);
																		__eflags = __ebp;
																	} else {
																		__ebp = __ebp -  *(__esp + 0x24);
																		__ebp = __ebp - 1;
																	}
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		goto L51;
																	} else {
																		goto L41;
																	}
																case 0xb:
																	goto L0;
																case 0xc:
																	L60:
																	_t574 = _t567[2];
																	_t637 =  *(_t657 + 0x48);
																	goto L65;
																case 0xd:
																	goto L71;
																case 0xe:
																	goto L194;
																case 0xf:
																	L174:
																	__edx =  *(__esp + 0x48);
																	__ebx[0x26ea] = __ecx;
																	L00407FBE( *(__esp + 0x48));
																	__ecx = __ebx[0x26ea];
																	__eax = __ebx[0x26e9];
																	 *(__esp + 0x18) = __ecx;
																	__eflags = __ecx - __eax;
																	if(__ecx < __eax) {
																		L191:
																		__edx =  *(__esp + 0x48);
																		L192:
																		 *(__esp + 0x1c) =  *(__esp + 0x1c) & 0x00000000;
																		__ebx[0x146] = __esi;
																		__esi =  *(__esp + 0x10);
																		__ebx[0x147] = __edi;
																		 *(__edx + 4) =  *(__esp + 0x10);
																		goto L196;
																	}
																	L175:
																	__ebp = __ebx[0x26e8];
																	__ebp = __ebx[0x26e8] - __ecx;
																	__eflags = __ecx - __eax;
																	if(__ecx != __eax) {
																		goto L191;
																	}
																	L176:
																	__eax = __ebx[0x145];
																	 *__ebx = __eax;
																	__eflags = __eax - 8;
																	if(__eax != 8) {
																		L190:
																		__edx =  *(__esp + 0x48);
																		__ebx[0x146] = __esi;
																		__esi =  *(__esp + 0x10);
																		__ebx[0x147] = __edi;
																		 *( *(__esp + 0x48) + 4) =  *(__esp + 0x10);
																		 *(__esp + 0x1c) = 1;
																		goto L196;
																	}
																	goto L177;
															}
														}
														goto L194;
													}
													L110:
													_t567[3] = _t532;
													_t567[2] = _t609 + (_t609[2] & 0x0000ffff) * 4;
													goto L22;
												}
												L108:
												_t639 = 0xf;
												_t567[2] = _t532 & _t639;
												_t567[1] = _t609[2] & 0x0000ffff;
												 *_t567 = 2;
												goto L53;
											}
											L106:
											_t567[2] = _t609[2] & 0x0000ffff;
											 *_t567 = 6;
											goto L22;
										} else {
											goto L187;
										}
									}
									L72:
									while(1) {
										L76:
										_t611 = _t567[0x143];
										if(_t652 < _t611) {
											break;
										}
										L77:
										_t544 = _t567[0x144];
										_t614 =  *(0x40b0c0 + _t611 * 2) & 0x0000ffff & _t647;
										_t545 =  *(_t544 + 2 + _t614 * 4) & 0x0000ffff;
										 *(_t657 + 0x24) =  *(_t544 + 1 + _t614 * 4) & 0x000000ff;
										_t637 =  *(_t657 + 0x48);
										 *(_t657 + 0x2c) = _t545;
										if(_t545 >= 0x10) {
											L79:
											if(_t545 != 0x12) {
												_t615 = _t545 - 0xe;
											} else {
												_t615 = 7;
											}
											 *(_t657 + 0x20) = _t615;
											_t616 = 0xb;
											_t546 = 3;
											_t617 =  !=  ? _t546 : _t616;
											_t547 =  *(_t657 + 0x20);
											 *(_t657 + 0x28) =  !=  ? _t546 : _t616;
											_t619 =  *(_t657 + 0x24) + _t547;
											 *(_t657 + 0x30) = _t619;
											if(_t652 >= _t619) {
												L86:
												_t651 = _t647 >>  *(_t657 + 0x24);
												 *(_t657 + 0x28) = ( *(0x40b0c0 + _t547 * 2) & 0x0000ffff & _t651) +  *(_t657 + 0x28);
												_t652 = _t652 - _t547 +  *(_t657 + 0x24);
												_t647 = _t651 >> _t547;
												_t625 = _t567[1];
												 *(_t657 + 0x20) = _t567[2];
												_t476 =  *(_t657 + 0x20) +  *(_t657 + 0x28);
												if(_t476 > (_t625 & 0x0000001f) + (_t625 >> 0x00000005 & 0x0000001f) + 0x102) {
													goto L188;
												}
												L87:
												_t476 =  *(_t657 + 0x20);
												if( *(_t657 + 0x2c) != 0x10) {
													L90:
													_t186 = _t657 + 0x2c;
													 *_t186 =  *(_t657 + 0x2c) & 0x00000000;
													L91:
													_t646 =  *(_t657 + 0x2c);
													_t629 =  &(_t567[_t476 + 3]);
													do {
														L92:
														_t476 = _t476 + 1;
														 *_t629 = _t646;
														_t192 = _t657 + 0x28;
														 *_t192 =  *(_t657 + 0x28) - 1;
														_t629 =  &(_t629[1]);
													} while ( *_t192 != 0);
													_t637 =  *(_t657 + 0x48);
													_t567[2] = _t476;
													L94:
													 *(_t657 + 0x20) = _t476;
													_t555 = _t567[1];
													 *(_t657 + 0x24) = _t555;
													if( *(_t657 + 0x20) < (_t555 & 0x0000001f) + 0x102 + (_t555 >> 0x00000005 & 0x0000001f)) {
														continue;
													}
													goto L95;
												}
												L88:
												if(_t476 < 1) {
													goto L188;
												}
												L89:
												 *(_t657 + 0x2c) =  *(_t567 + 8 + _t476 * 4);
												goto L91;
											} else {
												while(1) {
													L83:
													_t559 =  *(_t657 + 0x10);
													if(_t559 == 0) {
														goto L189;
													}
													L84:
													_t634 = _t652;
													 *(_t657 + 0x10) = _t559 - 1;
													_t652 = _t652 + 8;
													_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t634;
													 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
													if(_t652 <  *(_t657 + 0x30)) {
														continue;
													}
													L85:
													_t547 =  *(_t657 + 0x20);
													goto L86;
												}
												goto L189;
											}
										}
										L78:
										_t635 =  *(_t657 + 0x24);
										_t652 = _t652 - _t635;
										_t647 = _t647 >> _t635;
										 *(_t567 + 0xc + _t567[2] * 4) =  *(_t657 + 0x2c);
										_t567[2] = _t567[2] + 1;
										_t476 = _t567[2];
										goto L94;
									}
									L74:
									_t539 =  *(_t657 + 0x10);
									if(_t539 == 0) {
										goto L189;
									}
									L75:
									 *(_t657 + 0x10) = _t539 - 1;
									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
									_t652 = _t652 + 8;
									goto L76;
								}
							} else {
								goto L67;
							}
							do {
								L67:
								_t105 = _t567[2] + 0x4099b0; // 0x121110
								 *(_t567 + 0xc +  *_t105 * 4) =  *(_t567 + 0xc +  *_t105 * 4) & 0x00000000;
								_t567[2] = _t567[2] + 1;
							} while (_t567[2] < _t638);
							goto L68;
						}
					}
				}
			}

0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x00000000
0x00407629
0x00407606
0x00407ee0
0x00407ee0
0x00407ee5
0x00407eeb
0x00407ef1
0x00407f5a
0x00407f5e
0x00407f65
0x00407f6b
0x00407f70
0x00407f74
0x00407f7b
0x00407f7b
0x0040760c
0x0040760f
0x0040761c
0x0040761e
0x00407622
0x00407626
0x00407626
0x00407630
0x00407638
0x00407640
0x00407ea3
0x00407ea3
0x00407ead
0x00407eb3
0x00407eb9
0x00000000
0x00407658
0x00407658
0x00407658
0x0040765b
0x0040765e
0x00407662
0x00407666
0x0040766c
0x0040766c
0x0040766c
0x0040766f
0x00000000
0x004076c9
0x0040769a
0x0040769a
0x0040769c
0x0040769f
0x00000000
0x00000000
0x00407675
0x00407675
0x0040767b
0x00000000
0x00000000
0x00407681
0x00407684
0x00407691
0x00407693
0x00407697
0x00407697
0x004076a1
0x004076a3
0x004076a4
0x004076a6
0x004076ab
0x004076b0
0x004076b7
0x004076be
0x004076bf
0x004076c0
0x004076c2
0x004076c5
0x004076c5
0x004076d8
0x004076db
0x004076f4
0x004076f6
0x004076f7
0x00407702
0x00407722
0x00407729
0x00407764
0x00407764
0x00000000
0x00407733
0x00407733
0x00407733
0x00407736
0x0040773c
0x0040773c
0x00407741
0x00407745
0x0040775c
0x004078fc
0x004078fc
0x00407904
0x0040790d
0x00407920
0x00407926
0x0040792e
0x0040793d
0x0040795f
0x0040796b
0x0040796c
0x00407971
0x00407ec1
0x00407ec1
0x00407ec5
0x00407ec5
0x00407ecf
0x00407ed5
0x00407edb
0x00407f53
0x00407f56
0x00000000
0x00407f56
0x00407977
0x004079a9
0x004079b0
0x00000000
0x00000000
0x004079b6
0x004079b6
0x004079bc
0x004079cc
0x004079d0
0x004079d3
0x004079da
0x004079e1
0x004079e4
0x004079e7
0x004079eb
0x004079f1
0x004079f4
0x004079f8
0x004079fe
0x004079fe
0x00407a29
0x00407a29
0x00407a29
0x00407a2e
0x00000000
0x00000000
0x00407a04
0x00407a06
0x00000000
0x00000000
0x00407a0c
0x00407a0f
0x00407a1c
0x00407a1e
0x00407a22
0x00407a26
0x00407a26
0x00407a30
0x00407a38
0x00407a3b
0x00407a3d
0x00407a40
0x00407a45
0x00407a47
0x00407a49
0x00407a4b
0x00407a4f
0x00407a53
0x00407a58
0x00407a6c
0x00407a6e
0x00407a8e
0x00407a90
0x00407aa4
0x00407aa6
0x00407f36
0x00407f36
0x00407f3a
0x00407f3a
0x00407f3e
0x00407f44
0x00407f4a
0x00407f50
0x00000000
0x00407f50
0x00407aac
0x00407aae
0x00407aaf
0x00407473
0x00407e22
0x00407e22
0x00407e26
0x00407e28
0x00000000
0x00407e29
0x004072f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407ab6
0x00407ae1
0x00407ae1
0x00407ae1
0x00407ae4
0x00407ae6
0x00000000
0x00000000
0x00407abc
0x00407abc
0x00407abe
0x00000000
0x00000000
0x00407ac4
0x00407ac4
0x00407ac5
0x00407ac7
0x00407acf
0x00407ad2
0x00407ad4
0x00407ad6
0x00407ada
0x00407ade
0x00407ade
0x00407ade
0x00407ae8
0x00407ae8
0x00407af0
0x00407af2
0x00407af4
0x00407af7
0x00407af7
0x00407af9
0x00407afd
0x00407b00
0x00407b03
0x00407b06
0x00407b08
0x00407b09
0x00407b0b
0x00000000
0x00000000
0x00407b0f
0x00407b0f
0x00407b3a
0x00407b3a
0x00407b3a
0x00407b3d
0x00407b3f
0x00000000
0x00000000
0x00407b15
0x00407b15
0x00407b17
0x00000000
0x00000000
0x00407b1d
0x00407b1d
0x00407b1e
0x00407b20
0x00407b28
0x00407b2b
0x00407b2d
0x00407b2f
0x00407b33
0x00407b37
0x00407b37
0x00407b37
0x00407b41
0x00407b41
0x00407b49
0x00407b4e
0x00407b51
0x00407b55
0x00407b59
0x00407b5b
0x00407b5e
0x00407b60
0x00407b64
0x00407b66
0x00407b86
0x00407b86
0x00407b88
0x00000000
0x00000000
0x00407b8e
0x00407b8e
0x00000000
0x00407b8e
0x00407b68
0x00407b68
0x00407b6a
0x00407b6b
0x00407b6d
0x00407b71
0x00407b74
0x00407b78
0x00407b7b
0x00000000
0x00000000
0x00407b97
0x00407b97
0x00407bc2
0x00407bc2
0x00407bc2
0x00407bc5
0x00407bc7
0x00000000
0x00000000
0x00407b9d
0x00407b9d
0x00407b9f
0x00000000
0x00000000
0x00407ba5
0x00407ba5
0x00407ba6
0x00407ba8
0x00407bb0
0x00407bb3
0x00407bb5
0x00407bb7
0x00407bbb
0x00407bbf
0x00407bbf
0x00407bbf
0x00407bc9
0x00407bc9
0x00407bd1
0x00407bd3
0x00407bd5
0x00407bd8
0x00407bd8
0x00407bda
0x00407bde
0x00407be2
0x00000000
0x00000000
0x00407be8
0x00407be8
0x00407bee
0x00407bf0
0x00407bf5
0x00407bf8
0x00407c0e
0x00407c10
0x00407c10
0x00407bfa
0x00407c00
0x00407c05
0x00407c0a
0x00407c0a
0x00407c13
0x00407c17
0x00407c1b
0x00407c21
0x00407c21
0x00407c21
0x00407c23
0x00000000
0x00000000
0x00407c29
0x00407c29
0x00407c2f
0x00407c56
0x00407c57
0x00407c5d
0x00407c62
0x00407c68
0x00407c6e
0x00407c72
0x00407c76
0x00407c78
0x00407c87
0x00407c8d
0x00407c8f
0x00407c8f
0x00407c7a
0x00407c7a
0x00407c7c
0x00407c82
0x00407c84
0x00407c84
0x00407c91
0x00407c95
0x00407c97
0x00407c99
0x00407c9f
0x00407ca5
0x00407ca7
0x00407cad
0x00407caf
0x00407cb3
0x00407cb5
0x00407cbc
0x00407cc0
0x00407cc0
0x00407cb7
0x00407cb7
0x00407cb9
0x00407cb9
0x00407cb5
0x00407ca5
0x00407cc2
0x00407cc4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407cc4
0x00407c31
0x00407c31
0x00407c37
0x00407c3d
0x00407c3f
0x00000000
0x00000000
0x00407c41
0x00407c41
0x00407c43
0x00407c4a
0x00407c50
0x00407c50
0x00407c45
0x00407c45
0x00407c47
0x00407c47
0x00407c52
0x00407c54
0x00000000
0x00000000
0x00407cca
0x00407cca
0x00407cce
0x00407cd0
0x00407cd2
0x00407cd3
0x00407cd7
0x00407cd8
0x00407cdc
0x00407cdd
0x00407ce1
0x00407ce7
0x00407ce9
0x00407cef
0x00407cef
0x00407cf3
0x00407cf3
0x00407cf3
0x00407cf3
0x00407c21
0x00000000
0x00000000
0x00407d05
0x00407d05
0x00407d09
0x00407d0b
0x00407db2
0x00407db2
0x00407db5
0x00407db7
0x00407db8
0x00407dbc
0x00407cfd
0x00407cfd
0x00000000
0x00407cfd
0x00407d11
0x00407d11
0x00407d17
0x00407d3e
0x00407d3f
0x00407d45
0x00407d4a
0x00407d50
0x00407d56
0x00407d5a
0x00407d5e
0x00407d60
0x00407d6f
0x00407d75
0x00407d77
0x00407d77
0x00407d62
0x00407d62
0x00407d64
0x00407d6a
0x00407d6c
0x00407d6c
0x00407d79
0x00407d7d
0x00407d7f
0x00407d81
0x00407d87
0x00407d8d
0x00407d8f
0x00407d95
0x00407d97
0x00407d9b
0x00407d9d
0x00407da4
0x00407da8
0x00407da8
0x00407d9f
0x00407d9f
0x00407da1
0x00407da1
0x00407d9d
0x00407d8d
0x00407daa
0x00407dac
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dac
0x00407d19
0x00407d19
0x00407d1f
0x00407d25
0x00407d27
0x00000000
0x00000000
0x00407d29
0x00407d29
0x00407d2b
0x00407d32
0x00407d38
0x00407d38
0x00407d2d
0x00407d2d
0x00407d2f
0x00407d2f
0x00407d3a
0x00407d3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dc2
0x00407dc2
0x00407dc4
0x00407dc5
0x00407dc7
0x00407dc9
0x00407dcc
0x00407dcd
0x00407dcd
0x00407dcd
0x00407dd1
0x00407dd5
0x00407dd5
0x00000000
0x00000000
0x004072f8
0x004072f8
0x004072fc
0x004072ff
0x00407336
0x00407338
0x0040733b
0x0040733e
0x00407341
0x00407345
0x00407347
0x00407349
0x0040734a
0x0040734f
0x0040735b
0x0040735f
0x00407363
0x00407363
0x00407366
0x0040747c
0x0040747c
0x00407480
0x00407486
0x00407489
0x0040748b
0x0040748e
0x00000000
0x0040748e
0x0040736c
0x0040736c
0x0040736c
0x0040736f
0x00407393
0x00407393
0x0040739a
0x00407450
0x00407450
0x00407455
0x00407458
0x0040745d
0x00407460
0x00407465
0x00407468
0x0040746d
0x0040746d
0x00407470
0x00000000
0x004073a0
0x004073a0
0x004073a5
0x004073a5
0x004073a7
0x004073a9
0x004073aa
0x004073aa
0x004073aa
0x004073ac
0x004073ad
0x004073b2
0x004073b4
0x004073b9
0x004073c0
0x004073c2
0x004073c7
0x004073c8
0x004073c8
0x004073bb
0x004073bb
0x004073bd
0x004073bd
0x004073b9
0x004073cb
0x004073cb
0x004073d2
0x004073d8
0x004073d8
0x004073dc
0x00407409
0x0040740e
0x00407410
0x00407411
0x00407413
0x0040741b
0x0040741b
0x00407440
0x00407445
0x00407449
0x00000000
0x00407449
0x0040739a
0x00407371
0x00407371
0x00407371
0x00407374
0x00407388
0x00000000
0x00407388
0x00407376
0x00407376
0x00407379
0x0040737d
0x00000000
0x00407383
0x00000000
0x00407383
0x00407301
0x00407301
0x00407305
0x00407305
0x00407305
0x00407307
0x00000000
0x00000000
0x0040730d
0x0040730e
0x00407317
0x00407319
0x00407320
0x00407322
0x00407324
0x00407325
0x00407326
0x00407328
0x0040732c
0x00407330
0x00000000
0x00407332
0x00000000
0x00407332
0x00407330
0x00000000
0x00407305
0x00000000
0x00407494
0x00407494
0x00407498
0x0040749b
0x004074d0
0x004074d0
0x004074d3
0x004074d5
0x004074d7
0x004074da
0x004074de
0x004074e0
0x004074e7
0x004074e2
0x004074e2
0x004074e4
0x004074e4
0x004074ed
0x00000000
0x004074ed
0x0040749d
0x0040749d
0x004074a1
0x004074a1
0x004074a1
0x004074a3
0x00000000
0x00000000
0x004074a9
0x004074aa
0x004074ae
0x004074b1
0x004074b3
0x004074b5
0x004074b8
0x004074bc
0x004074be
0x004074c2
0x004074c3
0x004074c7
0x004074ca
0x00000000
0x00000000
0x004074cc
0x004074cc
0x00000000
0x004074cc
0x00407e36
0x00407e3a
0x00407e40
0x00407e46
0x00407e46
0x00407e46
0x00407e4a
0x00407e4c
0x00000000
0x00000000
0x004074f4
0x004074f4
0x004074f8
0x004074fa
0x00407e85
0x00407e85
0x00407e89
0x00407e8f
0x00407e95
0x00407e99
0x00407e9b
0x00407e52
0x00407e52
0x00407e53
0x00407e53
0x00407e58
0x00000000
0x00407e58
0x00407500
0x00407500
0x00407502
0x004075a9
0x004075a9
0x004075ad
0x004075af
0x004075b1
0x004075b4
0x004075b7
0x004075c3
0x004075c7
0x004075c9
0x004075cd
0x004075cf
0x004075d3
0x004075d5
0x004075d5
0x004075d5
0x004075d8
0x004075dc
0x004075de
0x004075e2
0x004075e6
0x004075e7
0x00000000
0x00000000
0x004075ed
0x004075ed
0x004075f3
0x004075f5
0x004075f5
0x00000000
0x004075f5
0x00407508
0x00407508
0x0040750e
0x00407547
0x00407548
0x0040754e
0x00407553
0x00407559
0x0040755f
0x00407565
0x00407569
0x0040756b
0x00407574
0x00407576
0x00407576
0x0040756d
0x0040756f
0x00407571
0x00407571
0x00407578
0x0040757a
0x0040757c
0x00407582
0x00407584
0x00407586
0x00407588
0x0040758c
0x00407595
0x0040759b
0x0040759b
0x0040758e
0x00407592
0x00407592
0x0040758c
0x00407584
0x0040759d
0x0040759f
0x00407e5f
0x00407e5f
0x00407e63
0x00407e67
0x00407e6d
0x00407e71
0x00407e77
0x00407e7a
0x00407e7c
0x00407e82
0x00000000
0x004075a5
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040759f
0x00407510
0x00407510
0x00407516
0x0040751a
0x00407520
0x00407524
0x00000000
0x00000000
0x00407526
0x00407526
0x0040752c
0x00407530
0x00407539
0x0040753f
0x0040753f
0x00407532
0x00407532
0x00407536
0x00407536
0x00407543
0x00407545
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040766c
0x0040766c
0x0040766f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd9
0x00407dd9
0x00407dde
0x00407de4
0x00407de9
0x00407def
0x00407df5
0x00407df9
0x00407dfb
0x00407f18
0x00407f18
0x00407f1c
0x00407f1c
0x00407f21
0x00407f27
0x00407f2b
0x00407f31
0x00000000
0x00407f31
0x00407e01
0x00407e01
0x00407e07
0x00407e09
0x00407e0b
0x00000000
0x00000000
0x00407e11
0x00407e11
0x00407e17
0x00407e19
0x00407e1c
0x00407ef7
0x00407ef7
0x00407efb
0x00407f01
0x00407f05
0x00407f0b
0x00407f0e
0x00000000
0x00407f0e
0x00000000
0x00000000
0x004072f1
0x00000000
0x00407e31
0x00407a92
0x00407a92
0x00407a9c
0x00000000
0x00407a9c
0x00407a70
0x00407a72
0x00407a75
0x00407a80
0x00407a83
0x00000000
0x00407a83
0x00407a5a
0x00407a5e
0x00407a61
0x00000000
0x00000000
0x00000000
0x00000000
0x004079bc
0x00407762
0x00407794
0x00407794
0x00407794
0x0040779c
0x00000000
0x00000000
0x0040779e
0x004077a6
0x004077ac
0x004077b3
0x004077b8
0x004077bc
0x004077c0
0x004077c7
0x004077e7
0x004077ea
0x004077f1
0x004077ec
0x004077ee
0x004077ee
0x004077f4
0x004077fa
0x004077fd
0x004077fe
0x00407801
0x00407805
0x0040780d
0x0040780f
0x00407815
0x00407846
0x0040784a
0x0040785a
0x00407864
0x00407866
0x0040786b
0x0040786e
0x00407888
0x0040788e
0x00000000
0x00000000
0x00407894
0x00407899
0x0040789d
0x004078b2
0x004078b2
0x004078b2
0x004078b7
0x004078b7
0x004078be
0x004078c1
0x004078c1
0x004078c1
0x004078c2
0x004078c4
0x004078c4
0x004078c9
0x004078c9
0x004078ce
0x004078d2
0x004078d5
0x004078d5
0x004078d9
0x004078de
0x004078f6
0x00000000
0x00000000
0x00000000
0x004078f6
0x0040789f
0x004078a2
0x00000000
0x00000000
0x004078a8
0x004078ac
0x00000000
0x00407817
0x00407817
0x00407817
0x00407817
0x0040781d
0x00000000
0x00000000
0x00407823
0x00407824
0x00407826
0x0040782a
0x00407836
0x00407838
0x00407840
0x00000000
0x00000000
0x00407842
0x00407842
0x00000000
0x00407842
0x00000000
0x00407817
0x00407815
0x004077c9
0x004077cc
0x004077d0
0x004077d2
0x004077d8
0x004077dc
0x004077df
0x00000000
0x004077df
0x0040776f
0x0040776f
0x00407775
0x00000000
0x00000000
0x0040777b
0x0040777e
0x0040778b
0x0040778d
0x00407791
0x00000000
0x00407791
0x00000000
0x00000000
0x00000000
0x004076dd
0x004076dd
0x004076e0
0x004076e7
0x004076ec
0x004076ef
0x00000000
0x004076dd
0x0040766c
0x00407640

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction ID: 34855fb2682deb8042092b43f828aa3e625fb4f43d1e7d882369f70b8a17060e
Opcode Fuzzy Hash: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction Fuzzy Hash: 09F17171A183418FCB04CF18C49076ABBE5FF89315F14896EE889EB286D778E941CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00406EA8 Relevance: .3, Instructions: 314
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00406EA8(signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int* _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v60;
				signed int _v120;
				signed int _v124;
				void _v188;
				intOrPtr _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				void* _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				short _v246;
				char _v247;
				signed char _v248;
				signed int _t170;
				void* _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int _t180;
				signed int _t183;
				signed int _t184;
				signed int _t189;
				intOrPtr* _t203;
				signed int _t204;
				short _t209;
				signed int _t216;
				signed char _t227;
				signed int _t233;
				signed int* _t237;
				signed int _t239;
				signed int _t240;
				signed int* _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed char _t251;
				intOrPtr _t253;
				signed int _t254;
				signed int _t260;
				signed int _t262;
				signed char _t264;
				intOrPtr _t265;
				signed int _t266;
				void* _t267;
				signed int _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t279;
				void* _t280;
				void* _t281;
				signed int _t283;
				signed int _t284;
				signed int* _t287;
				signed int _t290;
				void* _t291;
				intOrPtr _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				intOrPtr _t297;
				signed int _t299;
				intOrPtr _t300;
				signed int _t301;
				void* _t304;
				signed int _t308;
				signed char* _t310;

				_t237 = _a4;
				_t297 = _a8;
				_t265 = _t297;
				_t240 = 0x10;
				memset( &_v188, 0, _t240 << 2);
				_t310 =  &(( &_v248)[0xc]);
				_t242 = _t237;
				do {
					_t170 =  *_t242;
					_t242 =  &(_t242[1]);
					_t310[0x4c + _t170 * 4] = _t310[0x4c + _t170 * 4] + 1;
					_t265 = _t265 - 1;
				} while (_t265 != 0);
				if(_v188 == _t297) {
					 *_a24 = 0;
					 *_a28 = 0;
					return 0;
				}
				_t287 = _a28;
				_t244 = 1;
				_t294 = 0;
				_t266 = 0xf;
				while(_t310[0x4c + _t244 * 4] == _t294) {
					_t244 = _t244 + 1;
					if(_t244 <= _t266) {
						continue;
					}
					break;
				}
				_v220 = _t244;
				_t172 =  >=  ?  *_t287 : _t244;
				while(_t310[0x4c + _t266 * 4] == _t294) {
					_t266 = _t266 - 1;
					if(_t266 != 0) {
						continue;
					}
					break;
				}
				_v216 = _t266;
				_t299 =  <=  ? _t172 : _t266;
				_t173 = _t299;
				_v236 = _t299;
				_t300 = _a8;
				 *_t287 = _t173;
				_t290 = 1 << _t244;
				while(_t244 < _t266) {
					_t291 = _t290 - _t310[0x4c + _t244 * 4];
					if(_t291 < 0) {
						L61:
						return _t173 | 0xffffffff;
					}
					_t244 = _t244 + 1;
					_t290 = _t291 + _t291;
				}
				_t246 = _t266 << 2;
				_v212 = _t246;
				_t173 = _t310[_t246 + 0x4c];
				_t292 = _t290 - _t173;
				_v192 = _t292;
				if(_t292 < 0) {
					goto L61;
				}
				_v120 = _t294;
				_t310[_t246 + 0x4c] = _t173 + _t292;
				_t247 = _t294;
				_t267 = _t266 - 1;
				if(_t267 != 0) {
					_t233 = _t294;
					do {
						_t247 = _t247 + _t310[_t233 + 0x50];
						_t233 = _t233 + 4;
						_t310[_t233 + 0x90] = _t247;
						_t267 = _t267 - 1;
					} while (_t267 != 0);
				}
				_t248 = _t294;
				do {
					_t268 =  *_t237;
					_t237 =  &(_t237[1]);
					if(_t268 != 0) {
						_t176 = _t310[0x8c + _t268 * 4];
						 *(0x4330a0 + _t176 * 4) = _t248;
						_t310[0x8c + _t268 * 4] = _t176 + 1;
					}
					_t248 = _t248 + 1;
				} while (_t248 < _t300);
				_t301 = _t294;
				_t249 = _v236;
				_t269 = _v220;
				_t239 =  ~_t249;
				_v232 = _t301;
				_t179 = _t310[_v212 + 0x8c];
				_v196 = _t179;
				_t180 = _t179 | 0xffffffff;
				_v124 = _t294;
				_v228 = 0x4330a0;
				_v244 = _t180;
				_v60 = _t294;
				_v224 = _t294;
				_v208 = _t294;
				if(_t269 <= _v216) {
					_t183 =  &_v188 + _t269 * 4;
					_v204 = _t183;
					do {
						_t184 =  *_t183;
						while(_t184 != 0) {
							_v200 = _t184;
							_v212 = _t184 - 1;
							_t173 = _t249 + _t239;
							while(1) {
								_v240 = _t173;
								if(_t269 <= _t173) {
									break;
								}
								_v244 = _v244 + 1;
								_t304 =  >  ? _t249 : _v216 - _t173;
								_t251 = _t269 - _t173;
								_t272 = 1 << _t251;
								if(1 > _v200) {
									_t280 = _t272 + (_t173 | 0xffffffff) - _v212;
									_t173 = _v204;
									if(_t251 < _t304) {
										while(1) {
											_t251 = _t251 + 1;
											if(_t251 >= _t304) {
												goto L31;
											}
											_t281 = _t280 + _t280;
											_t173 = _t173 + 4;
											if(_t281 >  *_t173) {
												_t280 = _t281 -  *_t173;
												continue;
											}
											goto L31;
										}
									}
								}
								L31:
								_v208 = 1;
								_t274 =  *_a36;
								_t308 = (1 << _t251) + _t274;
								if(1 > 0x5a0) {
									goto L61;
								}
								_v224 = _a32 + _t274 * 4;
								_t276 = _v244;
								_t310[0xcc + _t276 * 4] = _v224;
								 *_a36 = _t308;
								_t189 = _v240;
								_t301 = _v232;
								if(_t276 == 0) {
									 *_a24 = _v224;
								} else {
									_v247 = _v236;
									_v248 = _t251;
									_t310[0x8c + _t276 * 4] = _t301;
									_t279 = _t301 >> _t239;
									_t264 = _t310[0xc8 + _v244 * 4];
									_v246 = (_v224 - _t264 >> 2) - _t279;
									 *(_t264 + _t279 * 4) = _v248;
									_t189 = _v240;
								}
								_t249 = _v236;
								_t239 = _t189;
								_t269 = _v220;
								_t173 = _t189 + _t249;
							}
							_v247 = _t269 - _t239;
							if(_v228 < 0x4330a0 + _v196 * 4) {
								_t203 = _v228;
								_t253 =  *_t203;
								_t204 = _t203 + 4;
								_v232 = _t204;
								if(_t253 >= _a12) {
									_t254 = _t253 - _a12;
									_v248 =  *((intOrPtr*)(_a20 + _t254 * 2)) + 0x50;
									_t209 =  *((intOrPtr*)(_a16 + _t254 * 2));
								} else {
									_v248 = (_t204 & 0xffffff00 | _t253 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
									_t209 =  *_v228;
								}
								_v246 = _t209;
								_v228 = _v232;
							} else {
								_v248 = 0xc0;
							}
							_v200 = 1 << _t269 - _t239;
							_t283 = _t301 >> _t239;
							if(_t283 < _v208) {
								_t227 = _v248;
								_t262 = _v200;
								_t293 = _v224;
								do {
									 *(_t293 + _t283 * 4) = _t227;
									_t283 = _t283 + _t262;
								} while (_t283 < _v208);
								_t292 = _v192;
								_t294 = 0;
							}
							_t269 = _v220;
							_t216 = 1 << _t269 - 1;
							while((_t301 & _t216) != 0) {
								_t301 = _t301 ^ _t216;
								_t216 = _t216 >> 1;
							}
							_t301 = _t301 ^ _t216;
							_v232 = _t301;
							_t260 = _v244;
							if(((1 << _t239) - 0x00000001 & _t301) != _t310[0x8c + _t260 * 4]) {
								_t284 = _v236;
								_t295 = _t260;
								do {
									_t239 = _t239 - _t284;
									_t295 = _t295 - 1;
								} while (((1 << _t239) - 0x00000001 & _t301) != _t310[0x8c + _t295 * 4]);
								_t269 = _v220;
								_v244 = _t295;
								_t294 = 0;
							}
							_t184 = _v212;
							_t249 = _v236;
						}
						_t269 = _t269 + 1;
						_t183 = _v204 + 4;
						_v220 = _t269;
						_v204 = _t183;
					} while (_t269 <= _v216);
					_t180 = _t183 | 0xffffffff;
				}
				if(_t292 == 0 || _v216 == 1) {
					return _t294;
				}
				return _t180;
			}

0x00406eb1
0x00406eb9
0x00406ec0
0x00406ec6
0x00406ecb
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ed1
0x00406ed4
0x00406ed8
0x00406ed8
0x00406ee1
0x00406eec
0x00406ef5
0x00000000
0x00406ef7
0x00406efe
0x00406f09
0x00406f0a
0x00406f0c
0x00406f0d
0x00406f13
0x00406f16
0x00000000
0x00000000
0x00000000
0x00406f16
0x00406f1c
0x00406f20
0x00406f23
0x00406f29
0x00406f2c
0x00000000
0x00000000
0x00000000
0x00406f2c
0x00406f30
0x00406f36
0x00406f39
0x00406f3b
0x00406f3f
0x00406f46
0x00406f4b
0x00406f5c
0x00406f4f
0x00406f53
0x0040727e
0x00000000
0x0040727e
0x00406f59
0x00406f5a
0x00406f5a
0x00406f62
0x00406f65
0x00406f69
0x00406f6d
0x00406f6f
0x00406f73
0x00000000
0x00000000
0x00406f7b
0x00406f82
0x00406f86
0x00406f88
0x00406f8b
0x00406f8d
0x00406f8f
0x00406f8f
0x00406f93
0x00406f96
0x00406f9d
0x00406f9d
0x00406f8f
0x00406fa2
0x00406fa4
0x00406fa4
0x00406fa6
0x00406fab
0x00406fad
0x00406fb4
0x00406fbc
0x00406fbc
0x00406fc3
0x00406fc4
0x00406fcc
0x00406fce
0x00406fd4
0x00406fd8
0x00406fda
0x00406fde
0x00406fe5
0x00406fe9
0x00406fec
0x00406ff3
0x00406ffb
0x00406fff
0x00407006
0x0040700a
0x00407012
0x0040701c
0x0040701f
0x00407023
0x00407023
0x0040724a
0x0040702a
0x0040702f
0x00407033
0x00407128
0x00407128
0x0040712e
0x00000000
0x00000000
0x0040703f
0x00407047
0x0040704e
0x00407051
0x00407057
0x00407060
0x00407062
0x00407068
0x0040706a
0x0040706a
0x0040706d
0x00000000
0x00000000
0x0040706f
0x00407071
0x00407076
0x00407078
0x00000000
0x00407078
0x00000000
0x00407076
0x0040706a
0x00407068
0x0040707c
0x00407088
0x0040708c
0x0040708e
0x00407096
0x00000000
0x00000000
0x004070a6
0x004070aa
0x004070b2
0x004070c0
0x004070c2
0x004070c6
0x004070cc
0x0040711a
0x004070ce
0x004070d2
0x004070da
0x004070e0
0x004070e9
0x004070eb
0x004070fd
0x00407106
0x00407109
0x00407109
0x0040711c
0x00407120
0x00407122
0x00407126
0x00407126
0x00407138
0x0040714b
0x00407154
0x00407158
0x0040715a
0x0040715d
0x00407168
0x00407184
0x00407197
0x004071a2
0x0040716a
0x00407177
0x0040717f
0x0040717f
0x004071a6
0x004071af
0x0040714d
0x0040714d
0x0040714d
0x004071c0
0x004071c4
0x004071ca
0x004071cc
0x004071d0
0x004071d4
0x004071d8
0x004071d8
0x004071db
0x004071dd
0x004071e3
0x004071e7
0x004071e7
0x004071e9
0x004071f3
0x004071fb
0x004071f7
0x004071f9
0x004071f9
0x004071ff
0x00407205
0x0040720c
0x0040721a
0x0040721c
0x00407220
0x00407222
0x00407224
0x0040722b
0x0040722f
0x00407238
0x0040723c
0x00407240
0x00407240
0x00407242
0x00407246
0x00407246
0x00407256
0x00407257
0x0040725a
0x0040725e
0x00407262
0x0040726c
0x0040726c
0x00407271
0x00000000
0x0040727a
0x0040728b

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
Instruction ID: 458c99329ba390570ae49b1fba58edefd6773494dbefaa897816e029df8d06ab
Opcode Fuzzy Hash: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
Instruction Fuzzy Hash: 11C16771A0C3458FC718DF28D580A6ABBE1BBC9304F148A3EE59997380D734E916CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00403D8A Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 221
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403D8A() {
				struct HWND__* _t60;
				intOrPtr _t61;
				unsigned int _t66;
				signed short* _t88;
				unsigned int _t89;
				long _t104;
				intOrPtr _t117;
				intOrPtr _t118;
				int _t120;
				signed int _t121;
				struct HWND__* _t125;
				int _t126;
				int _t132;
				intOrPtr _t135;
				struct HWND__* _t137;
				struct HWND__* _t138;
				int _t139;
				void* _t142;

				if( *((intOrPtr*)(_t142 + 0x50)) != 0x110) {
					_t139 =  *(_t142 + 0x68);
					if( *(_t142 + 0x60) != 0x111) {
						if( *(_t142 + 0x60) != 0x4e) {
							if( *(_t142 + 0x60) == 0x40b) {
								 *0x42dd5c =  *0x42dd5c + 1;
							}
							L25:
							return E0040575B( *(_t142 + 0x68),  *(_t142 + 0x68), _t139);
						}
						_t60 = GetDlgItem( *(_t142 + 0x60), 0x3e8);
						_t117 =  *((intOrPtr*)(_t139 + 8));
						_t125 = _t60;
						if(_t117 != 0x70b) {
							L16:
							if(_t117 != 0x700 ||  *((intOrPtr*)(_t139 + 0xc)) != 0x100) {
								goto L25;
							} else {
								_t61 =  *((intOrPtr*)(_t139 + 0x10));
								if(_t61 == 0xd) {
									SendMessageW( *0x4349f8, 0x111, 1, 0);
									_t61 =  *((intOrPtr*)(_t139 + 0x10));
								}
								if(_t61 == 0x1b) {
									SendMessageW( *0x4349f8, 0x10, 0, 0);
								}
								return 1;
							}
						}
						if( *((intOrPtr*)(_t139 + 0xc)) != 0x201) {
							goto L25;
						}
						_t66 =  *(_t139 + 0x1c);
						_t118 =  *((intOrPtr*)(_t139 + 0x18));
						 *(_t142 + 0x14) = _t66;
						 *(_t142 + 0x10) = _t118;
						 *(_t142 + 0x18) = 0x4339a0;
						if(_t66 - _t118 >= 0x800) {
							goto L25;
						}
						SendMessageW(_t125, 0x44b, 0, _t142 + 0x10);
						SetCursor(LoadCursorW(0, 0x7f02));
						 *((intOrPtr*)(_t142 + 0x24)) =  *((intOrPtr*)(_t142 + 0x5c));
						 *(_t142 + 0x2c) =  *(_t142 + 0x18);
						 *((intOrPtr*)(_t142 + 0x24)) = 0x500;
						 *(_t142 + 0x3c) = 1;
						 *(_t142 + 0x2c) = L"open";
						 *((intOrPtr*)(_t142 + 0x34)) = 0;
						 *((intOrPtr*)(_t142 + 0x38)) = 0;
						E004069F3(_t142 + 0x1c);
						SetCursor(LoadCursorW(0, 0x7f00));
						_t117 =  *((intOrPtr*)(_t139 + 8));
						goto L16;
					}
					if( *(_t142 + 0x64) >> 0x10 == 0 &&  *0x42dd5c == 0) {
						_t135 =  *0x42dd4c;
						if(( *(_t135 + 0x14) & 0x00000020) != 0) {
							_t120 = SendMessageW(GetDlgItem( *(_t142 + 0x6c), 0x40a), 0xf0, 0, 0) & 0x00000001;
							 *(_t135 + 0x14) =  *(_t135 + 0x14) & 0xfffffffe | _t120;
							EnableWindow( *0x42dd54, _t120);
							E0040553C();
						}
					}
					goto L25;
				} else {
					_t126 =  *(_t142 + 0x68);
					_t121 =  *(_t126 + 0x30);
					if(_t121 < 0) {
						_t121 =  *( *0x4349e0 - 4 + _t121 * 4);
					}
					_push( *((intOrPtr*)(_t126 + 0x34)));
					_t88 =  *0x435a38 + _t121 * 2;
					_t89 =  &(_t88[1]);
					 *(_t142 + 0x64) = _t89;
					 *(_t142 + 0x14) = _t89;
					_t91 =  ==  ? E0040568C : E00405655;
					 *(_t142 + 0x68) =  *_t88 & 0x0000ffff;
					_t137 =  *(_t142 + 0x60);
					 *(_t142 + 0x18) = 0;
					_push(0x22);
					 *((intOrPtr*)(_t142 + 0x24)) =  ==  ? E0040568C : E00405655;
					_t132 = ( !( *(_t126 + 0x14) >> 5) |  *(_t126 + 0x14)) & 1;
					E0040551A(_t137);
					_push( *((intOrPtr*)( *(_t142 + 0x68) + 0x38)));
					_push(0x23);
					E0040551A(_t137);
					CheckDlgButton(_t137, (_t132 ^ 1) + 0x40a, 1);
					EnableWindow( *0x42dd54, _t132);
					_t138 = GetDlgItem(_t137, 0x3e8);
					E00405503(_t138);
					SendMessageW(_t138, 0x45b, 1, 0);
					_t104 =  *( *0x435a10 + 0x68);
					if(_t104 < 0) {
						_t104 = GetSysColor( ~_t104);
					}
					SendMessageW(_t138, 0x443, 0, _t104);
					SendMessageW(_t138, 0x445, 0, 0x4010000);
					SendMessageW(_t138, 0x435, 0, lstrlenW( *(_t142 + 0x60)));
					 *0x42dd5c = 0;
					SendMessageW(_t138, 0x449,  *(_t142 + 0x68), _t142 + 0x10);
					 *0x42dd5c = 0;
					return 0;
				}
			}

0x00403d99
0x00403ecc
0x00403ed0
0x00403f4a
0x00404065
0x00404067
0x00404067
0x0040406d
0x00000000
0x00404076
0x00403f59
0x00403f5f
0x00403f64
0x00403f6c
0x00404013
0x00404019
0x00000000
0x00404024
0x00404024
0x0040402a
0x0040403a
0x00404040
0x00404040
0x00404046
0x00404052
0x00404052
0x00000000
0x0040405a
0x00404019
0x00403f79
0x00000000
0x00000000
0x00403f7f
0x00403f82
0x00403f85
0x00403f8b
0x00403f8f
0x00403f9c
0x00000000
0x00000000
0x00403fae
0x00403fc9
0x00403fcf
0x00403fd7
0x00403fe0
0x00403fe8
0x00403ff0
0x00403ff8
0x00403ffc
0x00404000
0x0040400e
0x00404010
0x00000000
0x00404010
0x00403edc
0x00403eef
0x00403ef9
0x00403f23
0x00403f32
0x00403f35
0x00403f3b
0x00403f3b
0x00403ef9
0x00000000
0x00403d9f
0x00403d9f
0x00403da3
0x00403da8
0x00403db9
0x00403db9
0x00403dca
0x00403dcd
0x00403dd3
0x00403dd6
0x00403ddd
0x00403de6
0x00403de9
0x00403ded
0x00403df9
0x00403e00
0x00403e03
0x00403e07
0x00403e09
0x00403e12
0x00403e15
0x00403e18
0x00403e29
0x00403e36
0x00403e48
0x00403e4b
0x00403e5e
0x00403e65
0x00403e6a
0x00403e6f
0x00403e6f
0x00403e7d
0x00403e8b
0x00403e9e
0x00403ea4
0x00403eb5
0x00403eb7
0x00000000
0x00403ebd

APIs

CheckDlgButton.USER32 ref: 00403E29
EnableWindow.USER32(?), ref: 00403E36
GetDlgItem.USER32 ref: 00403E42
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E5E
GetSysColor.USER32(?), ref: 00403E6F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E7D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E8B
lstrlenW.KERNEL32(?), ref: 00403E91
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E9E
SendMessageW.USER32(00000000,00000449,?,?), ref: 00403EB5
GetDlgItem.USER32 ref: 00403F11
SendMessageW.USER32(00000000), ref: 00403F18
EnableWindow.USER32(00000000), ref: 00403F35
GetDlgItem.USER32 ref: 00403F59
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403FAE
LoadCursorW.USER32(00000000,00007F02), ref: 00403FC0
SetCursor.USER32(00000000), ref: 00403FC9

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

LoadCursorW.USER32(00000000,00007F00), ref: 0040400B
SetCursor.USER32(00000000), ref: 0040400E
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040403A
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404052

Strings

N, xrefs: 00403F45
Call, xrefs: 00403F8F

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N
API String ID: 3270077613-3438112850
Opcode ID: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction ID: c65a3a36bb4725451a4dfe1d630424e4f24f9f71ba4400fdcb13afcf6ca1fe0a
Opcode Fuzzy Hash: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction Fuzzy Hash: A3817DB0604305AFD710AF25DC84A6B7BA9FF84744F01493EF641B62A1C778AD45CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401000() {
				struct HDC__* _t64;
				void* _t82;
				void* _t92;
				struct HDC__* _t100;
				struct tagRECT _t102;
				long _t110;
				struct HWND__* _t120;
				void* _t126;
				void* _t128;
				intOrPtr _t131;
				void* _t133;

				if( *((intOrPtr*)(_t133 + 0x64)) == 0xf) {
					_t131 =  *0x435a10;
					_t64 = BeginPaint( *(_t133 + 0x74), _t133 + 0x24);
					 *(_t133 + 0x10) =  *(_t133 + 0x10) & 0x00000000;
					_t100 = _t64;
					GetClientRect( *(_t133 + 0x74), _t133 + 0x1c);
					_t120 =  *(_t133 + 0x28);
					 *(_t133 + 0x28) =  *(_t133 + 0x28) & 0x00000000;
					_t102 =  *(_t133 + 0x20);
					 *(_t133 + 0x74) = _t120;
					while(_t102 < _t120) {
						_t116 = _t120 - _t102;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						 *(_t133 + 0x18) = (((( *(_t131 + 0x56) & 0x000000ff) * _t102 + ( *(_t131 + 0x52) & 0x000000ff) * (_t120 - _t102)) / _t120 & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x55) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x51) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x54) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x50) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff;
						_t82 = CreateBrushIndirect(_t133 + 0x10);
						 *(_t133 + 0x28) =  *(_t133 + 0x28) + 4;
						_t126 = _t82;
						FillRect(_t100, _t133 + 0x20, _t126);
						DeleteObject(_t126);
						_t120 =  *(_t133 + 0x74);
						_t102 =  *(_t133 + 0x20) + 4;
						 *(_t133 + 0x20) = _t102;
					}
					if( *(_t131 + 0x58) != 0xffffffff) {
						_t128 = CreateFontIndirectW( *(_t131 + 0x34));
						 *(_t133 + 0x74) = _t128;
						if(_t128 != 0) {
							 *(_t133 + 0x24) = 0x10;
							 *(_t133 + 0x28) = 8;
							SetBkMode(_t100, 1);
							SetTextColor(_t100,  *(_t131 + 0x58));
							_t92 = SelectObject(_t100, _t128);
							DrawTextW(_t100, 0x434a00, 0xffffffff, _t133 + 0x20, 0x820);
							SelectObject(_t100, _t92);
							DeleteObject( *(_t133 + 0x74));
						}
					}
					EndPaint( *(_t133 + 0x74), _t133 + 0x2c);
					return 0;
				}
				_t110 =  *(_t133 + 0x6c);
				if( *((intOrPtr*)(_t133 + 0x64)) == 0x46) {
					 *(_t110 + 0x18) =  *(_t110 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t110 + 4)) =  *0x4349f8;
				}
				return DefWindowProcW( *(_t133 + 0x6c),  *(_t133 + 0x6c),  *(_t133 + 0x6c), _t110);
			}

0x00401008
0x0040103b
0x0040104c
0x00401052
0x00401057
0x00401062
0x00401068
0x0040106c
0x00401071
0x00401075
0x0040110f
0x00401087
0x00401096
0x004010b1
0x004010cc
0x004010db
0x004010df
0x004010e5
0x004010ea
0x004010f3
0x004010fa
0x00401104
0x00401108
0x0040110b
0x0040110b
0x0040111b
0x00401126
0x00401128
0x0040112e
0x00401133
0x0040113b
0x00401143
0x0040114d
0x0040115b
0x00401171
0x00401179
0x0040117f
0x0040117f
0x0040112e
0x0040118e
0x00000000
0x00401199
0x0040100f
0x00401013
0x00401015
0x0040101e
0x0040101e
0x00000000

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
BeginPaint.USER32(?,?), ref: 0040104C
GetClientRect.USER32 ref: 00401062
CreateBrushIndirect.GDI32(00000000), ref: 004010DF
FillRect.USER32 ref: 004010F3
DeleteObject.GDI32(00000000), ref: 004010FA
CreateFontIndirectW.GDI32(?), ref: 00401120
SetBkMode.GDI32(00000000,00000001), ref: 00401143
SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
SelectObject.GDI32(00000000,00000000), ref: 0040115B
DrawTextW.USER32(00000000,00434A00,000000FF,?,00000820), ref: 00401171
SelectObject.GDI32(00000000,00000000), ref: 00401179
DeleteObject.GDI32(?), ref: 0040117F
EndPaint.USER32(?,?), ref: 0040118E

Strings

F, xrefs: 0040100A

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction ID: 3af209a9edb156689bef41e0a63d31b37659a4d6f6412c5d0cf3c0f243fc5647
Opcode Fuzzy Hash: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction Fuzzy Hash: E041AFB20083509FC7159F65CD4496BBBE9FF88715F140A2EF995A22A1C734DD04CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406306 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406306() {
				long _t10;
				void* _t32;
				void* _t36;
				long _t37;
				intOrPtr* _t39;
				void* _t43;
				WCHAR* _t44;
				long _t46;
				int _t48;
				void* _t49;

				_t44 =  *(_t49 + 0x14);
				 *0x4319c0 = 0x55004e;
				 *0x4319c4 = 0x4c;
				if(_t44 == 0) {
					L3:
					_t10 = GetShortPathNameW( *(_t49 + 0x1c), 0x4311c0, 0x400);
					if(_t10 != 0 && _t10 <= 0x400) {
						_t48 = wsprintfA(0x430dc0, "%ls=%ls\r\n", 0x4319c0, 0x4311c0);
						_push( *((intOrPtr*)( *0x435a10 + 0x128)));
						_push(0x4311c0);
						E00405EBA();
						_t10 = E0040691B(0x4311c0, 0xc0000000, 4);
						_t32 = _t10;
						if(_t32 != 0xffffffff) {
							_t46 = GetFileSize(_t32, 0);
							_t4 = _t48 + 0xa; // 0xa
							_t35 = _t4 + _t46;
							_t43 = GlobalAlloc(0x40, _t4 + _t46);
							if(_t43 != 0 && E00406948(_t35, _t32, _t43, _t46) != 0) {
								if(E00406B36(_t43, "[Rename]\r\n") != 0) {
									_t36 = E00406B36(_t16 + 0xa, "\n[");
									if(_t36 == 0) {
										goto L10;
									} else {
										_t39 = _t43 + _t46;
										while(_t39 > _t36) {
											 *((char*)(_t39 + _t48)) =  *_t39;
											_t39 = _t39 - 1;
										}
										_t37 = _t36 - _t43 + 1;
										goto L11;
									}
									goto L13;
								} else {
									lstrcpyA(_t43 + _t46, "[Rename]\r\n");
									_t46 = _t46 + 0xa;
									L10:
									_t37 = _t46;
								}
								L11:
								E004066B4(_t37 + _t43, 0x430dc0, _t48);
								SetFilePointer(_t32, 0, 0, 0);
								E00406A0B(_t37, _t32, _t43, _t46 + _t48);
								GlobalFree(_t43);
							}
							_t10 = CloseHandle(_t32);
						}
					}
				} else {
					CloseHandle(E0040691B(_t44, 0, 1));
					_t10 = GetShortPathNameW(_t44, 0x4319c0, 0x400);
					if(_t10 != 0 && _t10 <= 0x400) {
						goto L3;
					}
				}
				L13:
				return _t10;
			}

0x00406309
0x00406312
0x00406321
0x00406334
0x0040635c
0x00406367
0x0040636b
0x00406394
0x00406396
0x0040639c
0x0040639d
0x004063aa
0x004063af
0x004063b4
0x004063c3
0x004063c5
0x004063c8
0x004063d3
0x004063d7
0x004063f2
0x0040644f
0x00406453
0x00000000
0x00406455
0x00406455
0x00406460
0x0040645c
0x0040645f
0x0040645f
0x00406466
0x00000000
0x00406466
0x00000000
0x004063f4
0x004063fd
0x00406403
0x00406406
0x00406406
0x00406406
0x00406408
0x00406412
0x0040641d
0x00406429
0x0040642f
0x0040642f
0x00406436
0x00406436
0x004063b4
0x00406336
0x00406341
0x0040634a
0x0040634e
0x00000000
0x00000000
0x0040634e
0x0040643c
0x00406440

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,0040625E,?,?), ref: 00406341
GetShortPathNameW.KERNEL32 ref: 0040634A
GetShortPathNameW.KERNEL32 ref: 00406367
wsprintfA.USER32 ref: 00406385
GetFileSize.KERNEL32(00000000,00000000,004311C0,C0000000,00000004,004311C0,?), ref: 004063BD
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063CD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063FD
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00430DC0,00000000,-0000000A,00409984,00000000,[Rename],00000000,00000000,00000000), ref: 0040641D
GlobalFree.KERNEL32 ref: 0040642F
CloseHandle.KERNEL32(00000000), ref: 00406436

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Strings

%ls=%ls, xrefs: 0040637B
[Rename], xrefs: 004063E5, 004063F4

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction ID: 3caf73f0ff98a748f1a35ad4b0faf92cdaa7f83aa24985268d6d9c0dc650f438
Opcode Fuzzy Hash: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction Fuzzy Hash: C93105B12012117AE7206B258D99FAB3A5CEF45748F16053AF903F62D3E63D9C11867C

Uniqueness

Uniqueness Score: -1.00%

Function 72B32209 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E72B32209(intOrPtr* _a4) {
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E72B312F8();
				_t23 = _a4;
				_t33 =  *((intOrPtr*)(_t23 + 0x1014));
				_t42 = (_t33 + 0x81 << 5) + _t23;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t24 =  *(_t42 - 8) & 0x000000ff;
					if(_t24 <= 7) {
						switch( *((intOrPtr*)(_t24 * 4 +  &M72B32331))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x72b34064 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x72b34084 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E72B3149E(__ecx);
								goto L16;
							case 3:
								__ecx =  *0x72b35040;
								__ecx - 1 = MultiByteToWideChar(0, 0,  *__edx, __ecx, __edi, __ecx - 1);
								__eax =  *0x72b35040;
								__ecx = 0;
								 *((short*)(__edi + __eax * 2 - 2)) = __cx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__edx,  *0x72b35040);
								goto L17;
							case 5:
								_push( *0x72b35040);
								_push(__edi);
								_push( *__edx);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x72b34058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14));
					}
					_t25 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E72B31638(_t25 - 1, _t39);
								goto L26;
							}
						} else {
							E72B315EB(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x72b32211
0x72b32213
0x72b32217
0x72b32226
0x72b32228
0x72b3222d
0x72b3222d
0x72b32235
0x72b3223c
0x72b32242
0x00000000
0x72b3224b
0x00000000
0x00000000
0x72b32253
0x72b32257
0x72b32259
0x72b3225a
0x72b32265
0x72b32269
0x72b32269
0x72b32270
0x00000000
0x00000000
0x72b32273
0x72b32274
0x72b32277
0x72b32279
0x00000000
0x00000000
0x72b32280
0x72b32292
0x72b32298
0x72b3229d
0x72b3229f
0x00000000
0x00000000
0x72b322c0
0x00000000
0x00000000
0x72b322a6
0x72b322ac
0x72b322ad
0x72b322af
0x00000000
0x00000000
0x72b322c8
0x72b322ca
0x72b322d0
0x72b322d6
0x72b322d6
0x00000000
0x00000000
0x72b32242
0x72b322d9
0x72b322dd
0x72b322f1
0x72b322f1
0x72b322f7
0x72b322fc
0x72b32301
0x72b3230d
0x72b32312
0x00000000
0x72b32317
0x72b32303
0x72b32304
0x72b32318
0x72b32318
0x72b32301
0x72b32319
0x72b3231c
0x72b3231c
0x72b3232f

APIs

Part of subcall function 72B312F8: GlobalAlloc.KERNELBASE(00000040,?,72B311C4,-000000A0), ref: 72B31302

GlobalFree.KERNEL32 ref: 72B322F1
GlobalFree.KERNEL32 ref: 72B32326

Strings

{v@uv, xrefs: 72B322AF
pYhv@hhv, xrefs: 72B32292

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: {v@uv$pYhv@hhv
API String ID: 1780285237-1978877463
Opcode ID: 6e19832011b46b777cc58d2fcf9264669a276b31face6fba45c319c5efa250cc
Instruction ID: 4b6e0c0f8a9ad2f24c5efedc26225c229791877758191e7d21ee1340f589576d
Opcode Fuzzy Hash: 6e19832011b46b777cc58d2fcf9264669a276b31face6fba45c319c5efa250cc
Instruction Fuzzy Hash: 4931CD72244101ABE7278F6ECD84B2EBBB9FB89355B90092DE882C7152D7319858CB60

Uniqueness

Uniqueness Score: -1.00%

Function 72B32049 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 129
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E72B32049(signed int _a4) {
				signed int _t44;
				void* _t45;
				signed int _t46;
				signed int _t50;
				void* _t54;
				signed int _t57;
				void* _t58;
				int _t59;

				_t50 = _a4;
				_t59 = 0;
				_t44 = 0 |  *((intOrPtr*)(_t50 + 0x1014)) > 0x00000000;
				while(1) {
					L1:
					_a4 = _t44;
					_t57 = _t44 << 5;
					_t58 =  *(_t57 + _t50 + 0x1030);
					if(_t58 == 0 || _t58 == 0x1a) {
						goto L8;
					}
					if(_t58 != 0xffffffff) {
						_t49 = _t58 - 1;
						if(_t58 - 1 > 0x18) {
							 *(_t57 + _t50 + 0x1030) = 0x1a;
							L11:
							_t54 = _t57 + _t50;
							if( *((intOrPtr*)(_t57 + _t50 + 0x101c)) >= _t59) {
							}
							_t46 =  *(_t57 + _t50 + 0x1018) & 0x000000ff;
							 *(_t57 + _t50 + 0x1034) =  *(_t57 + _t50 + 0x1034) & 0x00000000;
							if(_t46 > 7) {
								L26:
								_t59 = 0;
								goto L27;
							} else {
								switch( *((intOrPtr*)(_t46 * 4 +  &M72B321E9))) {
									case 0:
										_t59 = 0;
										 *((intOrPtr*)(_t54 + 0x1020)) = 0;
										goto L27;
									case 1:
										_push(__esi);
										__eax = E72B3135A();
										goto L18;
									case 2:
										_push(__esi);
										__eax = E72B3135A();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L26;
									case 3:
										__eax = GlobalAlloc(0x40,  *0x72b35040);
										 *(__edi + __ebx + 0x1034) = __eax;
										 *__ebp = __eax;
										__ebp = 0;
										__ecx =  *0x72b35040;
										__eax = WideCharToMultiByte(0, 0, __esi,  *0x72b35040, __eax,  *0x72b35040, 0, 0);
										goto L27;
									case 4:
										__eax = E72B312E1(__esi);
										 *(__edi + __ebx + 0x1034) = __eax;
										L18:
										_pop(__ecx);
										 *__ebp = __eax;
										goto L26;
									case 5:
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__edi + __ebx + 0x1034) = __eax;
										_push(__esi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										goto L26;
									case 6:
										__ebp = 0;
										if( *__esi != __bp) {
											_push(__esi);
											__eax = E72B3135A();
											 *(__edi + __ebx + 0x1020) = __eax;
										}
										L27:
										_t47 = GlobalFree(_t58);
										_t55 = _a4;
										if(_t55 == 0) {
											return _t47;
										}
										_t41 = _t55 + 1; // 0x1
										_t53 =  !=  ? _t41 : 0;
										_t44 =  !=  ? _t41 : 0;
										goto L1;
									case 7:
										__ecx =  *(__edi + __ebx + 0x1030);
										__eax =  *0x72b35038;
										 *(__edi + __ebx + 0x1030) - 1 = ( *(__edi + __ebx + 0x1030) - 1) *  *0x72b35040;
										__ecx =  *0x72b35038 + ( *(__edi + __ebx + 0x1030) - 1) *  *0x72b35040 * 2;
										__eax = __ecx + 0x18;
										 *(__edx + 0x1020) = __eax;
										_push(__ecx);
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E72B3149E(__ecx);
										__esp = __esp + 0xc;
										goto L26;
								}
							}
						}
						_t45 = E72B31548(_t49);
						L9:
						L10:
						_t58 = _t45;
						goto L11;
					}
					_t45 = E72B31593();
					goto L10;
					L8:
					_t45 = E72B312E1(0x72b340e0);
					goto L9;
				}
			}

0x72b3204a
0x72b32051
0x72b3205b
0x72b3205e
0x72b3205e
0x72b32060
0x72b32064
0x72b32067
0x72b32070
0x00000000
0x00000000
0x72b3207a
0x72b32083
0x72b32089
0x72b32093
0x72b320ad
0x72b320ad
0x72b320b7
0x72b320b7
0x72b320c7
0x72b320cf
0x72b320da
0x72b321bc
0x72b321bc
0x00000000
0x72b320e0
0x72b320e0
0x00000000
0x72b320e7
0x72b320e9
0x00000000
0x00000000
0x72b320f4
0x72b320f5
0x00000000
0x00000000
0x72b32103
0x72b32104
0x72b32109
0x72b3210a
0x72b3210d
0x00000000
0x00000000
0x72b3212c
0x72b32132
0x72b32139
0x72b3213c
0x72b3213e
0x72b3214c
0x00000000
0x00000000
0x72b32116
0x72b3211b
0x72b320fa
0x72b320fa
0x72b320fb
0x00000000
0x00000000
0x72b32158
0x72b3215e
0x72b3215f
0x72b32166
0x72b32167
0x72b3216a
0x00000000
0x00000000
0x72b32172
0x72b32177
0x72b32179
0x72b3217a
0x72b32187
0x72b32187
0x72b321be
0x72b321bf
0x72b321c5
0x72b321cb
0x72b321e6
0x72b321e6
0x72b321cf
0x72b321d8
0x72b321db
0x00000000
0x00000000
0x72b32190
0x72b32197
0x72b3219d
0x72b321a4
0x72b321a7
0x72b321aa
0x72b321b0
0x72b321b1
0x72b321b2
0x72b321b3
0x72b321b4
0x72b321b9
0x00000000
0x00000000
0x72b320e0
0x72b320da
0x72b3208c
0x72b320aa
0x72b320ab
0x72b320ab
0x00000000
0x72b320ab
0x72b3207c
0x00000000
0x72b320a0
0x72b320a5
0x00000000
0x72b320a5

APIs

GlobalFree.KERNEL32 ref: 72B321BF

Part of subcall function 72B312E1: lstrcpynW.KERNEL32(00000000,?,72B3156A,?,72B311C4,-000000A0), ref: 72B312F1

GlobalAlloc.KERNEL32(00000040), ref: 72B3212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 72B3214C

Strings

@hhv, xrefs: 72B3214C
@uv, xrefs: 72B3216A

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @hhv$@uv
API String ID: 4216380887-1609614287
Opcode ID: 09f100f9932a426f6556801569a583e4787dba568e44b24cf6fd1b42cfae0059
Instruction ID: 23299766644c1c30010e2efe23c41f1529416907ed141155a666338a193bd81e
Opcode Fuzzy Hash: 09f100f9932a426f6556801569a583e4787dba568e44b24cf6fd1b42cfae0059
Instruction Fuzzy Hash: 5C41F5B2505605AFD3179F2CC984BE97BB8FB44780BC0463DE9499B14BDB705990CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402BA3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402BA3(intOrPtr __ebp, void* _a4, intOrPtr _a8, void* _a12, WCHAR* _a16, long _a20, void* _a24, void* _a32, void* _a44, WCHAR* _a76) {
				void* _v0;
				void* _v4;
				void* _v8;
				void* _v16;
				void* _v40;
				long _t34;
				WCHAR* _t46;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t58;
				void _t59;
				intOrPtr _t60;
				void* _t62;

				_t60 = __ebp;
				_a24 = 0xfffffd66;
				_t46 = E0040303E(_t51, 0xfffffff0);
				_a76 = _t46;
				if(E00406E03(_t46) == 0) {
					E0040303E(__edx, 0xffffffed);
				}
				E00406B9D(_t46);
				_t52 = E0040691B(_t46, 0x40000000, 2);
				_a12 = _t52;
				if(_t52 != 0xffffffff) {
					_t31 = _a44;
					 *(_t62 + 0x44) = _a44;
					if( *(_t62 + 0x30) != _t60) {
						_t34 =  *0x435a08;
						_a20 = _t34;
						_t58 = GlobalAlloc(0x40, _t34);
						_a24 = _t58;
						if(_t58 == 0) {
							_t31 =  *(_t62 + 0x44);
						} else {
							E00403131(_t60);
							E0040311B(_t58, _a16);
							_t54 = GlobalAlloc(0x40,  *(_t62 + 0x30));
							 *(_t62 + 0x44) = _t54;
							if(_t54 != 0) {
								E00403148(_a44, _t60, _t54,  *(_t62 + 0x30));
								if( *_t54 != 0) {
									_t49 = _t58;
									do {
										_t59 =  *_t54;
										_t55 = _t54 + 8;
										E004066B4( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t59);
										_t54 = _t55 + _t59;
									} while ( *_t54 != 0);
									_t46 =  *(_t62 + 0x50);
									_t58 = _a24;
								}
								GlobalFree( *(_t62 + 0x44));
							}
							_t52 =  *(_t62 + 0x20);
							E00406A0B(_t50, _t52, _t58, _a20);
							_t31 = GlobalFree(_t58) | 0xffffffff;
						}
					}
					_a8 = E00403148(_t31, _t52, _t60, _t60);
					CloseHandle(_t52);
				}
				_t56 = 0xfffffff3;
				if(_a24 >= _t60) {
					_t46 = _a16;
				} else {
					_t56 = 0xffffffef;
					DeleteFileW(_t46);
					_t46 = 1;
				}
				_push("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
				_push(_t56);
				E00405D3A();
				 *0x435ac8 =  *0x435ac8 + _t46;
				return 0;
			}

0x00402ba3
0x00402ba5
0x00402bb2
0x00402bb5
0x00402bc0
0x00402bc4
0x00402bc4
0x00402bca
0x00402bdc
0x00402bde
0x00402be5
0x00402beb
0x00402bef
0x00402bf7
0x00402bfd
0x00402c05
0x00402c0f
0x00402c11
0x00402c17
0x00402c9f
0x00402c1d
0x00402c1e
0x00402c28
0x00402c39
0x00402c3b
0x00402c41
0x00402c4d
0x00402c55
0x00402c57
0x00402c59
0x00402c59
0x00402c5e
0x00402c66
0x00402c6b
0x00402c6d
0x00402c72
0x00402c76
0x00402c76
0x00402c7e
0x00402c7e
0x00402c88
0x00402c8e
0x00402c9a
0x00402c9a
0x00402c17
0x00402cad
0x00402cb1
0x00402cb1
0x00402cb9
0x00402cbe
0x00402ccf
0x00402cc0
0x00402cc2
0x00402cc4
0x00402ccc
0x00402ccc
0x00402cd3
0x00402cd8
0x00402345
0x00402ea5
0x00402eb7

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
GlobalFree.KERNEL32 ref: 00402C7E
GlobalFree.KERNEL32 ref: 00402C94
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4

Strings

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 00402CD3

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll
API String ID: 2667972263-1821568989
Opcode ID: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
Instruction ID: 23d93ea21af668beabbcb9178b0b7634ed911faf56d8c64a437eebf92f001ab7
Opcode Fuzzy Hash: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
Instruction Fuzzy Hash: B2310471508351ABD310AF65CD48E1FBBE8AF89714F100A3EF5A1772D2C37899018BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406D3D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406D3D(WCHAR* _a4) {
				signed short _t5;
				signed int _t8;
				signed int _t9;
				signed short _t18;
				signed short _t20;
				signed int _t21;
				signed short _t22;
				WCHAR* _t23;
				WCHAR* _t24;
				void* _t25;
				WCHAR* _t26;

				_t24 = _a4;
				_t22 = 0x5c;
				_t5 =  *_t24 & 0x0000ffff;
				_t20 = _t5;
				if(_t5 == _t22) {
					_t20 = _t22;
					if(_t24[1] == _t22 && _t24[2] == 0x3f && _t24[3] == _t22) {
						_t24 =  &(_t24[4]);
						_t20 =  *_t24 & 0x0000ffff;
					}
				}
				_t18 = _t20 & 0x0000ffff;
				if(_t20 != 0) {
					_t18 = _t20 & 0x0000ffff;
					if(E00406E03(_t24) != 0) {
						_t24 =  &(_t24[2]);
						_t18 =  *_t24 & 0x0000ffff;
					}
				}
				_t26 = _t24;
				_t23 = _t24;
				if(_t18 == 0) {
					L14:
					 *_t23 = 0;
					_t25 = 0x5c;
					while(1) {
						_push(_t23);
						_push(_t26);
						_t23 = CharPrevW();
						_t8 =  *_t23 & 0x0000ffff;
						if(_t8 != 0x20 && _t8 != _t25) {
							break;
						}
						_t8 = 0;
						 *_t23 = 0;
						if(_t26 < _t23) {
							continue;
						}
						break;
					}
					return _t8;
				} else {
					_t9 = _t18 & 0x0000ffff;
					do {
						if(_t9 > 0x1f &&  *((short*)(E004065F6(L"*?|<>/\":", _t9))) == 0) {
							E004066B4(_t23, _t24, CharNextW(_t24) - _t24 >> 1);
							_t23 = CharNextW(_t23);
						}
						_t24 = CharNextW(_t24);
						_t21 =  *_t24 & 0x0000ffff;
						_t9 = _t21;
					} while (_t21 != 0);
					goto L14;
				}
			}

0x00406d40
0x00406d47
0x00406d48
0x00406d4b
0x00406d50
0x00406d52
0x00406d58
0x00406d67
0x00406d6a
0x00406d6a
0x00406d58
0x00406d6d
0x00406d73
0x00406d76
0x00406d80
0x00406d82
0x00406d85
0x00406d85
0x00406d80
0x00406d88
0x00406d8a
0x00406d8f
0x00406dd4
0x00406dd8
0x00406ddb
0x00406ddc
0x00406ddc
0x00406ddd
0x00406de4
0x00406de6
0x00406dec
0x00000000
0x00000000
0x00406df3
0x00406df5
0x00406dfa
0x00000000
0x00000000
0x00000000
0x00406dfa
0x00406e00
0x00406d91
0x00406d91
0x00406d9a
0x00406d9e
0x00406dbb
0x00406dc3
0x00406dc3
0x00406dc8
0x00406dca
0x00406dcd
0x00406dcf
0x00000000
0x00406d9a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DB2
CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DC6
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 00406DDE

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D44
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D3D, 00406D3F
*?|<>/":, xrefs: 00406DA1

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-879122614
Opcode ID: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction ID: 9b03febb742ef4485f2caa0616bf8b5dba6ff04d2a2b11022b5674ddd7f14081
Opcode Fuzzy Hash: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction Fuzzy Hash: 4E110211B0022566DA306B2A9C4097B72E8DFA9761746443BF9C6A32C0F77D8CA1D2B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040364F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040364F(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t18;

				if(_a8 != 0x110) {
					if(_a8 == 0x113) {
						goto L3;
					}
				} else {
					SetTimer(_a4, 1, 0xfa, 0);
					L3:
					_t18 =  *0x40d968; // 0x938d8
					_t19 =  <  ?  *0x40d96c : _t18;
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv( <  ?  *0x40d96c : _t18, 0x64, _t18));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x0040365f
0x0040367c
0x00000000
0x00000000
0x00403661
0x0040366d
0x0040367e
0x0040367e
0x0040368b
0x004036a5
0x004036b5
0x004036c7
0x004036c7
0x004036cf

APIs

SetTimer.USER32 ref: 0040366D
MulDiv.KERNEL32(000938D8,00000064,000938D8), ref: 00403695
wsprintfW.USER32 ref: 004036A5
SetWindowTextW.USER32(?,?), ref: 004036B5
SetDlgItemTextW.USER32 ref: 004036C7

Strings

1, xrefs: 00403684
verifying installer: %d%%, xrefs: 0040369F

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%$1
API String ID: 1451636040-2928864593
Opcode ID: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
Instruction ID: 5c883eac817cb3b9f0e850005900bd2bca04ae763b88d1ec11a0ecb90196ae4f
Opcode Fuzzy Hash: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
Instruction Fuzzy Hash: 87013671940209BBDF249FA0DD49FAA3B78A700705F008439F606B51E1DBB59A55CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040575B Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040575B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				void* _t38;
				signed char _t40;
				signed char _t42;
				long _t51;
				long _t52;
				long* _t55;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					_t38 = 0;
				} else {
					_t55 = GetWindowLongW(_a12, 0xffffffeb);
					if(_t55 == 0 || _t55[2] > 1 || _t55[4] > 2) {
						goto L18;
					} else {
						_t40 = _t55[5];
						if((_t40 & 0xffffffe0) != 0) {
							goto L18;
						} else {
							_t51 =  *_t55;
							if((_t40 & 0x00000002) != 0) {
								_t51 = GetSysColor(_t51);
								_t40 = _t55[5];
							}
							if((_t40 & 0x00000001) != 0) {
								SetTextColor(_a8, _t51);
							}
							SetBkMode(_a8, _t55[4]);
							_t42 = _t55[5];
							_t52 = _t55[1];
							_v16.lbColor = _t52;
							if((_t42 & 0x00000008) != 0) {
								_t52 = GetSysColor(_t52);
								_t42 = _t55[5];
								_v16.lbColor = _t52;
							}
							if((_t42 & 0x00000004) != 0) {
								SetBkColor(_a8, _t52);
								_t42 = _t55[5];
							}
							if((_t42 & 0x00000010) != 0) {
								_v16.lbStyle = _t55[2];
								if(_t55[3] != 0) {
									DeleteObject(_t55[3]);
								}
								_t55[3] = CreateBrushIndirect( &_v16);
							}
							_t38 = _t55[3];
						}
					}
				}
				return _t38;
			}

0x0040576d
0x0040582e
0x0040582e
0x00405773
0x0040577e
0x00405782
0x00000000
0x0040579c
0x0040579c
0x004057a4
0x00000000
0x004057aa
0x004057aa
0x004057ae
0x004057b7
0x004057b9
0x004057b9
0x004057be
0x004057c4
0x004057c4
0x004057d0
0x004057d6
0x004057d9
0x004057dc
0x004057e1
0x004057ea
0x004057ec
0x004057ef
0x004057ef
0x004057f4
0x004057fa
0x00405800
0x00405800
0x00405805
0x0040580e
0x00405811
0x00405816
0x00405816
0x00405826
0x00405826
0x00405829
0x00405829
0x004057a4
0x00405782
0x00405832

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405778
GetSysColor.USER32 ref: 004057B1
SetTextColor.GDI32(?), ref: 004057C4
SetBkMode.GDI32(?,?), ref: 004057D0
GetSysColor.USER32(?), ref: 004057E4
SetBkColor.GDI32(?,?), ref: 004057FA
DeleteObject.GDI32(?), ref: 00405816
CreateBrushIndirect.GDI32(?), ref: 00405820

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction ID: d6878141ad4b6a1f495ba237af706d2ee8e98f75713b616aff0e98366caa8665
Opcode Fuzzy Hash: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction Fuzzy Hash: 64210775600B059FDB34AF28E94895B7BF8EF05710700CA3AE896A27A1D735EC14CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004056DA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056DA(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t18;
				unsigned int _t22;
				signed int _t28;

				_t18 = SendMessageW(_a4, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t18;
					_v60 = 4;
					SendMessageW(_a4, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t22 = GetMessagePos();
				_v16 = _t22 >> 0x10;
				_v20 = _t22;
				ScreenToClient(_a4,  &_v20);
				_t28 = SendMessageW(_a4, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t18 = _v8;
					goto L4;
				}
				return _t28 | 0xffffffff;
			}

0x004056f3
0x004056f9
0x00405739
0x00405739
0x0040574a
0x00405751
0x00000000
0x00405753
0x004056fb
0x00405708
0x00405712
0x00405715
0x00405729
0x0040572f
0x00405736
0x00000000
0x00405736
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056F3
GetMessagePos.USER32 ref: 004056FB
ScreenToClient.USER32 ref: 00405715
SendMessageW.USER32(?,00001111,00000000,?), ref: 00405729
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405751

Strings

f, xrefs: 0040572B

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction ID: c2e7ed3a8a7ffde0c91d4cd6f33517ea70e65294e07f2b992d5a249d380e7f5b
Opcode Fuzzy Hash: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction Fuzzy Hash: 01014C7190020DBBEB119FA4CC45BEEBBB9EB44720F104226FA51B61E0D7B59A419F54

Uniqueness

Uniqueness Score: -1.00%

Function 00401FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00401FB8(struct HWND__* __edx, intOrPtr _a8, struct HWND__* _a24, intOrPtr _a36, signed char _a48) {
				void* _v12;
				int _t7;
				intOrPtr _t13;
				intOrPtr _t22;
				signed char _t26;
				struct HDC__* _t29;
				void* _t35;

				_t29 = GetDC(__edx);
				_t7 = E00403002(2);
				0x40d908->lfHeight =  ~(MulDiv(_t7, GetDeviceCaps(_t29, 0x5a), 0x48));
				ReleaseDC(_a24, _t29);
				_t13 = E00403002(3);
				_t26 = _a48;
				_push(_a36);
				 *0x40d918 = _t13;
				 *0x40d91f = 1;
				 *0x40d91c = _t26 & 0x00000001;
				_push("Tahoma");
				 *0x40d91d = _t26 & 0x00000002;
				 *0x40d91e = _t26 & 0x00000004;
				E00405EBA();
				_push(CreateFontIndirectW(0x40d908));
				_push(_a8);
				E0040661F();
				_t22 =  *((intOrPtr*)(_t35 + 0x10));
				 *0x435ac8 =  *0x435ac8 + _t22;
				return 0;
			}

0x00401fc1
0x00401fc3
0x00401fe0
0x00401feb
0x00401ff3
0x00401ff9
0x00401ffd
0x00402001
0x0040200a
0x00402011
0x0040201d
0x00402022
0x00402027
0x0040202d
0x00402041
0x00402042
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

GetDC.USER32 ref: 00401FB9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
ReleaseDC.USER32 ref: 00401FEB

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

CreateFontIndirectW.GDI32(0040D908), ref: 00402037

Strings

Tahoma, xrefs: 0040201D

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcat
String ID: Tahoma
API String ID: 4253744674-3580928618
Opcode ID: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction ID: 19ee21ee25b481e0e115610c7b0d21c914cbbc44bdafb393b7f83238122b1e8a
Opcode Fuzzy Hash: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction Fuzzy Hash: 4B01D4B6905340AFD300AFB4AD0AB563FA8ABA9705F10483DF641B71E2C6784709CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 72B31F7B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72B31F7B(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t11;

				_t11 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t11);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t11, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x72b31f92
0x72b31fa0
0x72b31fab
0x72b31fb6
0x72b31fbf
0x72b31fca

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,72B32B4C,00000000,00000808), ref: 72B31F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 72B31F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 72B31FAB
GetProcAddress.KERNEL32(?,00000000), ref: 72B31FB6
GlobalFree.KERNEL32 ref: 72B31FBF

Strings

@hhv, xrefs: 72B31F8C, 72B31FAB

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: @hhv
API String ID: 1148316912-3906349087
Opcode ID: 35f143d4d9fdc8141a3cf0071ab9b8dea710dc91db3b5d090e2819abfb680f5b
Instruction ID: 8fa14290f8f36dd6323653e580ee7b52ff88aba2940d39429408fa751fb5de90
Opcode Fuzzy Hash: 35f143d4d9fdc8141a3cf0071ab9b8dea710dc91db3b5d090e2819abfb680f5b
Instruction Fuzzy Hash: 4CF0C033248118BBC6201AE7DC0CE5BBE7CEB8B6FAB260619F619D21A1C57368008771

Uniqueness

Uniqueness Score: -1.00%

Function 72B310C7 Relevance: 8.9, APIs: 7, Instructions: 162
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72B310C7(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				signed int _t31;
				void* _t32;
				signed int _t34;
				void* _t39;
				void* _t46;
				intOrPtr _t55;
				void* _t59;
				void* _t66;
				void* _t67;
				signed short _t70;
				void* _t71;
				void* _t78;
				signed short _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				signed int _t89;
				void* _t91;
				void _t94;
				void _t95;
				void* _t96;
				void* _t98;
				void* _t100;

				 *0x72b35040 = _a8;
				 *0x72b3503c = _a16;
				 *0x72b35038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x72b35014, E72B3132B, _t85, _t88);
				_t89 =  *0x72b35040 * 0x28;
				_v0 = _t89;
				_t96 = E72B31593();
				_a8 = _t96;
				_t86 = _t96;
				_t70 = _v0 & 0x0000ffff;
				if(_t70 != 0) {
					_t83 = 0xa;
					do {
						_t31 = _t70 & 0x0000ffff;
						_t86 = _t86 + 2;
						_t100 = _t31 - 0x66;
						if(_t100 > 0) {
							_t32 = _t31 - 0x6c;
							if(_t32 == 0) {
								goto L24;
							} else {
								_t39 = _t32 - 4;
								if(_t39 == 0) {
									goto L13;
								} else {
									_t46 = _t39;
									if(_t46 == 0) {
										goto L11;
									} else {
										goto L8;
									}
								}
							}
						} else {
							if(_t100 == 0) {
								_t78 =  *0x72b3503c;
								_t91 =  *_t78;
								 *_t78 =  *_t91;
								_t79 = _v0;
								_t55 =  *((intOrPtr*)(_t79 + 0xc));
								_a12 = _t55;
								if( *((intOrPtr*)(_t91 + 4)) == 0x2691) {
									E72B3132E(_t79, _t91 + 8, 0x38);
									_t79 = _v0;
									_t98 = _t98 + 0xc;
									_t55 = _a12;
								}
								 *((intOrPtr*)(_t79 + 0xc)) = _t55;
								GlobalFree(_t91);
								goto L16;
							} else {
								_t59 = _t31 - 0x46;
								if(_t59 == 0) {
									_t95 = GlobalAlloc(0x40, 8 +  *0x72b35040 * 2);
									 *((intOrPtr*)(_t95 + 4)) = 0x2691;
									_t15 = _t95 + 8; // 0x8
									E72B3132E(_t15, _v0, 0x38);
									 *_t95 =  *( *0x72b3503c);
									 *( *0x72b3503c) = _t95;
									goto L15;
								} else {
									_t66 = _t59 - 6;
									if(_t66 == 0) {
										L24:
										_t33 =  *0x72b35010;
										if( *0x72b35010 != 0) {
											E72B3132E( *0x72b35038, _t33 + 4, _t89);
											_t71 =  *0x72b35010;
											_t98 = _t98 + 0xc;
											 *0x72b35010 =  *_t71;
											GlobalFree(_t71);
											goto L26;
										}
									} else {
										_t67 = _t66 - 4;
										if(_t67 == 0) {
											 *_t86 =  *_t86 + _t83;
											L13:
											GlobalFree(E72B315EB(E72B31548(( *_t86 & 0x0000ffff) - 0x30)));
											_t86 = _t86 + 2;
											goto L26;
										} else {
											_t46 = _t67;
											if(_t46 == 0) {
												 *_t86 =  *_t86 + _t83;
												L11:
												GlobalFree(E72B31638(( *_t86 & 0x0000ffff) - 0x30, E72B31593()));
												_t86 = _t86 + 2;
												goto L16;
											} else {
												L8:
												if(_t46 == 1) {
													_t94 = GlobalAlloc(0x40, _t89 + 4);
													_t11 = _t94 + 4; // 0x4
													E72B3132E(_t11,  *0x72b35038, _v0);
													 *_t94 =  *0x72b35010;
													 *0x72b35010 = _t94;
													L15:
													_t98 = _t98 + 0xc;
													L16:
													_t89 = _v0;
													L26:
													_t83 = 0xa;
												}
											}
										}
									}
								}
							}
						}
						_t34 =  *_t86 & 0x0000ffff;
						_t70 = _t34;
					} while (_t34 != 0);
					_t96 = _a8;
				}
				return GlobalFree(_t96);
			}

0x72b310cd
0x72b310d7
0x72b310e1
0x72b310f5
0x72b310f8
0x72b310ff
0x72b3110e
0x72b31110
0x72b31114
0x72b31116
0x72b3111d
0x72b31129
0x72b3112a
0x72b3112a
0x72b3112d
0x72b31130
0x72b31133
0x72b31260
0x72b31263
0x00000000
0x72b31265
0x72b31265
0x72b31268
0x00000000
0x72b3126e
0x72b3126f
0x72b31272
0x00000000
0x72b31278
0x00000000
0x72b31278
0x72b31272
0x72b31268
0x72b31139
0x72b31139
0x72b31221
0x72b3122c
0x72b31230
0x72b31232
0x72b31235
0x72b31238
0x72b31240
0x72b31249
0x72b3124e
0x72b31251
0x72b31254
0x72b31254
0x72b31259
0x72b3125c
0x00000000
0x72b3113f
0x72b3113f
0x72b31142
0x72b311ec
0x72b311f5
0x72b311f8
0x72b311ff
0x72b3120c
0x72b31213
0x00000000
0x72b31148
0x72b31148
0x72b3114b
0x72b3127d
0x72b3127d
0x72b31284
0x72b31291
0x72b31296
0x72b3129c
0x72b312a2
0x72b312a7
0x00000000
0x72b312a7
0x72b31151
0x72b31151
0x72b31154
0x72b311b5
0x72b311b8
0x72b311cd
0x72b311cf
0x00000000
0x72b31156
0x72b31157
0x72b3115a
0x72b31196
0x72b31199
0x72b311ae
0x72b311b0
0x00000000
0x72b3115c
0x72b3115c
0x72b3115f
0x72b31175
0x72b3117d
0x72b31181
0x72b3118c
0x72b3118e
0x72b31215
0x72b31215
0x72b31218
0x72b31218
0x72b312a9
0x72b312ab
0x72b312ab
0x72b3115f
0x72b3115a
0x72b31154
0x72b3114b
0x72b31142
0x72b31139
0x72b312ac
0x72b312af
0x72b312b1
0x72b312ba
0x72b312ba
0x72b312c5

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 72B3116B
GlobalFree.KERNEL32 ref: 72B311AE
GlobalFree.KERNEL32 ref: 72B311CD
GlobalAlloc.KERNEL32(00000040,?), ref: 72B311E6
GlobalFree.KERNEL32 ref: 72B3125C
GlobalFree.KERNEL32 ref: 72B312A7
GlobalFree.KERNEL32 ref: 72B312BF

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 4dc4da2feaccf46afe5d1dc0d6e70ec48c58677eaab6df8e4b06ec76a9dee37f
Instruction ID: cb467c84eadf5913b167163fa4c7e49e59efb878e9f0dfd4ef19908349503001
Opcode Fuzzy Hash: 4dc4da2feaccf46afe5d1dc0d6e70ec48c58677eaab6df8e4b06ec76a9dee37f
Instruction Fuzzy Hash: A151C5766502019FD722CF6EC980B697BBCFF88344B90592DF986D7252EB35E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00405560 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00405560(signed int __ecx, intOrPtr _a8, signed int _a12, signed int _a16) {
				int _v12;
				char _v80;
				char _v136;
				signed int _t23;
				void* _t26;
				void* _t34;
				void* _t43;
				signed char _t45;
				signed int _t46;
				signed char _t50;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				void* _t59;
				signed int _t61;
				signed int _t63;

				_t23 = _a16;
				_t59 = 0xffffffdc;
				if(_t23 == 0) {
					_t54 = _a12;
					_t61 = _t54;
					asm("sbb ecx, ecx");
					_t43 = 0x14;
					asm("sbb eax, eax");
					_t26 = 0xffffffde;
					_t59 =  <  ? _t26 : _t59 +  ~0x100000;
					_t45 =  >=  ? (__ecx & 0xfffffff6) + _t43 : 0;
					if(_t61 < 0xffff3333) {
						asm("cdq");
						_t53 = 0x14;
						_t54 = _t61 + 1 / _t53;
					}
					_t50 = _t45;
					_t63 = _t54 >> _t50;
					_t51 = 0xa;
					_t46 = ((_t54 & 0x00ffffff) * 0xa >> _t50) % _t51;
				} else {
					_t63 = (_t23 << 0x00000020 | _a12) >> 0x14;
					_t46 = 0;
				}
				_push(_a8);
				_push(0x42bd48);
				E00405EBA();
				_push(0xffffffdf);
				_push( &_v136);
				_push(E00405EBA());
				_push(_t59);
				_t34 = E00405EBA();
				wsprintfW( &(0x42bd48[lstrlenW(0x42bd48)]), L"%u.%u%s%s", _t63, _t46, _t34,  &_v80);
				return SetDlgItemTextW( *0x4349dc, _v12, 0x42bd48);
			}

0x00405560
0x00405570
0x00405573
0x00405584
0x00405590
0x0040559b
0x004055a0
0x004055a7
0x004055af
0x004055b0
0x004055b7
0x004055c0
0x004055cb
0x004055cc
0x004055cf
0x004055cf
0x004055d4
0x004055dc
0x004055e7
0x004055ea
0x00405575
0x0040557c
0x00405580
0x00405580
0x004055ec
0x004055f8
0x004055f9
0x004055fe
0x00405604
0x0040560a
0x0040560b
0x00405611
0x0040562c
0x00405652

APIs

lstrlenW.KERNEL32(Waywort87 Setup: Installing,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,Waywort87 Setup: Installing,?,?,?,?,?), ref: 0040561F
wsprintfW.USER32 ref: 0040562C
SetDlgItemTextW.USER32 ref: 00405643

Strings

Waywort87 Setup: Installing, xrefs: 004055F3, 004055F8, 0040561E, 00405635
%u.%u%s%s, xrefs: 00405619

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Waywort87 Setup: Installing
API String ID: 3540041739-1673848103
Opcode ID: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
Instruction ID: ddca7360d09b2edd05df8fb08f039e75c7842db061d31d06a5ac0fb1d0c25846
Opcode Fuzzy Hash: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
Instruction Fuzzy Hash: 072106337402242BD724A9799C40FAB729DDBC1364F01473AFD6AF31D1E9399C1885A4

Uniqueness

Uniqueness Score: -1.00%

Function 00401EEA Relevance: 7.6, APIs: 5, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401EEA(struct HWND__* __edx, intOrPtr _a16, WCHAR* _a20, signed int _a24, signed int _a28, intOrPtr _a40, signed short _a44, int _a48, signed int _a52, struct tagRECT _a80, signed int _a88, signed int _a92) {
				struct HWND__* _t21;
				signed int _t22;
				signed int _t23;
				void* _t35;
				signed int _t41;
				long _t42;
				intOrPtr _t43;
				int _t53;
				struct HWND__* _t55;

				_t49 = __edx;
				if((_a52 & 0x00000100) == 0) {
					_t21 = GetDlgItem(__edx, _a48);
				} else {
					E00403002(2);
				}
				_t55 = _t21;
				_t22 = _a52;
				_a28 = _t22 & 0x00000004;
				_t53 = _t22 & 0x00000003;
				_t41 = _t22 >> 0x0000001e & 0x00000001;
				_a24 = _t22 >> 0x1f;
				if((_t22 & 0x00010000) == 0) {
					_t23 = _a44 & 0x0000ffff;
				} else {
					_t23 = E0040303E(_t49, 0x11);
				}
				_a20 = _t23;
				GetClientRect(_t55,  &_a80);
				_t33 =  !=  ?  *0x4349f4 : 0;
				_t42 = LoadImageW( !=  ?  *0x4349f4 : 0, _a20, _t53, _a88 * _a24, _a92 * _t41, _a52 & 0x0000fef0);
				_t35 = SendMessageW(_t55, 0x172, _t53, _t42);
				if(_t35 != 0 && _t53 == 0) {
					DeleteObject(_t35);
				}
				if(_a40 >= 0) {
					_push(_t42);
					E0040661F();
				}
				_t43 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t43;
				return 0;
			}

0x00401eea
0x00401ef2
0x00401f03
0x00401ef4
0x00401ef6
0x00401efb
0x00401f09
0x00401f0b
0x00401f19
0x00401f21
0x00401f27
0x00401f2a
0x00401f33
0x00401f3e
0x00401f35
0x00401f37
0x00401f37
0x00401f43
0x00401f4d
0x00401f7a
0x00401f88
0x00401f92
0x00401f9a
0x00401fa1
0x00401fa1
0x00401fac
0x00401fb2
0x004016b7
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

GetDlgItem.USER32 ref: 00401F03
GetClientRect.USER32 ref: 00401F4D
LoadImageW.USER32 ref: 00401F82
SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
Instruction ID: 799bb538699f0f6bb00644a204e03bb935fb5af8a8b8547909695eab986b8c59
Opcode Fuzzy Hash: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
Instruction Fuzzy Hash: 2A218072609302AFD340DF64DD85A6BB7E8EB88305F04093EF945E62A1D678DD40DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401DBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401DBA(void* _a8, struct HWND__* _a12, intOrPtr _a16, struct HWND__* _a20, long _a28, void* _a32, intOrPtr _a36, intOrPtr _a56, signed int _a60) {
				signed char _t23;
				void* _t25;
				long _t26;
				int _t30;
				long _t34;
				intOrPtr _t35;
				int _t47;
				void* _t48;
				int _t52;
				void* _t53;
				int _t55;
				void* _t57;

				_t52 = E00403002(3);
				_a20 = _t52;
				_t34 = E00403002(4);
				_t23 = _a60;
				if((_t23 & 0x00000001) != 0) {
					__esi = E0040303E(__edx, 0x33);
					_a16 = __esi;
				}
				if((_t23 & 0x00000002) != 0) {
					_t34 = E0040303E(_t48, 0x44);
				}
				_push(1);
				if(_a36 != 0x21) {
					_t53 = E0040303E(_t48);
					_t25 = E0040303E(_t48);
					_t41 =  !=  ? _t25 : 0;
					_t43 =  !=  ? _t53 : 0;
					_t26 = FindWindowExW(_a12, _t34,  !=  ? _t53 : 0,  !=  ? _t25 : 0);
					goto L12;
				} else {
					_a20 = E00403002();
					_t30 = E00403002(2);
					_t47 = _a60 >> 2;
					if(_t47 == 0) {
						_t26 = SendMessageW(_a20, _t30, _t52, _t34);
						L12:
						_a28 = _t26;
					} else {
						SendMessageTimeoutW(_a20, _t30, _t52, _t34, _t55, _t47,  &_a28);
						asm("sbb ebx, ebx");
						_t26 = _a28;
						_a16 = _t34 + 1;
					}
				}
				if( *((intOrPtr*)(_t57 + 0x28)) >= _t55) {
					_push(_t26);
					E0040661F();
				}
				_t35 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t35;
				return 0;
			}

0x00401dc1
0x00401dc5
0x00401dce
0x00401dd0
0x00401dd8
0x00401de1
0x00401de7
0x00401de7
0x00401ded
0x00401df6
0x00401df6
0x00401dfd
0x00401dff
0x00401e57
0x00401e59
0x00401e63
0x00401e6c
0x00401e75
0x00000000
0x00401e01
0x00401e08
0x00401e0c
0x00401e17
0x00401e1c
0x00401e48
0x00401e7b
0x00401e7b
0x00401e1e
0x00401e2c
0x00401e34
0x00401e36
0x00401e3b
0x00401e3b
0x00401e1c
0x00401e83
0x00401afd
0x004016b7
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

SendMessageTimeoutW.USER32 ref: 00401E2C
SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48

Strings

!, xrefs: 00401DF8

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction ID: 1d489b1cab37c72f7a9fe7ae17229530812e46ff9257658ed8c6d6ee4a6b2e26
Opcode Fuzzy Hash: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction Fuzzy Hash: 4F21F471609301AFE714AF21C886A2FBBE8EF84755F00093FF585A61E0D6B99D05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 72B31F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E72B31F1E(intOrPtr _a4, WCHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				WCHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x72b340d8 : L"error";
					lstrcpyW(_t21,  ==  ? 0x72b340d8 : L"error");
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1c98));
					if(( *(_t11 + 0x1010) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x100c)) + 1));
					}
					_t21 = _a8;
					wsprintfW(_t21, L"callback%d", _t19);
				}
				return _t21;
			}

0x72b31f1e
0x72b31f29
0x72b31f5c
0x72b31f6c
0x72b31f71
0x72b31f2b
0x72b31f35
0x72b31f3b
0x72b31f43
0x72b31f43
0x72b31f46
0x72b31f51
0x72b31f57
0x72b31f7a

APIs

wsprintfW.USER32 ref: 72B31F51
lstrcpyW.KERNEL32 ref: 72B31F71

Strings

error, xrefs: 72B31F67, 72B31F6F
callback%d, xrefs: 72B31F4B

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: ca85d87ae7e90b772a688c0cebe2f1a2a54446daee7bb070547f9dc21da72d80
Instruction ID: 625d4a73b5a8776260e43a99e1778905f2d5262fce893eb6484b4c99e5518d5e
Opcode Fuzzy Hash: ca85d87ae7e90b772a688c0cebe2f1a2a54446daee7bb070547f9dc21da72d80
Instruction Fuzzy Hash: AAF01C35314110AFD7068B08D988EBA73BAEFCA354F5585ACFD4ADB212CB74EC449B91

Uniqueness

Uniqueness Score: -1.00%

Function 00406556 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406556(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x4092b0);
				}
				return _t9;
			}

0x00406557
0x00406565
0x00406566
0x00406571
0x00406579
0x00406579
0x00406582

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CC3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,766DFAA0,004039C2), ref: 0040655C
CharPrevW.USER32(?,00000000), ref: 00406567
lstrcatW.KERNEL32(?,004092B0), ref: 00406579

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406556

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction ID: 519304617d09d62b109db9489078dc762d93bb7b848864bf6502fc90c90d6087
Opcode Fuzzy Hash: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction Fuzzy Hash: 3BD05E31502521BBC7029B64AD08D9B7BBCEF46301301446AFA41B3165C7745D41C7ED

Uniqueness

Uniqueness Score: -1.00%

Function 72B31CC7 Relevance: 6.2, APIs: 4, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E72B31CC7(signed int __edx, signed int _a8, void* _a16) {
				intOrPtr _v8;
				char _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				void* _t28;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t41;
				signed int _t42;
				signed int _t43;
				void* _t44;
				signed int _t45;
				signed int _t46;
				signed int _t47;
				signed int _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t57;
				signed int _t64;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t73;
				void* _t74;
				signed int _t76;
				void* _t83;
				void* _t85;
				signed int _t87;
				signed int _t90;
				void* _t95;

				_t71 = __edx;
				asm("xorps xmm0, xmm0");
				 *0x72b35040 = _a8;
				 *0x72b3503c = _a16;
				asm("movlpd [esp+0x10], xmm0");
				_t28 = E72B31593();
				_push(_t28);
				_v56 = _t28;
				_t76 = E72B3135A();
				_t64 = _t71;
				_t83 = E72B31593();
				_a16 = _t83;
				_t72 = 0x21;
				_t68 =  *_t83 & 0x0000ffff;
				_t31 = _t68;
				_a8 = _t31;
				if(_t68 == 0x7e) {
					L3:
					_t69 = _v60;
					_t87 = _v64;
					L4:
					_t32 = _t31 & 0x0000ffff;
					_t73 = 0x2f;
					_t95 = _t32 - _t73;
					if(_t95 > 0) {
						_t74 = 0x3c;
						_t33 = _t32 - _t74;
						__eflags = _t33;
						if(_t33 == 0) {
							__eflags =  *((intOrPtr*)(_t83 + 2)) - _t74;
							if( *((intOrPtr*)(_t83 + 2)) != _t74) {
								__eflags = _t64 - _t69;
								if(__eflags > 0) {
									L18:
									asm("xorps xmm0, xmm0");
									asm("movlpd [esp+0x10], xmm0");
									_t76 = _v64;
									_t64 = _v60;
									L19:
									_push( &_v52);
									_push(_t64);
									_push(_t76);
									E72B3149E(_t69);
									E72B315EB( &_v52);
									GlobalFree(_v56);
									return GlobalFree(_t83);
								}
								if(__eflags < 0) {
									L57:
									_t76 = 1;
									_t64 = 0;
									goto L19;
								}
								__eflags = _t76 - _t87;
								if(_t76 >= _t87) {
									goto L18;
								}
								goto L57;
							}
							_t73 = _t64;
							_t69 = _t87;
							_t41 = E72B331E0(_t76, _t87, _t73);
							L53:
							_t76 = _t41;
							_t64 = _t73;
							goto L19;
						}
						_t42 = _t33 - 1;
						__eflags = _t42;
						if(_t42 == 0) {
							__eflags = _t76 - _t87;
							if(_t76 != _t87) {
								goto L18;
							}
							__eflags = _t64 - _t69;
							L22:
							if(__eflags != 0) {
								goto L18;
							}
							goto L57;
						}
						_t43 = _t42 - 1;
						__eflags = _t43;
						if(_t43 == 0) {
							_t44 = 0x3e;
							__eflags =  *((intOrPtr*)(_t83 + 2)) - _t44;
							if( *((intOrPtr*)(_t83 + 2)) != _t44) {
								__eflags = _t64 - _t69;
								if(__eflags < 0) {
									goto L18;
								}
								if(__eflags > 0) {
									goto L57;
								}
								__eflags = _t76 - _t87;
								if(_t76 <= _t87) {
									goto L18;
								}
								goto L57;
							}
							__eflags =  *((intOrPtr*)(_t83 + 4)) - _t44;
							_t73 = _t64;
							_t69 = _t87;
							_t45 = _t76;
							if( *((intOrPtr*)(_t83 + 4)) != _t44) {
								_t41 = E72B33200(_t45, _t69, _t73);
							} else {
								_t41 = E72B33230(_t45, _t69, _t73);
							}
							goto L53;
						}
						_t46 = _t43 - 0x20;
						__eflags = _t46;
						if(_t46 == 0) {
							_t76 = _t76 ^ _t87;
							_t64 = _t64 ^ _t69;
							goto L19;
						}
						_t47 = _t46 - 0x1e;
						__eflags = _t47;
						if(_t47 == 0) {
							__eflags =  *((short*)(_t83 + 2)) - 0x7c;
							if( *((short*)(_t83 + 2)) != 0x7c) {
								_t76 = _t76 | _t87;
								_t64 = _t64 | _t69;
								goto L19;
							}
							__eflags = _t76 | _t64;
							if((_t76 | _t64) != 0) {
								goto L57;
							}
							L17:
							__eflags = _t87 | _t69;
							if((_t87 | _t69) != 0) {
								goto L57;
							}
							goto L18;
						}
						__eflags = _t47 == 0;
						if(_t47 == 0) {
							_t76 =  !_t76;
							_t64 =  !_t64;
						}
						goto L19;
					}
					if(_t95 == 0) {
						L24:
						__eflags = _t87 | _t69;
						if((_t87 | _t69) != 0) {
							_push(_t69);
							_push(_t87);
							_push(_t64);
							_push(_t76);
							_t52 = E72B33100();
							_t90 = _t64;
							_t76 = _t52;
							_t64 = _t73;
							_t73 = 0x2f;
						} else {
							asm("xorps xmm0, xmm0");
							_t69 = _t76;
							asm("movlpd [esp+0x10], xmm0");
							_t90 = _t64;
							_t64 = _v60;
							_t76 = _v64;
						}
						__eflags = _v8 - _t73;
						if(_v8 != _t73) {
							_t76 = _t69;
							_t64 = _t90;
						}
						goto L19;
					}
					_t53 = _t32 - 0x21;
					if(_t53 == 0) {
						__eflags = _t76 | _t64;
						goto L22;
					}
					_t54 = _t53 - 4;
					if(_t54 == 0) {
						goto L24;
					}
					_t55 = _t54 - 1;
					if(_t55 == 0) {
						__eflags =  *((short*)(_t83 + 2)) - 0x26;
						if( *((short*)(_t83 + 2)) != 0x26) {
							_t76 = _t76 & _t87;
							_t64 = _t64 & _t69;
							goto L19;
						}
						__eflags = _t76 | _t64;
						if((_t76 | _t64) == 0) {
							goto L18;
						}
						goto L17;
					}
					_t56 = _t55 - 4;
					if(_t56 == 0) {
						_t41 = E72B33020(_t76, _t64, _t87, _t69);
						goto L53;
					} else {
						_t57 = _t56 - 1;
						if(_t57 == 0) {
							_t76 = _t76 + _t87;
							asm("adc ebx, ecx");
						} else {
							if(_t57 == 0) {
								_t76 = _t76 - _t87;
								asm("sbb ebx, ecx");
							}
						}
						goto L19;
					}
				}
				_a8 = _t31;
				if(_t68 == _t72) {
					goto L3;
				} else {
					_t85 = E72B31593();
					_push(_t85);
					_t87 = E72B3135A();
					_v64 = _t72;
					GlobalFree(_t85);
					_t83 = _a16;
					_t69 = _v64;
					_t31 =  *_t83 & 0x0000ffff;
					_a8 = _t31;
					goto L4;
				}
			}

0x72b31cc7
0x72b31cce
0x72b31cd4
0x72b31cde
0x72b31ce3
0x72b31ce9
0x72b31cee
0x72b31cef
0x72b31cf9
0x72b31cfb
0x72b31d02
0x72b31d06
0x72b31d0a
0x72b31d0b
0x72b31d0e
0x72b31d10
0x72b31d17
0x72b31d4e
0x72b31d4e
0x72b31d52
0x72b31d56
0x72b31d58
0x72b31d5b
0x72b31d5c
0x72b31d5e
0x72b31e4c
0x72b31e4d
0x72b31e4d
0x72b31e4f
0x72b31ee8
0x72b31eec
0x72b31f02
0x72b31f04
0x72b31dbe
0x72b31dbe
0x72b31dc1
0x72b31dc7
0x72b31dcb
0x72b31dcf
0x72b31dd3
0x72b31dd4
0x72b31dd5
0x72b31dd6
0x72b31de0
0x72b31df2
0x72b31dfe
0x72b31dfe
0x72b31f0a
0x72b31f14
0x72b31f16
0x72b31f17
0x00000000
0x72b31f17
0x72b31f0c
0x72b31f0e
0x00000000
0x00000000
0x00000000
0x72b31f0e
0x72b31ef0
0x72b31ef2
0x72b31ef4
0x72b31ef9
0x72b31ef9
0x72b31efb
0x00000000
0x72b31efb
0x72b31e55
0x72b31e55
0x72b31e58
0x72b31ed9
0x72b31edb
0x00000000
0x00000000
0x72b31ee1
0x72b31e07
0x72b31e07
0x00000000
0x00000000
0x00000000
0x72b31e09
0x72b31e5a
0x72b31e5a
0x72b31e5d
0x72b31ea4
0x72b31ea5
0x72b31ea9
0x72b31ec5
0x72b31ec7
0x00000000
0x00000000
0x72b31ecd
0x00000000
0x00000000
0x72b31ecf
0x72b31ed1
0x00000000
0x00000000
0x00000000
0x72b31ed7
0x72b31eab
0x72b31eaf
0x72b31eb1
0x72b31eb3
0x72b31eb5
0x72b31ebe
0x72b31eb7
0x72b31eb7
0x72b31eb7
0x00000000
0x72b31eb5
0x72b31e5f
0x72b31e5f
0x72b31e62
0x72b31e99
0x72b31e9b
0x00000000
0x72b31e9b
0x72b31e64
0x72b31e64
0x72b31e67
0x72b31e7c
0x72b31e81
0x72b31e90
0x72b31e92
0x00000000
0x72b31e92
0x72b31e83
0x72b31e85
0x00000000
0x00000000
0x72b31db6
0x72b31db6
0x72b31db8
0x00000000
0x00000000
0x00000000
0x72b31db8
0x72b31e6a
0x72b31e6d
0x72b31e73
0x72b31e75
0x72b31e75
0x00000000
0x72b31e6d
0x72b31d64
0x72b31e0e
0x72b31e10
0x72b31e12
0x72b31e2b
0x72b31e2c
0x72b31e2d
0x72b31e2e
0x72b31e2f
0x72b31e34
0x72b31e36
0x72b31e3a
0x72b31e3c
0x72b31e14
0x72b31e14
0x72b31e17
0x72b31e19
0x72b31e1f
0x72b31e21
0x72b31e25
0x72b31e25
0x72b31e3d
0x72b31e42
0x72b31e44
0x72b31e46
0x72b31e46
0x00000000
0x72b31e42
0x72b31d6a
0x72b31d6d
0x72b31e05
0x00000000
0x72b31e05
0x72b31d73
0x72b31d76
0x00000000
0x00000000
0x72b31d7c
0x72b31d7f
0x72b31dab
0x72b31db0
0x72b31dff
0x72b31e01
0x00000000
0x72b31e01
0x72b31db2
0x72b31db4
0x00000000
0x00000000
0x00000000
0x72b31db4
0x72b31d81
0x72b31d84
0x72b31da1
0x00000000
0x72b31d86
0x72b31d86
0x72b31d89
0x72b31d97
0x72b31d99
0x72b31d8b
0x72b31d8f
0x72b31d91
0x72b31d93
0x72b31d93
0x72b31d8f
0x00000000
0x72b31d89
0x72b31d84
0x72b31d19
0x72b31d20
0x00000000
0x72b31d22
0x72b31d27
0x72b31d29
0x72b31d31
0x72b31d33
0x72b31d37
0x72b31d3d
0x72b31d41
0x72b31d45
0x72b31d48
0x00000000
0x72b31d48

APIs

GlobalFree.KERNEL32 ref: 72B31D37
GlobalFree.KERNEL32 ref: 72B31DF2
GlobalFree.KERNEL32 ref: 72B31DF5
__alldvrm.LIBCMT ref: 72B31E2F

Memory Dump Source

Source File: 00000001.00000002.815605546.0000000072B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 72B30000, based on PE: true

Associated: 00000001.00000002.815592077.0000000072B30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815613549.0000000072B34000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.815627139.0000000072B36000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72b30000_Ta62k9weDV.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: 77811771bf0f6cc42dc256d7cb98bccf37fd6d36e74037b04943c9d921d56d01
Instruction ID: b4c6adac4e9aaa9ae09289e873088ca6989b6e443ed7e9bd42e1d077787fbc2c
Opcode Fuzzy Hash: 77811771bf0f6cc42dc256d7cb98bccf37fd6d36e74037b04943c9d921d56d01
Instruction Fuzzy Hash: D651D8726343154BD3079E7DC98057A76FEEBCA304BD0A92DE043C7247FAB289958251

Uniqueness

Uniqueness Score: -1.00%

Function 0040285F Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040285F(intOrPtr* __edi, void* __ebp, void* _a12, signed int _a20, intOrPtr _a36, void* _a44, intOrPtr _a48, void* _a72, intOrPtr _a80) {
				void* _v4;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr* _t31;
				void* _t33;
				int _t36;
				void* _t40;
				void* _t42;

				_t40 = __ebp;
				_t31 = __edi;
				_t29 = _a36;
				_t30 = _a48;
				_a80 = _t30;
				_t27 = 1;
				_a20 = 0 | _t29 == 0x00000038;
				if(_t30 == 0) {
					if(_t29 != 0x38) {
						_t36 = lstrlenW(E0040303E(_t30, 0x11)) + _t15;
					} else {
						E0040303E(_t30, 0x21);
						E00406469("C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp", 0x40b908, 0x400);
						_t42 = _t42 + 0xc;
						_t36 = lstrlenA(0x40b908);
					}
				} else {
					 *0x40b908 = E00403002(1);
					_pop(_t29);
					_t36 = (_a20 ^ 1) + 1;
				}
				if( *_t31 != _t40) {
					_t33 = E00406C25(_t31);
					if(( *(_t42 + 0x14) |  *(_t42 + 0x50)) != 0 ||  *((intOrPtr*)(_t42 + 0x34)) == _t40 || E00406484(_t33, _t33) >= 0) {
						if(E00406A0B(_t29, _t33, ?str?, _t36) != 0) {
							_t27 =  *((intOrPtr*)(_t42 + 0x10));
						}
					}
				}
				 *0x435ac8 =  *0x435ac8 + _t27;
				return 0;
			}

0x0040285f
0x0040285f
0x0040285f
0x00402865
0x0040286c
0x0040287a
0x0040287b
0x00402881
0x0040289c
0x004028d2
0x0040289e
0x004028a0
0x004028b0
0x004028b5
0x004028bf
0x004028bf
0x00402883
0x0040288f
0x00402895
0x00402896
0x00402896
0x004028d7
0x004028e3
0x004028ed
0x00402912
0x00402ea1
0x00402ea1
0x00402912
0x004028ed
0x00402ea5
0x00402eb7

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll), ref: 004028B9

Strings

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 00402870, 0040288F, 004028AA, 004028B8, 00402905
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp, xrefs: 004028AB

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp$C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll
API String ID: 1659193697-1157869534
Opcode ID: 76a2946e9aa7d140166730b6d7970edbf635fa779fa0885824462093d2e607dc
Instruction ID: 711803fd364401e957546549a979f7dfd5371b874df28eda27acfe343a1b9a3f
Opcode Fuzzy Hash: 76a2946e9aa7d140166730b6d7970edbf635fa779fa0885824462093d2e607dc
Instruction Fuzzy Hash: 9A112676A443116BD310AB618A8992FB7E4AF84354F15453FF905F31C1D7FC980183AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402077 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402077(intOrPtr _a8, signed char _a28, intOrPtr _a32, char _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char* _a80, signed char _a84, void* _a104, void* _a108) {
				void* _v12;
				intOrPtr _t19;
				void* _t31;
				void* _t37;
				void* _t38;
				void* _t42;

				_t31 = E0040303E(_t37, _t42);
				_t19 = E0040303E(_t37, 0x31);
				_t38 = E0040303E(_t37, 0x22);
				E0040303E(_t37, 0x15);
				E00405D3A(0xffffffec, "C:\Users\alfons\AppData\Local\Temp\nsb72B8.tmp\System.dll");
				_a64 = _a8;
				_a60 = _a32;
				_a84 = _a28;
				_a72 = _t19;
				_t25 =  !=  ? _t31 : 0;
				_a68 =  !=  ? _t31 : 0;
				_a80 = L"C:\\Users\\alfons\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
				_t27 =  !=  ? _t38 : 0;
				_a76 =  !=  ? _t38 : 0;
				if(E004069F3( &_a56) != 0) {
					if((_a84 & 0x00000040) != 0) {
						E00406514(__ecx,  *((intOrPtr*)(__esp + 0x88)));
						_push( *((intOrPtr*)(__esp + 0x88)));
						CloseHandle();
					}
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x0040207f
0x00402081
0x00402091
0x00402093
0x0040209f
0x004020ac
0x004020b2
0x004020ba
0x004020c1
0x004020c5
0x004020c8
0x004020d1
0x004020d9
0x004020dc
0x004020ec
0x004020f7
0x00402104
0x00402109
0x00402110
0x00402110
0x00402ea1
0x00402ea5
0x00402eb7

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32 ref: 00406548

CloseHandle.KERNEL32(?,?), ref: 00402110

Strings

@, xrefs: 004020F2
C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll, xrefs: 00402098
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 004020D1

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
String ID: @$C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane
API String ID: 4079680657-3493806009
Opcode ID: 8083aaef74757542c6ffbf2f548fe58a23a890bf1e441e1445bba5dd78c4c14f
Instruction ID: 7c7d4bc9f8110f395c3ef373be7a4f0c936d35dff6000358c7303bcbf620d08d
Opcode Fuzzy Hash: 8083aaef74757542c6ffbf2f548fe58a23a890bf1e441e1445bba5dd78c4c14f
Instruction Fuzzy Hash: 47118F716083809BC310AF61C98561BBBE5BF84349F00493EF595E72D1DBBC8845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403389 Relevance: 6.0, APIs: 4, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403389(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x40d970 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x435a00) {
							_t3 = CreateDialogParamW( *0x4349f4, 0x6f, 0, E0040364F, 0);
							 *0x40d970 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040620F(0);
					}
				} else {
					_t6 =  *0x40d970; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x40d970 =  *0x40d970 & 0x00000000;
					return _t6;
				}
			}

0x0040338e
0x004033af
0x004033b9
0x004033c5
0x004033d8
0x004033e1
0x00000000
0x004033e6
0x004033ec
0x004033b1
0x004033b8
0x004033b8
0x00403390
0x00403390
0x00403397
0x0040339a
0x0040339a
0x004033a0
0x004033a7
0x004033a7

APIs

DestroyWindow.USER32(00000000,00403579), ref: 0040339A
GetTickCount.KERNEL32 ref: 004033B9
CreateDialogParamW.USER32 ref: 004033D8
ShowWindow.USER32(00000000,00000005), ref: 004033E6

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction ID: 0c7035cfe5d59141003efccf1163e7ed1ec08c4572f7111a89f6d0b07e944292
Opcode Fuzzy Hash: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction Fuzzy Hash: 87F098B0981300BBEB24AF60EE4DB5A3AB8B744B03F800979F505B51E1DB795955DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 004058D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004058D0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t8;
				int _t11;
				int _t15;
				long _t16;

				_t16 = _a16;
				_t15 = _a8;
				_t8 = _t15;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						__eflags = _t8 - 0x419;
						if(_t8 != 0x419) {
							L9:
							return CallWindowProcW( *0x42dd64, _a4, _t15, _a12, _t16);
						}
						L7:
						__eflags =  *0x42ed68 - _t16; // 0x0
						if(__eflags != 0) {
							_push(_t16);
							_push(6);
							 *0x42ed68 = _t16;
							E004054B6();
						}
						goto L9;
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						goto L9;
					}
					_t16 = E004056DA(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L9;
				}
				E004054E8(0x413);
				return 0;
			}

0x004058d4
0x004058d8
0x004058db
0x004058e3
0x004058f9
0x004058ff
0x00405921
0x00405926
0x0040593e
0x00000000
0x0040594c
0x00405928
0x00405928
0x0040592e
0x00405930
0x00405931
0x00405933
0x00405939
0x00405939
0x00000000
0x0040592e
0x00405904
0x0040590a
0x0040590c
0x00000000
0x00000000
0x00405918
0x0040591a
0x00000000
0x0040591a
0x004058e9
0x00000000
0x00000000
0x004058f0
0x00000000

APIs

IsWindowVisible.USER32 ref: 00405904
CallWindowProcW.USER32(?,?,?,?), ref: 0040594C

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Strings

, xrefs: 004058E5

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction ID: 06e031647f3a40a893da8a12316d751141f27423df1ca697d7c88d312f012a23
Opcode Fuzzy Hash: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction Fuzzy Hash: 64018F72A00609FBEF305F51ED44A9B3A2AEB54760F104437F904B61E1C2798892DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405864 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00405864(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x435a28;
				_t10 =  *0x435a2c;
				__imp__OleInitialize(0);
				 *0x435a60 =  *0x435a60 | __eax;
				E004054E8(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					do {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) == 0) {
							goto L4;
						} else {
							_push(_v0);
							if(E00401399( *_t12) != 0) {
								 *0x435acc =  *0x435acc + 1;
							} else {
								goto L4;
							}
						}
						goto L7;
						L4:
						_t12 = _t12 + 0x818;
					} while (_t10 != 0);
				}
				L7:
				E004054E8(0x404);
				__imp__OleUninitialize();
				return  *0x435acc;
			}

0x00405865
0x0040586c
0x00405874
0x0040587a
0x00405882
0x00405889
0x0040588b
0x0040588e
0x0040588e
0x00405893
0x00000000
0x00405895
0x00405895
0x004058a2
0x004058b0
0x00000000
0x00000000
0x00000000
0x004058a2
0x00000000
0x004058a4
0x004058a4
0x004058aa
0x004058ae
0x004058b6
0x004058bb
0x004058c0
0x004058cd

APIs

OleInitialize.OLE32(00000000), ref: 00405874

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

OleUninitialize.OLE32(00000404,00000000), ref: 004058C0

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Waywort87 Setup: Installing, xrefs: 00405864

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Waywort87 Setup: Installing
API String ID: 1011633862-679012682
Opcode ID: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction ID: 6162ea9da32c9538b6d8593dc8e66a114e5892011aec6599076d88f80df4c0eb
Opcode Fuzzy Hash: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction Fuzzy Hash: C5F0FA33500A009AF711B715AC02B6B73A8EB84705F08813EEE48A22A2E77948409B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040620F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620F(int _a4) {
				struct tagMSG _v32;
				int _t6;

				while(1) {
					_t2 =  &_a4; // 0x403579
					_t6 = PeekMessageW( &_v32, 0, _a4,  *_t2, 1);
					if(_t6 == 0) {
						break;
					}
					DispatchMessageW( &_v32);
				}
				return _t6;
			}

0x00406221
0x00406223
0x0040622f
0x00406237
0x00000000
0x00000000
0x0040621b
0x0040621b
0x0040623a

APIs

DispatchMessageW.USER32 ref: 0040621B
PeekMessageW.USER32 ref: 0040622F

Strings

y5@, xrefs: 00406223

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: Message$DispatchPeek
String ID: y5@
API String ID: 1770753511-1888225771
Opcode ID: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction ID: a24ec92ef1b44bd1206bcd030c3399a913cbf723d0e0f52077422d22942c0190
Opcode Fuzzy Hash: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction Fuzzy Hash: 41D0127194020ABBEF10AFE0DD09F9A7B6CAB54744F008475B701B5091D678D5258B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406D10(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t8;

				_t8 = _a4;
				_t5 =  &(_t8[lstrlenW(_t8)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t8);
					_t5 = CharPrevW();
					if(_t5 > _t8) {
						continue;
					}
					break;
				}
				 *_t5 = 0;
				return  &(_t5[1]);
			}

0x00406d11
0x00406d1c
0x00406d1f
0x00406d25
0x00406d26
0x00406d27
0x00406d2f
0x00000000
0x00000000
0x00000000
0x00406d2f
0x00406d33
0x00406d3a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403458,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ta62k9weDV.exe,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 00406D16
CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D27

Strings

C:\Users\user\Desktop, xrefs: 00406D10

Memory Dump Source

Source File: 00000001.00000002.814729829.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.814725104.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814737772.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814744085.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814770222.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814774644.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814779493.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814784483.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814792098.0000000000462000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814796093.0000000000464000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.814895301.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction ID: 44824fea6f3b9252f25675ab164e3effdf97f7511deaacd8752cc1a9fc297a0b
Opcode Fuzzy Hash: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction Fuzzy Hash: CBD05E31102531ABCB126B18DC059AF77B8EF41300306886AE542E7164C7785D92CBAD

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ta62k9weDV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsb72B8.tmp\System.dll

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Ambulatoriums\Nrbutik\Cowbanes\GdkWin32-3.0.typelib

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Azotes\Undfangelsestidspunktet\Semicrepe79\Bouchon.Tft

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\checkbox_unchecked_disabled.png

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\emblem-shared-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\face-devilish.png

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\input-gaming-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\power-profile-performance-symbolic.symbolic.png

C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\system-help.png

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
Ta62k9weDV.exe

Function 004036FC Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Function 72B32351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19
fileCOMMON

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A3E Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 38.9, APIs: 18, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Function 004033ED Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 178
memoryCOMMON

Function 00405EBA Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166
fileCOMMON

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82
registryCOMMON

Function 72B3167A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123
COMMON

Function 0040225D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
libraryCOMMON

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00406977 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Function 72B31A4A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
memoryCOMMON

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Function 004066D6 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Function 0040691B Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00406B9D Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 72B32D14 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Function 004025AC Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Function 00402566 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Function 00402AF5 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON