Windows Analysis Report
Ta62k9weDV.exe

Overview

General Information

Sample Name: Ta62k9weDV.exe
Analysis ID: 717105
MD5: d68ce542ec367e67f667b75d491cf032
SHA1: 5833c8f3b5c907236e2ca2734b99d9bd0f1a5a36
SHA256: b65f37c2f7def47bd57ae2837b9c422113da608c3b37a80f62e0332fb717546f

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected GuLoader
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
PE file does not import any functions
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found evaded block containing many API calls
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • Ta62k9weDV.exe (PID: 7044 cmdline: C:\Users\user\Desktop\Ta62k9weDV.exe MD5: D68CE542EC367E67F667B75D491CF032)
    • Ta62k9weDV.exe (PID: 7680 cmdline: C:\Users\user\Desktop\Ta62k9weDV.exe MD5: D68CE542EC367E67F667B75D491CF032)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
00000003.00000000.30660739923.0000000001660000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000003.00000002.35517977177.0000000001660000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
            No Sigma rule has matched
            No Snort rule has matched

            AV Detection

            Source: Ta62k9weDV.exe ReversingLabs: Detection: 80%
            Source: Ta62k9weDV.exe Virustotal: Detection: 51%
            Source: Ta62k9weDV.exe Avira: detected
            Source: Ta62k9weDV.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fortrdelsers\Jrks\Glanslseste\Hingstens
            Source: Ta62k9weDV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: f:\bluetooth8.0.1.57\sw\src\WIN8_Mainline\ExtArch\Bin\x64\Release\BtvStack.pdb source: BtvStack.exe.1.dr
            Source: Binary string: mshtml.pdb source: Ta62k9weDV.exe, 00000003.00000001.30662784215.0000000000649000.00000008.00000001.01000000.00000006.sdmp
            Source: Binary string: mshtml.pdbUGP source: Ta62k9weDV.exe, 00000003.00000001.30662784215.0000000000649000.00000008.00000001.01000000.00000006.sdmp
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ValueTuple\net6.0-Release\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_00402B75 FindFirstFileW,1_2_00402B75
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00406719
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_004065CF FindFirstFileW,FindClose,1_2_004065CF
            Source: global traffic TCP traffic: 192.168.11.20:49836 -> 146.70.79.5:80
            Source: unknown TCP traffic detected without corresponding DNS query: 146.70.79.5
            Source: Ta62k9weDV.exe, 00000003.00000002.35518905883.000000000182F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.79.5/
            Source: Ta62k9weDV.exe, 00000003.00000002.35518290513.00000000017D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://146.70.79.5/UDoLIkVzxMSpy103.fla
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
            Source: Ta62k9weDV.exe, 00000003.00000001.30662784215.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
            Source: Ta62k9weDV.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error...
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: http://www.avast.com0/
            Source: lang-1042.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
            Source: Ta62k9weDV.exe, 00000003.00000001.30662784215.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
            Source: Ta62k9weDV.exe, 00000003.00000001.30662603290.0000000000626000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
            Source: Ta62k9weDV.exe, 00000003.00000001.30662337606.00000000005F2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
            Source: Ta62k9weDV.exe, 00000003.00000001.30662337606.00000000005F2000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
            Source: System.ValueTuple.dll.1.dr String found in binary or memory: https://github.com/dotnet/runtime
            Source: Ta62k9weDV.exe, 00000003.00000001.30662784215.0000000000649000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
            Source: Ta62k9weDV.exe, 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp, lang-9999.dll.1.dr, lang-1042.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_00404B30 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404B30
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_004036FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,1_2_004036FC
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Windows\resources\0409
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B737BA NtAllocateVirtualMemory,1_2_02B737BA
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B76918 NtResumeThread,1_2_02B76918
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B75A36 NtResumeThread,1_2_02B75A36
            Source: lang-9999.dll.1.dr Static PE information: No import functions for PE file found
            Source: lang-1042.dll.1.dr Static PE information: No import functions for PE file found
            Source: Ta62k9weDV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: BtvStack.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Section loaded: edgegdi.dll
            Source: Ta62k9weDV.exe Static PE information: invalid certificate
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File read: C:\Users\user\Desktop\Ta62k9weDV.exe
            Source: Ta62k9weDV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\Ta62k9weDV.exe C:\Users\user\Desktop\Ta62k9weDV.exe
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Process created: C:\Users\user\Desktop\Ta62k9weDV.exe C:\Users\user\Desktop\Ta62k9weDV.exe
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Roaming\Bipersoner
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Local\Temp\nsw1664.tmp
            Source: classification engine Classification label: mal80.troj.evad.winEXE@3/14@0/1
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_0040234F CoCreateInstance,1_2_0040234F
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_00404085 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,1_2_00404085

            Data Obfuscation

            Source: Yara match File source: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip, type: DROPPED
            Source: Yara match File source: 00000003.00000000.30660739923.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.35517977177.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B6523C push ecx; ret 1_2_02B6523F
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B633AA push esp; iretd 1_2_02B633AE
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B63BAA push ecx; iretd 1_2_02B638C1
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B638EE push ecx; iretd 1_2_02B638C1
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B62C2F push es; iretd 1_2_02B62C89
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B6886D pushfd ; iretd 1_2_02B6889C
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B63840 push ecx; iretd 1_2_02B638C1
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B62C49 push es; iretd 1_2_02B62C89
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 3_2_0166513E push cs; ret 3_2_01665143
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 3_2_016644E6 push edi; iretd 3_2_016644FD
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 3_2_01660CD8 push FFFFFF92h; ret 3_2_01660CEE
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 3_2_016638AD push ds; ret 3_2_016638B0
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 3_2_01662E44 push es; iretd 3_2_01662E45
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 3_2_01661A40 pushad ; retf 3_2_01661A41
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_74272351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,1_2_74272351
            Source: System.ValueTuple.dll.1.dr Static PE information: 0xC5E61367 [Tue Mar 19 02:56:39 2075 UTC]
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File created: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Ta62k9weDV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Ta62k9weDV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe File opened: C:\Program Files\qga\qga.exe
            Source: Ta62k9weDV.exe, 00000001.00000002.31320605977.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
            Source: Ta62k9weDV.exe, 00000001.00000002.31320605977.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe TID: 2112 Thread sleep count: 92 > 30
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe TID: 2112 Thread sleep time: -92000s >= -30000s
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B606B7 rdtsc 1_2_02B606B7
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Evaded block: after key decision graph_1-12064
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_00402B75 FindFirstFileW, 1_2_00402B75
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00406719
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_004065CF FindFirstFileW,FindClose, 1_2_004065CF
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe API call chain: ExitProcess graph end node graph_1-11951
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
            Source: Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
            Source: Ta62k9weDV.exe, 00000003.00000002.35519053182.0000000001842000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: Ta62k9weDV.exe, 00000001.00000002.31320605977.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\syswow64\mshtml.dll
            Source: Ta62k9weDV.exe, 00000001.00000002.31320605977.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
            Source: Ta62k9weDV.exe, 00000001.00000002.31320932267.0000000004739000.00000004.00000800.00020000.00000000.sdmp, Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
            Source: Ta62k9weDV.exe, 00000003.00000002.35518290513.00000000017D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPt
            Source: Ta62k9weDV.exe, 00000003.00000002.35519718895.0000000003479000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_74272351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_74272351
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B606B7 rdtsc 1_2_02B606B7
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B72369 mov eax, dword ptr fs:[00000030h] 1_2_02B72369
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B6F026 mov eax, dword ptr fs:[00000030h] 1_2_02B6F026
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_02B72391 LdrLoadDll, 1_2_02B72391
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Process created: C:\Users\user\Desktop\Ta62k9weDV.exe C:\Users\user\Desktop\Ta62k9weDV.exe
            Source: C:\Users\user\Desktop\Ta62k9weDV.exe Code function: 1_2_004036FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 1_2_004036FC
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 2 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
            Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 11 Process Injection; 1 DLL Side-Loading; Network Logon Script; Rc.common; Startup Items
            Defense Evasion: 11 Masquerading; 12 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 221 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 4 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
            Source | Detection | Scanner | Label
            Ta62k9weDV.exe | 100% | Avira | TR/Injector.shsia
            Ta62k9weDV.exe | 81% | ReversingLabs | Win32.Spyware.Guloader
            Ta62k9weDV.exe | 51% | Virustotal |
            Ta62k9weDV.exe | NaN% | Metadefender |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll | 0% | Metadefender |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe | 0% | ReversingLabs |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\BtvStack.exe | 0% | Metadefender |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\System.ValueTuple.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-1042.dll | 0% | Metadefender |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll | 0% | ReversingLabs |
            C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\lang-9999.dll | 0% | Metadefender |
            No Antivirus matches
            No Antivirus matches
            No contacted domains info
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  146.70.79.5 | unknown | United Kingdom | 2018 | TENET-1ZA | false
                  Joe Sandbox Version: 36.0.0 Rainbow Opal
                  Analysis ID: 717105
                  Start date and time: 2022-10-06 01:28:18 +02:00
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 12m 37s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Sample file name: Ta62k9weDV.exe
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                  Run name: Suspected Instruction Hammering
                  Number of analysed new started processes analysed: 5
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal80.troj.evad.winEXE@3/14@0/1
                  EGA Information:
                  • Successful, ratio: 50%
                  HDC Information:
                  • Successful, ratio: 33.4% (good quality ratio 33%)
                  • Quality average: 85.8%
                  • Quality standard deviation: 22.9%
                  HCA Information:
                  • Successful, ratio: 95%
                  • Number of executed functions: 57
                  • Number of non-executed functions: 73
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 40.126.32.68, 40.126.32.74, 40.126.32.136, 20.190.160.17, 20.190.160.20, 40.126.32.133, 40.126.32.76, 40.126.32.138
                  • Excluded domains from analysis (whitelisted): ecs.office.com, wdcpalt.microsoft.com, prda.aadg.msidentity.com, login.live.com, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, wdcp.microsoft.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                  • Execution Graph export aborted for target Ta62k9weDV.exe, PID 7680 because there are no executed function
                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  No simulations
                  Match | Associated Sample Name / URL | Detection | Context
                  146.70.79.5 | PO853653-35683JKD0884-8854003559254_Order.exe | malicious | 146.70.79.5/tjucGaAqtraCLzoKDmv34.smi
                  146.70.79.5 | PO853653-35683JKD0884-8854003559254_Order.exe | malicious | 146.70.79.5/tjucGaAqtraCLzoKDmv34.smi
                  146.70.79.5 | RFQ852352-006420025_rev001.exe | malicious | 146.70.79.5/hxvUGouOFIEvvsrXEHqOew61.fla
                  146.70.79.5 | OA3GSLgaBx.exe | malicious | 146.70.79.5/HtXbQlEUnb3.xsn
                  No context
                  No context
                  Match: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll
                  Associated Sample Name / URL | Detection
                  Ta62k9weDV.exe | malicious
                  HF-2209869481.exe | malicious
                  HF-2209869481.exe | malicious
                  RFQ852352-006420025_rev001.exe | malicious
                  RFQ852352-006420025_rev001.exe | malicious
                  receipt_001546037_pdf.exe | malicious
                  receipt_001546037_pdf.exe | malicious
                  PROFORMA INVOICE.exe | malicious
                  PROFORMA INVOICE.exe | malicious
                  BESTELLUNG Nr. 6010551.exe | malicious
                  BESTELLUNG Nr. 6010551.exe | malicious
                  SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe | malicious
                  SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe | malicious
                  SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe | malicious
                  SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe | malicious
                  SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe | malicious
                  SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe | malicious
                  Request for Quotation (Taipei Medical Univers.exe | malicious
                  Request for Quotation (Taipei Medical Univers.exe | malicious
                  SecuriteInfo.com.NSIS.InjectorX-gen.7718.exe | malicious
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12288
                                                          Entropy (8bit):5.974444797015433
                                                          Encrypted:false
                                                          SSDEEP:192:U4A1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:UYR7SrtTv53tdtTgwF4SQbGPX36g9Mw
                                                          MD5:637E1FA13012A78922B6E98EFC0B12E2
                                                          SHA1:8012D44E42CD6D813EA63D5CCBF190FE72E3C778
                                                          SHA-256:703E17D30A91775F8DDC2648B537FC846FAD6415589A503A4529C36F60A17439
                                                          SHA-512:932ED6A52E89C4FA587A7C0C3903D69CF89A32DBD46ED8DCB251ABB6C15192D92B1F624C31F0E4BD3E9BF95FC1A55FDB7CEE9DD668E1B4F22DDB95786C063E96
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Metadefender, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: Ta62k9weDV.exe, Detection: malicious
                                                          • Filename: HF-2209869481.exe, Detection: malicious
                                                          • Filename: RFQ852352-006420025_rev001.exe, Detection: malicious
                                                          • Filename: receipt_001546037_pdf.exe, Detection: malicious
                                                          • Filename: PROFORMA INVOICE.exe, Detection: malicious
                                                          • Filename: BESTELLUNG Nr. 6010551.exe, Detection: malicious
                                                          • Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe, Detection: malicious
                                                          • Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe, Detection: malicious
                                                          • Filename: SecuriteInfo.com.NSIS.InjectorX-gen.1168.exe, Detection: malicious
                                                          • Filename: Request for Quotation (Taipei Medical Univers.exe, Detection: malicious
                                                          • Filename: SecuriteInfo.com.NSIS.InjectorX-gen.7718.exe, Detection: malicious
                                                          Reputation:moderate, very likely benign file
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1245
                                                          Entropy (8bit):5.462849750105637
                                                          Encrypted:false
                                                          SSDEEP:24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
                                                          MD5:5343C1A8B203C162A3BF3870D9F50FD4
                                                          SHA1:04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
                                                          SHA-256:DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
                                                          SHA-512:E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):17420
                                                          Entropy (8bit):7.987853014496246
                                                          Encrypted:false
                                                          SSDEEP:384:uEwEKzvS/nA2P33XQJGn9xGskEoaLiAXU7zNkE8GVwsb6lUn:uEwRO93XQJGmsk4LiUazgiulQ
                                                          MD5:E6AA554EDC6AE606C1BD37B22C1A7DBD
                                                          SHA1:33CA225AED62C095D7CBBAB08F6D64D873327ADD
                                                          SHA-256:822CCF4597F0DB1C36D2DB1E4103695FB2E719FA3FE618C0C465A96FE82D4894
                                                          SHA-512:E7A3EC9C979A8FC674FD6C62A8C15F2E95B03510F07EEA9A9685A3347EC5D4B242535FEE84E0D15A1FCB9CE69A95C13F66AFE6EA163ED877243EC748295172FE
                                                          Malicious:false
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):134784
                                                          Entropy (8bit):5.0976083386137345
                                                          Encrypted:false
                                                          SSDEEP:3072:lBpXgi+uHL7xlOu1u/3nJ7jOYlWcDXvXJP:lfXgi+uHPxYu8/3nJ7jOYlWw
                                                          MD5:49B7481C3D50FAABAF07F775E077FD8B
                                                          SHA1:A67F9193346DE1A223CFD6341AF224589D1026C7
                                                          SHA-256:E74AE0A4F510AEB53D5E4785B62BE3F76E1ACEA302CC75963042BC3F9BEF8FC3
                                                          SHA-512:7AEE06F1F2FEA6FBA7C1516EB95EC8415ADB712FAFA1BA90EEBDAFFAE73235B86C47F27E425DE1FC3EF36F75460472103C40708FE427B283896E2426E8AD6A10
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Metadefender, Detection: 0%
                                                          Reputation:low
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):97943
                                                          Entropy (8bit):6.7302426785976435
                                                          Encrypted:false
                                                          SSDEEP:1536:pVBn5kf8cRPlQ3cpg2qPJ3P09dDPzyV60uPskkkkWU9lU4w0IR7Ub8:pV4UqPlQMi25dDTU9lkx1
                                                          MD5:37647C9B79F3366556CE8BC7D626A48D
                                                          SHA1:D4A7800599AE7A6C7B3F38ED1E5715F2924652E9
                                                          SHA-256:BB737005CB6692FA072A9E1789E0AF79EFCFA917F426626992405D70159F096A
                                                          SHA-512:821212145E685AEF33BE28C0BC78B5B5B473FF5319C692F544F429F565EE729790E3B0576C3C719F7A66C21908FC2B9272D210F33AA837B54D7498839CDF7130
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane\Demograph.tip, Author: Joe Security
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15512
                                                          Entropy (8bit):6.804083746928105
                                                          Encrypted:false
                                                          SSDEEP:384:mjCGc/2IWfGWql7/uPHRN7vRzWF//dJR9zt1:mjwiylTMvRzWF//dj9zf
                                                          MD5:852CE23048161A42484C276C6BD8804F
                                                          SHA1:DFBB4337C0B8DEDC65330786AA9FE30E3039C3E4
                                                          SHA-256:B1DF7B8F18CA5FED0A75B3FEA989AF7B5CD00C9275BB2D5D2C6575D35A422ACD
                                                          SHA-512:3B8B69F45C5ABCCFB3AB412A7677701DEE69CA61BB008E582EEC73DC8434E36D0ACEFBBFA05DFD6A57CC0BB5F15156C059CC95875466C9B65684EFE0060E6DA7
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):279
                                                          Entropy (8bit):6.905844347023734
                                                          Encrypted:false
                                                          SSDEEP:6:6v/lhPKJTwHN8v7TPYQjdlKuT4scGQgMwHKymyw6nXQz8ydp:6v/7i+EnPYyJTZCgxKKw14o
                                                          MD5:73573DC24C96407A1D39B7C7DDEE0A09
                                                          SHA1:494F335F482BB63693E132D9007BA14B93B5F13A
                                                          SHA-256:CF64F5D6E32CA050AFFAC4DFBCE1D7EE56AF265A88B59F57ECF82411BD057868
                                                          SHA-512:864DCDFEB2A95998A43CDFC19BDEBE0AFB056449DFBBB6A1FFA3A29BD37C276BC607F4A3231BDE86F21943D5F59E4BB614CA6BAA59E5A64759FCD31D3EB57363
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):287
                                                          Entropy (8bit):6.910770879396414
                                                          Encrypted:false
                                                          SSDEEP:6:6v/lhPyso9f2XmECnTcF64W2rnEvsAGMuTpyMO3exKxoQlbp:6v/7IV22EIQLjrnRTrDKbl1
                                                          MD5:41B8FE6EB2295848349FC2421BB32B7A
                                                          SHA1:FEC722FAE45DBD3D6A374D787364D320889DC0C0
                                                          SHA-256:A44B90002A67F87D8B0D5F1FC9EBE74793D1A9BD5F3FB6B0A632E9F825DF8431
                                                          SHA-512:E7A5B8D6CAF84C40952D7D3DD254AEFD4622A48D8DD7F73561DB8221E6D535E23CD12A8D68E20AE8A8CC6251A773EA6E2F4C1C211E06F81B5AD3996DCC15F781
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):888
                                                          Entropy (8bit):7.732925273250331
                                                          Encrypted:false
                                                          SSDEEP:12:6v/7MbFKFeR6MbBHV32Xg+Rcn5vAdNat0R86EUqykJR1u7jJ+IMH5KU9HwOJC/Gp:B/kMbB1cgMcxAuA8OqpP16J+bQW
                                                          MD5:BCE06854D4F29AAC0898BE1777567967
                                                          SHA1:9AE785BCF22704FC40CB56C914DD57372E98FA18
                                                          SHA-256:47B0CFF567039F85E1187A26DF49BF7BAF80EB22C395BB066303AD361DD5ACCE
                                                          SHA-512:69BACB18BD6EC4E3C30EB46163E088102E7A8F3BAB9835791E201F16C8855B08321DE5C522A6A291CC6F7897449861FB030871C8DDC5DF15DC1E5FD9A2DD9139
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):248
                                                          Entropy (8bit):6.74996208017984
                                                          Encrypted:false
                                                          SSDEEP:6:6v/lhPyslQxKnANS+73/qZTJ3zhl63jYrw+caoebp:6v/7SxKn7+D/Kdl63OgXg
                                                          MD5:5B1F2682384D7F36AE85CDFAF208DC02
                                                          SHA1:2C242B59131157497CF1431AFA59388B9319CD79
                                                          SHA-256:BF3AF624F9AF3875ED64F3FA8A4495C998EA724EE34465C5DE67A71CE924473E
                                                          SHA-512:5947AE2D7674A5EC87CD83BB7DB818BE95DCE64B1ECCF6079060E307D9B6266C74FC45802F4580ED299F04B1777D2A87DDFE1DDE981BA9C5FF6431744FA3F545
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):91656
                                                          Entropy (8bit):5.8106295248914135
                                                          Encrypted:false
                                                          SSDEEP:1536:Nw/WmI1o8uwBL5pcPqY0AUY9fdl/SFfxHdT3/h9+1UCD8ux4:aJI1o8jLHcPqY0AUY9fdl/SbR3ZY8ux4
                                                          MD5:E52C38D77E60B534B9F63F76F51DBE70
                                                          SHA1:F81F9A726F2D7880CF02C098F9443E3DF72F5497
                                                          SHA-256:A66EB9CAAD8387FE96030B8D464A561D76BA46E9B880E3A931E277020B2CF1DF
                                                          SHA-512:8C8B80C4AB26A6BFE78DDEAA684C4616132960E9CAE07C374C86D9C80B16D205BCB2BA98CD51F70682F95D7B133EC6142128BB8724CC5A2A13991D8EABD99B89
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Metadefender, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):99160
                                                          Entropy (8bit):4.571793664727738
                                                          Encrypted:false
                                                          SSDEEP:1536:I+zgXuyQNvp+nIvbFuYPlqpg0pgLevXKrmFqYQvt7jUf:YdIvjlUxpgLevXKrmFqYO
                                                          MD5:711208EB3AB7596C1BE6B9C10CDADCAE
                                                          SHA1:38AB80C0FC4B75077F60BCC57D3C42F293758763
                                                          SHA-256:0006F35934E72C2AA6B384DA1882308BCB9137BD40E5129FDF3BD065EA918D2B
                                                          SHA-512:1BFED9978183C9B140B4C99DB36BB49A3F37B939EA5B382D7010EB2CCB812F5D779A74444B39FB8A160F9597254E481086AA9484FC5BEB9A4A63220773B838D4
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Metadefender, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):326
                                                          Entropy (8bit):7.057304353938009
                                                          Encrypted:false
                                                          SSDEEP:6:6v/lhPysRXRioNQ2y02mfMq74Pv+0tLlhhayTHIue7V3leup:6v/7xXi2y2f3437ZhayTniVz
                                                          MD5:FDE53BB8BBE68A0611C9860C480FDA85
                                                          SHA1:EFFEF39DFFF6D3584D3772E62DBDF31FD55B88A2
                                                          SHA-256:15B258273CBE2172ED1680DC27EEAB40D99BB4F144625C2022C2CEA983A76A8F
                                                          SHA-512:3CC7271F35DFF6FCE63A044A2630988E8558143597A58FE42EB591949824D6C3C6EF100BB652C8E1B2D533CFE00B38B4EDCAEFD261A509588DB20E73B7C9205B
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):568
                                                          Entropy (8bit):7.524994279543221
                                                          Encrypted:false
                                                          SSDEEP:12:6v/7oy22jLAgK5yDYMOow1txurnY3QRevxKvaMMAnpllsc:XcjLAgKcDYMdw1txurYh5KCqxsc
                                                          MD5:2301264CADE42743EA8C8BB13C1CEC4E
                                                          SHA1:65FF9922AD511C63E83FC20E94277796BC8F3A62
                                                          SHA-256:E85C274EEA68B29FDB46507C6A529C4388946F8B50AD203C44F9C28E137DD773
                                                          SHA-512:F844708E1BDA3A26DBD0F947D779242039A563CCE39C9D904BF8EE4A42BF74FA912BB99EEBD5640F597EA459BB1F497894819E111AB6E94861F7651E259BA329
                                                          Malicious:false
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Entropy (8bit):5.57316141235501
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:Ta62k9weDV.exe
                                                          File size:604376
                                                          MD5:d68ce542ec367e67f667b75d491cf032
                                                          SHA1:5833c8f3b5c907236e2ca2734b99d9bd0f1a5a36
                                                          SHA256:b65f37c2f7def47bd57ae2837b9c422113da608c3b37a80f62e0332fb717546f
                                                          SHA512:46808581eb2b4d975e22f9c250c025218112b7288e40da42170c8ac40440e762654fa28bb54aab06f007bc3f5928ea799c5e79e24227796ad2f6ef778a0b9586
                                                          SSDEEP:6144:IMrudbcDdn2cHWOgP2DSUPRAdEHgmOo466hWCt2uj0+7xeUs9aPYz/76H3/NUEgo:IfLc2jODXPRAdEeo22IYH9QHvNUED
                                                          TLSH:0ED458956D1887BBED9D8C3752DFB6114E0F5F7E8AF013122E8476DA2D33D2384A604A
                                                          Icon Hash:34746071796969b0
                                                          Entrypoint:0x4036fc
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x63132B9B [Sat Sep 3 10:25:31 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:3f91aceea750f765ef2ba5d9988e6a00
                                                          Signature Valid:false
                                                          Signature Issuer:OU="Ternet Unanticipated ", E=Fascinationernes@prosencephalic.Py, O=Hedley, L=Wissous, S=\xcele-de-France, C=FR
                                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                          Error Number:-2146762487
                                                          Not Before, Not After
                                                          • 26/09/2022 20:27:56 25/09/2025 20:27:56
                                                          Subject Chain
                                                          • OU="Ternet Unanticipated ", E=Fascinationernes@prosencephalic.Py, O=Hedley, L=Wissous, S=\xcele-de-France, C=FR
                                                          Version:3
                                                          Thumbprint MD5:6F1CC974ADB8D20524E3CA199191CA0D
                                                          Thumbprint SHA-1:CFF9329090054D649E1427E70D07E6D58404EB1E
                                                          Thumbprint SHA-256:4028FF6FCC01E623218240C498D051D5E90D428D85534174758E36D5B5293788
                                                          Serial:B22424AC17ED0851
                                                          Instruction
                                                          sub esp, 000003ECh
                                                          push ebx
                                                          push ebp
                                                          push esi
                                                          push edi
                                                          xor ebx, ebx
                                                          mov edi, 00409528h
                                                          push 00008001h
                                                          mov dword ptr [esp+14h], ebx
                                                          mov ebp, ebx
                                                          call dword ptr [00409170h]
                                                          mov esi, dword ptr [004090ACh]
                                                          lea eax, dword ptr [esp+2Ch]
                                                          xorps xmm0, xmm0
                                                          mov dword ptr [esp+40h], ebx
                                                          push eax
                                                          movlpd qword ptr [esp+00000144h], xmm0
                                                          mov dword ptr [esp+30h], 0000011Ch
                                                          call esi
                                                          test eax, eax
                                                          jne 00007FE174C73009h
                                                          lea eax, dword ptr [esp+2Ch]
                                                          mov dword ptr [esp+2Ch], 00000114h
                                                          push eax
                                                          call esi
                                                          push 00000053h
                                                          pop eax
                                                          mov dl, 04h
                                                          mov byte ptr [esp+00000146h], dl
                                                          cmp word ptr [esp+40h], ax
                                                          jne 00007FE174C72FE3h
                                                          mov eax, dword ptr [esp+5Ah]
                                                          add eax, FFFFFFD0h
                                                          mov word ptr [esp+00000140h], ax
                                                          jmp 00007FE174C72FDDh
                                                          xor eax, eax
                                                          jmp 00007FE174C72FC4h
                                                          mov dl, byte ptr [esp+00000146h]
                                                          cmp dword ptr [esp+30h], 0Ah
                                                          jnc 00007FE174C72FDDh
                                                          movzx eax, word ptr [esp+38h]
                                                          mov dword ptr [esp+38h], eax
                                                          jmp 00007FE174C72FD6h
                                                          mov eax, dword ptr [esp+38h]
                                                          mov dword ptr [00435AF8h], eax
                                                          movzx eax, byte ptr [esp+30h]
                                                          shl ax, 0008h
                                                          movzx ecx, ax
                                                          movzx eax, byte ptr [esp+34h]
                                                          or ecx, eax
                                                          movzx eax, byte ptr [esp+00000140h]
                                                          shl ax, 0008h
                                                          shl ecx, 10h
                                                          movzx eax, word ptr [eax]
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b0c | 0xa0 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x56c70 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x931f0 | 0x6e8 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2b0 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x1000 | 0x7032 | 0x7200 | False | 0.6497395833333334 | data | 6.41220875237026 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata | 0x9000 | 0x19a2 | 0x1a00 | False | 0.455078125 | data | 5.04107190530894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data | 0xb000 | 0x2ab00 | 0x200 | False | 0.30078125 | data | 2.035495984906757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .ndata | 0x36000 | 0x2e000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc | 0x64000 | 0x56c70 | 0x56e00 | False | 0.1786083633093525 | data | 3.1391377765501662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          Name | RVA | Size | Type | Language | Country
                                                          RT_ICON | 0x64280 | 0x42028 | data | English | United States
                                                          RT_ICON | 0xa62a8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                          RT_ICON | 0xb6ad0 | 0x25a8 | data | English | United States
                                                          RT_ICON | 0xb9078 | 0x10a8 | data | English | United States
                                                          RT_ICON | 0xba120 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_DIALOG | 0xba588 | 0x100 | data | English | United States
                                                          RT_DIALOG | 0xba688 | 0x11c | data | English | United States
                                                          RT_DIALOG | 0xba7a8 | 0xc4 | data | English | United States
                                                          RT_DIALOG | 0xba870 | 0x60 | data | English | United States
                                                          RT_GROUP_ICON | 0xba8d0 | 0x4c | data | English | United States
                                                          RT_MANIFEST | 0xba920 | 0x349 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                                                          DLL | Import
                                                          ADVAPI32.dll | RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
                                                          SHELL32.dll | ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
                                                          ole32.dll | OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
                                                          COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                                          USER32.dll | DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
                                                          GDI32.dll | SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
                                                          KERNEL32.dll | WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode
                                                          Language of compilation system | Country where language is spoken | Map
                                                          English | United States |
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 6, 2022 01:34:34.211622000 CEST4988480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:36.226794958 CEST4988480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:38.243299961 CEST4988580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:39.257498026 CEST4988580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:41.272480965 CEST4988580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:43.289953947 CEST4988680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:44.303040981 CEST4988680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:46.318358898 CEST4988680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:48.352524042 CEST4988780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:49.364583015 CEST4988780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:51.379946947 CEST4988780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:53.396359921 CEST4988880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:54.410334110 CEST4988880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:56.425750971 CEST4988880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:58.442343950 CEST4988980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:34:59.456260920 CEST4988980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:01.471317053 CEST4988980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:03.504942894 CEST4989080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:04.517601013 CEST4989080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:06.532877922 CEST4989080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:08.550833941 CEST4989180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:09.563594103 CEST4989180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:11.578690052 CEST4989180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:13.597176075 CEST4989280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:14.609313011 CEST4989280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:16.624532938 CEST4989280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:18.642030954 CEST4989380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:19.655009985 CEST4989380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:21.670136929 CEST4989380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:23.702512980 CEST4989480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:24.716420889 CEST4989480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:26.731848001 CEST4989480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:28.755656958 CEST4989580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:29.762319088 CEST4989580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:31.777503967 CEST4989580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:33.795496941 CEST4989680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:34.808096886 CEST4989680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:36.823333979 CEST4989680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:38.855600119 CEST4989780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:39.869431973 CEST4989780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:41.884660959 CEST4989780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:43.901360989 CEST4989880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:44.915227890 CEST4989880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:46.930568933 CEST4989880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:48.948113918 CEST4989980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:49.961199999 CEST4989980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:51.976274014 CEST4989980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:53.993176937 CEST4990080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:55.006963968 CEST4990080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:57.022258043 CEST4990080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:35:59.054272890 CEST4990180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:00.068501949 CEST4990180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:02.083494902 CEST4990180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:04.101360083 CEST4990280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:05.114116907 CEST4990280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:07.129342079 CEST4990280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:09.146476030 CEST4990380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:10.159964085 CEST4990380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:12.175062895 CEST4990380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:14.191973925 CEST4990480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:15.205878973 CEST4990480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:17.221101046 CEST4990480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:19.223182917 CEST4990580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:20.235845089 CEST4990580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:22.251017094 CEST4990580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:24.252274036 CEST4990680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:25.266072035 CEST4990680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:27.281414032 CEST4990680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:29.298063040 CEST4990780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:30.312016010 CEST4990780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:32.327140093 CEST4990780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:34.344892025 CEST4990880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:35.357783079 CEST4990880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:37.357518911 CEST4990880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:39.405704975 CEST4990980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:40.419246912 CEST4990980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:42.434289932 CEST4990980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:44.451014996 CEST4991080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:45.464914083 CEST4991080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:47.480190992 CEST4991080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:49.498337984 CEST4991180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:50.510813951 CEST4991180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:52.525880098 CEST4991180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:54.542623043 CEST4991280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:55.556674957 CEST4991280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:57.571842909 CEST4991280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:36:59.572624922 CEST4991380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:00.586728096 CEST4991380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:02.601866961 CEST4991380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:04.604090929 CEST4991480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:05.616820097 CEST4991480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:07.632252932 CEST4991480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:09.649027109 CEST4991680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:10.662766933 CEST4991680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:12.678019047 CEST4991680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:14.695252895 CEST4991780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:15.708574057 CEST4991780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:17.723695993 CEST4991780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:19.757181883 CEST4991880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:20.770127058 CEST4991880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:22.785132885 CEST4991880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:24.801793098 CEST4991980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:25.815732002 CEST4991980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:27.815429926 CEST4991980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:29.848006964 CEST4992080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:30.861594915 CEST4992080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:32.876796007 CEST4992080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:34.895632982 CEST4992180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:35.907382011 CEST4992180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:37.922444105 CEST4992180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:39.923597097 CEST4992280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:40.937597036 CEST4992280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:42.952701092 CEST4992280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:44.955939054 CEST4992380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:45.967629910 CEST4992380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:47.982940912 CEST4992380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:50.001847982 CEST4992480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:51.013535023 CEST4992480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:53.013132095 CEST4992480192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:55.045335054 CEST4992580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:56.059370041 CEST4992580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:37:58.074697971 CEST4992580192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:00.106672049 CEST4992680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:01.120788097 CEST4992680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:03.135874987 CEST4992680192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:05.153690100 CEST4992780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:06.166513920 CEST4992780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:08.181767941 CEST4992780192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:10.198406935 CEST4992880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:11.212455034 CEST4992880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:13.227546930 CEST4992880192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:15.244786978 CEST4992980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:16.258246899 CEST4992980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:18.273302078 CEST4992980192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:20.306397915 CEST4993080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:21.303976059 CEST4993080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:23.319032907 CEST4993080192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:25.351831913 CEST4993180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:26.365299940 CEST4993180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:28.380671978 CEST4993180192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:30.404640913 CEST4993280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:31.411268950 CEST4993280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:33.426441908 CEST4993280192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:35.460372925 CEST4993380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:36.472708941 CEST4993380192.168.11.20146.70.79.5
                                                          Oct 6, 2022 01:38:38.488116026 CEST4993380192.168.11.20146.70.79.5

                                                          Target ID:1
                                                          Start time:01:30:11
                                                          Start date:06/10/2022
                                                          Path:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          Imagebase:0x400000
                                                          File size:604376 bytes
                                                          MD5 hash:D68CE542EC367E67F667B75D491CF032
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Target ID:3
                                                          Start time:01:30:30
                                                          Start date:06/10/2022
                                                          Path:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\Ta62k9weDV.exe
                                                          Imagebase:0x400000
                                                          File size:604376 bytes
                                                          MD5 hash:D68CE542EC367E67F667B75D491CF032
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000000.30660739923.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.35517977177.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                            Execution Graph

                                                            Execution Coverage:8.7%
                                                            Dynamic/Decrypted Code Coverage:6.2%
                                                            Signature Coverage:21.5%
                                                            Total number of Nodes:1655
                                                            Total number of Limit Nodes:47
12943->12947 12948 74271b79 12943->12948 12946 742715c5 3 API calls 12944->12946 12951 74271b61 12946->12951 12950 742715c5 3 API calls 12947->12950 12949 74271668 3 API calls 12948->12949 12952 74271b7e 12949->12952 12950->12945 12953 74271668 3 API calls 12951->12953 12954 742715eb 2 API calls 12952->12954 12955 74271b67 12953->12955 12956 74271b84 GlobalFree 12954->12956 12957 742715eb 2 API calls 12955->12957 12956->12945 12958 74271b6d GlobalFree 12956->12958 12957->12958 12722 401af0 12723 40303e 16 API calls 12722->12723 12724 401af7 lstrlenW 12723->12724 12725 401afd 12724->12725 12726 40303e 16 API calls 12725->12726 12728 402855 12725->12728 12729 40691b GetFileAttributesW CreateFileW 12725->12729 12726->12725 12729->12725 11836 402af5 11837 402afc 11836->11837 11839 401709 11836->11839 11838 403002 16 API calls 11837->11838 11840 402b03 11838->11840 11841 402b10 SetFilePointer 11840->11841 11841->11839 11843 402b21 11841->11843 11842 403002 16 API calls 11842->11843 11843->11839 11843->11842 11844 402d10 11843->11844 11845 402d35 11844->11845 11846 402d25 11844->11846 11848 405eba 16 API calls 11845->11848 11847 403002 16 API calls 11846->11847 11847->11839 11848->11839 11849 402b75 11850 40303e 16 API calls 11849->11850 11851 402b7c FindFirstFileW 11850->11851 11852 402b90 11851->11852 11855 40661f wsprintfW 11852->11855 11854 402b67 11855->11854 12514 402077 12515 40303e 16 API calls 12514->12515 12516 40207d 12515->12516 12517 40303e 16 API calls 12516->12517 12518 402086 12517->12518 12519 40303e 16 API calls 12518->12519 12520 40208f 12519->12520 12521 40303e 16 API calls 12520->12521 12522 402098 12521->12522 12523 405d3a 23 API calls 12522->12523 12524 4020a4 12523->12524 12531 4069f3 ShellExecuteExW 12524->12531 12526 4020ea 12527 406514 5 API calls 12526->12527 12528 401709 12526->12528 12529 402109 CloseHandle 12527->12529 12529->12528 12531->12526 12730 2b6780d 12732 2b67810 12730->12732 12731 2b67c5f 12732->12731 12733 2b76913 NtResumeThread 
12732->12733 12735 2b679fd 12732->12735 12733->12735 12734 2b67bd8 12735->12734 12736 2b76913 NtResumeThread 12735->12736 12736->12734 11905 4036fc SetErrorMode GetVersionExW 11906 403747 GetVersionExW 11905->11906 11908 40377e 11905->11908 11907 403769 11906->11907 11907->11908 11909 4068e6 5 API calls 11908->11909 11911 4037e5 11908->11911 11909->11911 11910 40619e 3 API calls 11912 4037fb lstrlenA 11910->11912 11911->11910 11912->11911 11913 403809 11912->11913 11914 4068e6 5 API calls 11913->11914 11915 403810 11914->11915 11916 4068e6 5 API calls 11915->11916 11917 403817 11916->11917 11918 4068e6 5 API calls 11917->11918 11919 403823 #17 OleInitialize SHGetFileInfoW 11918->11919 11995 406b1a lstrcpynW 11919->11995 11922 403871 GetCommandLineW 11996 406b1a lstrcpynW 11922->11996 11924 403882 11925 4065f6 CharNextW 11924->11925 11926 4038bc CharNextW 11925->11926 11927 4039aa GetTempPathW 11926->11927 11940 4038d5 11926->11940 11997 403ca5 11927->11997 11929 4039c2 11930 4039c6 GetWindowsDirectoryW lstrcatW 11929->11930 11931 403a1c DeleteFileW 11929->11931 11932 403ca5 12 API calls 11930->11932 12007 4033ed GetTickCount GetModuleFileNameW 11931->12007 11935 4039e2 11932->11935 11934 403a2f 11937 403ab2 11934->11937 11939 403aa4 11934->11939 11942 4065f6 CharNextW 11934->11942 11935->11931 11938 4039e6 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 11935->11938 11936 4065f6 CharNextW 11936->11940 12112 4036d2 11937->12112 11941 403ca5 12 API calls 11938->11941 12035 405a3e 11939->12035 11940->11927 11940->11936 11945 403996 11940->11945 11946 403a14 11941->11946 11956 403a4e 11942->11956 12092 406b1a lstrcpynW 11945->12092 11946->11931 11946->11937 11949 403bf9 11953 406aa8 MessageBoxIndirectW 11949->11953 11950 403c0c 11951 403c04 ExitProcess 11950->11951 11952 403c15 GetCurrentProcess OpenProcessToken 11950->11952 11954 403c61 11952->11954 11955 403c2d LookupPrivilegeValueW AdjustTokenPrivileges 11952->11955 11953->11951 11960 4068e6 5 
API calls 11954->11960 11955->11954 11957 403a78 11956->11957 11958 403ab9 11956->11958 12093 406638 11957->12093 11961 4064fc 5 API calls 11958->11961 11963 403c68 11960->11963 11964 403abe lstrcatW 11961->11964 11966 403c7d ExitWindowsEx 11963->11966 11969 403c8a 11963->11969 11967 403ae2 lstrcatW lstrcmpiW 11964->11967 11968 403ad3 lstrcatW 11964->11968 11966->11951 11966->11969 11967->11937 11970 403b09 11967->11970 11968->11967 11972 401533 89 API calls 11969->11972 11973 403b12 11970->11973 11974 403b19 11970->11974 11972->11951 11977 405e3e 4 API calls 11973->11977 11978 405e1e 2 API calls 11974->11978 11975 403a99 12109 406b1a lstrcpynW 11975->12109 11980 403b17 11977->11980 11979 403b1e SetCurrentDirectoryW 11978->11979 11981 403b41 11979->11981 11982 403b32 11979->11982 11980->11979 12111 406b1a lstrcpynW 11981->12111 12110 406b1a lstrcpynW 11982->12110 11985 405eba 16 API calls 11986 403b71 DeleteFileW 11985->11986 11987 403b7c CopyFileW 11986->11987 11989 403b4f 11986->11989 11987->11989 11988 403bd5 11990 40623d 34 API calls 11988->11990 11989->11985 11989->11988 11991 40623d 34 API calls 11989->11991 11992 405eba 16 API calls 11989->11992 11993 4066d6 2 API calls 11989->11993 11994 403bc0 CloseHandle 11989->11994 11990->11937 11991->11989 11992->11989 11993->11989 11994->11989 11995->11922 11996->11924 11998 406d3d 5 API calls 11997->11998 12000 403cb1 11998->12000 11999 403cbb 11999->11929 12000->11999 12001 406556 3 API calls 12000->12001 12002 403cc3 12001->12002 12003 405e1e 2 API calls 12002->12003 12004 403cc9 12003->12004 12005 406a56 2 API calls 12004->12005 12006 403cd4 12005->12006 12006->11929 12119 40691b GetFileAttributesW CreateFileW 12007->12119 12009 40342f 12027 40343c 12009->12027 12120 406b1a lstrcpynW 12009->12120 12011 403452 12121 406d10 lstrlenW 12011->12121 12015 403463 GetFileSize 12016 40356a 12015->12016 12026 40347c 12015->12026 12126 403389 12016->12126 12018 403579 12020 4035ba GlobalAlloc 12018->12020 12018->12027 12137 
403131 SetFilePointer 12018->12137 12019 40311b ReadFile 12019->12026 12138 403131 SetFilePointer 12020->12138 12021 403638 12023 403389 6 API calls 12021->12023 12023->12027 12025 403596 12030 406948 ReadFile 12025->12030 12026->12016 12026->12019 12026->12021 12026->12027 12031 403389 6 API calls 12026->12031 12027->11934 12028 4035d7 12029 403148 30 API calls 12028->12029 12033 4035e6 12029->12033 12032 4035a8 12030->12032 12031->12026 12032->12020 12032->12027 12033->12027 12033->12033 12034 403616 SetFilePointer 12033->12034 12034->12027 12036 4068e6 5 API calls 12035->12036 12037 405a52 12036->12037 12038 405a5b GetUserDefaultUILanguage 12037->12038 12039 405a6d 12037->12039 12139 40661f wsprintfW 12038->12139 12041 406977 3 API calls 12039->12041 12043 405a9c 12041->12043 12042 405a6b 12140 40597f 12042->12140 12044 405abb lstrcatW 12043->12044 12045 406977 3 API calls 12043->12045 12044->12042 12045->12044 12048 406638 18 API calls 12049 405aed 12048->12049 12050 405b87 12049->12050 12052 406977 3 API calls 12049->12052 12051 406638 18 API calls 12050->12051 12053 405b8d 12051->12053 12060 405b20 12052->12060 12054 405b9d LoadImageW 12053->12054 12055 405eba 16 API calls 12053->12055 12056 405c4a 12054->12056 12057 405bcd RegisterClassW 12054->12057 12055->12054 12059 401533 89 API calls 12056->12059 12058 405c01 SystemParametersInfoW CreateWindowExW 12057->12058 12091 405bfa 12057->12091 12058->12056 12064 405c50 12059->12064 12060->12050 12061 405b44 lstrlenW 12060->12061 12065 4065f6 CharNextW 12060->12065 12062 405b54 lstrcmpiW 12061->12062 12063 405b7a 12061->12063 12062->12063 12066 405b64 GetFileAttributesW 12062->12066 12067 406556 3 API calls 12063->12067 12070 40597f 17 API calls 12064->12070 12064->12091 12068 405b3f 12065->12068 12069 405b70 12066->12069 12071 405b80 12067->12071 12068->12061 12069->12063 12072 406d10 2 API calls 12069->12072 12073 405c5d 12070->12073 12148 406b1a lstrcpynW 12071->12148 12072->12063 12075 405c69 ShowWindow 
12073->12075 12076 405ceb 12073->12076 12078 40619e 3 API calls 12075->12078 12077 405864 92 API calls 12076->12077 12079 405cf1 12077->12079 12080 405c81 12078->12080 12081 405cf5 12079->12081 12082 405d0f 12079->12082 12083 405c8f GetClassInfoW 12080->12083 12084 40619e 3 API calls 12080->12084 12089 401533 89 API calls 12081->12089 12081->12091 12085 401533 89 API calls 12082->12085 12086 405ca2 GetClassInfoW RegisterClassW 12083->12086 12087 405cb8 DialogBoxParamW 12083->12087 12084->12083 12090 405d16 12085->12090 12086->12087 12088 401533 89 API calls 12087->12088 12088->12091 12089->12091 12090->12090 12091->11937 12092->11927 12150 406b1a lstrcpynW 12093->12150 12095 406649 12096 406bc5 4 API calls 12095->12096 12097 40664f 12096->12097 12098 403a86 12097->12098 12099 406d3d 5 API calls 12097->12099 12098->11937 12108 406b1a lstrcpynW 12098->12108 12105 40665b 12099->12105 12100 40668b lstrlenW 12101 406697 12100->12101 12100->12105 12103 406556 3 API calls 12101->12103 12102 4065cf 2 API calls 12102->12105 12104 40669c GetFileAttributesW 12103->12104 12104->12098 12106 4066a8 12104->12106 12105->12098 12105->12100 12105->12102 12107 406d10 2 API calls 12105->12107 12106->12098 12107->12100 12108->11975 12109->11939 12110->11981 12111->11989 12113 4036ea 12112->12113 12114 4036dc CloseHandle 12112->12114 12151 403d13 12113->12151 12114->12113 12119->12009 12120->12011 12122 406d1f 12121->12122 12123 403458 12122->12123 12124 406d25 CharPrevW 12122->12124 12125 406b1a lstrcpynW 12123->12125 12124->12122 12124->12123 12125->12015 12127 403390 12126->12127 12128 4033a8 12126->12128 12129 4033a0 12127->12129 12130 403399 DestroyWindow 12127->12130 12131 4033b1 12128->12131 12132 4033b9 GetTickCount 12128->12132 12129->12018 12130->12129 12135 40620f 2 API calls 12131->12135 12133 4033c7 CreateDialogParamW ShowWindow 12132->12133 12134 4033ec 12132->12134 12133->12134 12134->12018 12136 4033b8 12135->12136 12136->12018 12137->12025 12138->12028 12139->12042 
12141 405992 12140->12141 12149 40661f wsprintfW 12141->12149 12143 405a0b 12144 405d1b 17 API calls 12143->12144 12146 405a10 12144->12146 12145 405a39 12145->12048 12146->12145 12147 405eba 16 API calls 12146->12147 12147->12146 12148->12050 12149->12143 12150->12095 12152 403d21 12151->12152 12153 4036ef 12152->12153 12154 403d26 FreeLibrary GlobalFree 12152->12154 12155 406719 12153->12155 12154->12153 12154->12154 12156 406638 18 API calls 12155->12156 12157 40673b 12156->12157 12158 406744 DeleteFileW 12157->12158 12159 40675b 12157->12159 12160 4036fb OleUninitialize 12158->12160 12159->12160 12162 40687b 12159->12162 12194 406b1a lstrcpynW 12159->12194 12160->11949 12160->11950 12162->12160 12166 4065cf 2 API calls 12162->12166 12163 406783 12164 40679b 12163->12164 12165 40678d lstrcatW 12163->12165 12169 406d10 2 API calls 12164->12169 12168 4067a1 12165->12168 12167 406898 12166->12167 12167->12160 12170 40689c 12167->12170 12171 4067b2 lstrcatW 12168->12171 12172 4067ba lstrlenW FindFirstFileW 12168->12172 12169->12168 12173 406556 3 API calls 12170->12173 12171->12172 12172->12162 12181 4067e3 12172->12181 12174 4068a2 12173->12174 12175 406585 5 API calls 12174->12175 12176 4068ae 12175->12176 12178 4068d1 12176->12178 12179 4068b2 12176->12179 12177 40685d FindNextFileW 12177->12181 12182 406874 FindClose 12177->12182 12183 405d3a 23 API calls 12178->12183 12179->12160 12184 405d3a 23 API calls 12179->12184 12181->12177 12188 406719 58 API calls 12181->12188 12189 406829 12181->12189 12195 406b1a lstrcpynW 12181->12195 12182->12162 12183->12160 12185 4068be 12184->12185 12187 40623d 34 API calls 12185->12187 12190 4068c7 12187->12190 12188->12189 12189->12177 12191 405d3a 23 API calls 12189->12191 12192 405d3a 23 API calls 12189->12192 12193 40623d 34 API calls 12189->12193 12196 406585 12189->12196 12190->12160 12191->12177 12192->12189 12193->12189 12194->12163 12195->12181 12197 406b9d 2 API calls 12196->12197 12198 406591 12197->12198 12199 
4065b3 12198->12199 12200 4065a1 RemoveDirectoryW 12198->12200 12201 4065a9 DeleteFileW 12198->12201 12199->12189 12202 4065af 12200->12202 12201->12202 12202->12199 12203 4065be SetFileAttributesW 12202->12203 12203->12199 12532 402e7c SendMessageW 12533 402e94 InvalidateRect 12532->12533 12534 402ea1 12532->12534 12533->12534 12737 2b67c0b 12739 2b67b9d 12737->12739 12740 2b67bd8 12737->12740 12738 2b76913 NtResumeThread 12738->12740 12739->12738 12739->12740 12421 4025ff 12422 402608 12421->12422 12423 40262f 12421->12423 12424 4030c1 16 API calls 12422->12424 12425 40303e 16 API calls 12423->12425 12427 40260f 12424->12427 12426 402636 12425->12426 12433 40307c 12426->12433 12429 402615 12427->12429 12432 402648 12427->12432 12430 40303e 16 API calls 12429->12430 12431 40261c RegDeleteValueW RegCloseKey 12430->12431 12431->12432 12434 403089 12433->12434 12435 403090 12433->12435 12434->12432 12435->12434 12437 40141e 12435->12437 12438 4062d8 RegOpenKeyExW 12437->12438 12439 40145b 12438->12439 12440 401463 12439->12440 12441 401527 12439->12441 12442 40146f RegEnumValueW 12440->12442 12449 401493 12440->12449 12441->12434 12443 401503 RegCloseKey 12442->12443 12442->12449 12443->12441 12444 4014ce RegEnumKeyW 12445 4014d8 RegCloseKey 12444->12445 12444->12449 12446 4068e6 5 API calls 12445->12446 12448 4014e9 12446->12448 12447 40141e 6 API calls 12447->12449 12450 401514 12448->12450 12451 4014ed RegDeleteKeyW 12448->12451 12449->12443 12449->12444 12449->12445 12449->12447 12450->12441 12451->12441 12535 401000 12536 401039 BeginPaint GetClientRect 12535->12536 12538 40100a DefWindowProcW 12535->12538 12539 40110f 12536->12539 12540 40119a 12538->12540 12541 401117 12539->12541 12542 40107e CreateBrushIndirect FillRect DeleteObject 12539->12542 12543 401185 EndPaint 12541->12543 12544 40111d CreateFontIndirectW 12541->12544 12542->12539 12543->12540 12544->12543 12545 401130 6 API calls 12544->12545 12545->12543 12960 401d01 12961 401d0f 12960->12961 12967 
401d5d 12960->12967 12964 401d50 12961->12964 12970 401d1e 12961->12970 12962 401d67 12969 401709 12962->12969 12980 406b1a lstrcpynW 12962->12980 12963 401d8c GlobalAlloc 12966 405eba 16 API calls 12963->12966 12965 405eba 16 API calls 12964->12965 12965->12967 12966->12969 12967->12962 12967->12963 12977 406b1a lstrcpynW 12970->12977 12971 401d79 GlobalFree 12971->12969 12973 401d2d 12978 406b1a lstrcpynW 12973->12978 12975 401d3c 12979 406b1a lstrcpynW 12975->12979 12977->12973 12978->12975 12979->12969 12980->12971 12981 401b03 12982 403002 16 API calls 12981->12982 12983 401b0a 12982->12983 12984 403002 16 API calls 12983->12984 12985 401b15 12984->12985 12986 40303e 16 API calls 12985->12986 12987 401b20 lstrlenW 12986->12987 12988 401b3c 12987->12988 12990 401b67 12987->12990 12988->12990 12993 406b1a lstrcpynW 12988->12993 12991 401b5b 12991->12990 12992 401b5f lstrlenW 12991->12992 12992->12990 12993->12991 12546 401c04 12547 403002 16 API calls 12546->12547 12548 401c0e 12547->12548 12549 403002 16 API calls 12548->12549 12550 401bb2 12549->12550 12745 404085 12746 4040c2 12745->12746 12747 4040ac 12745->12747 12749 4040cc GetDlgItem 12746->12749 12756 40413f 12746->12756 12806 406a3a GetDlgItemTextW 12747->12806 12750 4040e4 12749->12750 12754 4040f8 SetWindowTextW 12750->12754 12758 406bc5 4 API calls 12750->12758 12751 40415e 12757 4040bd 12751->12757 12808 406a3a GetDlgItemTextW 12751->12808 12752 4040b7 12753 406d3d 5 API calls 12752->12753 12753->12757 12759 40551a 17 API calls 12754->12759 12756->12751 12761 405eba 16 API calls 12756->12761 12766 40575b 8 API calls 12757->12766 12762 4040ee 12758->12762 12763 404115 12759->12763 12760 404255 12764 406638 18 API calls 12760->12764 12765 4041ba SHBrowseForFolderW 12761->12765 12762->12754 12771 406556 3 API calls 12762->12771 12768 40551a 17 API calls 12763->12768 12769 40425b 12764->12769 12765->12751 12770 4041d5 CoTaskMemFree 12765->12770 12767 404416 12766->12767 12772 404120 12768->12772 12809 
406b1a lstrcpynW 12769->12809 12774 406556 3 API calls 12770->12774 12771->12754 12807 405503 SendMessageW 12772->12807 12777 4041e2 12774->12777 12776 404275 12779 4068e6 5 API calls 12776->12779 12780 40421f SetDlgItemTextW 12777->12780 12783 405eba 16 API calls 12777->12783 12778 404126 12781 4068e6 5 API calls 12778->12781 12782 40427b 12779->12782 12780->12751 12781->12757 12792 406d10 2 API calls 12782->12792 12793 4042d0 12782->12793 12794 40432a 12782->12794 12784 404200 lstrcmpiW 12783->12784 12784->12780 12786 404214 lstrcatW 12784->12786 12786->12780 12787 4042dc 12788 406bc5 4 API calls 12787->12788 12789 4042e2 GetDiskFreeSpaceW 12788->12789 12791 40430a MulDiv 12789->12791 12789->12794 12791->12794 12792->12782 12810 406b1a lstrcpynW 12793->12810 12795 4043a1 12794->12795 12797 405560 19 API calls 12794->12797 12796 4043c9 EnableWindow 12795->12796 12798 401533 89 API calls 12795->12798 12796->12757 12799 4043f2 12796->12799 12800 404389 12797->12800 12803 4043c7 12798->12803 12799->12757 12811 40553c SendMessageW 12799->12811 12801 4043a3 SetDlgItemTextW 12800->12801 12802 40438d 12800->12802 12801->12795 12804 405560 19 API calls 12802->12804 12803->12796 12804->12795 12806->12752 12807->12778 12808->12760 12809->12776 12810->12787 12811->12757 12812 2b67471 12813 2b67488 12812->12813 12818 2b62787 12812->12818 12814 2b737ba 2 API calls 12813->12814 12815 2b674b3 12814->12815 12819 2b67616 12815->12819 12817 2b6760f 12820 2b67692 12819->12820 12821 2b76913 NtResumeThread 12820->12821 12823 2b677f0 12821->12823 12822 2b67c5f 12822->12817 12823->12822 12824 2b76913 NtResumeThread 12823->12824 12826 2b679fd 12823->12826 12824->12826 12825 2b67bd8 12825->12817 12826->12825 12827 2b76913 NtResumeThread 12826->12827 12827->12825 13049 401b88 13050 40303e 16 API calls 13049->13050 13051 401b8f 13050->13051 13052 40303e 16 API calls 13051->13052 13053 401b98 13052->13053 13054 401ba0 lstrcmpiW 13053->13054 13055 401ba8 lstrcmpW 13053->13055 13056 401bae 
13054->13056 13055->13056 13057 403d8a 13058 403ec4 13057->13058 13059 403d9f 13057->13059 13060 403ed2 13058->13060 13061 403f45 13058->13061 13063 40551a 17 API calls 13059->13063 13067 403eff GetDlgItem SendMessageW EnableWindow 13060->13067 13077 403f40 13060->13077 13062 403f50 GetDlgItem 13061->13062 13061->13077 13065 404013 13062->13065 13069 403f72 13062->13069 13066 403e0e 13063->13066 13064 40575b 8 API calls 13068 404058 13064->13068 13071 404024 13065->13071 13065->13077 13070 40551a 17 API calls 13066->13070 13086 40553c SendMessageW 13067->13086 13073 403fa2 SendMessageW LoadCursorW SetCursor 13069->13073 13069->13077 13074 403e1d CheckDlgButton EnableWindow GetDlgItem 13070->13074 13075 404043 13071->13075 13076 40402c SendMessageW 13071->13076 13087 4069f3 ShellExecuteExW 13073->13087 13085 405503 SendMessageW 13074->13085 13075->13068 13080 404048 SendMessageW 13075->13080 13076->13075 13077->13064 13080->13068 13081 404005 LoadCursorW SetCursor 13081->13065 13082 403e50 SendMessageW 13083 403e75 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 13082->13083 13084 403e6c GetSysColor 13082->13084 13083->13068 13084->13083 13085->13082 13086->13077 13087->13081 12828 40568c lstrlenW WideCharToMultiByte 12994 2b669fa 12995 2b66a25 12994->12995 12997 2b62787 12994->12997 12996 2b737ba 2 API calls 12995->12996 12996->12997 12551 74272c6a 12552 74272cd8 12551->12552 12553 74272cc3 12551->12553 12553->12552 12554 74272ccd GetLastError 12553->12554 12554->12552 12829 401e8e 12830 403002 16 API calls 12829->12830 12831 401e94 IsWindow 12830->12831 12832 401bb2 12831->12832 11757 404f92 11758 404fb1 11757->11758 11759 405133 11757->11759 11758->11759 11761 404fbd 11758->11761 11760 405147 GetDlgItem GetDlgItem 11759->11760 11770 405180 11759->11770 11762 40551a 17 API calls 11760->11762 11764 404fc2 SetWindowPos 11761->11764 11765 404fdc 11761->11765 11769 40516a SetClassLongW 11762->11769 11763 4051d7 11766 4054e8 SendMessageW 11763->11766 11777 
40512e 11763->11777 11771 40511f 11764->11771 11767 404fe1 ShowWindow 11765->11767 11768 40502f 11765->11768 11805 4051e9 11766->11805 11767->11771 11772 405006 GetWindowLongW 11767->11772 11773 405051 11768->11773 11774 405037 DestroyWindow 11768->11774 11775 401533 89 API calls 11769->11775 11770->11763 11776 401399 89 API calls 11770->11776 11778 40575b 8 API calls 11771->11778 11772->11771 11779 405022 ShowWindow 11772->11779 11781 405056 SetWindowLongW 11773->11781 11782 405069 11773->11782 11780 405468 11774->11780 11775->11770 11783 4051b0 11776->11783 11778->11777 11779->11771 11780->11777 11788 40549b ShowWindow 11780->11788 11781->11777 11782->11771 11786 405075 GetDlgItem 11782->11786 11783->11763 11787 4051b4 SendMessageW 11783->11787 11784 401533 89 API calls 11784->11805 11785 40546a DestroyWindow EndDialog 11785->11780 11789 405091 SendMessageW IsWindowEnabled 11786->11789 11790 4050b4 11786->11790 11787->11777 11788->11777 11789->11777 11792 4050b0 11789->11792 11793 4050c3 11790->11793 11794 4050d5 11790->11794 11795 405106 SendMessageW 11790->11795 11803 4050bb 11790->11803 11791 405eba 16 API calls 11791->11805 11792->11790 11793->11795 11793->11803 11798 4050ec 11794->11798 11799 4050de 11794->11799 11795->11771 11796 40551a 17 API calls 11796->11805 11797 405958 SendMessageW 11800 405104 11797->11800 11802 401533 89 API calls 11798->11802 11833 401533 11799->11833 11800->11771 11804 4050f3 11802->11804 11803->11797 11804->11771 11804->11803 11805->11777 11805->11784 11805->11785 11805->11791 11805->11796 11806 40551a 17 API calls 11805->11806 11819 4053aa DestroyWindow 11805->11819 11807 40526d GetDlgItem 11806->11807 11808 405294 ShowWindow KiUserCallbackDispatcher KiUserCallbackDispatcher EnableWindow 11807->11808 11812 405288 11807->11812 11808->11812 11809 4052e9 GetSystemMenu EnableMenuItem SendMessageW 11810 405316 SendMessageW 11809->11810 11809->11812 11810->11812 11812->11808 11812->11809 11828 405503 SendMessageW 11812->11828 11829 
405d1b 11812->11829 11832 406b1a lstrcpynW 11812->11832 11815 405348 lstrlenW 11816 405eba 16 API calls 11815->11816 11817 405362 SetWindowTextW 11816->11817 11818 401399 89 API calls 11817->11818 11818->11805 11819->11780 11820 4053c4 CreateDialogParamW 11819->11820 11820->11780 11821 4053f7 11820->11821 11822 40551a 17 API calls 11821->11822 11823 405402 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 11822->11823 11824 401399 89 API calls 11823->11824 11825 405448 11824->11825 11825->11777 11826 405450 ShowWindow 11825->11826 11827 4054e8 SendMessageW 11826->11827 11827->11780 11828->11812 11830 405eba 16 API calls 11829->11830 11831 405d29 SetWindowTextW 11830->11831 11831->11812 11832->11815 11834 401399 89 API calls 11833->11834 11835 401547 11834->11835 11835->11803 11879 40211b 11880 40303e 16 API calls 11879->11880 11881 402121 11880->11881 11882 405d3a 23 API calls 11881->11882 11883 40212b 11882->11883 11892 4066d6 CreateProcessW 11883->11892 11887 402110 CloseHandle 11888 401709 11887->11888 11889 40214b 11890 40215b 11889->11890 11900 40661f wsprintfW 11889->11900 11890->11887 11890->11888 11893 402131 11892->11893 11894 406709 CloseHandle 11892->11894 11893->11888 11893->11890 11895 406514 WaitForSingleObject 11893->11895 11894->11893 11896 40652b 11895->11896 11897 406541 GetExitCodeProcess 11896->11897 11901 40620f 11896->11901 11897->11889 11900->11890 11902 406221 PeekMessageW 11901->11902 11903 406217 DispatchMessageW 11902->11903 11904 406239 WaitForSingleObject 11902->11904 11903->11902 11904->11896 12237 7427167a 12238 742716b7 12237->12238 12279 74272351 12238->12279 12240 742716be 12241 742717ef 12240->12241 12242 742716d6 12240->12242 12243 742716cf 12240->12243 12309 74272049 12242->12309 12325 74271fcb 12243->12325 12248 74271722 12338 74272209 12248->12338 12249 74271740 12254 74271746 12249->12254 12255 74271791 12249->12255 12250 742716eb 12253 742716f5 12250->12253 12258 74271702 12250->12258 12251 7427170a 12264 74271700 
12251->12264 12335 74272f9f 12251->12335 12253->12264 12319 74272d14 12253->12319 12357 74271f1e 12254->12357 12256 74272209 10 API calls 12255->12256 12262 7427177e 12256->12262 12257 74271728 12349 74271668 12257->12349 12329 742717f7 12258->12329 12270 742717de 12262->12270 12362 7427200d 12262->12362 12264->12248 12264->12249 12268 74271708 12268->12264 12269 74272209 10 API calls 12269->12262 12270->12241 12274 742717e8 GlobalFree 12270->12274 12274->12241 12276 742717cf 12276->12270 12366 742715c5 wsprintfW 12276->12366 12277 742717c2 FreeLibrary 12277->12276 12369 742712f8 GlobalAlloc 12279->12369 12281 7427237f 12370 742712f8 GlobalAlloc 12281->12370 12283 74272a3a GlobalFree GlobalFree GlobalFree 12284 74272a5a 12283->12284 12298 74272aa7 12283->12298 12285 74272af7 12284->12285 12291 74272a73 12284->12291 12284->12298 12287 74272b19 GetModuleHandleW 12285->12287 12285->12298 12286 74272947 GlobalAlloc 12307 7427238a 12286->12307 12288 74272b3f 12287->12288 12289 74272b2a LoadLibraryW 12287->12289 12377 74271f7b WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 12288->12377 12289->12288 12289->12298 12296 742712e1 2 API calls 12291->12296 12291->12298 12292 7427299f lstrcpyW 12292->12307 12293 742729bd GlobalFree 12293->12307 12294 74272b8e 12295 74272b9c lstrlenW 12294->12295 12294->12298 12378 74271f7b WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 12295->12378 12296->12298 12297 742729af lstrcpyW 12297->12307 12298->12240 12299 74272b4c 12299->12294 12306 74272b78 GetProcAddress 12299->12306 12301 74272bb6 12301->12298 12303 74272822 GlobalFree 12303->12307 12304 742729fb 12304->12307 12375 74271309 GlobalSize GlobalAlloc 12304->12375 12306->12294 12307->12283 12307->12286 12307->12292 12307->12293 12307->12297 12307->12303 12307->12304 12371 742712f8 GlobalAlloc 12307->12371 12372 742712e1 12307->12372 12314 7427205e 12309->12314 12311 742721be GlobalFree 12311->12314 12315 742716dc 

Control-flow Graph (graph starting at 4036fc; legend: Executed, Not Executed)

                                                            C-Code - Quality: 83%
                                                            			_entry_() {
                                                            				char _v694;
                                                            				struct _SHFILEINFOW _v696;
                                                            				signed char _v700;
                                                            				intOrPtr _v930;
                                                            				struct _OSVERSIONINFOW _v976;
                                                            				long _v1004;
                                                            				struct _TOKEN_PRIVILEGES _v1016;
                                                            				intOrPtr _v1020;
                                                            				void* _v1024;
                                                            				int _v1028;
                                                            				intOrPtr _v1036;
                                                            				signed short* _v1048;
                                                            				signed int _t45;
                                                            				intOrPtr* _t58;
                                                            				signed int _t71;
                                                            				void* _t79;
                                                            				void* _t80;
                                                            				void* _t81;
                                                            				void* _t83;
                                                            				WCHAR* _t91;
                                                            				void* _t95;
                                                            				void* _t103;
                                                            				void* _t107;
                                                            				void* _t113;
                                                            				signed short _t124;
                                                            				intOrPtr* _t126;
                                                            				signed short _t128;
                                                            				void* _t131;
                                                            				intOrPtr* _t132;
                                                            				void* _t136;
                                                            				signed char _t137;
                                                            				void* _t140;
                                                            				WCHAR* _t141;
                                                            				int _t143;
                                                            				void* _t144;
                                                            				signed int _t149;
                                                            				void* _t153;
                                                            				signed int _t154;
                                                            				signed int _t155;
                                                            				signed char _t156;
                                                            				signed int _t158;
                                                            				signed short _t159;
                                                            				void* _t160;
                                                            				int _t161;
                                                            				CHAR* _t163;
                                                            				intOrPtr _t165;
                                                            				void* _t168;
                                                            				void* _t169;
                                                            				void* _t170;
                                                            				signed int _t173;
                                                            				signed int _t175;
                                                            				int _t176;
                                                            
                                                            				_t161 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                            				_v1004 = 0;
                                                            				_t175 = 0; // executed
                                                            				SetErrorMode(0x8001); // executed
                                                            				asm("xorps xmm0, xmm0");
                                                            				_v976.szCSDVersion = 0;
                                                            				asm("movlpd [esp+0x144], xmm0");
                                                            				_v976.dwOSVersionInfoSize = 0x11c;
                                                            				if(GetVersionExW( &_v976) != 0) {
                                                            					_t156 = _v694;
                                                            				} else {
                                                            					_v976.dwOSVersionInfoSize = 0x114;
                                                            					GetVersionExW( &_v976);
                                                            					_t136 = 0x53;
                                                            					_t156 = 4;
                                                            					_v694 = 4;
                                                            					if(_v976.szCSDVersion != _t136) {
                                                            						_t137 = 0;
                                                            					} else {
                                                            						_t137 = _v930 + 0xffffffd0;
                                                            					}
                                                            					_v700 = _t137;
                                                            				}
                                                            				if(_v976.dwMajorVersion >= 0xa) {
                                                            					_t45 = _v976.dwBuildNumber;
                                                            				} else {
                                                            					_t45 = _v976.dwBuildNumber & 0x0000ffff;
                                                            					_v976.dwBuildNumber = _t45;
                                                            				}
                                                            				 *0x435af8 = _t45;
                                                            				_t149 = ((_v976.dwMajorVersion & 0x000000ff) << 0x00000008 & 0x0000ffff | _v976.dwMinorVersion & 0x000000ff) << 0x00000010 | (_v700 & 0x000000ff) << 0x00000008 & 0x0000ffff | _t156 & 0x000000ff;
                                                            				 *0x435afc = _t149;
                                                            				if(_t149 >> 0x10 != 0x600) {
                                                            					_t132 = E004068E6(0);
                                                            					if(_t132 != 0) {
                                                            						 *_t132(0xc00);
                                                            					}
                                                            				}
                                                            				_t163 = "UXTHEME";
                                                            				do {
                                                            					E0040619E(_t163); // executed
                                                            					_t163 =  &(( &(_t163[1]))[lstrlenA(_t163)]);
                                                            				} while ( *_t163 != 0);
                                                            				E004068E6(0xb);
                                                            				 *0x4349f0 = E004068E6(9);
                                                            				_t58 = E004068E6(7);
                                                            				if(_t58 != 0) {
                                                            					_t58 =  *_t58(0x1e);
                                                            					if(_t58 != 0) {
                                                            						 *0x435afc =  *0x435afc | 0x00000080;
                                                            					}
                                                            				}
                                                            				__imp__#17();
                                                            				__imp__OleInitialize(0); // executed
                                                            				 *0x435a60 = _t58;
                                                            				SHGetFileInfoW(0x4095b0, 0,  &_v696, 0x2b4, 0); // executed
                                                            				E00406B1A(0x434a00, L"NSIS Error");
                                                            				E00406B1A(L"\"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe\"", GetCommandLineW());
                                                            				_t165 = 0x22;
                                                            				_t140 = 0x20;
                                                            				 *0x4349f4 = 0x400000;
                                                            				_v1036 = _t165;
                                                            				_t65 =  !=  ? _t140 : _t165;
                                                            				_t66 = ( !=  ? _t140 : _t165) & 0x0000ffff;
                                                            				_t68 =  ==  ?  &M00440002 : L"\"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe\"";
                                                            				_t152 = CharNextW(E004065F6( ==  ?  &M00440002 : L"\"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe\"", ( !=  ? _t140 : _t165) & 0x0000ffff));
                                                            				_v1048 = _t152;
                                                            				_t71 =  *_t152 & 0x0000ffff;
                                                            				if(_t71 == 0) {
                                                            					L40:
                                                            					_t141 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
                                                            					GetTempPathW(0x400, _t141);
                                                            					__eflags = E00403CA5(_t152, __eflags);
                                                            					if(__eflags != 0) {
                                                            						L43:
                                                            						DeleteFileW(L"1033"); // executed
                                                            						_t161 = E004033ED(__eflags, _t175);
                                                            						_t176 = 0;
                                                            						__eflags = _t161;
                                                            						if(_t161 != 0) {
                                                            							L71:
                                                            							_t143 = _v1028;
                                                            							L72:
                                                            							E004036D2();
                                                            							__imp__OleUninitialize();
                                                            							__eflags = _t161;
                                                            							if(_t161 == 0) {
                                                            								__eflags =  *0x435ad4;
                                                            								if( *0x435ad4 == 0) {
                                                            									L82:
                                                            									__eflags =  *0x435aec - 0xffffffff;
                                                            									ExitProcess(_t143);
                                                            									L74:
                                                            								}
                                                            								_t79 = OpenProcessToken(GetCurrentProcess(), 0x28,  &_v1024);
                                                            								__eflags = _t79;
                                                            								if(_t79 != 0) {
                                                            									LookupPrivilegeValueW(_t176, L"SeShutdownPrivilege",  &(_v1016.Privileges));
                                                            									_v1016.PrivilegeCount = 1;
                                                            									_v1004 = 2;
                                                            									AdjustTokenPrivileges(_v1024, _t176,  &_v1016, _t176, _t176, _t176);
                                                            								}
                                                            								_t80 = E004068E6(4);
                                                            								__eflags = _t80;
                                                            								if(_t80 == 0) {
                                                            									L80:
                                                            									_t81 = ExitWindowsEx(2, 0x80040002);
                                                            									__eflags = _t81;
                                                            									if(_t81 != 0) {
                                                            										goto L82;
                                                            									}
                                                            									goto L81;
                                                            								} else {
                                                            									_t83 =  *_t80(_t176, _t176, _t176, 0x25, 0x80040002);
                                                            									__eflags = _t83;
                                                            									if(_t83 == 0) {
                                                            										L81:
                                                            										E00401533(9);
                                                            										goto L82;
                                                            									}
                                                            									goto L80;
                                                            								}
                                                            							}
                                                            							E00406AA8(_t161, 0x200010);
                                                            							ExitProcess(2);
                                                            							goto L74;
                                                            						}
                                                            						__eflags =  *0x435a04;
                                                            						if( *0x435a04 == 0) {
                                                            							L53:
                                                            							 *0x435aec =  *0x435aec | 0xffffffff;
                                                            							_t143 = E00405A3E();
                                                            							goto L72;
                                                            						}
                                                            						_t168 = E004065F6(L"\"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe\"", 0);
                                                            						_t91 = L"\"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe\"";
                                                            						while(1) {
                                                            							__eflags = _t168 - _t91;
                                                            							if(_t168 < _t91) {
                                                            								break;
                                                            							}
                                                            							__eflags =  *_t168 - 0x5f0020;
                                                            							if( *_t168 != 0x5f0020) {
                                                            								L48:
                                                            								_t168 = _t168 - 2;
                                                            								__eflags = _t168;
                                                            								continue;
                                                            							}
                                                            							__eflags =  *((intOrPtr*)(_t168 + 4)) - 0x3d003f;
                                                            							if( *((intOrPtr*)(_t168 + 4)) == 0x3d003f) {
                                                            								break;
                                                            							}
                                                            							goto L48;
                                                            						}
                                                            						_t161 = L"Error launching installer";
                                                            						__eflags = _t168 - _t91;
                                                            						if(__eflags < 0) {
                                                            							_t169 = E004064FC();
                                                            							lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L"~nsu");
                                                            							__eflags = _t169;
                                                            							if(_t169 != 0) {
                                                            								lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", "A");
                                                            							}
                                                            							lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L".tmp");
                                                            							_t95 = lstrcmpiW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L"C:\\Users\\Arthur\\Desktop");
                                                            							__eflags = _t95;
                                                            							if(_t95 == 0) {
                                                            								L69:
                                                            								_t143 = _t176;
                                                            								goto L72;
                                                            							} else {
                                                            								_push(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\");
                                                            								__eflags = _t169;
                                                            								if(_t169 == 0) {
                                                            									E00405E1E();
                                                            								} else {
                                                            									E00405E3E();
                                                            								}
                                                            								SetCurrentDirectoryW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\");
                                                            								__eflags = L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane" - _t176; // 0x43
                                                            								if(__eflags == 0) {
                                                            									E00406B1A(L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", L"C:\\Users\\Arthur\\Desktop");
                                                            								}
                                                            								E00406B1A(0x436000, _v1024);
                                                            								 *0x436800 = 0x41;
                                                            								_t170 = 0x1a;
                                                            								do {
                                                            									_push( *((intOrPtr*)( *0x435a10 + 0x120)));
                                                            									_push(0x42b538);
                                                            									E00405EBA();
                                                            									DeleteFileW(0x42b538);
                                                            									__eflags = _t161;
                                                            									if(_t161 != 0) {
                                                            										_t103 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe", 0x42b538, 1);
                                                            										__eflags = _t103;
                                                            										if(_t103 != 0) {
                                                            											E0040623D(0x42b538, _t176);
                                                            											_push( *((intOrPtr*)( *0x435a10 + 0x124)));
                                                            											_push(0x42b538);
                                                            											E00405EBA();
                                                            											_t107 = E004066D6(0x42b538);
                                                            											__eflags = _t107;
                                                            											if(_t107 != 0) {
                                                            												CloseHandle(_t107);
                                                            												_t161 = _t176;
                                                            											}
                                                            										}
                                                            									}
                                                            									 *0x436800 =  *0x436800 + 1;
                                                            									_t170 = _t170 - 1;
                                                            									__eflags = _t170;
                                                            								} while (_t170 != 0);
                                                            								E0040623D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", _t176);
                                                            								goto L69;
                                                            							}
                                                            						}
                                                            						 *_t168 = 0;
                                                            						_t171 = _t168 + 8;
                                                            						_t113 = E00406638(__eflags, _t168 + 8);
                                                            						__eflags = _t113;
                                                            						if(_t113 == 0) {
                                                            							goto L69;
                                                            						}
                                                            						E00406B1A(L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", _t171);
                                                            						E00406B1A(L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", _t171);
                                                            						_t161 = _t176;
                                                            						goto L53;
                                                            					}
                                                            					GetWindowsDirectoryW(_t141, 0x3fb);
                                                            					lstrcatW(_t141, L"\\Temp");
                                                            					__eflags = E00403CA5(_t152, __eflags);
                                                            					if(__eflags != 0) {
                                                            						goto L43;
                                                            					}
                                                            					GetTempPathW(0x3fc, _t141);
                                                            					lstrcatW(_t141, L"Low");
                                                            					SetEnvironmentVariableW(L"TEMP", _t141);
                                                            					SetEnvironmentVariableW(L"TMP", _t141);
                                                            					__eflags = E00403CA5(_t152, __eflags);
                                                            					if(__eflags == 0) {
                                                            						_t176 = 0;
                                                            						__eflags = 0;
                                                            						goto L71;
                                                            					}
                                                            					goto L43;
                                                            				} else {
                                                            					_t173 = _t71;
                                                            					while(1) {
                                                            						_t124 = _t173 & 0x0000ffff;
                                                            						if(_t173 != _t140) {
                                                            							goto L21;
                                                            						} else {
                                                            							goto L20;
                                                            						}
                                                            						do {
                                                            							L20:
                                                            							_t152 =  &(_t152[1]);
                                                            							_t124 =  *_t152 & 0x0000ffff;
                                                            						} while (_t124 == _t140);
                                                            						L21:
                                                            						_t158 = _t124 & 0x0000ffff;
                                                            						if(_t124 == _v1020) {
                                                            							_t158 = _t152[1] & 0x0000ffff;
                                                            							_t131 = 0x22;
                                                            							_t140 = _t131;
                                                            						}
                                                            						_t25 =  &(_t152[1]); // 0x0
                                                            						_t126 =  !=  ? _t152 : _t25;
                                                            						if(_t158 != 0x2f) {
                                                            							L35:
                                                            							_t152 = E004065F6(_t126, _t140);
                                                            							_t144 = 0x22;
                                                            							_t128 =  *_t152 & 0x0000ffff;
                                                            							_t159 = _t128;
                                                            							if(_t128 == _t144) {
                                                            								_t152 =  &(_t152[1]);
                                                            								_t159 =  *_t152 & 0x0000ffff;
                                                            							}
                                                            							_t173 = _t159 & 0x0000ffff;
                                                            							if(_t159 == 0) {
                                                            								goto L40;
                                                            							} else {
                                                            								_t140 = 0x20;
                                                            								continue;
                                                            							}
                                                            						} else {
                                                            							_t126 = _t126 + 2;
                                                            							_t153 = 0x53;
                                                            							_t160 = 0x20;
                                                            							if( *_t126 == _t153) {
                                                            								_t155 =  *(_t126 + 2) & 0x0000ffff;
                                                            								if(_t155 == _t160 || _t155 == 0) {
                                                            									 *0x435ae0 = 1;
                                                            								}
                                                            							}
                                                            							if( *_t126 == 0x43004e &&  *(_t126 + 4) == 0x430052) {
                                                            								_t154 =  *(_t126 + 8) & 0x0000ffff;
                                                            								if(_t154 == _t160 || _t154 == 0) {
                                                            									_t175 = _t175 | 0x00000004;
                                                            								}
                                                            							}
                                                            							if( *((intOrPtr*)(_t126 - 4)) != 0x2f0020 ||  *_t126 != 0x3d0044) {
                                                            								goto L35;
                                                            							} else {
                                                            								_t152 = 0;
                                                            								 *((short*)(_t126 - 4)) = 0;
                                                            								__eflags = _t126 + 4;
                                                            								E00406B1A(L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", _t126 + 4);
                                                            								goto L40;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}























































                                                            0x00403a68
                                                            0x00403a68
                                                            0x00000000
                                                            0x00403a68
                                                            0x00403a5f
                                                            0x00403a66
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00403a66
                                                            0x00403a6f
                                                            0x00403a74
                                                            0x00403a76
                                                            0x00403ac8
                                                            0x00403aca
                                                            0x00403acf
                                                            0x00403ad1
                                                            0x00403add
                                                            0x00403add
                                                            0x00403aec
                                                            0x00403afb
                                                            0x00403b01
                                                            0x00403b03
                                                            0x00403be0
                                                            0x00403be0
                                                            0x00000000
                                                            0x00403b09
                                                            0x00403b09
                                                            0x00403b0e
                                                            0x00403b10
                                                            0x00403b19
                                                            0x00403b12
                                                            0x00403b12
                                                            0x00403b12
                                                            0x00403b23
                                                            0x00403b29
                                                            0x00403b30
                                                            0x00403b3c
                                                            0x00403b3c
                                                            0x00403b4a
                                                            0x00403b51
                                                            0x00403b5b
                                                            0x00403b5c
                                                            0x00403b61
                                                            0x00403b67
                                                            0x00403b6c
                                                            0x00403b76
                                                            0x00403b78
                                                            0x00403b7a
                                                            0x00403b88
                                                            0x00403b8e
                                                            0x00403b90
                                                            0x00403b98
                                                            0x00403ba2
                                                            0x00403ba8
                                                            0x00403bad
                                                            0x00403bb7
                                                            0x00403bbc
                                                            0x00403bbe
                                                            0x00403bc1
                                                            0x00403bc7
                                                            0x00403bc7
                                                            0x00403bbe
                                                            0x00403b90
                                                            0x00403bc9
                                                            0x00403bd0
                                                            0x00403bd0
                                                            0x00403bd0
                                                            0x00403bdb
                                                            0x00000000
                                                            0x00403bdb
                                                            0x00403b03
                                                            0x00403a7a
                                                            0x00403a7d
                                                            0x00403a81
                                                            0x00403a86
                                                            0x00403a88
                                                            0x00000000
                                                            0x00000000
                                                            0x00403a94
                                                            0x00403a9f
                                                            0x00403aa4
                                                            0x00000000
                                                            0x00403aa4
                                                            0x004039cc
                                                            0x004039d8
                                                            0x004039e2
                                                            0x004039e4
                                                            0x00000000
                                                            0x00000000
                                                            0x004039ec
                                                            0x004039f4
                                                            0x00403a05
                                                            0x00403a0d
                                                            0x00403a14
                                                            0x00403a16
                                                            0x00403be4
                                                            0x00403be4
                                                            0x00000000
                                                            0x00403be4
                                                            0x00000000
                                                            0x004038d5
                                                            0x004038d5
                                                            0x004038d7
                                                            0x004038d7
                                                            0x004038dd
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004038df
                                                            0x004038df
                                                            0x004038df
                                                            0x004038e2
                                                            0x004038e5
                                                            0x004038ea
                                                            0x004038ed
                                                            0x004038f5
                                                            0x004038f7
                                                            0x004038fd
                                                            0x004038fe
                                                            0x004038fe
                                                            0x00403905
                                                            0x00403908
                                                            0x0040390f
                                                            0x0040396a
                                                            0x00403971
                                                            0x00403975
                                                            0x00403976
                                                            0x00403979
                                                            0x0040397e
                                                            0x00403980
                                                            0x00403983
                                                            0x00403983
                                                            0x00403986
                                                            0x0040398c
                                                            0x00000000
                                                            0x0040398e
                                                            0x00403990
                                                            0x00000000
                                                            0x00403990
                                                            0x00403911
                                                            0x00403913
                                                            0x00403916
                                                            0x00403919
                                                            0x0040391d
                                                            0x0040391f
                                                            0x00403926
                                                            0x0040392d
                                                            0x0040392d
                                                            0x00403926
                                                            0x0040393d
                                                            0x00403948
                                                            0x0040394f
                                                            0x00403956
                                                            0x00403956
                                                            0x0040394f
                                                            0x00403960
                                                            0x00000000
                                                            0x00403996
                                                            0x00403996
                                                            0x00403998
                                                            0x0040399c
                                                            0x004039a5
                                                            0x00000000
                                                            0x004039a5
                                                            0x00403960
                                                            0x0040390f
                                                            0x004038d7

                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00403718
                                                            • GetVersionExW.KERNEL32 ref: 00403741
                                                            • GetVersionExW.KERNEL32(?), ref: 00403754
                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037FC
                                                            • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403836
                                                            • OleInitialize.OLE32(00000000), ref: 0040383D
                                                            • SHGetFileInfoW.SHELL32(004095B0,00000000,?,000002B4,00000000), ref: 0040385C
                                                            • GetCommandLineW.KERNEL32(00434A00,NSIS Error), ref: 00403871
                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Ta62k9weDV.exe",?,"C:\Users\user\Desktop\Ta62k9weDV.exe",00000000), ref: 004038BD
                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004039BB
                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039CC
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039D8
                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039EC
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039F4
                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403A05
                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403A0D
                                                            • DeleteFileW.KERNELBASE(1033), ref: 00403A27
                                                              • Part of subcall function 004033ED: GetTickCount.KERNEL32 ref: 00403400
                                                              • Part of subcall function 004033ED: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ta62k9weDV.exe,00000400,?,?,?,?,?), ref: 0040341C
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403ACA
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409600), ref: 00403ADD
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403AEC
                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ta62k9weDV.exe",00000000,00000000), ref: 00403AFB
                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B23
                                                            • DeleteFileW.KERNEL32(0042B538,0042B538,?,00436000,?), ref: 00403B76
                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\Ta62k9weDV.exe,0042B538,00000001), ref: 00403B88
                                                            • CloseHandle.KERNEL32(00000000,0042B538,0042B538,?,0042B538,00000000), ref: 00403BC1
                                                              • Part of subcall function 00405E1E: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00405E26
                                                              • Part of subcall function 00405E1E: GetLastError.KERNEL32 ref: 00405E30
                                                            • OleUninitialize.OLE32(00000000), ref: 00403BEF
                                                            • ExitProcess.KERNEL32 ref: 00403C06
                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403C1C
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403C23
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C38
                                                            • AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C5B
                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C80
                                                              • Part of subcall function 004065F6: CharNextW.USER32(?,004038BC,"C:\Users\user\Desktop\Ta62k9weDV.exe",?,"C:\Users\user\Desktop\Ta62k9weDV.exe",00000000), ref: 0040660C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
                                                            • String ID: "C:\Users\user\Desktop\Ta62k9weDV.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$C:\Users\user\Desktop$C:\Users\user\Desktop\Ta62k9weDV.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                            • API String ID: 1152188737-158673262
                                                            • Opcode ID: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
                                                            • Instruction ID: bd20618887128fe8ff831b6fc98b417d690d9367272f1fc6873584cad7b34aa2
                                                            • Opcode Fuzzy Hash: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
                                                            • Instruction Fuzzy Hash: 00D134B12043116AE7207F659C46B2B3AACAB4474EF41453FF586B62D2D7BC9D40CB2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 146 404b30-404b47 147 404cd9-404cdf 146->147 148 404b4d-404c1b GetDlgItem * 3 call 405503 call 405835 GetClientRect GetSystemMetrics SendMessageW * 2 146->148 150 404ce1-404d07 GetDlgItem CreateThread CloseHandle 147->150 151 404d25-404d2b 147->151 172 404c31-404c37 148->172 173 404c1d-404c2f SendMessageW * 2 148->173 155 404d0d-404d16 call 40575b 150->155 152 404d56-404d5c 151->152 153 404d2d-404d37 151->153 157 404da4-404da7 152->157 158 404d5e-404d65 152->158 153->155 156 404d39-404d54 ShowWindow * 2 call 405503 153->156 161 404d1b-404d22 155->161 156->155 157->155 162 404dad-404db1 157->162 164 404d67-404d71 158->164 165 404d7a-404d8f ShowWindow 158->165 162->155 167 404db7-404dcf SendMessageW 162->167 169 404d73-404d78 call 405958 164->169 170 404da0-404da2 165->170 171 404d91-404d9b call 405d3a 165->171 176 404ee5-404ee7 167->176 177 404dd5-404e07 CreatePopupMenu call 405eba AppendMenuW 167->177 169->155 170->169 171->170 174 404c43-404c5c call 40551a 172->174 175 404c39-404c41 SendMessageW 172->175 173->172 185 404c90-404cb6 GetDlgItem SendMessageW 174->185 186 404c5e-404c72 ShowWindow 174->186 175->174 176->161 187 404e09-404e19 GetWindowRect 177->187 188 404e1d-404e39 TrackPopupMenu 177->188 185->176 192 404cbc-404cd4 SendMessageW * 2 185->192 189 404c74-404c7d ShowWindow 186->189 190 404c7f 186->190 187->188 188->176 191 404e3f-404e4b 188->191 193 404c85-404c8b call 405503 189->193 190->193 194 404e53-404e6d SendMessageW 191->194 192->176 193->185 194->194 196 404e6f-404e99 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 194->196 197 404e9b-404ec7 SendMessageW 196->197 197->197 198 404ec9-404edf GlobalUnlock SetClipboardData CloseClipboard 197->198 198->176
                                                            C-Code - Quality: 85%
                                                            			E00404B30() {
                                                            				struct HMENU__* _t63;
                                                            				WCHAR* _t64;
                                                            				int _t68;
                                                            				void* _t76;
                                                            				signed int _t78;
                                                            				short _t79;
                                                            				short _t80;
                                                            				int _t82;
                                                            				void* _t97;
                                                            				intOrPtr _t100;
                                                            				long _t114;
                                                            				struct HWND__* _t128;
                                                            				struct HWND__* _t130;
                                                            				struct HWND__* _t131;
                                                            				unsigned int _t132;
                                                            				int _t135;
                                                            				long _t136;
                                                            				int _t138;
                                                            				signed int _t140;
                                                            				short* _t141;
                                                            				int _t144;
                                                            				int _t148;
                                                            				void* _t149;
                                                            				long _t150;
                                                            				void* _t151;
                                                            				long _t152;
                                                            				void* _t153;
                                                            
                                                            				_t128 =  *0x4349e8;
                                                            				_t136 =  *(_t153 + 0x64);
                                                            				if(_t136 != 0x110) {
                                                            					if(_t136 != 0x405) {
                                                            						if(_t136 != 0x111) {
                                                            							if(_t136 != 0x404) {
                                                            								if(_t136 != 0x7b ||  *(_t153 + 0x68) != _t128) {
                                                            									L14:
                                                            									return E0040575B(_t136,  *(_t153 + 0x6c),  *(_t153 + 0x6c));
                                                            								} else {
                                                            									_t144 = 0;
                                                            									_t148 = SendMessageW(_t128, 0x1004, 0, 0);
                                                            									 *(_t153 + 0x64) = _t148;
                                                            									if(_t148 <= 0) {
                                                            										L37:
                                                            										return 0;
                                                            									}
                                                            									_t63 = CreatePopupMenu();
                                                            									_push(0xffffffe1);
                                                            									_push(0);
                                                            									 *(_t153 + 0x70) = _t63;
                                                            									_t64 = E00405EBA();
                                                            									_t138 = 1;
                                                            									AppendMenuW( *(_t153 + 0x74), 0, 1, _t64);
                                                            									_t132 =  *(_t153 + 0x6c);
                                                            									_t135 = _t132;
                                                            									_t68 = _t132 >> 0x10;
                                                            									if(_t132 == 0xffffffff) {
                                                            										GetWindowRect(_t128, _t153 + 0x10);
                                                            										_t135 =  *(_t153 + 0x10);
                                                            										_t68 =  *(_t153 + 0x14);
                                                            									}
                                                            									if(TrackPopupMenu( *(_t153 + 0x80), 0x180, _t135, _t68, _t144,  *(_t153 + 0x64), _t144) == _t138) {
                                                            										 *(_t153 + 0x28) = _t144;
                                                            										 *(_t153 + 0x34) = 0x42bd48;
                                                            										 *((intOrPtr*)(_t153 + 0x38)) = 0x1000;
                                                            										do {
                                                            											_t148 = _t148 - 1;
                                                            											_t138 = _t138 + 2 + SendMessageW(_t128, 0x1073, _t148, _t153 + 0x20);
                                                            										} while (_t148 != 0);
                                                            										OpenClipboard(_t144);
                                                            										EmptyClipboard();
                                                            										_t149 = GlobalAlloc(0x42, _t138 + _t138);
                                                            										 *(_t153 + 0x64) = _t149;
                                                            										_t76 = GlobalLock(_t149);
                                                            										_t150 =  *(_t153 + 0x64);
                                                            										_t140 = _t76;
                                                            										do {
                                                            											 *(_t153 + 0x34) = _t140;
                                                            											_t78 = SendMessageW(_t128, 0x1073, _t144, _t153 + 0x20);
                                                            											_t141 = _t140 + _t78 * 2;
                                                            											_t79 = 0xd;
                                                            											 *_t141 = _t79;
                                                            											_t80 = 0xa;
                                                            											 *((short*)(_t141 + 2)) = _t80;
                                                            											_t140 = _t141 + 4;
                                                            											_t144 = _t144 + 1;
                                                            										} while (_t144 < _t150);
                                                            										_t151 =  *(_t153 + 0x60);
                                                            										GlobalUnlock(_t151);
                                                            										_push(_t151);
                                                            										_t82 = 0xd;
                                                            										SetClipboardData(_t82, ??);
                                                            										CloseClipboard();
                                                            									}
                                                            									goto L37;
                                                            								}
                                                            							}
                                                            							if( *0x4349ec == 0) {
                                                            								ShowWindow( *0x4349f8, 8);
                                                            								if( *0x435acc == 0) {
                                                            									E00405D3A( *((intOrPtr*)( *0x42dd4c + 0x34)), 0);
                                                            								}
                                                            								_push(1);
                                                            							} else {
                                                            								 *0x42bd44 = 2;
                                                            								_push(0x78);
                                                            							}
                                                            							E00405958();
                                                            							goto L14;
                                                            						}
                                                            						if( *(_t153 + 0x68) == 0x403) {
                                                            							ShowWindow( *0x4349e4, 0);
                                                            							ShowWindow(_t128, 8);
                                                            							E00405503(_t128);
                                                            						}
                                                            						goto L14;
                                                            					}
                                                            					_t97 = CreateThread(0, 0, E00405864, GetDlgItem( *(_t153 + 0x6c), 0x3ec), 0, _t153 + 0x64); // executed
                                                            					CloseHandle(_t97); // executed
                                                            					goto L14;
                                                            				}
                                                            				 *(_t153 + 0x34) =  *(_t153 + 0x34) | 0xffffffff;
                                                            				 *(_t153 + 0x20) = 2;
                                                            				 *((intOrPtr*)(_t153 + 0x24)) = 0;
                                                            				 *((intOrPtr*)(_t153 + 0x2c)) = 0;
                                                            				 *((intOrPtr*)(_t153 + 0x30)) = 0;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				_t100 =  *0x435a10;
                                                            				_t152 =  *(_t100 + 0x5c);
                                                            				 *(_t153 + 0x70) =  *(_t100 + 0x60);
                                                            				 *0x4349e4 = GetDlgItem( *(_t153 + 0x64), 0x403);
                                                            				 *0x4349c8 = GetDlgItem( *(_t153 + 0x64), 0x3ee);
                                                            				_t130 = GetDlgItem( *(_t153 + 0x64), 0x3f8);
                                                            				 *0x4349e8 = _t130;
                                                            				E00405503( *0x4349e4);
                                                            				 *0x4349cc = E00405835(4);
                                                            				 *0x4349d0 = 0;
                                                            				GetClientRect(_t130, _t153 + 0x10);
                                                            				 *(_t153 + 0x28) =  *((intOrPtr*)(_t153 + 0x18)) - GetSystemMetrics(2);
                                                            				SendMessageW(_t130, 0x1061, 0, _t153 + 0x20); // executed
                                                            				SendMessageW(_t130, 0x1036, 0x4000, 0x4000); // executed
                                                            				if(_t152 >= 0) {
                                                            					SendMessageW(_t130, 0x1001, 0, _t152);
                                                            					SendMessageW(_t130, 0x1026, 0, _t152);
                                                            				}
                                                            				_t114 =  *(_t153 + 0x68);
                                                            				if(_t114 >= 0) {
                                                            					SendMessageW(_t130, 0x1024, 0, _t114);
                                                            				}
                                                            				_push( *((intOrPtr*)( *(_t153 + 0x6c) + 0x30)));
                                                            				_push(0x1b);
                                                            				E0040551A( *(_t153 + 0x68));
                                                            				if(( *0x435a0c & 0x00000003) != 0) {
                                                            					ShowWindow( *0x4349e4, 0);
                                                            					if(( *0x435a0c & 0x00000002) != 0) {
                                                            						 *0x4349e4 = 0;
                                                            					} else {
                                                            						ShowWindow(_t130, 8);
                                                            					}
                                                            					E00405503( *0x4349c8);
                                                            				}
                                                            				_t131 = GetDlgItem( *(_t153 + 0x64), 0x3ec);
                                                            				SendMessageW(_t131, 0x401, 0, 0x75300000);
                                                            				if(( *0x435a0c & 0x00000004) != 0) {
                                                            					SendMessageW(_t131, 0x409, 0,  *(_t153 + 0x68));
                                                            					SendMessageW(_t131, 0x2001, 0, _t152);
                                                            				}
                                                            				goto L37;
                                                            			}

                                                            APIs
                                                            • GetDlgItem.USER32(?,00000403), ref: 00404B91
                                                            • GetDlgItem.USER32(?,000003EE), ref: 00404BA1
                                                            • GetClientRect.USER32(00000000,?), ref: 00404BDE
                                                            • GetSystemMetrics.USER32(00000002), ref: 00404BE6
                                                            • SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404C08
                                                            • SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404C17
                                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C25
                                                            • SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C2F
                                                              • Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
                                                            • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C41
                                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C65
                                                            • ShowWindow.USER32(00000000,00000008), ref: 00404C77
                                                            • GetDlgItem.USER32(?,000003EC), ref: 00404C99
                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404CAD
                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CC8
                                                            • SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CD2
                                                            • ShowWindow.USER32(00000000), ref: 00404D47
                                                            • ShowWindow.USER32(?,00000008), ref: 00404D4C
                                                            • GetDlgItem.USER32(?,000003F8), ref: 00404BB1
                                                              • Part of subcall function 00405503: SendMessageW.USER32(00000028,?,00000001,00405338), ref: 00405511
                                                            • GetDlgItem.USER32(?,000003EC), ref: 00404CF2
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005864,00000000), ref: 00404D00
                                                            • CloseHandle.KERNELBASE(00000000), ref: 00404D07
                                                            • ShowWindow.USER32(00000008), ref: 00404D82
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404DC1
                                                            • CreatePopupMenu.USER32 ref: 00404DD5
                                                            • AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404DF1
                                                            • GetWindowRect.USER32(?,?), ref: 00404E0F
                                                            • TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E31
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E60
                                                            • OpenClipboard.USER32(00000000), ref: 00404E70
                                                            • EmptyClipboard.USER32 ref: 00404E76
                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E82
                                                            • GlobalLock.KERNEL32(00000000), ref: 00404E8F
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EAB
                                                            • GlobalUnlock.KERNEL32(?), ref: 00404ECE
                                                            • SetClipboardData.USER32(0000000D,?), ref: 00404ED9
                                                            • CloseClipboard.USER32 ref: 00404EDF
                                                            Strings
                                                            • Waywort87 Setup: Installing, xrefs: 00404E43
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
                                                            • String ID: Waywort87 Setup: Installing
                                                            • API String ID: 2901622961-679012682
                                                            • Opcode ID: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
                                                            • Instruction ID: b8a9fdf254180bfaf0004a99ba51f40fd9d2112bd445e4f5698f4cfe216f0b8a
                                                            • Opcode Fuzzy Hash: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
                                                            • Instruction Fuzzy Hash: 45A1BEB1604304BBE720AF61DD89F9B7FA9FFC4754F00092AF645A62E1C7789840CB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 98%
                                                            			E00406719(void* __eflags, WCHAR* _a4, signed char _a8) {
                                                            				short _v544;
                                                            				short _v546;
                                                            				struct _WIN32_FIND_DATAW _v592;
                                                            				signed int _v596;
                                                            				signed char _v600;
                                                            				signed int _v604;
                                                            				signed int _t27;
                                                            				void* _t40;
                                                            				signed int _t43;
                                                            				signed int _t46;
                                                            				signed int _t54;
                                                            				void* _t56;
                                                            				signed char _t57;
                                                            				signed int _t60;
                                                            				WCHAR* _t61;
                                                            				signed int _t64;
                                                            				void* _t66;
                                                            
                                                            				_t57 = _a8;
                                                            				_t61 = _a4;
                                                            				_t60 = _t57 & 0x00000004;
                                                            				_t27 = E00406638(__eflags, _t61);
                                                            				_v600 = _t27;
                                                            				if((_t57 & 0x00000008) != 0) {
                                                            					_t54 = DeleteFileW(_t61); // executed
                                                            					asm("sbb eax, eax");
                                                            					_t56 =  ~_t54 + 1;
                                                            					 *0x435ac8 =  *0x435ac8 + _t56;
                                                            					return _t56;
                                                            				}
                                                            				_t64 = _t57 & 0x00000001;
                                                            				__eflags = _t64;
                                                            				_v600 = _t64;
                                                            				if(_t64 == 0) {
                                                            					L5:
                                                            					E00406B1A(0x42fdc0, _t61);
                                                            					__eflags = _t64;
                                                            					if(_t64 == 0) {
                                                            						E00406D10(_t61);
                                                            					} else {
                                                            						lstrcatW(0x42fdc0, L"\\*.*");
                                                            					}
                                                            					__eflags =  *_t61;
                                                            					if( *_t61 != 0) {
                                                            						L10:
                                                            						lstrcatW(_t61, 0x4092b0);
                                                            						goto L11;
                                                            					} else {
                                                            						__eflags =  *0x42fdc0 - 0x5c;
                                                            						if( *0x42fdc0 != 0x5c) {
                                                            							L11:
                                                            							_v604 =  &(_t61[lstrlenW(_t61)]);
                                                            							_t27 = FindFirstFileW(0x42fdc0,  &_v592); // executed
                                                            							_t66 = _t27;
                                                            							__eflags = _t66 - 0xffffffff;
                                                            							if(_t66 == 0xffffffff) {
                                                            								L27:
                                                            								__eflags = _v600;
                                                            								if(_v600 == 0) {
                                                            									goto L35;
                                                            								}
                                                            								_t27 = _v604;
                                                            								 *((short*)(_t27 - 2)) = 0;
                                                            								__eflags = _v596;
                                                            								if(_v596 == 0) {
                                                            									goto L33;
                                                            								}
                                                            								goto L29;
                                                            							}
                                                            							_t40 = 0x2e;
                                                            							do {
                                                            								__eflags = _v592.cFileName - _t40;
                                                            								if(_v592.cFileName != _t40) {
                                                            									L17:
                                                            									E00406B1A(_v604,  &(_v592.cFileName));
                                                            									__eflags = _v600 & 0x00000010;
                                                            									if(__eflags == 0) {
                                                            										_t43 = E00406585(__eflags, _t61, _t60);
                                                            										__eflags = _t43;
                                                            										if(_t43 != 0) {
                                                            											E00405D3A(0xfffffff2, _t61);
                                                            										} else {
                                                            											__eflags = _t60;
                                                            											if(_t60 == 0) {
                                                            												 *0x435ac8 =  *0x435ac8 + 1;
                                                            											} else {
                                                            												E00405D3A(0xfffffff1, _t61);
                                                            												E0040623D(_t61, 0);
                                                            											}
                                                            										}
                                                            									} else {
                                                            										__eflags = (_t57 & 0x00000003) - 3;
                                                            										if(__eflags == 0) {
                                                            											E00406719(__eflags, _t61, _t57);
                                                            										}
                                                            									}
                                                            									goto L25;
                                                            								}
                                                            								__eflags = _v546;
                                                            								if(_v546 == 0) {
                                                            									goto L25;
                                                            								}
                                                            								__eflags = _v546 - _t40;
                                                            								if(_v546 != _t40) {
                                                            									goto L17;
                                                            								}
                                                            								__eflags = _v544;
                                                            								if(_v544 == 0) {
                                                            									goto L25;
                                                            								}
                                                            								goto L17;
                                                            								L25:
                                                            								_t46 = FindNextFileW(_t66,  &_v592);
                                                            								__eflags = _t46;
                                                            								_t40 = 0x2e;
                                                            							} while (_t46 != 0);
                                                            							_t27 = FindClose(_t66);
                                                            							goto L27;
                                                            						}
                                                            						goto L10;
                                                            					}
                                                            				} else {
                                                            					__eflags = _t27;
                                                            					if(_t27 == 0) {
                                                            						L33:
                                                            						 *0x435ac8 =  *0x435ac8 + 1;
                                                            						L35:
                                                            						return _t27;
                                                            					}
                                                            					__eflags = _t57 & 0x00000002;
                                                            					if((_t57 & 0x00000002) == 0) {
                                                            						L29:
                                                            						_t27 = E004065CF(_t61);
                                                            						__eflags = _t27;
                                                            						if(_t27 == 0) {
                                                            							goto L35;
                                                            						}
                                                            						E00406556(_t61);
                                                            						_t27 = E00406585(__eflags, _t61, _t60 | 0x00000001);
                                                            						__eflags = _t27;
                                                            						if(_t27 != 0) {
                                                            							_t27 = E00405D3A(0xffffffe5, _t61);
                                                            							goto L35;
                                                            						}
                                                            						__eflags = _t60;
                                                            						if(_t60 == 0) {
                                                            							goto L33;
                                                            						}
                                                            						E00405D3A(0xfffffff1, _t61);
                                                            						_t27 = E0040623D(_t61, 0);
                                                            						goto L35;
                                                            					}
                                                            					goto L5;
                                                            				}
                                                            			}





















                                                            APIs
                                                              • Part of subcall function 00406638: lstrlenW.KERNEL32(004305C0,00000000,004305C0,004305C0,00000000,?,?,0040673B,?,00000000,764E3420,?), ref: 0040668C
                                                              • Part of subcall function 00406638: GetFileAttributesW.KERNEL32(004305C0,004305C0), ref: 0040669D
                                                            • DeleteFileW.KERNELBASE(?,?,00000000,764E3420,?), ref: 00406745
                                                            • lstrcatW.KERNEL32(0042FDC0,\*.*), ref: 00406797
                                                            • lstrcatW.KERNEL32(?,004092B0), ref: 004067B8
                                                            • lstrlenW.KERNEL32(?), ref: 004067BB
                                                            • FindFirstFileW.KERNELBASE(0042FDC0,?), ref: 004067D2
                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406863
                                                            • FindClose.KERNEL32(00000000), ref: 00406875
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
                                                            • String ID: \*.*
                                                            • API String ID: 2636146433-1173974218
                                                            • Opcode ID: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
                                                            • Instruction ID: dccc3e871a12a5ab9d695c44a96518fee9cafe6829caada924bdb8552f231abd
                                                            • Opcode Fuzzy Hash: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
                                                            • Instruction Fuzzy Hash: 084106322067116AD7207B259C49A6B73A8EF41318F16893FF943F21D1E73C8D6586AF
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 882 2b75a36-2b75a7c 883 2b75b12 882->883 884 2b75a82-2b75a84 882->884 884->883 885 2b75b16-2b75c02 call 2b75ace 884->885 888 2b75c04-2b75c05 885->888 889 2b75c09-2b76861 call 2b760af 885->889 890 2b75c06-2b75c07 888->890 894 2b76862-2b7686a 889->894 890->890 895 2b7686c-2b7687e 894->895 896 2b768aa-2b768bf 894->896 895->894 898 2b76880-2b76883 895->898 896->896 897 2b768c1-2b768d8 896->897 900 2b7691c-2b76b62 897->900 901 2b768da 897->901 911 2b76b65-2b76b6c 900->911 901->900 911->911 912 2b76b6e-2b76d86 call 2b76de4 NtResumeThread 911->912 923 2b76d88-2b76d8f 912->923 923->923 924 2b76d91 923->924 925 2b76d97 924->925 925->925
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: &@a$Czl$v_5A
                                                            • API String ID: 0-434344475
                                                            • Opcode ID: e690f338823dbcf938e00c7fbd2de6a2bf23f112c204c2866a5eccecdc6f1a3c
                                                            • Instruction ID: 1c32b28d5a8122cd54ecef9b9cff69be2ceaa5d73ea394afb0242a864690ecbe
                                                            • Opcode Fuzzy Hash: e690f338823dbcf938e00c7fbd2de6a2bf23f112c204c2866a5eccecdc6f1a3c
                                                            • Instruction Fuzzy Hash: 65E1997213CA585FF21C9A389DCB9BB239FFBC6125760806FE083C359BF566A8474161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL ref: 02B73A8A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID: f
                                                            • API String ID: 2167126740-1993550816
                                                            • Opcode ID: 314e7597ffa3c5ca62ddd32dd9474d8b13b2215c1833d1591e0c1cdaed527fe4
                                                            • Instruction ID: cd7d34646d6ccf97a9d97411310664639f2333bbc24949190b98e23e1e159ecf
                                                            • Opcode Fuzzy Hash: 314e7597ffa3c5ca62ddd32dd9474d8b13b2215c1833d1591e0c1cdaed527fe4
                                                            • Instruction Fuzzy Hash: A702777151474A9BDF345E3888A43EB37F2EF053A0F95029EDCE99B285D7308982CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004065CF(WCHAR* _a4) {
                                                            				void* _t2;
                                                            
                                                            				_t2 = FindFirstFileW(_a4, 0x4321c0); // executed
                                                            				if(_t2 == 0xffffffff) {
                                                            					return 0;
                                                            				}
                                                            				FindClose(_t2);
                                                            				return 0x4321c0;
                                                            			}





                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(00000000,004321C0,00000000,0040667C,004305C0), ref: 004065DA
                                                            • FindClose.KERNEL32(00000000), ref: 004065E6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
                                                            • Instruction ID: 9bce445b90ad5ff1b83c175b3b927286731ee1a5929a82a3f0dae3cb9bd988e9
                                                            • Opcode Fuzzy Hash: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
                                                            • Instruction Fuzzy Hash: 64D012756051316BD70057787E0CC8B7F699F05330F158A36B066F11F5D7748C6196AC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: f
                                                            • API String ID: 0-1993550816
                                                            • Opcode ID: 55b35f28242ee996bfcb0b9fc401c58a59401ad0008298b0957d2bba1e0f0ab5
                                                            • Instruction ID: 78af636206c8054f5e5828f052a50b04aafeff303fc3bf9ceb64dcca12fd50b1
                                                            • Opcode Fuzzy Hash: 55b35f28242ee996bfcb0b9fc401c58a59401ad0008298b0957d2bba1e0f0ab5
                                                            • Instruction Fuzzy Hash: C722AC716003469FCF309E388DA87EA77B3EF55360F96426ECCA99B285D7308986C741
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtResumeThread.NTDLL(00000001,02B77646,4DA3AF50,?,?,?,?,02B726BE,02B61684), ref: 02B76C38
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 5ed2bfa630035e9f2511c215cfca769261c1d3a84e18183c51757dc74c0a0d14
                                                            • Instruction ID: ec5a5f6bdca9ff8511a9a398d9d0d140b65b62397c786beb7aad94e5fd6af973
                                                            • Opcode Fuzzy Hash: 5ed2bfa630035e9f2511c215cfca769261c1d3a84e18183c51757dc74c0a0d14
                                                            • Instruction Fuzzy Hash: 4E11A335608E42CFDB285E658A857E9777EFFD9384F1488A9CD379A208EB309945CA10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 47%
                                                            			E00402B75(void* __edi, void* __esi, struct _WIN32_FIND_DATAW _a136, void* _a172) {
                                                            				void* _v4;
                                                            				void* _t5;
                                                            				intOrPtr _t10;
                                                            				void* _t14;
                                                            				void* _t20;
                                                            
                                                            				_t5 = FindFirstFileW(E0040303E(_t14, 2),  &_a136); // executed
                                                            				if(_t5 != 0xffffffff) {
                                                            					E0040661F(__esi, _t5);
                                                            					_push(_t20 + 0xb8);
                                                            					_push(__edi);
                                                            					E00406B1A();
                                                            					_t10 =  *((intOrPtr*)(_t20 + 0x10));
                                                            				} else {
                                                            					 *__esi = __ax;
                                                            					 *__edi = __ax;
                                                            					_t10 = 1;
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + _t10;
                                                            				return 0;
                                                            			}









                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402B85
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID:
                                                            • API String ID: 1974802433-0
                                                            • Opcode ID: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
                                                            • Instruction ID: 4ed41b4626080909459e48417ffb7120e43efe1e52fe46e4786edeb33a661726
                                                            • Opcode Fuzzy Hash: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
                                                            • Instruction Fuzzy Hash: ADD0EC61414150A9D2606F71894DABA73ADAF45314F204A3EF156E50D1EAB85501973B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph of function 00404F92 (legend: Executed / Not Executed); graph not reproduced]
                                                            C-Code - Quality: 79%
                                                            			E00404F92(struct HWND__* _a4, int _a8, signed int _a12, long _a16) {
                                                            				signed int _v32;
                                                            				struct HWND__* _v40;
                                                            				void* _v84;
                                                            				void* _v88;
                                                            				signed int _t51;
                                                            				signed int _t53;
                                                            				intOrPtr _t55;
                                                            				struct HWND__* _t58;
                                                            				signed int _t67;
                                                            				int _t77;
                                                            				struct HWND__* _t113;
                                                            				struct HWND__* _t137;
                                                            				signed int _t139;
                                                            				signed int _t140;
                                                            				signed int _t141;
                                                            				struct HWND__* _t142;
                                                            				signed int _t143;
                                                            				long _t146;
                                                            				int _t149;
                                                            				struct HWND__* _t156;
                                                            				void* _t159;
                                                            
                                                            				_t137 = _a4;
                                                            				_t143 = _a8;
                                                            				if(_t143 == 0x110 || _t143 == 0x408) {
                                                            					_t139 = _a12;
                                                            					 *0x42dd48 = _t139;
                                                            					if(_t143 == 0x110) {
                                                            						 *0x4349f8 = _t137;
                                                            						 *0x42dd54 = GetDlgItem(_t137, 1);
                                                            						_t113 = GetDlgItem(_t137, 2);
                                                            						_push(0xffffffff);
                                                            						_push(0x1c);
                                                            						 *0x42dd58 = _t113;
                                                            						E0040551A(_t137);
                                                            						SetClassLongW(_t137, 0xfffffff2,  *0x4349d8);
                                                            						 *0x4349ec = E00401533(4);
                                                            						_t139 = 1;
                                                            						 *0x42dd48 = 1;
                                                            					}
                                                            					_t51 =  *0x40b014; // 0x0
                                                            					_t146 = (_t51 << 6) +  *0x435a20;
                                                            					if(_t51 < 0) {
                                                            						L38:
                                                            						E004054E8(0x40b);
                                                            						while(1) {
                                                            							_t140 =  *0x40b014; // 0x0
                                                            							_t53 =  *0x42dd48;
                                                            							_t141 = _t140 + _t53;
                                                            							_t146 = _t146 + (_t53 << 6);
                                                            							 *0x40b014 = _t141;
                                                            							_t55 =  *0x435a24;
                                                            							if(_t141 == _t55) {
                                                            								E00401533(1);
                                                            								_t55 =  *0x435a24;
                                                            								_t141 =  *0x40b014; // 0x0
                                                            							}
                                                            							if( *0x4349ec != 0 || _t141 >= _t55) {
                                                            								break;
                                                            							}
                                                            							_push( *((intOrPtr*)(_t146 + 0x24)));
                                                            							_push(0x445000);
                                                            							_a12 =  *((intOrPtr*)(_t146 + 0x14));
                                                            							E00405EBA();
                                                            							_push( *((intOrPtr*)(_t146 + 0x20)));
                                                            							_push(0xfffffc19);
                                                            							E0040551A(_t137);
                                                            							_push( *((intOrPtr*)(_t146 + 0x1c)));
                                                            							_push(0xfffffc1b);
                                                            							E0040551A(_t137);
                                                            							_push( *((intOrPtr*)(_t146 + 0x28)));
                                                            							_push(0xfffffc1a);
                                                            							E0040551A(_t137);
                                                            							_t142 = GetDlgItem(_t137, 3);
                                                            							_t67 = _v32;
                                                            							_v40 = _t142;
                                                            							if( *0x435acc != 0) {
                                                            								_t67 = _t67 & 0xfffffefd | 0x00000004;
                                                            								 *(_t159 + 0x2c) = _t67;
                                                            							}
                                                            							ShowWindow(_t142, _t67 & 0x00000008); // executed
                                                            							EnableWindow( *(_t159 + 0x28),  *(_t159 + 0x2c) & 0x00000100); // executed
                                                            							EnableWindow( *0x42dd54,  *(_t159 + 0x2c) & 0x00000002); // executed
                                                            							_t77 =  *(_t159 + 0x2c) & 0x00000004;
                                                            							 *(_t159 + 0x34) = _t77;
                                                            							EnableWindow( *0x42dd58, _t77);
                                                            							if( *(_t159 + 0x2c) == 0) {
                                                            								_push(1);
                                                            							} else {
                                                            								_push(0);
                                                            							}
                                                            							EnableMenuItem(GetSystemMenu(_t137, 0), 0xf060, ??);
                                                            							SendMessageW( *(_t159 + 0x30), 0xf4, 0, 1);
                                                            							if( *0x435acc == 0) {
                                                            								_push( *0x42dd54);
                                                            							} else {
                                                            								SendMessageW(_t137, 0x401, 2, 0);
                                                            								_push( *0x42dd58);
                                                            							}
                                                            							E00405503();
                                                            							E00406B1A("Waywort87 Setup: Installing", E00405D1B());
                                                            							_push( *((intOrPtr*)(_t146 + 0x18)));
                                                            							_push(0x42bd48 + lstrlenW("Waywort87 Setup: Installing") * 2);
                                                            							E00405EBA();
                                                            							SetWindowTextW(_t137, "Waywort87 Setup: Installing"); // executed
                                                            							_push(0);
                                                            							if(E00401399( *((intOrPtr*)(_t146 + 8))) != 0 ||  *_t146 == 0) {
                                                            								continue;
                                                            							} else {
                                                            								if( *(_t146 + 4) != 5) {
                                                            									DestroyWindow( *0x4349dc); // executed
                                                            									 *0x42dd4c = _t146;
                                                            									if( *_t146 <= 0) {
                                                            										L62:
                                                            										_t58 =  *0x4349dc;
                                                            										goto L63;
                                                            									}
                                                            									_t58 = CreateDialogParamW( *0x4349f4,  *_t146 +  *0x4349d4 & 0x0000ffff, _t137,  *(0x40b018 +  *(_t146 + 4) * 4), _t146); // executed
                                                            									 *0x4349dc = _t58;
                                                            									if(_t58 == 0) {
                                                            										goto L63;
                                                            									}
                                                            									_push( *((intOrPtr*)(_t146 + 0x2c)));
                                                            									_push(6);
                                                            									E0040551A(_t58);
                                                            									GetWindowRect(GetDlgItem(_t137, 0x3fa), _t159 + 0x10);
                                                            									ScreenToClient(_t137, _t159 + 0x10);
                                                            									SetWindowPos( *0x4349dc, 0,  *(_t159 + 0x20),  *(_t159 + 0x20), 0, 0, 0x15);
                                                            									_push(0);
                                                            									E00401399( *((intOrPtr*)(_t146 + 0xc)));
                                                            									if( *0x4349ec != 0) {
                                                            										goto L66;
                                                            									}
                                                            									ShowWindow( *0x4349dc, 8); // executed
                                                            									E004054E8(0x405);
                                                            									goto L62;
                                                            								}
                                                            								if( *0x435acc != 0) {
                                                            									goto L66;
                                                            								}
                                                            								if( *0x435ac0 != 0) {
                                                            									continue;
                                                            								}
                                                            								goto L66;
                                                            							}
                                                            						}
                                                            						DestroyWindow( *0x4349dc);
                                                            						 *0x4349f8 = 0;
                                                            						EndDialog(_t137,  *0x42bd44);
                                                            						goto L62;
                                                            					} else {
                                                            						if(_t139 != 1) {
                                                            							L37:
                                                            							if( *_t146 == 0) {
                                                            								goto L66;
                                                            							}
                                                            							goto L38;
                                                            						}
                                                            						_push(0);
                                                            						if(E00401399( *((intOrPtr*)(_t146 + 0x10))) == 0) {
                                                            							goto L37;
                                                            						}
                                                            						SendMessageW( *0x4349dc, 0x40f, 0, 1);
                                                            						return 0 |  *0x4349ec == 0x00000000;
                                                            					}
                                                            				} else {
                                                            					if(_t143 != 0x47) {
                                                            						if(_t143 != 5) {
                                                            							if(_t143 != 0x40d) {
                                                            								if(_t143 != 0x11) {
                                                            									if(_t143 != 0x111) {
                                                            										goto L29;
                                                            									}
                                                            									_t138 = _a12;
                                                            									_t149 = _a12 & 0x0000ffff;
                                                            									_a8 = _t149;
                                                            									_t156 = GetDlgItem(_a4, _t149);
                                                            									if(_t156 == 0) {
                                                            										L16:
                                                            										if(_t149 != 1) {
                                                            											if(_t149 != 3) {
                                                            												if(_t149 != 2) {
                                                            													L28:
                                                            													SendMessageW( *0x4349dc, 0x111, _a12, _a16);
                                                            													goto L29;
                                                            												}
                                                            												if( *0x435acc == 0) {
                                                            													if(E00401533(3) != 0) {
                                                            														goto L30;
                                                            													}
                                                            													 *0x42bd44 = 1;
                                                            													L26:
                                                            													_push(0x78);
                                                            													L27:
                                                            													E00405958();
                                                            													goto L30;
                                                            												}
                                                            												E00401533(_t149);
                                                            												 *0x42bd44 = _t149;
                                                            												goto L26;
                                                            											}
                                                            											if( *0x40b014 <= 0) {
                                                            												goto L28;
                                                            											}
                                                            											_push(0xffffffff);
                                                            											goto L27;
                                                            										}
                                                            										_push(1);
                                                            										goto L27;
                                                            									}
                                                            									SendMessageW(_t156, 0xf3, 0, 0);
                                                            									if(IsWindowEnabled(_t156) == 0) {
                                                            										L66:
                                                            										return 0;
                                                            									}
                                                            									_t149 = _a8;
                                                            									goto L16;
                                                            								}
                                                            								SetWindowLongW(_t137, 0, 0);
                                                            								return 1;
                                                            							}
                                                            							DestroyWindow( *0x4349dc);
                                                            							_t58 = _a12;
                                                            							 *0x4349dc = _t58;
                                                            							L63:
                                                            							if( *0x42bd40 == 0 && _t58 != 0) {
                                                            								ShowWindow(_t137, 0xa); // executed
                                                            								 *0x42bd40 = 1;
                                                            							}
                                                            							goto L66;
                                                            						}
                                                            						_t138 = _a12;
                                                            						asm("sbb eax, eax");
                                                            						ShowWindow( *0x42dd50,  ~(_t138 - 1) & _t143);
                                                            						if(_t138 == 2 && (GetWindowLongW(_a4, 0xfffffff0) & 0x21010000) == 0x1000000) {
                                                            							ShowWindow(_a4, 4);
                                                            						}
                                                            						goto L30;
                                                            					} else {
                                                            						SetWindowPos( *0x42dd50, _t137, 0, 0, 0, 0, 0x13);
                                                            						L29:
                                                            						_t138 = _a12;
                                                            						L30:
                                                            						return E0040575B(_t143, _t138, _a16);
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FD1
                                                            • ShowWindow.USER32(?), ref: 00404FFB
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0040500C
                                                            • ShowWindow.USER32(?,00000004), ref: 00405028
                                                            • GetDlgItem.USER32(?,00000001), ref: 0040514F
                                                            • GetDlgItem.USER32(?,00000002), ref: 00405159
                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00405173
                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004051C1
                                                            • GetDlgItem.USER32(?,00000003), ref: 00405270
                                                            • ShowWindow.USER32(00000000,?), ref: 00405299
                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004052AD
                                                            • KiUserCallbackDispatcher.NTDLL(?), ref: 004052C1
                                                            • EnableWindow.USER32(?), ref: 004052D9
                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052F0
                                                            • EnableMenuItem.USER32(00000000), ref: 004052F7
                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405308
                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040531F
                                                            • lstrlenW.KERNEL32(Waywort87 Setup: Installing,?,Waywort87 Setup: Installing,00000000), ref: 00405350
                                                              • Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
                                                            • SetWindowTextW.USER32(?,Waywort87 Setup: Installing), ref: 00405368
                                                              • Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                                              • Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                                            • DestroyWindow.USER32(?,00000000), ref: 004053B0
                                                            • CreateDialogParamW.USER32(?,?,-00435A20), ref: 004053E4
                                                              • Part of subcall function 0040551A: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405534
                                                            • GetDlgItem.USER32(?,000003FA), ref: 0040540D
                                                            • GetWindowRect.USER32(00000000), ref: 00405414
                                                            • ScreenToClient.USER32(?,?), ref: 00405420
                                                            • SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405439
                                                            • ShowWindow.USER32(00000008,?,00000000), ref: 00405458
                                                              • Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA
                                                            • ShowWindow.USER32(?,0000000A), ref: 0040549E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
                                                            • String ID: Waywort87 Setup: Installing
                                                            • API String ID: 162979904-679012682
                                                            • Opcode ID: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
                                                            • Instruction ID: ac036152562477463cd4b906f759de02b60d47e3f23a7c23d24dd845f532a47a
                                                            • Opcode Fuzzy Hash: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
                                                            • Instruction Fuzzy Hash: 39D19071A00A11BFDB206F61ED49A6B7BA8FB84355F00053AF506B62F1C7389851DF9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 308 405a3e-405a59 call 4068e6 311 405a5b-405a66 GetUserDefaultUILanguage call 40661f 308->311 312 405a6d-405aa3 call 406977 308->312 315 405a6b 311->315 318 405aa5-405ab6 call 406977 312->318 319 405abb-405ac1 lstrcatW 312->319 317 405ac6-405aef call 40597f call 406638 315->317 325 405af5-405afa 317->325 326 405b87-405b8f call 406638 317->326 318->319 319->317 325->326 327 405b00-405b29 call 406977 325->327 332 405b91-405b98 call 405eba 326->332 333 405b9d-405bcb LoadImageW 326->333 327->326 334 405b2b-405b31 327->334 332->333 336 405c4a-405c52 call 401533 333->336 337 405bcd-405bf8 RegisterClassW 333->337 341 405b33-405b41 call 4065f6 334->341 342 405b44-405b52 lstrlenW 334->342 349 405d04-405d06 336->349 350 405c58-405c63 call 40597f 336->350 338 405c01-405c45 SystemParametersInfoW CreateWindowExW 337->338 339 405bfa-405bfc 337->339 338->336 345 405d07-405d0e 339->345 341->342 343 405b54-405b62 lstrcmpiW 342->343 344 405b7a-405b82 call 406556 call 406b1a 342->344 343->344 348 405b64-405b6e GetFileAttributesW 343->348 344->326 353 405b70-405b72 348->353 354 405b74-405b75 call 406d10 348->354 349->345 360 405c69-405c83 ShowWindow call 40619e 350->360 361 405ceb-405cec call 405864 350->361 353->344 353->354 354->344 368 405c85-405c8a call 40619e 360->368 369 405c8f-405ca0 GetClassInfoW 360->369 364 405cf1-405cf3 361->364 366 405cf5-405cfb 364->366 367 405d0f-405d11 call 401533 364->367 366->349 370 405cfd-405cff call 401533 366->370 377 405d16 367->377 368->369 373 405ca2-405cb6 GetClassInfoW RegisterClassW 369->373 374 405cb8-405cdb DialogBoxParamW call 401533 369->374 370->349 373->374 378 405ce0-405ce9 call 403cf8 374->378 377->377 378->345
                                                            C-Code - Quality: 94%
                                                            			E00405A3E() {
                                                            				intOrPtr _v4;
                                                            				intOrPtr _v8;
                                                            				int _v12;
                                                            				void _v16;
                                                            				intOrPtr* _t21;
                                                            				short _t22;
                                                            				void* _t31;
                                                            				void* _t33;
                                                            				void* _t34;
                                                            				int _t35;
                                                            				int _t40;
                                                            				int _t41;
                                                            				int _t45;
                                                            				int _t59;
                                                            				short _t66;
                                                            				WCHAR* _t69;
                                                            				signed char _t73;
                                                            				signed short _t77;
                                                            				short _t81;
                                                            				void* _t82;
                                                            				void* _t84;
                                                            				signed int _t86;
                                                            				intOrPtr _t87;
                                                            				WCHAR* _t92;
                                                            				WCHAR* _t93;
                                                            				WCHAR* _t94;
                                                            
                                                            				_t87 =  *0x435a10;
                                                            				_t21 = E004068E6(2);
                                                            				_t81 = 0x30;
                                                            				_t97 = _t21;
                                                            				if(_t21 == 0) {
                                                            					_t22 = 0x78;
                                                            					 *0x442002 = _t22;
                                                            					L"1033" = _t81;
                                                            					 *0x442004 = 0;
                                                            					E00406977(_t81, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42bd48, 0);
                                                            					__eflags =  *0x42bd48; // 0x57
                                                            					if(__eflags == 0) {
                                                            						E00406977(_t81, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M00409684, 0x42bd48, 0);
                                                            					}
                                                            					lstrcatW(L"1033", 0x42bd48);
                                                            				} else {
                                                            					_t77 =  *_t21(); // executed
                                                            					E0040661F(L"1033", _t77 & 0x0000ffff);
                                                            				}
                                                            				E0040597F(_t97);
                                                            				_t94 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
                                                            				 *0x435adc = 0x10000;
                                                            				 *0x435ac0 =  *0x435a0c & 0x00000020;
                                                            				if(E00406638(_t97, _t94) != 0) {
                                                            					L16:
                                                            					if(E00406638(_t106, _t94) == 0) {
                                                            						_push( *((intOrPtr*)(_t87 + 0x118)));
                                                            						_push(_t94);
                                                            						E00405EBA();
                                                            					}
                                                            					_t31 = LoadImageW( *0x4349f4, 0x67, 1, 0, 0, 0x8040); // executed
                                                            					_t82 = _t31;
                                                            					 *0x4349d8 = _t82;
                                                            					if( *((intOrPtr*)(_t87 + 0x50)) == 0xffffffff) {
                                                            						L22:
                                                            						__eflags = E00401533(0);
                                                            						if(__eflags != 0) {
                                                            							L32:
                                                            							_t33 = 2;
                                                            							return _t33;
                                                            						}
                                                            						_t34 = E0040597F(__eflags);
                                                            						__eflags =  *0x435ae0;
                                                            						if( *0x435ae0 != 0) {
                                                            							_t35 = E00405864(_t34, 0);
                                                            							__eflags = _t35;
                                                            							if(_t35 == 0) {
                                                            								E00401533(1);
                                                            								goto L20;
                                                            							}
                                                            							__eflags =  *0x4349ec;
                                                            							if( *0x4349ec == 0) {
                                                            								E00401533(2);
                                                            							}
                                                            							goto L32;
                                                            						}
                                                            						ShowWindow( *0x42dd50, 5); // executed
                                                            						_t40 = E0040619E("RichEd20"); // executed
                                                            						__eflags = _t40;
                                                            						if(_t40 == 0) {
                                                            							E0040619E("RichEd32");
                                                            						}
                                                            						_t41 = GetClassInfoW(0, L"RichEdit20W", 0x4349a0);
                                                            						__eflags = _t41;
                                                            						if(_t41 == 0) {
                                                            							GetClassInfoW(0, L"RichEdit", 0x4349a0);
                                                            							 *0x4349c4 = L"RichEdit20W";
                                                            							RegisterClassW(0x4349a0);
                                                            						}
                                                            						_t45 = DialogBoxParamW( *0x4349f4,  *0x4349d4 + 0x00000069 & 0x0000ffff, 0, E00404F92, 0); // executed
                                                            						E00403CF8(E00401533(5), 1);
                                                            						return _t45;
                                                            					} else {
                                                            						_t92 = L"_Nb";
                                                            						 *0x4349a4 = E00401000;
                                                            						 *0x4349b0 =  *0x4349f4;
                                                            						 *0x4349b4 = _t82;
                                                            						 *0x4349c4 = _t92;
                                                            						if(RegisterClassW(0x4349a0) != 0) {
                                                            							SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                            							_t59 = _v8 - _v16;
                                                            							__eflags = _t59;
                                                            							 *0x42dd50 = CreateWindowExW(0x80, _t92, 0, 0x80000000, _v16, _v12, _t59, _v4 - _v12, 0, 0,  *0x4349f4, 0);
                                                            							goto L22;
                                                            						}
                                                            						L20:
                                                            						return 0;
                                                            					}
                                                            				} else {
                                                            					_t86 =  *(_t87 + 0x48);
                                                            					_t99 = _t86;
                                                            					if(_t86 == 0) {
                                                            						goto L16;
                                                            					}
                                                            					_t83 =  *0x435a38;
                                                            					_t93 = 0x4339a0;
                                                            					E00406977( *0x435a38, _t99,  *((intOrPtr*)(_t87 + 0x44)),  *0x435a38 + _t86 * 2, _t83 +  *(_t87 + 0x4c) * 2, 0x4339a0, 0);
                                                            					_t66 =  *0x4339a0; // 0x43
                                                            					if(_t66 == 0) {
                                                            						goto L16;
                                                            					}
                                                            					_t84 = 0x22;
                                                            					if(_t66 == _t84) {
                                                            						_t93 = 0x4339a2;
                                                            						 *((short*)(E004065F6(0x4339a2, _t84))) = 0;
                                                            					}
                                                            					_t69 =  &(_t93[lstrlenW(_t93) + 0xfffffffc]);
                                                            					if(_t69 <= _t93 || lstrcmpiW(_t69, L".exe") != 0) {
                                                            						L15:
                                                            						E00406B1A(_t94, E00406556(_t93));
                                                            						goto L16;
                                                            					} else {
                                                            						_t73 = GetFileAttributesW(_t93);
                                                            						if(_t73 == 0xffffffff) {
                                                            							L14:
                                                            							E00406D10(_t93);
                                                            							goto L15;
                                                            						}
                                                            						_t106 = _t73 & 0x00000010;
                                                            						if((_t73 & 0x00000010) != 0) {
                                                            							goto L15;
                                                            						}
                                                            						goto L14;
                                                            					}
                                                            				}
                                                            			}


                                                            APIs
                                                              • Part of subcall function 004068E6: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
                                                              • Part of subcall function 004068E6: GetProcAddress.KERNEL32(00000000), ref: 00406910
                                                            • GetUserDefaultUILanguage.KERNELBASE(00000002,00000000,764E3420,00000000,764E3170), ref: 00405A5B
                                                              • Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C
                                                            • lstrcatW.KERNEL32(1033,Waywort87 Setup: Installing), ref: 00405AC1
                                                            • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,1033,Waywort87 Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Waywort87 Setup: Installing,00000000,00000002,00000000), ref: 00405B45
                                                            • lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,1033,Waywort87 Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Waywort87 Setup: Installing,00000000), ref: 00405B5A
                                                            • GetFileAttributesW.KERNEL32(Call), ref: 00405B65
                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane), ref: 00405BAE
                                                            • RegisterClassW.USER32(004349A0), ref: 00405BF3
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405C0A
                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C3F
                                                            • ShowWindow.USER32(00000005,00000000), ref: 00405C71
                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004349A0), ref: 00405C9C
                                                            • GetClassInfoW.USER32(00000000,RichEdit,004349A0), ref: 00405CA9
                                                            • RegisterClassW.USER32(004349A0), ref: 00405CB6
                                                            • DialogBoxParamW.USER32(?,00000000,00404F92,00000000), ref: 00405CD1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                            • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Waywort87 Setup: Installing$_Nb
                                                            • API String ID: 606308-2969794100
                                                            • Opcode ID: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
                                                            • Instruction ID: 6fb6b78dff8dcbba7a007941f02a836e4a1cfbcf653c0408c2f56a309db5e394
                                                            • Opcode Fuzzy Hash: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
                                                            • Instruction Fuzzy Hash: 7061E4B1201605BEE610AB75AD45F7B36ACEF80358F50453BF901B61E2DB79AC108F6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Control-flow graph for function 0040154A; legend: Executed, Not Executed]
                                                            C-Code - Quality: 78%
                                                            			E0040154A(void* _a4) {
                                                            				char _v548;
                                                            				struct _WIN32_FIND_DATAW _v596;
                                                            				void* _v620;
                                                            				void* _v624;
                                                            				void* _v638;
                                                            				signed int _v640;
                                                            				signed int _v644;
                                                            				signed int _v648;
                                                            				int _v652;
                                                            				WCHAR* _v656;
                                                            				short _v660;
                                                            				short _v664;
                                                            				RECT* _v668;
                                                            				int _v672;
                                                            				struct _FILETIME _v680;
                                                            				int _v684;
                                                            				int _v688;
                                                            				signed int _v692;
                                                            				void _v696;
                                                            				int _v700;
                                                            				int _v704;
                                                            				int _v708;
                                                            				RECT* _v712;
                                                            				char _v716;
                                                            				signed int _v720;
                                                            				RECT* _v724;
                                                            				signed int _v728;
                                                            				WCHAR* _v732;
                                                            				int _v736;
                                                            				intOrPtr _v740;
                                                            				intOrPtr _v744;
                                                            				void* _v752;
                                                            				int _v756;
                                                            				intOrPtr _v760;
                                                            				int _v764;
                                                            				void* _v768;
                                                            				int _v776;
                                                            				void* _v784;
                                                            				void* _v792;
                                                            				void* _v796;
                                                            				signed int _t453;
                                                            				char _t457;
                                                            				signed int _t459;
                                                            				signed int _t461;
                                                            				int _t466;
                                                            
                                                            				_t459 = 7;
                                                            				_v700 =  *0x4349f8;
                                                            				memcpy( &_v696, _a4, _t459 << 2);
                                                            				_t461 = _v692;
                                                            				_t453 = _v688;
                                                            				_v652 = _t461;
                                                            				_v704 = (_t461 << 0xb) + 0x436000;
                                                            				 *0x40b104 =  &_v692;
                                                            				_t466 = _v696 + 0xfffffffe;
                                                            				_v716 = 0;
                                                            				_v708 = _t466;
                                                            				_v668 = _t453;
                                                            				_v712 = (_t453 << 0xb) + 0x436000;
                                                            				if(_t466 > 0x43) {
                                                            					L391:
                                                            					_t457 = _v716;
                                                            					L392:
                                                            					 *0x435ac8 =  *0x435ac8 + _t457;
                                                            					L393:
                                                            					return 0;
                                                            				}
                                                            				switch( *((intOrPtr*)(_v708 * 4 +  &M00402EBA))) {
                                                            					case 0:
                                                            						return _t461;
                                                            					case 1:
                                                            						_push(0);
                                                            						_push(__ecx);
                                                            						goto L4;
                                                            					case 2:
                                                            						 *0x4349ec =  *0x4349ec + 1;
                                                            						__eflags = __edx;
                                                            						if(__edx != 0) {
                                                            							PostQuitMessage(0);
                                                            						}
                                                            						goto L5;
                                                            					case 3:
                                                            						E004030FD(__ecx) = __eax - 1;
                                                            						_push(0);
                                                            						return __eax;
                                                            					case 4:
                                                            						_push(0);
                                                            						_push(__ecx);
                                                            						goto L10;
                                                            					case 5:
                                                            						__eax = E00403002(0);
                                                            						0 = 1;
                                                            						__eflags = __eax - 1;
                                                            						__ecx =  >  ? __eax : 1;
                                                            						Sleep( >  ? __eax : 1); // executed
                                                            						goto L391;
                                                            					case 6:
                                                            						__eax = SetForegroundWindow(__edx);
                                                            						goto L391;
                                                            					case 7:
                                                            						__edx =  *0x4349e4;
                                                            						__esi = ShowWindow;
                                                            						__eflags = __edx;
                                                            						if(__edx != 0) {
                                                            							__eax = ShowWindow(__edx, __eax);
                                                            							__ecx = _v692;
                                                            						}
                                                            						__eax =  *0x4349e8;
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = ShowWindow(__eax, __ecx);
                                                            						}
                                                            						goto L391;
                                                            					case 8:
                                                            						__eax = E0040303E(__edx, 0xfffffff0);
                                                            						__eax = SetFileAttributesW(__eax, _v692); // executed
                                                            						goto L27;
                                                            					case 9:
                                                            						__edi = E0040303E(__edx, 0xfffffff0);
                                                            						__eax = E00406BC5(__edi);
                                                            						__ebx = _v724;
                                                            						__esi = __eax;
                                                            						__eflags = __esi;
                                                            						if(__esi == 0) {
                                                            							L41:
                                                            							__eflags = _v688;
                                                            							_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            							if(_v688 == 0) {
                                                            								_push(0xfffffff5);
                                                            								goto L10;
                                                            							} else {
                                                            								_push(0xffffffe6);
                                                            								E00405D3A() = E00406B1A(L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane", __edi);
                                                            								__eax = SetCurrentDirectoryW(__edi); // executed
                                                            								__eflags = __eax;
                                                            								if(__eax == 0) {
                                                            									_v716 = 0;
                                                            								}
                                                            								goto L391;
                                                            							}
                                                            						} else {
                                                            							goto L30;
                                                            						}
                                                            						L31:
                                                            						__eflags = _v684;
                                                            						if(_v684 == 0) {
                                                            							goto L34;
                                                            						}
                                                            						__eax = E004064FC();
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = E00405E3E(__edi); // executed
                                                            							L35:
                                                            							__eflags = __eax;
                                                            							if(__eax == 0) {
                                                            								L39:
                                                            								 *__esi = __bp;
                                                            								__esi = __esi + 2;
                                                            								__eflags = __bp;
                                                            								if(__bp != 0) {
                                                            									L30:
                                                            									__esi = E004065F6(__esi, 0x5c);
                                                            									__eax = 0;
                                                            									__ebp =  *__esi & 0x0000ffff;
                                                            									 *__esi = __ax;
                                                            									__eflags = __bp;
                                                            									if(__bp != 0) {
                                                            										goto L34;
                                                            									}
                                                            									goto L31;
                                                            								} else {
                                                            									_v716 = __ebx;
                                                            									goto L41;
                                                            								}
                                                            							}
                                                            							__eflags = __eax - 0xb7;
                                                            							if(__eax != 0xb7) {
                                                            								L38:
                                                            								__ebx =  &(__ebx[0]);
                                                            								__eflags = __ebx;
                                                            								goto L39;
                                                            							}
                                                            							__eax = GetFileAttributesW(__edi); // executed
                                                            							__eflags = __al & 0x00000010;
                                                            							if((__al & 0x00000010) != 0) {
                                                            								goto L39;
                                                            							}
                                                            							goto L38;
                                                            						}
                                                            						L34:
                                                            						__eax = E00405E1E(__edi);
                                                            						goto L35;
                                                            					case 0xa:
                                                            						__eax = E0040303E(__edx, 0);
                                                            						__eax = E004065CF(__eax);
                                                            						goto L176;
                                                            					case 0xb:
                                                            						__eax = _v684;
                                                            						__eflags = _v684;
                                                            						if(__eflags > 0) {
                                                            							__eax =  *(0x435a80 + __ecx * 4);
                                                            							 *(0x435ac0 + __ecx * 4) =  *(0x435a80 + __ecx * 4);
                                                            						} else {
                                                            							if(__eflags == 0) {
                                                            								__eax =  *(0x435ac0 + __ecx * 4);
                                                            								 *(0x435a80 + __ecx * 4) =  *(0x435ac0 + __ecx * 4);
                                                            							}
                                                            							0 = E00403002(1);
                                                            							__eax = _v692;
                                                            							 *(0x435ac0 + _v692 * 4) = __ecx;
                                                            						}
                                                            						goto L391;
                                                            					case 0xc:
                                                            						__ecx = _v684;
                                                            						_push(4);
                                                            						__edx =  *(0x435ac0 + __ecx * 4);
                                                            						__edx = __edx & _v680.dwLowDateTime;
                                                            						 *(0x435ac0 + __ecx * 4) = __edx & _v680.dwLowDateTime;
                                                            						__eax = 0;
                                                            						__eflags = __edx;
                                                            						_pop(__ecx);
                                                            						 ==  ? 0 : 0 =  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
                                                            						return  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
                                                            					case 0xd:
                                                            						_push( *((intOrPtr*)(0x435ac0 + __eax * 4)));
                                                            						goto L20;
                                                            					case 0xe:
                                                            						__esi = E0040303E(__edx, 0xffffffd0);
                                                            						__edi = E0040303E(__edx, 0xffffffdf);
                                                            						__eax = E0040303E(__edx, 0x13);
                                                            						__eax = MoveFileW(__esi, __edi); // executed
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							__eflags = _v684;
                                                            							if(_v684 == 0) {
                                                            								goto L28;
                                                            							}
                                                            							__eax = E004065CF(__esi);
                                                            							__eflags = __eax;
                                                            							if(__eax == 0) {
                                                            								goto L28;
                                                            							} else {
                                                            								__eax = E0040623D(__esi, __edi);
                                                            								_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            								_push(0xffffffe4);
                                                            								goto L10;
                                                            							}
                                                            						} else {
                                                            							_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            							_push(0xffffffe3);
                                                            							L10:
                                                            							__eax = E00405D3A();
                                                            							goto L391;
                                                            						}
                                                            					case 0xf:
                                                            						__edi = E0040303E(__edx, 0);
                                                            						__eax =  &_v716;
                                                            						__eax = GetFullPathNameW(__edi, 0x400, __esi,  &_v716);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = _v712;
                                                            							__eflags = __eax - __edi;
                                                            							if(__eax <= __edi) {
                                                            								L57:
                                                            								__ebx = _v716;
                                                            								L58:
                                                            								__eflags = _v684 - __ebp;
                                                            								if(_v684 == __ebp) {
                                                            									__eax = GetShortPathNameW(__esi, __esi, 0x400);
                                                            								}
                                                            								goto L392;
                                                            							}
                                                            							__eflags =  *__eax - __bp;
                                                            							if( *__eax == __bp) {
                                                            								goto L57;
                                                            							}
                                                            							__eax = E004065CF(__edi);
                                                            							__eflags = __eax;
                                                            							if(__eax == 0) {
                                                            								goto L52;
                                                            							} else {
                                                            								__eflags = __eax;
                                                            								__eax = E00406B1A(_v712, __eax);
                                                            								goto L57;
                                                            							}
                                                            						}
                                                            						L52:
                                                            						0 = 1;
                                                            						__eax = 0;
                                                            						 *__esi = __ax;
                                                            						goto L58;
                                                            					case 0x10:
                                                            						__eax = E0040303E(__edx, 0xffffffff);
                                                            						__ecx =  &_v656;
                                                            						__eax = SearchPathW(0, __eax, 0, 0x400, __edi,  &_v656); // executed
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							goto L391;
                                                            						}
                                                            						goto L61;
                                                            					case 0x11:
                                                            						__eax = E0040303E(__edx, 0xffffffef);
                                                            						__eax = E00406A56(__ecx, __edi, __eax); // executed
                                                            						goto L27;
                                                            					case 0x12:
                                                            						__eax = E0040303E(__edx, 0x31);
                                                            						__ebx = _v696;
                                                            						__esi = __eax;
                                                            						__ebx = _v696 & 0x00000007;
                                                            						_v708 = __esi;
                                                            						_v716 = __ebx;
                                                            						__eax = E00406E03(__esi);
                                                            						__edi = L"Call";
                                                            						_push(__esi);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							__eax = E00406B1A(__edi, L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane");
                                                            							__eax = lstrcatW(__eax, ??);
                                                            						} else {
                                                            							_push(__edi);
                                                            							__eax = E00406B1A();
                                                            						}
                                                            						__eax = E00406D3D(__edi);
                                                            						__esi = 0;
                                                            						__esi = 1;
                                                            						__eflags = 1;
                                                            						do {
                                                            							__eflags = __ebx - 3;
                                                            							if(__ebx < 3) {
                                                            								L71:
                                                            								__eflags = __ebx;
                                                            								if(__ebx == 0) {
                                                            									__eax = E00406B9D(__edi);
                                                            								}
                                                            								__eax = 0;
                                                            								__eflags = __ebx - __esi;
                                                            								0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
                                                            								__eax = E0040691B(__edi, 0x40000000, (__eflags != 0) + 1);
                                                            								_v720 = __eax;
                                                            								__eflags = __eax - 0xffffffff;
                                                            								if(__eax != 0xffffffff) {
                                                            									__esi = _v704;
                                                            									__eax = E00405D3A(0xffffffea, __esi);
                                                            									__ebx = _v716;
                                                            									 *0x435af4 =  *0x435af4 + 1;
                                                            									__eax = E00403148(_v692, __ebx, __ebp, __ebp);
                                                            									 *0x435af4 =  *0x435af4 - 1;
                                                            									__eflags = _v704 - 0xffffffff;
                                                            									_v732 = __eax;
                                                            									if(_v704 != 0xffffffff) {
                                                            										L83:
                                                            										 &_v680 = SetFileTime(0,  &_v680, __ebp,  &_v680); // executed
                                                            										L84:
                                                            										__eax = CloseHandle(__ebx); // executed
                                                            										__eax = _v708;
                                                            										__eflags = __eax;
                                                            										if(__eax >= 0) {
                                                            											goto L391;
                                                            										}
                                                            										__eflags = __eax - 0xfffffffe;
                                                            										if(__eax != 0xfffffffe) {
                                                            											_push(0xffffffee);
                                                            											_push(__edi);
                                                            											__eax = E00405EBA();
                                                            										} else {
                                                            											_push(0xffffffe9);
                                                            											_push(__edi);
                                                            											E00405EBA() = lstrcatW(__edi, __esi);
                                                            										}
                                                            										_push(0x200010);
                                                            										_push(__edi);
                                                            										goto L89;
                                                            									}
                                                            									__eflags = _v680.dwHighDateTime - 0xffffffff;
                                                            									if(_v680.dwHighDateTime == 0xffffffff) {
                                                            										goto L84;
                                                            									}
                                                            									goto L83;
                                                            								} else {
                                                            									__eflags = __ebx;
                                                            									if(__ebx != 0) {
                                                            										__esi = _v704;
                                                            										__eax = E00405D3A(0xffffffe2, _v704);
                                                            										__ebx = 0;
                                                            										__eflags = _v720 - 2;
                                                            										goto L80;
                                                            									}
                                                            									goto L75;
                                                            								}
                                                            							}
                                                            							__eax = E004065CF(__edi);
                                                            							__ecx = __ebp;
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								__ecx =  &_v680;
                                                            								__eax = __eax + 0x14;
                                                            								__eflags = __eax;
                                                            								0 = __eax;
                                                            							}
                                                            							__ebx =  &(__ebx[0xffffffffffffffff]);
                                                            							__ebx = __ebx | 0x80000000;
                                                            							__ebx = __ebx & __ecx;
                                                            							__ebx =  ~__ebx;
                                                            							asm("sbb ebx, ebx");
                                                            							__ebx =  &(__ebx[0]);
                                                            							__eflags = __ebx;
                                                            							_v712 = __ebx;
                                                            							goto L71;
                                                            							L75:
                                                            							E00406B1A("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp", 0x436000) = E00406B1A(0x436000, __edi);
                                                            							_push(_v688);
                                                            							_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            							E00405EBA() = E00406B1A(0x436000, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp");
                                                            							_v724 = _v724 >> 3;
                                                            							__eax = E00406AA8("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll", _v724 >> 3);
                                                            							__eax = __eax - 4;
                                                            							__eflags = __eax;
                                                            						} while (__eax == 0);
                                                            						__eax = __eax - 1;
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							 *0x435ac8 =  *0x435ac8 + 1;
                                                            							goto L393;
                                                            						}
                                                            						_push(__edi);
                                                            						_push(0xfffffffa);
                                                            						L4:
                                                            						__eax = E00405D3A();
                                                            						goto L5;
                                                            					case 0x13:
                                                            						_push(0);
                                                            						goto L91;
                                                            					case 0x14:
                                                            						__eax = E0040303E(__edx, 0x31);
                                                            						__eax = E00406AA8(__eax, _v696);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							goto L28;
                                                            						}
                                                            						__eflags = __eax - _v684;
                                                            						if(__eax == _v684) {
                                                            							goto L122;
                                                            						}
                                                            						__eflags = __eax - _v680.dwHighDateTime;
                                                            						if(__eax != _v680.dwHighDateTime) {
                                                            							goto L391;
                                                            						}
                                                            						__eax = _v672;
                                                            						return _v672;
                                                            					case 0x15:
                                                            						_push(0xfffffff0);
                                                            						L91:
                                                            						E0040303E(__edx) = E00406719(__eflags, __eax, _v692);
                                                            						goto L391;
                                                            					case 0x16:
                                                            						__eax = E0040303E(__edx, 1);
                                                            						__eax = lstrlenW(__eax);
                                                            						goto L98;
                                                            					case 0x17:
                                                            						0 = E00403002(2);
                                                            						__esi = __edx;
                                                            						__ebp = E00403002(3);
                                                            						__eax = E0040303E(__edx, 1);
                                                            						_v712 = __eax;
                                                            						__eax = lstrlenW(__eax);
                                                            						__ecx = 0;
                                                            						__eflags = __esi;
                                                            						 *__edi = __cx;
                                                            						__ebx =  ==  ? __eax : __ebx;
                                                            						__eflags = __ebx;
                                                            						if(__ebx == 0) {
                                                            							goto L391;
                                                            						}
                                                            						__eflags = __ebp;
                                                            						if(__ebp >= 0) {
                                                            							L102:
                                                            							__eflags = __ebp - __eax;
                                                            							__ebp =  >  ? __eax : __ebp;
                                                            							_v708 = _v708 + __ebp * 2;
                                                            							__eax = E00406B1A(__edi, _v708 + __ebp * 2);
                                                            							__eflags = __ebx;
                                                            							if(__ebx < 0) {
                                                            								0 = 0 + lstrlenW(__edi);
                                                            								__eflags = __ebx;
                                                            							}
                                                            							__eax = 0;
                                                            							__eflags = __ebx;
                                                            							__eax =  >=  ? __ebx : 0;
                                                            							__ebx = _v716;
                                                            							__eflags = __eax - 0x400;
                                                            							if(__eax < 0x400) {
                                                            								__ecx = 0;
                                                            								 *(__edi + __eax * 2) = __cx;
                                                            							}
                                                            							goto L392;
                                                            						}
                                                            						__ebp = __ebp + __eax;
                                                            						__eflags = __ebp;
                                                            						if(__ebp < 0) {
                                                            							goto L391;
                                                            						}
                                                            						goto L102;
                                                            					case 0x18:
                                                            						__esi = E0040303E(__edx, 0x20);
                                                            						_push(E0040303E(__edx, 0x31));
                                                            						_push(__esi);
                                                            						__eflags = _v684;
                                                            						if(_v684 != 0) {
                                                            							__eax = lstrcmpW();
                                                            						} else {
                                                            							__eax = lstrcmpiW();
                                                            						}
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							goto L122;
                                                            						} else {
                                                            							goto L110;
                                                            						}
                                                            					case 0x19:
                                                            						__esi = 0;
                                                            						__esi = 1;
                                                            						0 = E0040303E(__edx, 1);
                                                            						__eax = ExpandEnvironmentStringsW(__ebx, __edi, 0x400);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							L114:
                                                            							__eax = 0;
                                                            							__ebx = __esi;
                                                            							 *__edi = __ax;
                                                            							L116:
                                                            							__eax = 0;
                                                            							 *(__edi + 0x7fe) = __ax;
                                                            							goto L392;
                                                            						}
                                                            						__eflags = _v684;
                                                            						if(_v684 == 0) {
                                                            							L115:
                                                            							__ebx = _v716;
                                                            							goto L116;
                                                            						}
                                                            						__eax = lstrcmpW(__ebx, __edi);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							goto L115;
                                                            						}
                                                            						goto L114;
                                                            					case 0x1a:
                                                            						__esi = _v672;
                                                            						__edi = E00403002(0);
                                                            						__eax = E00403002(1);
                                                            						__eflags = _v672;
                                                            						if(_v672 != 0) {
                                                            							__eflags = __edi - __eax;
                                                            							if(__eflags >= 0) {
                                                            								if(__eflags <= 0) {
                                                            									goto L110;
                                                            								}
                                                            								L124:
                                                            								__eax = _v680.dwHighDateTime;
                                                            								return _v680.dwHighDateTime;
                                                            							}
                                                            							L122:
                                                            							__eax = _v680.dwLowDateTime;
                                                            							return _v680.dwLowDateTime;
                                                            						}
                                                            						__eflags = __edi - __eax;
                                                            						if(__eflags < 0) {
                                                            							goto L122;
                                                            						}
                                                            						if(__eflags <= 0) {
                                                            							goto L110;
                                                            						}
                                                            						goto L124;
                                                            					case 0x1b:
                                                            						__ebx = 0;
                                                            						__ebx = 1;
                                                            						__esi = E00403002(1);
                                                            						0 = E00403002(2);
                                                            						__eax = _v680.dwLowDateTime;
                                                            						__eflags = __eax - 0xd;
                                                            						if(__eax > 0xd) {
                                                            							L149:
                                                            							__ebx = _v716;
                                                            							L150:
                                                            							__eax = E0040661F(__edi, __esi);
                                                            							goto L392;
                                                            						}
                                                            						switch( *((intOrPtr*)(__eax * 4 +  &M00402FCA))) {
                                                            							case 0:
                                                            								__esi = __esi + __ecx;
                                                            								goto L149;
                                                            							case 1:
                                                            								__esi = __esi - __ecx;
                                                            								goto L149;
                                                            							case 2:
                                                            								__esi = __esi * __ecx;
                                                            								goto L149;
                                                            							case 3:
                                                            								__eflags = __ecx;
                                                            								if(__ecx == 0) {
                                                            									goto L132;
                                                            								}
                                                            								__eax = __esi;
                                                            								asm("cdq");
                                                            								_t103 = __eax % __ecx;
                                                            								__eax = __eax / __ecx;
                                                            								__edx = _t103;
                                                            								__esi = __eax;
                                                            								goto L133;
                                                            							case 4:
                                                            								__esi = __esi | __ecx;
                                                            								goto L149;
                                                            							case 5:
                                                            								__esi = __esi & __ecx;
                                                            								goto L149;
                                                            							case 6:
                                                            								__esi = __esi ^ __ecx;
                                                            								goto L149;
                                                            							case 7:
                                                            								__eax = 0;
                                                            								__eflags = __esi;
                                                            								__eax = 0 | __eflags == 0x00000000;
                                                            								__esi = __eflags == 0;
                                                            								goto L149;
                                                            							case 8:
                                                            								__eflags = __esi;
                                                            								if(__esi == 0) {
                                                            									goto L142;
                                                            								}
                                                            								goto L139;
                                                            							case 9:
                                                            								__eflags = __esi;
                                                            								if(__esi == 0) {
                                                            									L140:
                                                            									__esi = __ebp;
                                                            									goto L149;
                                                            								}
                                                            								L142:
                                                            								__eflags = __ecx;
                                                            								if(__ecx == 0) {
                                                            									goto L140;
                                                            								}
                                                            								L139:
                                                            								__esi = __ebx;
                                                            								goto L149;
                                                            							case 0xa:
                                                            								__eflags = __ecx;
                                                            								if(__ecx == 0) {
                                                            									L132:
                                                            									__esi = __ebp;
                                                            									L133:
                                                            									__ebx = 0;
                                                            									__eflags = __ecx;
                                                            									__ebx = 0 | __ecx == 0x00000000;
                                                            									goto L150;
                                                            								}
                                                            								__eax = __esi;
                                                            								asm("cdq");
                                                            								_t111 = __eax % __ecx;
                                                            								__eax = __eax / __ecx;
                                                            								__edx = _t111;
                                                            								__esi = _t111;
                                                            								goto L133;
                                                            							case 0xb:
                                                            								__esi = __esi << __cl;
                                                            								goto L149;
                                                            							case 0xc:
                                                            								__esi = __esi >> __cl;
                                                            								goto L149;
                                                            							case 0xd:
                                                            								__eflags = __esi;
                                                            								goto L149;
                                                            						}
                                                            					case 0x1c:
                                                            						__esi = E0040303E(__edx, 1);
                                                            						E00403002(2) = wsprintfW(__edi, __esi, __eax);
                                                            						__esp = __esp + 0x10;
                                                            						goto L391;
                                                            					case 0x1d:
                                                            						__ecx = _v684;
                                                            						__esi =  *0x40b100; // 0x0
                                                            						__eflags = __ecx;
                                                            						if(__ecx == 0) {
                                                            							__eflags = __eax;
                                                            							if(__eax == 0) {
                                                            								__eax = GlobalAlloc(0x40, 0x804);
                                                            								_push(_v692);
                                                            								__esi = __eax;
                                                            								_t118 = __esi + 4; // 0x4
                                                            								__eax = _t118;
                                                            								_push(_t118);
                                                            								__eax = E00405EBA();
                                                            								__eax =  *0x40b100; // 0x0
                                                            								 *__esi = __eax;
                                                            								 *0x40b100 = __esi;
                                                            								goto L391;
                                                            							}
                                                            							__eflags = __esi;
                                                            							if(__esi == 0) {
                                                            								goto L28;
                                                            							}
                                                            							_t116 = __esi + 4; // 0x4
                                                            							_t116 = E00406B1A(__edi, _t116);
                                                            							__eax =  *__esi;
                                                            							 *0x40b100 =  *__esi;
                                                            							__eax = GlobalFree(__esi);
                                                            							goto L391;
                                                            						} else {
                                                            							goto L153;
                                                            						}
                                                            						while(1) {
                                                            							L153:
                                                            							__ecx = __ecx - 1;
                                                            							__eflags = __esi;
                                                            							if(__esi == 0) {
                                                            								goto L158;
                                                            							}
                                                            							__esi =  *__esi;
                                                            							__eflags = __ecx;
                                                            							if(__ecx != 0) {
                                                            								continue;
                                                            							}
                                                            							__eflags = __esi;
                                                            							if(__esi == 0) {
                                                            								goto L158;
                                                            							}
                                                            							__esi = __esi + 4;
                                                            							__edi = L"Call";
                                                            							__eax = E00406B1A(__edi, __esi);
                                                            							__eax =  *0x40b100; // 0x0
                                                            							__eax = E00406B1A(__esi, __eax);
                                                            							__eax =  *0x40b100; // 0x0
                                                            							_push(__edi);
                                                            							__eax = __eax + 4;
                                                            							__eflags = __eax;
                                                            							_push(__eax);
                                                            							goto L157;
                                                            						}
                                                            						goto L158;
                                                            					case 0x1e:
                                                            						__esi = E00403002(3);
                                                            						_v712 = __esi;
                                                            						0 = E00403002(4);
                                                            						__eax = _v672;
                                                            						__eflags = __al & 0x00000001;
                                                            						if((__al & 0x00000001) != 0) {
                                                            							__esi = E0040303E(__edx, 0x33);
                                                            							__eax = _v680.dwHighDateTime;
                                                            							_v716 = __esi;
                                                            						}
                                                            						__eflags = __al & 0x00000002;
                                                            						if((__al & 0x00000002) != 0) {
                                                            							0 = E0040303E(__edx, 0x44);
                                                            						}
                                                            						__eflags = _v696 - 0x21;
                                                            						_push(1);
                                                            						if(_v696 != 0x21) {
                                                            							__esi = E0040303E(__edx);
                                                            							__eax = E0040303E(__edx);
                                                            							__ecx = 0;
                                                            							__eflags =  *__eax - __bp;
                                                            							 !=  ? __eax : 0 = 0;
                                                            							__eflags =  *__esi - __bp;
                                                            							__ecx =  !=  ? __esi : 0;
                                                            							__eax = FindWindowExW(_v720, __ebx,  !=  ? __esi : 0,  !=  ? __eax : 0);
                                                            							goto L172;
                                                            						} else {
                                                            							_v712 = E00403002();
                                                            							__eax = E00403002(2);
                                                            							__ecx = _v672;
                                                            							__ecx = _v672 >> 2;
                                                            							__eflags = __ecx;
                                                            							if(__ecx == 0) {
                                                            								__eax = SendMessageW(_v712, __eax, __esi, __ebx);
                                                            								L172:
                                                            								_v704 = __eax;
                                                            								L173:
                                                            								__eflags = _v692 - __ebp;
                                                            								if(_v692 < __ebp) {
                                                            									goto L391;
                                                            								}
                                                            								goto L98;
                                                            							}
                                                            							__edx =  &_v704;
                                                            							__eax =  ~__eax;
                                                            							asm("sbb ebx, ebx");
                                                            							__eax = _v704;
                                                            							_v716 = 0;
                                                            							goto L173;
                                                            						}
                                                            					case 0x1f:
                                                            						__eax = E00403002(0);
                                                            						__eax = IsWindow(__eax);
                                                            						L176:
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							L110:
                                                            							__eax = _v684;
                                                            							return _v684;
                                                            						}
                                                            						__eax = _v688;
                                                            						return _v688;
                                                            					case 0x20:
                                                            						__esi = E00403002(2);
                                                            						__eax = E00403002(1);
                                                            						__eax = GetDlgItem(__eax, __esi);
                                                            						goto L98;
                                                            					case 0x21:
                                                            						__esi =  *0x435a48;
                                                            						__esi =  *0x435a48 + __eax;
                                                            						E00403002(0) = SetWindowLongW(__eax, 0xffffffeb, __esi);
                                                            						goto L391;
                                                            					case 0x22:
                                                            						__eflags = _v680.dwLowDateTime & 0x00000100;
                                                            						if((_v680.dwLowDateTime & 0x00000100) == 0) {
                                                            							__eax = GetDlgItem(__edx, _v684);
                                                            						} else {
                                                            							__eax = E00403002(2);
                                                            						}
                                                            						__ebp = __eax;
                                                            						__eax = _v680.dwLowDateTime;
                                                            						__ecx = __eax;
                                                            						__ebx = __eax;
                                                            						__ecx = __eax & 0x00000004;
                                                            						__ebx = __eax >> 0x1e;
                                                            						_v704 = __eax & 0x00000004;
                                                            						__esi = __eax;
                                                            						__ecx = __eax;
                                                            						__esi = __eax & 0x00000003;
                                                            						__ecx = __eax >> 0x1f;
                                                            						__ebx = __eax >> 0x0000001e & 0x00000001;
                                                            						_v708 = __eax >> 0x1f;
                                                            						__eflags = __eax & 0x00010000;
                                                            						if((__eax & 0x00010000) == 0) {
                                                            							__eax = _v688 & 0x0000ffff;
                                                            						} else {
                                                            							__eax = E0040303E(__edx, 0x11);
                                                            						}
                                                            						_v712 = __eax;
                                                            						 &_v652 = GetClientRect(__ebp,  &_v652);
                                                            						_v680.dwLowDateTime = _v680.dwLowDateTime & 0x0000fef0;
                                                            						_v640 = _v640 * 0;
                                                            						_v644 = _v644 * _v708;
                                                            						__eax = 0;
                                                            						__eflags = _v704;
                                                            						__eax =  !=  ?  *0x4349f4 : 0;
                                                            						0 = LoadImageW( !=  ?  *0x4349f4 : 0, _v712, __esi, _v644 * _v708, _v640 * 0, _v680.dwLowDateTime & 0x0000fef0);
                                                            						__eax = SendMessageW(__ebp, 0x172, __esi, __ebx);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eflags = __esi;
                                                            							if(__esi == 0) {
                                                            								__eax = DeleteObject(__eax);
                                                            							}
                                                            						}
                                                            						__eflags = _v692;
                                                            						if(_v692 < 0) {
                                                            							goto L391;
                                                            						} else {
                                                            							_push(__ebx);
                                                            							goto L20;
                                                            						}
                                                            					case 0x23:
                                                            						__edi = GetDC(__edx);
                                                            						__esi = E00403002(2);
                                                            						__eax = GetDeviceCaps(__edi, 0x5a);
                                                            						__eax = MulDiv(__esi, __eax, 0x48);
                                                            						0x40d908->lfHeight = __eax;
                                                            						_v708 = ReleaseDC(_v708, __edi);
                                                            						__eax = E00403002(3);
                                                            						__ecx = _v684;
                                                            						_push(_v696);
                                                            						 *0x40d918 = __eax;
                                                            						__cl = __cl & 0x00000001;
                                                            						 *0x40d91f = 1;
                                                            						 *0x40d91c = __cl & 0x00000001;
                                                            						__al = __cl;
                                                            						__al = __cl & 0x00000002;
                                                            						__cl = __cl & 0x00000004;
                                                            						_push("Tahoma");
                                                            						 *0x40d91d = __al;
                                                            						 *0x40d91e = __cl;
                                                            						__eax = E00405EBA();
                                                            						__eax = CreateFontIndirectW(0x40d908);
                                                            						__ebp = _v724;
                                                            						_push(__eax);
                                                            						_push(_v724);
                                                            						goto L21;
                                                            					case 0x24:
                                                            						__esi = E00403002(0);
                                                            						_push(E00403002(1));
                                                            						_push(__esi);
                                                            						__eflags = _v680.dwLowDateTime;
                                                            						if(_v680.dwLowDateTime != 0) {
                                                            							__eax = EnableWindow();
                                                            						} else {
                                                            							__eax = ShowWindow(); // executed
                                                            						}
                                                            						goto L391;
                                                            					case 0x25:
                                                            						0 = E0040303E(__edx, 0);
                                                            						__esi = E0040303E(__edx, 0x31);
                                                            						__edi = E0040303E(__edx, 0x22);
                                                            						E0040303E(__edx, 0x15) = E00405D3A(0xffffffec, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            						__ecx = _v700;
                                                            						__eax = _v724;
                                                            						_v668 = _v724;
                                                            						__eax = 0;
                                                            						_v672 = _v700;
                                                            						__ecx = _v704;
                                                            						_v648 = __ecx;
                                                            						__eflags =  *__ebx - __bp;
                                                            						_v660 = __esi;
                                                            						__eax =  !=  ? __ebx : 0;
                                                            						_v664 =  !=  ? __ebx : 0;
                                                            						__eax = 0;
                                                            						__eflags =  *__edi - __bp;
                                                            						_v652 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
                                                            						__eax =  !=  ? __edi : 0;
                                                            						_v656 =  !=  ? __edi : 0;
                                                            						__eax =  &(_v680.dwHighDateTime);
                                                            						__eax = E004069F3( &(_v680.dwHighDateTime));
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							goto L28;
                                                            						}
                                                            						__eflags = _v648 & 0x00000040;
                                                            						if((_v648 & 0x00000040) == 0) {
                                                            							goto L391;
                                                            						}
                                                            						__eax = E00406514(__ecx, _v596.dwFileAttributes);
                                                            						__eax = CloseHandle( *(__esp + 0x88));
                                                            						goto L198;
                                                            					case 0x26:
                                                            						__esi = E0040303E(__edx, 0);
                                                            						__eax = E00405D3A(0xffffffeb, __eax);
                                                            						__eax = E004066D6(__esi); // executed
                                                            						__ebx = _v732;
                                                            						__esi = __eax;
                                                            						__eflags = __esi;
                                                            						if(__esi == 0) {
                                                            							goto L28;
                                                            						}
                                                            						__eflags = _v684;
                                                            						if(_v684 != 0) {
                                                            							__eax = E00406514(__ecx, __esi);
                                                            							__eflags = _v692;
                                                            							if(_v692 < 0) {
                                                            								0 = 1;
                                                            								__eflags = __eax;
                                                            								_v716 = 0;
                                                            							} else {
                                                            								__eax = E0040661F(_v712, __eax);
                                                            							}
                                                            						}
                                                            						__eax = CloseHandle(__esi);
                                                            						goto L198;
                                                            					case 0x27:
                                                            						__eax = E0040303E(__edx, 2);
                                                            						0 = __eax;
                                                            						__eflags = __ebx;
                                                            						if(__ebx == 0) {
                                                            							__eax = 0;
                                                            							 *__edi = __ax;
                                                            							 *__esi = __ax;
                                                            							goto L28;
                                                            						}
                                                            						__eax = E0040661F(__esi, __ebx[0xa]);
                                                            						_push(__ebx[0xc]);
                                                            						goto L20;
                                                            					case 0x28:
                                                            						__eax = E0040303E(__edx, 0xffffffee);
                                                            						__ecx =  &_v656;
                                                            						_v660 = __eax;
                                                            						_push( &_v656);
                                                            						_push(__eax);
                                                            						__eax = E004068E6(0xa);
                                                            						__eax =  *__eax();
                                                            						__ecx = 0;
                                                            						_v724 = __eax;
                                                            						__ebx = 0;
                                                            						 *__edi = __cx;
                                                            						__ebx = 1;
                                                            						 *__esi = __cx;
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = GlobalAlloc(0x40, __eax);
                                                            							_v712 = __eax;
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								__esi = E004068E6(0xb);
                                                            								__eax = E004068E6(0xc);
                                                            								_push(_v720);
                                                            								_v716 = __eax;
                                                            								_push(_v724);
                                                            								_push(0);
                                                            								_push(_v672);
                                                            								__eax =  *__esi();
                                                            								__eflags = __eax;
                                                            								if(__eax != 0) {
                                                            									__eax =  &_v688;
                                                            									_push( &_v688);
                                                            									__eax =  &_v692;
                                                            									_push( &_v692);
                                                            									_push(0x4092b0);
                                                            									_push(_v728);
                                                            									__eax = _v724();
                                                            									__eflags = __eax;
                                                            									if(__eax != 0) {
                                                            										__ecx = _v708;
                                                            										_v720 = E0040661F(__edi,  *((intOrPtr*)(_v708 + 8 + _v720 * 4)));
                                                            										__ecx = _v728;
                                                            										_v716 = E0040661F(_v760,  *((intOrPtr*)(_v716 + 0xc + _v728 * 4)));
                                                            										__ebx = 0;
                                                            									}
                                                            								}
                                                            								__eax = GlobalFree(_v728);
                                                            							}
                                                            						}
                                                            						goto L392;
                                                            					case 0x29:
                                                            						__esi = 0;
                                                            						__esi = 1;
                                                            						__ebx = 1;
                                                            						__eflags =  *0x435a60;
                                                            						if( *0x435a60 < 0) {
                                                            							_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            							_push(0xffffffe7);
                                                            							goto L230;
                                                            						}
                                                            						__edi = E0040303E(__edx, 0xfffffff0);
                                                            						_v712 = __edi;
                                                            						_v720 = E0040303E(__edx, 1);
                                                            						__eflags = _v684;
                                                            						if(_v684 == 0) {
                                                            							L218:
                                                            							__eax = LoadLibraryExW(__edi, __ebp, 8); // executed
                                                            							__edi = __eax;
                                                            							__eflags = __edi;
                                                            							if(__eflags == 0) {
                                                            								_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            								_push(0xfffffff6);
                                                            								goto L230;
                                                            							}
                                                            							L219:
                                                            							0 = E00406269(__eflags, __edi, _v712);
                                                            							_v716 = __ecx;
                                                            							__eflags = __ecx;
                                                            							if(__ecx == 0) {
                                                            								__eax = E00405D3A(0xfffffff7, _v712);
                                                            							} else {
                                                            								__ebx = __ebp;
                                                            								__eflags = _v684 - __ebp;
                                                            								if(_v684 == __ebp) {
                                                            									__eax = _v700;
                                                            									_push(0x40b000);
                                                            									_push(0x40b100);
                                                            									_push(0x436000);
                                                            									_push(0x400);
                                                            									_push(_v700);
                                                            									__eax =  *__ecx();
                                                            									__esp = __esp + 0x14;
                                                            								} else {
                                                            									__eax = E00405D3A(_v684, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            									__eax = _v716();
                                                            									__eflags = __eax;
                                                            									if(__eax != 0) {
                                                            										__ebx = __esi;
                                                            									}
                                                            								}
                                                            							}
                                                            							__eflags = _v680.dwLowDateTime - __ebp;
                                                            							if(_v680.dwLowDateTime == __ebp) {
                                                            								__eax = E00403CD6(__edi);
                                                            								__eflags = __eax;
                                                            								if(__eax != 0) {
                                                            									__eax = FreeLibrary(__edi);
                                                            								}
                                                            							}
                                                            							goto L392;
                                                            						}
                                                            						__eax = GetModuleHandleW(__edi); // executed
                                                            						__edi = __eax;
                                                            						__eflags = __edi;
                                                            						if(__eflags != 0) {
                                                            							goto L219;
                                                            						}
                                                            						__edi = _v708;
                                                            						goto L218;
                                                            					case 0x2a:
                                                            						_v656 = E0040303E(__edx, 0xfffffff0);
                                                            						__eax = E0040303E(__edx, 0xffffffdf);
                                                            						__ebx = __eax;
                                                            						_v716 = __eax;
                                                            						_v672 = E0040303E(__edx, 2);
                                                            						_v672 = E0040303E(__edx, 0xffffffcd);
                                                            						_v684 = E0040303E(__edx, 0x45);
                                                            						__eax = _v696;
                                                            						__eax = __eax & 0x00000fff;
                                                            						__edi = __eax;
                                                            						_v720 = __eax & 0x00000fff;
                                                            						__ecx = __eax;
                                                            						__ecx = __eax & 0x00008000;
                                                            						__eax = __eax >> 0x10;
                                                            						__edi = __edi >> 0xc;
                                                            						_v724 = __ecx;
                                                            						__edi = __edi & 0x00000007;
                                                            						_v688 = __eax;
                                                            						__eax = E00406E03(__ebx);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							__eax = E0040303E(__edx, 0x21);
                                                            						}
                                                            						__eax =  &_v716;
                                                            						__esi = 0;
                                                            						_push(__eax);
                                                            						_push(0x409abc);
                                                            						__esi = 1;
                                                            						_push(1);
                                                            						_push(__ebp);
                                                            						_push(0x409adc);
                                                            						__imp__CoCreateInstance();
                                                            						__ebx = __eax;
                                                            						__eflags = __ebx;
                                                            						if(__ebx >= 0) {
                                                            							__eax = _v736;
                                                            							__edx =  &_v732;
                                                            							_push( &_v732);
                                                            							_push(0x409acc);
                                                            							_push(__eax);
                                                            							__ecx =  *__eax;
                                                            							0 = __eax;
                                                            							__eflags = __ebx;
                                                            							if(__ebx >= 0) {
                                                            								__eax =  *(__esp + 0x10);
                                                            								_push(_v740);
                                                            								_push(__eax);
                                                            								__ecx =  *__eax;
                                                            								0 = __eax;
                                                            								__eflags = _v744 - __ebp;
                                                            								if(_v744 == __ebp) {
                                                            									__eax = _v756;
                                                            									_push(L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane");
                                                            									_push(__eax);
                                                            									__ecx =  *__eax;
                                                            									__eax =  *((intOrPtr*)( *__eax + 0x24))();
                                                            								}
                                                            								__eflags = __edi;
                                                            								if(__edi != 0) {
                                                            									__eax = _v756;
                                                            									_push(__edi);
                                                            									_push(__eax);
                                                            									__ecx =  *__eax;
                                                            									__eax =  *((intOrPtr*)( *__eax + 0x3c))();
                                                            								}
                                                            								__eax = _v756;
                                                            								_push(_v708);
                                                            								_push(__eax);
                                                            								__ecx =  *__eax;
                                                            								__eax =  *((intOrPtr*)( *__eax + 0x34))();
                                                            								__edx = _v704;
                                                            								__eflags = __edx->i - __bp;
                                                            								if(__edx->i != __bp) {
                                                            									__eax = _v764;
                                                            									_push( *((intOrPtr*)(__esp + 0x20)));
                                                            									_push(__edx);
                                                            									__ecx =  *__eax;
                                                            									_push(__eax);
                                                            									__eax =  *((intOrPtr*)( *__eax + 0x44))();
                                                            								}
                                                            								__eax = _v764;
                                                            								_push(_v708);
                                                            								_push(__eax);
                                                            								__ecx =  *__eax;
                                                            								__eax =  *((intOrPtr*)( *__eax + 0x2c))();
                                                            								__eax =  *(__esp + 0x10);
                                                            								_push(_v720);
                                                            								_push(__eax);
                                                            								__ecx =  *__eax;
                                                            								__eax =  *((intOrPtr*)( *__eax + 0x1c))();
                                                            								__eflags = __ebx;
                                                            								if(__ebx >= 0) {
                                                            									__eax = _v776;
                                                            									_push(__esi);
                                                            									_push(_v716);
                                                            									__ecx =  *__eax;
                                                            									_push(__eax);
                                                            									0 = __eax;
                                                            								}
                                                            								__eax = _v776;
                                                            								_push(__eax);
                                                            								__ecx =  *__eax;
                                                            								__eax =  *((intOrPtr*)( *__eax + 8))();
                                                            							}
                                                            							__eax =  *(__esp + 0x10);
                                                            							_push(__eax);
                                                            							__ecx =  *__eax;
                                                            							__eax =  *((intOrPtr*)( *__eax + 8))();
                                                            						}
                                                            						__ebx = 0 >> 0x1f;
                                                            						0xbadbac = 0xbadba0;
                                                            						__eax = E00405D3A(0xbadba0, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            						__ebx = __ebx >> 0x1f;
                                                            						goto L392;
                                                            					case 0x2b:
                                                            						__esi = E0040303E(__edx, 0);
                                                            						__edi = E0040303E(__edx, 0x11);
                                                            						0 = E0040303E(__edx, 0x23);
                                                            						__eax = E004065CF(__esi);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = _v700;
                                                            							_v652 = _v700;
                                                            							_v648 = 2;
                                                            							__eax = lstrlenW(__esi);
                                                            							__ecx = 0;
                                                            							 *(__esi + 2 + __eax * 2) = __cx;
                                                            							__eax = lstrlenW(__edi);
                                                            							__ecx = 0;
                                                            							 *(__edi + 2 + __eax * 2) = __cx;
                                                            							__ax = _v684;
                                                            							_v644 = __esi;
                                                            							_v640 = __edi;
                                                            							 *(__esp + 0x72) = __ebx;
                                                            							 *((short*)(__esp + 0x68)) = _v684;
                                                            							E00405D3A(0, __ebx) =  &_v660;
                                                            							__eax = SHFileOperationW( &_v660);
                                                            							__eflags = __eax;
                                                            							if(__eax == 0) {
                                                            								goto L391;
                                                            							}
                                                            						}
                                                            						__eax = E00405D3A(0xfffffff9, __ebp);
                                                            						goto L28;
                                                            					case 0x2c:
                                                            						__eflags = __ecx - 0xbadf00d;
                                                            						if(__ecx != 0xbadf00d) {
                                                            							L158:
                                                            							_push(0x200010);
                                                            							_push(0xffffffe8);
                                                            							_push(__ebp);
                                                            							_push(E00405EBA());
                                                            							L89:
                                                            							__eax = E00406AA8();
                                                            							L5:
                                                            							__eax = 0x7fffffff;
                                                            							return 0x7fffffff;
                                                            						}
                                                            						 *0x435ad4 =  *0x435ad4 + 1;
                                                            						goto L391;
                                                            					case 0x2d:
                                                            						__esi = 0;
                                                            						__edi = 0;
                                                            						__eflags = __ecx;
                                                            						if(__ecx != 0) {
                                                            							__ebp = E0040303E(__edx, 0);
                                                            							__eax = _v692;
                                                            						}
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__esi = E0040303E(__edx, 0x11);
                                                            						}
                                                            						__eflags = _v680.dwHighDateTime - __edi;
                                                            						if(_v680.dwHighDateTime != __edi) {
                                                            							__edi = E0040303E(__edx, 0x22);
                                                            						}
                                                            						__eax = E0040303E(__edx, 0xffffffcd);
                                                            						__eax = WritePrivateProfileStringW(__ebp, __esi, __edi, __eax); // executed
                                                            						L27:
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							goto L391;
                                                            						}
                                                            						goto L28;
                                                            					case 0x2e:
                                                            						__ebx = 0;
                                                            						_v652 = 0xa;
                                                            						__ebx = 1;
                                                            						__edi = E0040303E(__edx, 1);
                                                            						__esi = E0040303E(__edx, 0x12);
                                                            						__eax = E0040303E(__edx, 0xffffffdd);
                                                            						__ebp = _v716;
                                                            						 &_v664 = GetPrivateProfileStringW(__edi, __esi,  &_v664, __ebp, 0x3ff,  &_v664); // executed
                                                            						_push(0xa);
                                                            						_pop(__eax);
                                                            						__eflags =  *__ebp - __ax;
                                                            						if( *__ebp != __ax) {
                                                            							goto L391;
                                                            						}
                                                            						__eax = 0;
                                                            						 *__ebp = __ax;
                                                            						goto L392;
                                                            					case 0x2f:
                                                            						__edi = 0;
                                                            						__edi = 1;
                                                            						__eflags = _v680.dwHighDateTime;
                                                            						if(__eflags != 0) {
                                                            							__eax = E0040303E(__edx, 0x22);
                                                            							_v680.dwLowDateTime = _v680.dwLowDateTime >> 1;
                                                            							__ecx = _v672;
                                                            							__eax = E0040307C(_v672, __eax, _v680.dwLowDateTime >> 1); // executed
                                                            							__edi = __eax;
                                                            						} else {
                                                            							__esi = E004030C1(__ecx, __edx, __eflags, 2);
                                                            							__eflags = __esi;
                                                            							if(__esi != 0) {
                                                            								__eax = E0040303E(__edx, 0x33);
                                                            								__edi = __eax;
                                                            								__eax = RegCloseKey(__esi);
                                                            							}
                                                            						}
                                                            						__ebx = 0;
                                                            						__eflags = __edi;
                                                            						__ebx = 0 | __edi != 0x00000000;
                                                            						goto L392;
                                                            					case 0x30:
                                                            						__eax = _v680.dwHighDateTime;
                                                            						_v708 = _v680.dwHighDateTime;
                                                            						__eax = _v672;
                                                            						_v712 = _v672;
                                                            						_v708 = E0040303E(__edx, 2);
                                                            						__eax = E0040303E(__edx, 0x11);
                                                            						__ecx =  &_v672;
                                                            						0 = 1;
                                                            						__ebx = 1;
                                                            						__eax = E00403023(_v660);
                                                            						__eax = E004062A5(__eflags, __eax, __eax, 0x100022,  &_v672); // executed
                                                            						__edi = _v692;
                                                            						__ecx = 0;
                                                            						__eflags = __eax;
                                                            						__edi =  !=  ? 0 : _v692;
                                                            						_v680.dwLowDateTime = __edi;
                                                            						__eflags = __edi;
                                                            						if(__edi == 0) {
                                                            							goto L392;
                                                            						}
                                                            						__eax = _v708;
                                                            						__edi = 0x40c108;
                                                            						__eflags = __eax - 1;
                                                            						if(__eax != 1) {
                                                            							_push(4);
                                                            							_pop(__esi);
                                                            							__eflags = __eax - 1;
                                                            							if(__eax != 1) {
                                                            								__esi = 0;
                                                            								__eflags = __eax - 3;
                                                            								if(__eax == 3) {
                                                            									0 = E00403148(_v680.dwLowDateTime, 0, 0x40c108, 0x1800);
                                                            								}
                                                            							} else {
                                                            								 *0x40c108 = E00403002(3);
                                                            							}
                                                            						} else {
                                                            							__eax = E0040303E(__edx, 0x23);
                                                            							0 = 2 + lstrlenW(0x40c108) * 2;
                                                            						}
                                                            						__esi = _v652;
                                                            						__eax = RegSetValueExW(__esi, _v704, __ebp, _v712, __edi, __esi); // executed
                                                            						__eax =  ~__eax;
                                                            						asm("sbb eax, eax");
                                                            						__eflags = 0;
                                                            						goto L274;
                                                            					case 0x31:
                                                            						__eax = E004030C1(__ecx, __edx, __eflags, 0x20019); // executed
                                                            						__esi = __eax;
                                                            						__eax = E0040303E(__edx, 0x33);
                                                            						__ecx = 0;
                                                            						 *__edi = __cx;
                                                            						__eflags = __esi;
                                                            						if(__esi == 0) {
                                                            							goto L28;
                                                            						}
                                                            						__ecx =  &_v652;
                                                            						_v652 = 0x800;
                                                            						__ecx =  &_v704;
                                                            						__eax = RegQueryValueExW(__esi, __eax, 0,  &_v704, __edi,  &_v652);
                                                            						__ecx = 0;
                                                            						__ecx = 1;
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							L282:
                                                            							__eax = 0;
                                                            							__ebx = __ecx;
                                                            							 *__edi = __ax;
                                                            							L274:
                                                            							__eax = RegCloseKey(__esi);
                                                            							goto L392;
                                                            						}
                                                            						__eflags = _v704 - 4;
                                                            						if(_v704 == 4) {
                                                            							__ebx = 0;
                                                            							__eflags = _v680.dwHighDateTime;
                                                            							__ebx = 0 | _v680.dwHighDateTime == 0x00000000;
                                                            							__eax = E0040661F(__edi,  *__edi);
                                                            							goto L274;
                                                            						}
                                                            						__eflags = _v704 - 1;
                                                            						if(_v704 == 1) {
                                                            							L280:
                                                            							__ebx = _v680.dwHighDateTime;
                                                            							__eax = 0;
                                                            							 *(__edi + 0x7fe) = __ax;
                                                            							goto L274;
                                                            						}
                                                            						__eflags = _v704 - 2;
                                                            						if(_v704 != 2) {
                                                            							goto L282;
                                                            						}
                                                            						goto L280;
                                                            					case 0x32:
                                                            						0 = E004030C1(__ecx, __edx, __eflags, 0x20019);
                                                            						__eax = E00403002(3);
                                                            						__ebx = _v720;
                                                            						__ecx = 0;
                                                            						 *__edi = __cx;
                                                            						__eflags = __esi;
                                                            						if(__esi == 0) {
                                                            							goto L28;
                                                            						}
                                                            						__ecx = 0x3ff;
                                                            						_v652 = 0x3ff;
                                                            						__eflags = _v680.dwHighDateTime;
                                                            						if(_v680.dwHighDateTime == 0) {
                                                            							__ecx =  &_v652;
                                                            							__eax = RegEnumValueW(__esi, __eax, __edi,  &_v652, 0, 0, 0, 0);
                                                            							0 = 1;
                                                            							__eflags = __eax;
                                                            							_v716 = 0;
                                                            						} else {
                                                            							__eax = RegEnumKeyW(__esi, __eax, __edi, 0x3ff);
                                                            						}
                                                            						__eax = 0;
                                                            						 *(__edi + 0x7fe) = __ax;
                                                            						__eax = RegCloseKey(__esi);
                                                            						goto L391;
                                                            					case 0x33:
                                                            						__eax = E00406C25(__edi);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							goto L391;
                                                            						}
                                                            						__eax = CloseHandle(__eax);
                                                            						L198:
                                                            						goto L391;
                                                            					case 0x34:
                                                            						__eax = E0040303E(__edx, 0xffffffed);
                                                            						__eax = E0040691B(__eax, _v692, _v688);
                                                            						__eflags = __eax - 0xffffffff;
                                                            						if(__eax != 0xffffffff) {
                                                            							L98:
                                                            							_push(__eax);
                                                            							L20:
                                                            							_push(__edi);
                                                            							goto L21;
                                                            						}
                                                            						goto L291;
                                                            					case 0x35:
                                                            						__ecx = _v696;
                                                            						__eax = 0;
                                                            						__edx = _v684;
                                                            						__eflags = __ecx - 0x38;
                                                            						_v652 = __edx;
                                                            						__esi = 0x40b908;
                                                            						__eax = 0 | __eflags == 0x00000000;
                                                            						0 = 1;
                                                            						_v712 = __eflags == 0;
                                                            						__eflags = __edx;
                                                            						if(__edx == 0) {
                                                            							__eflags = __ecx - 0x38;
                                                            							if(__ecx != 0x38) {
                                                            								__eax = E0040303E(__edx, 0x11);
                                                            								__eax = lstrlenW(__eax);
                                                            								__eflags = __eax + __eax;
                                                            							} else {
                                                            								E0040303E(__edx, 0x21) = E00406469("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp", 0x40b908, 0x400);
                                                            								__esi = lstrlenA(0x40b908);
                                                            							}
                                                            						} else {
                                                            							__eax = E00403002(1);
                                                            							_v712 = _v712 ^ 1;
                                                            							 *0x40b908 = __ax;
                                                            							__esi = (_v712 ^ 1) + 1;
                                                            						}
                                                            						__eflags =  *__edi - __bp;
                                                            						if( *__edi == __bp) {
                                                            							goto L392;
                                                            						} else {
                                                            							__edi = E00406C25(__edi);
                                                            							_v716 = _v716 | _v656;
                                                            							__eflags = _v716 | _v656;
                                                            							if((_v716 | _v656) != 0) {
                                                            								L301:
                                                            								__eax = E00406A0B(__ecx, __edi, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll", __esi);
                                                            								__eflags = __eax;
                                                            								if(__eax != 0) {
                                                            									goto L391;
                                                            								}
                                                            								goto L392;
                                                            							}
                                                            							__eflags = _v680.dwLowDateTime - __ebp;
                                                            							if(_v680.dwLowDateTime == __ebp) {
                                                            								goto L301;
                                                            							}
                                                            							__eax = E00406484(__edi, __edi);
                                                            							__eflags = __eax;
                                                            							if(__eax < 0) {
                                                            								goto L392;
                                                            							}
                                                            							goto L301;
                                                            						}
                                                            					case 0x36:
                                                            						_push(2);
                                                            						_pop(__ecx);
                                                            						_v712 = 0;
                                                            						_v700 = __ecx;
                                                            						__eax = E00403002(__ecx);
                                                            						__ebx = 0;
                                                            						__ebx = 1;
                                                            						__eflags = __eax - 1;
                                                            						if(__eax < 1) {
                                                            							goto L391;
                                                            						}
                                                            						__ecx = 0x3ff;
                                                            						__eflags = __eax - 0x3ff;
                                                            						_v708 = __eax;
                                                            						__eflags =  *__edi - __bp;
                                                            						if( *__edi == __bp) {
                                                            							L327:
                                                            							__eax = _v712;
                                                            							__ecx = 0;
                                                            							__ebx = 0;
                                                            							__eflags = __eax;
                                                            							 *(__esi + __eax * 2) = __cx;
                                                            							L80:
                                                            							__ebx = __ebx & 0xffffff00 | __eflags == 0x00000000;
                                                            							goto L392;
                                                            						}
                                                            						_v668 = 0;
                                                            						0 = E00406C25(__edi);
                                                            						_v708 = __ecx;
                                                            						__eflags = _v712;
                                                            						if(_v712 <= 0) {
                                                            							goto L327;
                                                            						}
                                                            						_v664 = 0xd;
                                                            						__edi = 0;
                                                            						do {
                                                            							__eflags = _v696 - 0x39;
                                                            							if(_v696 != 0x39) {
                                                            								__eflags = _v680.dwLowDateTime - __ebp;
                                                            								if(_v680.dwLowDateTime != __ebp) {
                                                            									L320:
                                                            									__eax =  &_v660;
                                                            									__eax = E00406948(__ecx, __ecx,  &_v660, 2);
                                                            									__eflags = __eax;
                                                            									if(__eax == 0) {
                                                            										goto L327;
                                                            									}
                                                            									L321:
                                                            									__ecx = _v700;
                                                            									__eax = _v660;
                                                            									L322:
                                                            									__eflags = _v680.dwLowDateTime - __ebp;
                                                            									if(_v680.dwLowDateTime != __ebp) {
                                                            										L333:
                                                            										__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
                                                            										goto L393;
                                                            									}
                                                            									_push(0xd);
                                                            									_pop(__edx);
                                                            									__eflags = _v668 - __dx;
                                                            									_push(0xa);
                                                            									_pop(__edx);
                                                            									if(_v668 == __dx) {
                                                            										L328:
                                                            										__eflags = _v668 - __ax;
                                                            										if(_v668 == __ax) {
                                                            											L332:
                                                            											__eax = SetFilePointer(_v704, 0, __ebp, 0);
                                                            											goto L327;
                                                            										}
                                                            										__eflags = __ax - _v664;
                                                            										if(__ax == _v664) {
                                                            											L331:
                                                            											 *(__esi + __edi * 2) = __ax;
                                                            											_v712 = __edi;
                                                            											goto L327;
                                                            										}
                                                            										__eflags = __ax - __dx;
                                                            										if(__ax != __dx) {
                                                            											goto L332;
                                                            										}
                                                            										goto L331;
                                                            									}
                                                            									__eflags = _v668 - __dx;
                                                            									if(_v668 == __dx) {
                                                            										goto L328;
                                                            									}
                                                            									 *(__esi + __edi * 2) = __ax;
                                                            									__edi = __edi + 1;
                                                            									__eax = __ax & 0x0000ffff;
                                                            									_v712 = __edi;
                                                            									_v668 = __ax & 0x0000ffff;
                                                            									__eflags = __ax;
                                                            									if(__ax == 0) {
                                                            										goto L327;
                                                            									}
                                                            									goto L326;
                                                            								}
                                                            								__eflags = __edi;
                                                            								if(__edi != 0) {
                                                            									goto L320;
                                                            								}
                                                            								__eax = E00406484(__ecx, __ebp);
                                                            								__eflags = __eax;
                                                            								if(__eax < 0) {
                                                            									goto L327;
                                                            								}
                                                            								__ecx = _v704;
                                                            								goto L320;
                                                            							}
                                                            							_push(__ebp);
                                                            							__eax =  &_v656;
                                                            							_push( &_v656);
                                                            							_push(2);
                                                            							_pop(__eax);
                                                            							 &_v656 - _v680.dwLowDateTime =  &_v716;
                                                            							__eax = ReadFile(__ecx,  &_v716,  &_v656 - _v680.dwLowDateTime, ??, ??); // executed
                                                            							__eflags = __eax;
                                                            							if(__eax == 0) {
                                                            								goto L327;
                                                            							}
                                                            							__ecx = _v656;
                                                            							_v700 = __ecx;
                                                            							__eflags = __ecx;
                                                            							if(__ecx == 0) {
                                                            								goto L327;
                                                            							}
                                                            							__eax = _v716 & 0x000000ff;
                                                            							_v660 = _v716 & 0x000000ff;
                                                            							__eflags = _v680.dwLowDateTime - __ebp;
                                                            							if(_v680.dwLowDateTime != __ebp) {
                                                            								goto L333;
                                                            							}
                                                            							 &_v660 =  &_v716;
                                                            							__eax = MultiByteToWideChar(__ebp, 8,  &_v716, __ecx,  &_v660, __ebx);
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								goto L321;
                                                            							}
                                                            							__ecx = _v700;
                                                            							__edx = __ecx;
                                                            							__edx =  ~__ecx;
                                                            							while(1) {
                                                            								_t351 =  &_v656;
                                                            								 *_t351 = _v656 - 1;
                                                            								__eflags =  *_t351;
                                                            								__eax = 0xfffd;
                                                            								_v660 = 0xfffd;
                                                            								if( *_t351 == 0) {
                                                            									goto L322;
                                                            								}
                                                            								__ecx = __ecx - 1;
                                                            								__edx =  &(__edx->i);
                                                            								_v700 = __ecx;
                                                            								_v652 = __edx;
                                                            								__eax = SetFilePointer(_v704, __edx, __ebp, __ebx); // executed
                                                            								 &_v660 =  &_v716;
                                                            								__eax = MultiByteToWideChar(__ebp, 8,  &_v716, _v656,  &_v660, __ebx);
                                                            								__ecx = _v700;
                                                            								__edx = _v652;
                                                            								__eflags = __eax;
                                                            								if(__eax == 0) {
                                                            									continue;
                                                            								}
                                                            								goto L321;
                                                            							}
                                                            							goto L322;
                                                            							L326:
                                                            							__ecx = _v704;
                                                            							__eflags = __edi - _v708;
                                                            						} while (__edi < _v708);
                                                            						goto L327;
                                                            					case 0x37:
                                                            						__eflags =  *__edi - __bp;
                                                            						asm("das");
                                                            						if(__eflags == 0) {
                                                            							goto L391;
                                                            						} else {
                                                            							__eax = E00403002(2);
                                                            							__eax = E00406C25(__edi);
                                                            							__eax = SetFilePointer(__eax, __eax, 0, _v680.dwLowDateTime); // executed
                                                            							__eflags = _v692;
                                                            							if(_v692 < 0) {
                                                            								goto L391;
                                                            							}
                                                            							goto L337;
                                                            						}
                                                            					case 0x38:
                                                            						__eax = E00406C25(__edi);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eax = FindClose(__eax);
                                                            						}
                                                            						goto L391;
                                                            					case 0x39:
                                                            						__eax = E00406C25(__esi);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							L61:
                                                            							0 = 1;
                                                            							__eax = 0;
                                                            							 *__edi = __ax;
                                                            							goto L392;
                                                            						}
                                                            						__ecx =  &(_v596.ftCreationTime);
                                                            						__eax = FindNextFileW(__eax,  &(_v596.ftCreationTime));
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							goto L61;
                                                            						}
                                                            						goto L342;
                                                            					case 0x3a:
                                                            						__eax = E0040303E(__edx, 2);
                                                            						__ecx =  &_v596;
                                                            						__eax = FindFirstFileW(__eax,  &_v596); // executed
                                                            						__eflags = __eax - 0xffffffff;
                                                            						if(__eax != 0xffffffff) {
                                                            							__eax = E0040661F(__esi, __eax);
                                                            							L342:
                                                            							__eax =  &_v548;
                                                            							_push( &_v548);
                                                            							_push(__edi);
                                                            							goto L157;
                                                            						}
                                                            						__eax = 0;
                                                            						 *__esi = __ax;
                                                            						L291:
                                                            						__eax = 0;
                                                            						 *__edi = __ax;
                                                            						goto L28;
                                                            					case 0x3b:
                                                            						_v708 = 0xfffffd66;
                                                            						0 = E0040303E(__edx, 0xfffffff0);
                                                            						_v656 = __ebx;
                                                            						__eax = E00406E03(__ebx);
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							__eax = E0040303E(__edx, 0xffffffed);
                                                            						}
                                                            						__eax = E00406B9D(__ebx);
                                                            						__edi = E0040691B(__ebx, 0x40000000, 2);
                                                            						_v720 = __edi;
                                                            						__eflags = __edi - 0xffffffff;
                                                            						if(__edi == 0xffffffff) {
                                                            							L360:
                                                            							_push(0xfffffff3);
                                                            							_pop(__esi);
                                                            							__eflags = _v708 - __ebp;
                                                            							if(_v708 >= __ebp) {
                                                            								__ebx = _v716;
                                                            							} else {
                                                            								_push(0xffffffef);
                                                            								_pop(__esi);
                                                            								__eax = DeleteFileW(__ebx);
                                                            								0 = 1;
                                                            							}
                                                            							_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            							_push(__esi);
                                                            							L230:
                                                            							__eax = E00405D3A();
                                                            							goto L392;
                                                            						} else {
                                                            							__eax = _v688;
                                                            							_v664 = _v688;
                                                            							__eflags = _v684 - __ebp;
                                                            							if(_v684 == __ebp) {
                                                            								L359:
                                                            								_v724 = __eax;
                                                            								__eax = CloseHandle(__edi);
                                                            								goto L360;
                                                            							}
                                                            							__eax =  *0x435a08;
                                                            							_v712 = __eax;
                                                            							__esi = __eax;
                                                            							_v708 = __esi;
                                                            							__eflags = __esi;
                                                            							if(__esi == 0) {
                                                            								__eax = _v664;
                                                            								goto L359;
                                                            							}
                                                            							E00403131(__ebp) = E0040311B(__esi, _v716);
                                                            							__edi = GlobalAlloc(0x40, _v696);
                                                            							_v680.dwHighDateTime = __edi;
                                                            							__eflags = __edi;
                                                            							if(__edi == 0) {
                                                            								L357:
                                                            								__edi = _v704;
                                                            								__eax = E00406A0B(__ecx, __edi, __esi, _v712);
                                                            								GlobalFree(__esi) = __eax | 0xffffffff;
                                                            								goto L359;
                                                            							}
                                                            							__eax = E00403148(_v688, __ebp, __edi, _v684);
                                                            							__eflags =  *__edi;
                                                            							if( *__edi == 0) {
                                                            								L356:
                                                            								__eax = GlobalFree(_v664);
                                                            								goto L357;
                                                            							}
                                                            							__ebx = __esi;
                                                            							do {
                                                            								__esi =  *__edi;
                                                            								__eax =  *(__edi + 4);
                                                            								__edi = __edi + 8;
                                                            								__eax = E004066B4(__eax, __edi, __esi);
                                                            								__edi = __edi + __esi;
                                                            								__eflags =  *__edi;
                                                            							} while ( *__edi != 0);
                                                            							__ebx = _v652;
                                                            							__esi = _v708;
                                                            							goto L356;
                                                            						}
                                                            					case 0x3c:
                                                            						__eax = E00403002(0);
                                                            						__ebx = __eax;
                                                            						__eflags = __ebx -  *0x435a2c;
                                                            						if(__ebx >=  *0x435a2c) {
                                                            							goto L28;
                                                            						}
                                                            						__ecx = _v684;
                                                            						__edi = __ebx * 0x818;
                                                            						__edi = __ebx * 0x818 +  *0x435a28;
                                                            						__eflags = __ecx;
                                                            						if(__eflags < 0) {
                                                            							__eax = __eax | 0xffffffff;
                                                            							__eax = __eax - __ecx;
                                                            							__eflags = __eax;
                                                            							_v684 = __eax;
                                                            							if(__eax == 0) {
                                                            								_push(_v680.dwHighDateTime);
                                                            								__eax = __edi + 0x18;
                                                            								_push(__edi + 0x18);
                                                            								__eax = E00405EBA();
                                                            								_t421 = __edi + 8;
                                                            								 *_t421 =  *(__edi + 8) | 0x00000100;
                                                            								__eflags =  *_t421;
                                                            								__ecx = _v696;
                                                            							} else {
                                                            								0 = E00403002(1);
                                                            								_v688 = __ecx;
                                                            							}
                                                            							__eax = _v692;
                                                            							 *(__edi + _v692 * 4) = __ecx;
                                                            							__eflags = _v688 - __ebp;
                                                            							if(_v688 != __ebp) {
                                                            								__eax = E00401221(__ebx);
                                                            							}
                                                            							goto L391;
                                                            						}
                                                            						__eax =  *(__edi + __ecx * 4);
                                                            						if(__eflags != 0) {
                                                            							goto L337;
                                                            						}
                                                            						__eax = __edi + 0x18;
                                                            						_push(__edi + 0x18);
                                                            						_push(__esi);
                                                            						L157:
                                                            						__eax = E00406B1A();
                                                            						goto L391;
                                                            					case 0x3d:
                                                            						__edx = E00403002(0);
                                                            						__eflags = __edx - 0x20;
                                                            						if(__edx >= 0x20) {
                                                            							L28:
                                                            							0 = 1;
                                                            							goto L392;
                                                            						}
                                                            						__eflags = _v680.dwLowDateTime;
                                                            						if(_v680.dwLowDateTime == 0) {
                                                            							__eax =  *0x435a10;
                                                            							__eflags = _v684;
                                                            							if(_v684 == 0) {
                                                            								_push( *((intOrPtr*)(__eax + 0x94 + __edx * 4)));
                                                            								_push(__esi);
                                                            								__eax = E00405EBA();
                                                            							} else {
                                                            								__ecx = _v688;
                                                            								 *((intOrPtr*)(__eax + 0x94 + __edx * 4)) = _v688;
                                                            							}
                                                            							goto L391;
                                                            						}
                                                            						__eflags = _v684;
                                                            						if(_v684 == 0) {
                                                            							__eax = E004011A0(0);
                                                            							L337:
                                                            							_push(__eax);
                                                            							_push(__esi);
                                                            							goto L21;
                                                            						}
                                                            						E00401290(__edx) = E004012DD(0, 0);
                                                            						goto L391;
                                                            					case 0x3e:
                                                            						__eax = _v680.dwLowDateTime;
                                                            						__eax = _v680.dwLowDateTime;
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							__edi = E004068E6(5);
                                                            							__eax = E0040303E(__edx, 0x22);
                                                            							__eflags = __edi;
                                                            							if(__edi == 0) {
                                                            								L388:
                                                            								0 = 1;
                                                            								__eax = 0;
                                                            								 *__esi = __ax;
                                                            								goto L392;
                                                            							}
                                                            							__ecx =  &_v652;
                                                            							_push( &_v652);
                                                            							_push(__eax);
                                                            							__imp__IIDFromString();
                                                            							__eflags = __eax;
                                                            							if(__eax < 0) {
                                                            								goto L388;
                                                            							}
                                                            							__eax =  &_v716;
                                                            							_push( &_v716);
                                                            							_push(0);
                                                            							_push(_v688);
                                                            							__eax =  &_v660;
                                                            							_push( &_v660);
                                                            							__eax =  *__edi();
                                                            							__eflags = __eax;
                                                            							if(__eax < 0) {
                                                            								goto L388;
                                                            							}
                                                            							__eax = E00406B1A(__esi, _v732);
                                                            							_push(_v740);
                                                            							__imp__CoTaskMemFree();
                                                            							goto L391;
                                                            						}
                                                            						__eax = __eax - 1;
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							goto L391;
                                                            						}
                                                            						__esi = E00403002(2);
                                                            						__eax = E00403002(4);
                                                            						__edx = __al & 0x000000ff;
                                                            						__eax = __eax >> 0x18;
                                                            						__ecx = 0x435ac0;
                                                            						__eflags = __esi;
                                                            						_v708 = 0;
                                                            						__ecx =  !=  ? __esi : 0x435ac0;
                                                            						 &_v708 = E004066B4( &_v708,  &_v708, __al & 0x000000ff);
                                                            						_push(_v720);
                                                            						_push(_v724);
                                                            						L21:
                                                            						__eax = E0040661F();
                                                            						goto L391;
                                                            					case 0x3f:
                                                            						goto L391;
                                                            					case 0x40:
                                                            						__eax =  *0x42bd40; // 0x1
                                                            						__eax = SendMessageW(__edx, 0xb, __eax, 0);
                                                            						__eflags = _v692;
                                                            						if(_v692 != 0) {
                                                            							_v700 = InvalidateRect(_v700, 0, 0);
                                                            						}
                                                            						goto L391;
                                                            				}
                                                            			}
















































                                                            0x0040186e
                                                            0x0040186e
                                                            0x00401876
                                                            0x00000000
                                                            0x00401876
                                                            0x0040186c
                                                            0x0040184d
                                                            0x0040184f
                                                            0x00401850
                                                            0x00401852
                                                            0x00000000
                                                            0x00000000
                                                            0x0040189d
                                                            0x004018a2
                                                            0x004018b0
                                                            0x004018b6
                                                            0x004018b8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004018cd
                                                            0x004018d4
                                                            0x00000000
                                                            0x00000000
                                                            0x004018e0
                                                            0x004018e5
                                                            0x004018e9
                                                            0x004018eb
                                                            0x004018ee
                                                            0x004018f3
                                                            0x004018f7
                                                            0x004018fc
                                                            0x00401901
                                                            0x00401902
                                                            0x00401904
                                                            0x00401914
                                                            0x00401920
                                                            0x00401906
                                                            0x00401906
                                                            0x00401907
                                                            0x00401907
                                                            0x00401926
                                                            0x0040192b
                                                            0x0040192d
                                                            0x0040192d
                                                            0x0040192e
                                                            0x0040192e
                                                            0x00401931
                                                            0x00401964
                                                            0x00401964
                                                            0x00401966
                                                            0x00401969
                                                            0x00401969
                                                            0x0040196e
                                                            0x00401970
                                                            0x00401975
                                                            0x0040197d
                                                            0x00401982
                                                            0x00401986
                                                            0x00401989
                                                            0x00401a18
                                                            0x00401a1f
                                                            0x00401a24
                                                            0x00401a28
                                                            0x00401a35
                                                            0x00401a3a
                                                            0x00401a40
                                                            0x00401a45
                                                            0x00401a49
                                                            0x00401a52
                                                            0x00401a5a
                                                            0x00401a60
                                                            0x00401a61
                                                            0x00401a67
                                                            0x00401a6b
                                                            0x00401a6d
                                                            0x00000000
                                                            0x00000000
                                                            0x00401a73
                                                            0x00401a76
                                                            0x00401a89
                                                            0x00401a8b
                                                            0x00401a8c
                                                            0x00401a78
                                                            0x00401a78
                                                            0x00401a7a
                                                            0x00401a82
                                                            0x00401a82
                                                            0x00401a91
                                                            0x00401a96
                                                            0x00000000
                                                            0x00401a96
                                                            0x00401a4b
                                                            0x00401a50
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040198f
                                                            0x0040198f
                                                            0x00401991
                                                            0x004019fd
                                                            0x00401a04
                                                            0x00401a09
                                                            0x00401a0b
                                                            0x00000000
                                                            0x00401a0b
                                                            0x00000000
                                                            0x00401991
                                                            0x00401989
                                                            0x00401934
                                                            0x00401939
                                                            0x0040193b
                                                            0x0040193d
                                                            0x0040193f
                                                            0x00401943
                                                            0x00401943
                                                            0x0040194e
                                                            0x0040194e
                                                            0x00401950
                                                            0x00401953
                                                            0x00401959
                                                            0x0040195b
                                                            0x0040195d
                                                            0x0040195f
                                                            0x0040195f
                                                            0x00401960
                                                            0x00000000
                                                            0x00401993
                                                            0x004019a8
                                                            0x004019ad
                                                            0x004019b1
                                                            0x004019c5
                                                            0x004019ce
                                                            0x004019d7
                                                            0x004019dc
                                                            0x004019dc
                                                            0x004019dc
                                                            0x004019e5
                                                            0x004019e5
                                                            0x004019e8
                                                            0x004019f2
                                                            0x00000000
                                                            0x004019f2
                                                            0x004019ea
                                                            0x004019eb
                                                            0x004015d7
                                                            0x004015d7
                                                            0x00000000
                                                            0x00000000
                                                            0x00401aa1
                                                            0x00000000
                                                            0x00000000
                                                            0x00401ab8
                                                            0x00401ac2
                                                            0x00401ac7
                                                            0x00401ac9
                                                            0x00000000
                                                            0x00000000
                                                            0x00401acf
                                                            0x00401ad3
                                                            0x00000000
                                                            0x00000000
                                                            0x00401ad9
                                                            0x00401add
                                                            0x00000000
                                                            0x00000000
                                                            0x00401ae3
                                                            0x00000000
                                                            0x00000000
                                                            0x00401aec
                                                            0x00401aa2
                                                            0x00401aac
                                                            0x00000000
                                                            0x00000000
                                                            0x00401af2
                                                            0x00401af8
                                                            0x00000000
                                                            0x00000000
                                                            0x00401b0c
                                                            0x00401b0e
                                                            0x00401b19
                                                            0x00401b1b
                                                            0x00401b21
                                                            0x00401b25
                                                            0x00401b2a
                                                            0x00401b2c
                                                            0x00401b2e
                                                            0x00401b31
                                                            0x00401b34
                                                            0x00401b36
                                                            0x00000000
                                                            0x00000000
                                                            0x00401b3c
                                                            0x00401b3e
                                                            0x00401b48
                                                            0x00401b48
                                                            0x00401b4a
                                                            0x00401b51
                                                            0x00401b56
                                                            0x00401b5b
                                                            0x00401b5d
                                                            0x00401b65
                                                            0x00401b65
                                                            0x00401b65
                                                            0x00401b67
                                                            0x00401b69
                                                            0x00401b6b
                                                            0x00401b6e
                                                            0x00401b72
                                                            0x00401b77
                                                            0x00401b7d
                                                            0x00401b7f
                                                            0x00401b7f
                                                            0x00000000
                                                            0x00401b77
                                                            0x00401b40
                                                            0x00401b40
                                                            0x00401b42
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401b91
                                                            0x00401b98
                                                            0x00401b99
                                                            0x00401b9a
                                                            0x00401b9e
                                                            0x00401ba8
                                                            0x00401ba0
                                                            0x00401ba0
                                                            0x00401ba0
                                                            0x00401bae
                                                            0x00401bb0
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401bbb
                                                            0x00401bbd
                                                            0x00401bc9
                                                            0x00401bcd
                                                            0x00401bd3
                                                            0x00401bd5
                                                            0x00401be9
                                                            0x00401be9
                                                            0x00401beb
                                                            0x00401bed
                                                            0x00401bf6
                                                            0x00401bf6
                                                            0x00401bf8
                                                            0x00000000
                                                            0x00401bf8
                                                            0x00401bd7
                                                            0x00401bdb
                                                            0x00401bf2
                                                            0x00401bf2
                                                            0x00000000
                                                            0x00401bf2
                                                            0x00401bdf
                                                            0x00401be5
                                                            0x00401be7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c04
                                                            0x00401c10
                                                            0x00401c12
                                                            0x00401c19
                                                            0x00401c1b
                                                            0x00401c25
                                                            0x00401c27
                                                            0x00401c32
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c38
                                                            0x00401c38
                                                            0x00000000
                                                            0x00401c38
                                                            0x00401c29
                                                            0x00401c29
                                                            0x00000000
                                                            0x00401c29
                                                            0x00401c1d
                                                            0x00401c1f
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c21
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c41
                                                            0x00401c43
                                                            0x00401c4c
                                                            0x00401c55
                                                            0x00401c57
                                                            0x00401c5b
                                                            0x00401c5e
                                                            0x00401cd0
                                                            0x00401cd0
                                                            0x00401cd4
                                                            0x00401cd6
                                                            0x00000000
                                                            0x00401cd6
                                                            0x00401c60
                                                            0x00000000
                                                            0x00401c67
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c6b
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c6f
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c74
                                                            0x00401c76
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c78
                                                            0x00401c7a
                                                            0x00401c7b
                                                            0x00401c7b
                                                            0x00401c7b
                                                            0x00401c7d
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c8c
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c90
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c94
                                                            0x00000000
                                                            0x00000000
                                                            0x00401c98
                                                            0x00401c9a
                                                            0x00401c9c
                                                            0x00401c9f
                                                            0x00000000
                                                            0x00000000
                                                            0x00401ca3
                                                            0x00401ca5
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00401caf
                                                            0x00401cb1
                                                            0x00401cab
                                                            0x00401cab
                                                            0x00000000
                                                            0x00401cab
                                                            0x00401cb3
                                                            0x00401cb3
                                                            0x00401cb5
                                                            0x00000000
                                                            0x00000000
                                                            0x00401ca7
                                                            0x00401ca7
                                                            0x00000000
                                                            0x00000000
                                                            0x00401cb9
                                                            0x00401cbb
                                                            0x00401c81
                                                            0x00401c81
                                                            0x00401c83
                                                            0x00401c83
                                                            0x00401c85
                                                            0x00401c87
                                                            0x00000000
                                                            0x00401c87
                                                            0x00401cbd
                                                            0x00401cbf
                                                            0x00401cc0
                                                            0x00401cc0
                                                            0x00401cc0
                                                            0x00401cc2
                                                            0x00000000
                                                            0x00000000
                                                            0x00401cc6
                                                            0x00000000
                                                            0x00000000
                                                            0x00401cca
                                                            0x00000000
                                                            0x00000000
                                                            0x00401cce
                                                            0x00000000
                                                            0x00000000
                                                            0x0040247f
                                                            0x00402483
                                                            0x00402484
                                                            0x00402488
                                                            0x0040248a
                                                            0x0040248e
                                                            0x0040248e
                                                            0x00402490
                                                            0x00402494
                                                            0x00402495
                                                            0x00402497
                                                            0x00402497
                                                            0x0040249a
                                                            0x0040249e
                                                            0x0040249f
                                                            0x004024a1
                                                            0x004024a1
                                                            0x004024a6
                                                            0x004024b1
                                                            0x004024b5
                                                            0x004024ba
                                                            0x00000000
                                                            0x00000000
                                                            0x004024ca
                                                            0x004024d3
                                                            0x004024db
                                                            0x004024dd
                                                            0x004024e2
                                                            0x004024e4
                                                            0x004024f3
                                                            0x004024f8
                                                            0x004024fc
                                                            0x00402504
                                                            0x00402509
                                                            0x0040250c
                                                            0x00402511
                                                            0x00402516
                                                            0x0040251a
                                                            0x0040251f
                                                            0x00402524
                                                            0x00402528
                                                            0x0040252c
                                                            0x00402530
                                                            0x0040253a
                                                            0x0040253f
                                                            0x00402545
                                                            0x00402547
                                                            0x00000000
                                                            0x00000000
                                                            0x0040254d
                                                            0x004024e9
                                                            0x00000000
                                                            0x00000000
                                                            0x0040254f
                                                            0x00402555
                                                            0x00401d50
                                                            0x00401d50
                                                            0x00401d55
                                                            0x00401d57
                                                            0x00401d5d
                                                            0x00401a97
                                                            0x00401a97
                                                            0x004015dc
                                                            0x004015dc
                                                            0x00000000
                                                            0x004015dc
                                                            0x0040255b
                                                            0x00000000
                                                            0x00000000
                                                            0x00402566
                                                            0x00402568
                                                            0x0040256a
                                                            0x0040256c
                                                            0x00402574
                                                            0x00402576
                                                            0x00402576
                                                            0x0040257a
                                                            0x0040257c
                                                            0x00402585
                                                            0x00402585
                                                            0x00402587
                                                            0x0040258b
                                                            0x00402594
                                                            0x00402594
                                                            0x00402598
                                                            0x004025a1
                                                            0x00401701
                                                            0x00401701
                                                            0x00401703
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004025ac
                                                            0x004025ae
                                                            0x004025b6
                                                            0x004025bf
                                                            0x004025c8
                                                            0x004025ca
                                                            0x004025cf
                                                            0x004025e1
                                                            0x004025e7
                                                            0x004025e9
                                                            0x004025ea
                                                            0x004025ee
                                                            0x00000000
                                                            0x00000000
                                                            0x004025f4
                                                            0x004025f6
                                                            0x00000000
                                                            0x00000000
                                                            0x004025ff
                                                            0x00402601
                                                            0x00402602
                                                            0x00402606
                                                            0x00402631
                                                            0x0040263a
                                                            0x0040263d
                                                            0x00402643
                                                            0x00402648
                                                            0x00402608
                                                            0x0040260f
                                                            0x00402611
                                                            0x00402613
                                                            0x00402617
                                                            0x00402625
                                                            0x00402627
                                                            0x00402627
                                                            0x00402613
                                                            0x0040264a
                                                            0x0040264c
                                                            0x0040264e
                                                            0x00000000
                                                            0x00000000
                                                            0x00402656
                                                            0x0040265a
                                                            0x0040265e
                                                            0x00402664
                                                            0x0040266f
                                                            0x00402673
                                                            0x00402678
                                                            0x00402689
                                                            0x0040268a
                                                            0x0040268c
                                                            0x00402692
                                                            0x00402697
                                                            0x0040269b
                                                            0x0040269d
                                                            0x0040269f
                                                            0x004026a2
                                                            0x004026a6
                                                            0x004026a8
                                                            0x00000000
                                                            0x00000000
                                                            0x004026ae
                                                            0x004026b2
                                                            0x004026b7
                                                            0x004026b9
                                                            0x004026d1
                                                            0x004026d3
                                                            0x004026d4
                                                            0x004026d6
                                                            0x004026e7
                                                            0x004026e9
                                                            0x004026ec
                                                            0x004026fe
                                                            0x004026fe
                                                            0x004026d8
                                                            0x004026e0
                                                            0x004026e0
                                                            0x004026bb
                                                            0x004026bd
                                                            0x004026c8
                                                            0x004026c8
                                                            0x00402701
                                                            0x00402710
                                                            0x00402716
                                                            0x00402718
                                                            0x0040271a
                                                            0x00000000
                                                            0x00000000
                                                            0x0040272d
                                                            0x00402734
                                                            0x00402736
                                                            0x0040273b
                                                            0x0040273d
                                                            0x00402740
                                                            0x00402742
                                                            0x00000000
                                                            0x00000000
                                                            0x00402748
                                                            0x0040274c
                                                            0x00402756
                                                            0x0040275e
                                                            0x00402764
                                                            0x00402766
                                                            0x00402767
                                                            0x00402769
                                                            0x004027a4
                                                            0x004027a4
                                                            0x004027a6
                                                            0x004027a8
                                                            0x0040271c
                                                            0x0040271d
                                                            0x00000000
                                                            0x0040271d
                                                            0x0040276b
                                                            0x00402770
                                                            0x00402790
                                                            0x00402792
                                                            0x00402797
                                                            0x0040279a
                                                            0x00000000
                                                            0x0040279a
                                                            0x00402772
                                                            0x00402776
                                                            0x0040277f
                                                            0x0040277f
                                                            0x00402783
                                                            0x00402785
                                                            0x00000000
                                                            0x00402785
                                                            0x00402778
                                                            0x0040277d
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004027bc
                                                            0x004027be
                                                            0x004027c3
                                                            0x004027c8
                                                            0x004027ca
                                                            0x004027cd
                                                            0x004027cf
                                                            0x00000000
                                                            0x00000000
                                                            0x004027d5
                                                            0x004027da
                                                            0x004027de
                                                            0x004027e2
                                                            0x004027f4
                                                            0x004027fc
                                                            0x00402804
                                                            0x00402805
                                                            0x0040280a
                                                            0x004027e4
                                                            0x004027e8
                                                            0x004027e8
                                                            0x0040280e
                                                            0x00402811
                                                            0x00402818
                                                            0x00000000
                                                            0x00000000
                                                            0x00402824
                                                            0x00402829
                                                            0x0040282b
                                                            0x00000000
                                                            0x00000000
                                                            0x00402110
                                                            0x00402110
                                                            0x00000000
                                                            0x00000000
                                                            0x00402839
                                                            0x00402847
                                                            0x0040284c
                                                            0x0040284f
                                                            0x00401afd
                                                            0x00401afd
                                                            0x004016b6
                                                            0x004016b6
                                                            0x00000000
                                                            0x004016b6
                                                            0x00000000
                                                            0x00000000
                                                            0x0040285f
                                                            0x00402863
                                                            0x00402865
                                                            0x00402869
                                                            0x0040286c
                                                            0x00402870
                                                            0x00402875
                                                            0x0040287a
                                                            0x0040287b
                                                            0x0040287f
                                                            0x00402881
                                                            0x00402899
                                                            0x0040289c
                                                            0x004028c5
                                                            0x004028cb
                                                            0x004028d2
                                                            0x0040289e
                                                            0x004028b0
                                                            0x004028bf
                                                            0x004028bf
                                                            0x00402883
                                                            0x00402884
                                                            0x0040288d
                                                            0x0040288f
                                                            0x00402896
                                                            0x00402896
                                                            0x004028d4
                                                            0x004028d7
                                                            0x00000000
                                                            0x004028dd
                                                            0x004028e3
                                                            0x004028e9
                                                            0x004028e9
                                                            0x004028ed
                                                            0x00402904
                                                            0x0040290b
                                                            0x00402910
                                                            0x00402912
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00402918
                                                            0x004028ef
                                                            0x004028f3
                                                            0x00000000
                                                            0x00000000
                                                            0x004028f7
                                                            0x004028fc
                                                            0x004028fe
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004028fe
                                                            0x00000000
                                                            0x0040291d
                                                            0x0040291f
                                                            0x00402921
                                                            0x00402925
                                                            0x00402929
                                                            0x0040292e
                                                            0x00402930
                                                            0x00402932
                                                            0x00402934
                                                            0x00000000
                                                            0x00000000
                                                            0x0040293a
                                                            0x0040293f
                                                            0x00402944
                                                            0x00402948
                                                            0x0040294b
                                                            0x00402aa2
                                                            0x00402aa2
                                                            0x00402aa6
                                                            0x00402aa8
                                                            0x00402aaa
                                                            0x00402aac
                                                            0x00401a10
                                                            0x00401a10
                                                            0x00000000
                                                            0x00401a10
                                                            0x00402952
                                                            0x0040295b
                                                            0x0040295d
                                                            0x00402961
                                                            0x00402965
                                                            0x00000000
                                                            0x00000000
                                                            0x0040296b
                                                            0x00402973
                                                            0x00402975
                                                            0x00402975
                                                            0x0040297a
                                                            0x00402a33
                                                            0x00402a37
                                                            0x00402a4c
                                                            0x00402a4e
                                                            0x00402a54
                                                            0x00402a59
                                                            0x00402a5b
                                                            0x00000000
                                                            0x00000000
                                                            0x00402a5d
                                                            0x00402a5d
                                                            0x00402a61
                                                            0x00402a65
                                                            0x00402a65
                                                            0x00402a69
                                                            0x00402ae4
                                                            0x00402ae9
                                                            0x00000000
                                                            0x00402ae9
                                                            0x00402a6b
                                                            0x00402a6d
                                                            0x00402a6e
                                                            0x00402a73
                                                            0x00402a75
                                                            0x00402a76
                                                            0x00402ab5

                                                            APIs
                                                            • PostQuitMessage.USER32(00000000), ref: 004015F1
                                                            • Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
                                                            • SetForegroundWindow.USER32 ref: 00401634
                                                            • ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
                                                            • ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
                                                            • SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
                                                            • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
                                                            • SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll), ref: 004017A3
                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
                                                            • GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
                                                            • GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
                                                            • SearchPathW.KERNELBASE(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 00401920
                                                            • CompareFileTime.KERNEL32(-00000014,00000000,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
                                                            • SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Call,40000000,00000001,Call,00000000), ref: 00401A5A
                                                            • CloseHandle.KERNELBASE(00000000), ref: 00401A61
                                                            • lstrcatW.KERNEL32(Call,00000000), ref: 00401A82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsw2317.tmp$C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$Call
                                                            • API String ID: 3895412863-1556470346
                                                            • Opcode ID: db1ce9060cecfb2e0718cc752e6bbe8ceafac46b7366c05d7717f681698771ae
                                                            • Instruction ID: 8c1cf908ae02b995a3a41f7ffac76b054db7533a66b8d62ade7f549c41348504
                                                            • Opcode Fuzzy Hash: db1ce9060cecfb2e0718cc752e6bbe8ceafac46b7366c05d7717f681698771ae
                                                            • Instruction Fuzzy Hash: 38D10870604301BBD710AF26CD85E2B76A8EF85359F204A3FF452B62E1D77CD9019A6E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 567 4033ed-40343a GetTickCount GetModuleFileNameW call 40691b 570 403446-403476 call 406b1a call 406d10 call 406b1a GetFileSize 567->570 571 40343c-403441 567->571 579 403572-403581 call 403389 570->579 580 40347c 570->580 572 403645-40364c 571->572 585 403640 579->585 586 403587-403589 579->586 582 403480-4034a6 call 40311b 580->582 590 403638-40363f call 403389 582->590 591 4034ac-4034b3 582->591 585->572 588 4035ba-4035ea GlobalAlloc call 403131 call 403148 586->588 589 40358b-4035a3 call 403131 call 406948 586->589 588->585 616 4035ec-4035fe 588->616 612 4035a8-4035aa 589->612 590->585 595 403534-403537 591->595 596 4034b5-4034ce call 4066b4 591->596 598 403541-403547 595->598 599 403539-403540 call 403389 595->599 596->598 610 4034d0-4034d8 596->610 607 403549-403558 call 406e3c 598->607 608 40355c-403564 598->608 599->598 607->608 608->582 611 40356a-40356e 608->611 610->598 617 4034da-4034e2 610->617 611->579 612->585 618 4035b0-4035b4 612->618 619 403600 616->619 620 403606-403609 616->620 617->598 621 4034e4-4034ec 617->621 618->585 618->588 619->620 623 40360c-403614 620->623 621->598 622 4034ee-4034f6 621->622 622->598 624 4034f8-403517 622->624 623->623 625 403616-40362f SetFilePointer call 4066b4 623->625 624->585 626 40351d-403523 624->626 629 403634-403636 625->629 626->611 628 403525-40352e 626->628 628->598 630 403530-403532 628->630 629->572 630->598
                                                            C-Code - Quality: 98%
                                                            			E004033ED(void* __eflags, signed int _a4) {
                                                            				char _v0;
                                                            				intOrPtr _v4;
                                                            				long _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				signed int _v28;
                                                            				long _v32;
                                                            				char _v36;
                                                            				signed int _v40;
                                                            				intOrPtr _v44;
                                                            				long _t35;
                                                            				void* _t45;
                                                            				intOrPtr* _t49;
                                                            				long _t50;
                                                            				void* _t56;
                                                            				intOrPtr _t64;
                                                            				struct HINSTANCE__* _t70;
                                                            				signed int _t72;
                                                            				void* _t73;
                                                            				void* _t76;
                                                            				intOrPtr _t78;
                                                            				long _t80;
                                                            				long _t83;
                                                            				long _t86;
                                                            				void* _t87;
                                                            				void* _t88;
                                                            
                                                            				_t80 = 0;
                                                            				_t70 = 0;
                                                            				_v32 = 0;
                                                            				_v36 = 0;
                                                            				_t35 = GetTickCount();
                                                            				_t84 = L"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe";
                                                            				 *0x435a00 = _t35 + 0x3e8;
                                                            				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\Ta62k9weDV.exe", 0x400);
                                                            				_t88 = E0040691B(_t84, 0x80000000, 3);
                                                            				 *0x40b010 = _t88;
                                                            				if(_t88 == 0xffffffff) {
                                                            					return L"Error launching installer";
                                                            				}
                                                            				_t85 = L"C:\\Users\\Arthur\\Desktop";
                                                            				E00406B1A(L"C:\\Users\\Arthur\\Desktop", _t84);
                                                            				E00406B1A(0x444000, E00406D10(_t85));
                                                            				_t86 = GetFileSize(_t88, 0);
                                                            				 *0x40d968 = _t86;
                                                            				if(_t86 == 0) {
                                                            					L21:
                                                            					E00403389(1);
                                                            					_pop(_t73);
                                                            					if( *0x435a08 == 0) {
                                                            						L32:
                                                            						return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                            					}
                                                            					if(_t70 == 0) {
                                                            						L25:
                                                            						_t45 = GlobalAlloc(0x40, _v8); // executed
                                                            						_t87 = _t45;
                                                            						E00403131( *0x435a08 + 0x1c);
                                                            						if(E00403148(0xffffffff, 0, _t87, _v12) != _v28) {
                                                            							goto L32;
                                                            						}
                                                            						 *0x435a10 = _t87;
                                                            						 *0x435a0c =  *_t87;
                                                            						if((_v28 & 0x00000001) != 0) {
                                                            							 *0x435a04 =  *0x435a04 + 1;
                                                            						}
                                                            						_t76 = 8;
                                                            						_t31 = _t87 + 0x44; // 0x44
                                                            						_t49 = _t31;
                                                            						do {
                                                            							_t49 = _t49 - 8;
                                                            							 *_t49 =  *_t49 + _t87;
                                                            							_t76 = _t76 - 1;
                                                            						} while (_t76 != 0);
                                                            						_t50 = SetFilePointer(_t88, 0, 0, 1); // executed
                                                            						 *(_t87 + 0x3c) = _t50;
                                                            						_t34 = _t87 + 4; // 0x4
                                                            						E004066B4(0x435a20, _t34, 0x40);
                                                            						return 0;
                                                            					}
                                                            					E00403131( *0x40d96c);
                                                            					_t56 = E00406948(_t73,  *0x40b010,  &_v0, 4); // executed
                                                            					if(_t56 == 0 || _t80 != _a4) {
                                                            						goto L32;
                                                            					} else {
                                                            						goto L25;
                                                            					}
                                                            				}
                                                            				_t72 = _a4;
                                                            				while(1) {
                                                            					_t82 =  !=  ? 0x8000 : 0x200;
                                                            					_t83 =  <  ? _t86 :  !=  ? 0x8000 : 0x200;
                                                            					if(E0040311B(0x417538, 0x200) == 0) {
                                                            						break;
                                                            					}
                                                            					if( *0x435a08 != 0) {
                                                            						if((_t72 & 0x00000002) == 0) {
                                                            							E00403389(0);
                                                            						}
                                                            						L17:
                                                            						if(_t86 <  *0x40d968) {
                                                            							_v44 = E00406E3C(_v32, 0x417538, _t83);
                                                            						}
                                                            						 *0x40d96c =  *0x40d96c + _t83;
                                                            						_t86 = _t86 - _t83;
                                                            						if(_t86 != 0) {
                                                            							continue;
                                                            						} else {
                                                            							L20:
                                                            							_t80 = _v32;
                                                            							_t22 =  &_v36; // 0x417538
                                                            							_t70 =  *_t22;
                                                            							goto L21;
                                                            						}
                                                            					}
                                                            					E004066B4( &_v28, 0x417538, 0x1c);
                                                            					if((_v40 & 0xfffffff0) == 0 && _v24 == 0xdeadbeef && _v12 == 0x74736e49 && _v16 == 0x74666f73 && _v20 == 0x6c6c754e) {
                                                            						_t64 =  *0x40d96c; // 0x931e6
                                                            						_t72 = _t72 | _v28;
                                                            						_t78 = _v4;
                                                            						 *0x435a08 = _t64;
                                                            						 *0x435ae0 =  *0x435ae0 | _t72 & 0x00000002;
                                                            						if(_t78 > _t86) {
                                                            							goto L32;
                                                            						}
                                                            						if((_t72 & 0x0000000c) == 4) {
                                                            							goto L20;
                                                            						}
                                                            						_v36 = _v36 + 1;
                                                            						_t86 = _t78 - 4;
                                                            						if(0x200 > _t86) {
                                                            							_t83 = _t86;
                                                            						}
                                                            					}
                                                            					goto L17;
                                                            				}
                                                            				E00403389(1);
                                                            				goto L32;
                                                            			}
































                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00403400
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ta62k9weDV.exe,00000400,?,?,?,?,?), ref: 0040341C
                                                              • Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
                                                              • Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F
                                                            • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ta62k9weDV.exe,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 00403466
                                                            • GlobalAlloc.KERNELBASE(00000040,?,?,?,?,?,?), ref: 004035C0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                            • String ID: 8uA$C:\Users\user\Desktop$C:\Users\user\Desktop\Ta62k9weDV.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$1
                                                            • API String ID: 2803837635-409137639
                                                            • Opcode ID: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
                                                            • Instruction ID: 38a706e546d8de2da2def33f7086105d1948706aa1bd56b4a23ee49e5693a868
                                                            • Opcode Fuzzy Hash: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
                                                            • Instruction Fuzzy Hash: 0A51B171504310BFD720AF21DD81B1B7BA8AB4471AF10093FFA55B72E1C7789A848BAD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 631 405eba-405ec3 632 405ec5-405ed4 631->632 633 405ed6-405ef1 631->633 632->633 634 405ef3-405efe 633->634 635 405f08-405f0f 633->635 634->635 636 405f00-405f04 634->636 637 406103-40610a 635->637 638 405f15-405f18 635->638 636->635 640 406115 637->640 641 40610c-406113 call 406b1a 637->641 639 405f19-405f27 638->639 644 405f2d-405f38 639->644 645 4060fe-406102 639->645 643 406117-40611d 640->643 641->643 647 4060d7 644->647 648 405f3e-405f82 644->648 645->637 649 4060e5 647->649 650 4060d9-4060e3 647->650 651 406082-406085 648->651 652 405f88-405f99 648->652 653 4060e8 649->653 650->653 654 406087-40608a 651->654 655 4060bb-4060be 651->655 656 405fd9-405fdc 652->656 657 405f9b-405fb9 call 406977 652->657 665 4060ea-4060f8 653->665 663 40609a-4060b1 call 406b1a 654->663 664 40608c-406098 call 40661f 654->664 659 4060c0-4060c4 call 405eba 655->659 660 4060c9-4060d5 lstrlenW 655->660 661 405fec-405fef 656->661 662 405fde-405fea GetSystemDirectoryW 656->662 666 405fbe-405fc7 657->666 659->660 660->665 669 405ff1-405ffd GetWindowsDirectoryW 661->669 670 405fff-406007 661->670 668 40605a 662->668 663->660 679 4060b3-4060b9 call 406d3d 663->679 664->660 665->639 665->645 674 405fcd-405fd4 call 405eba 666->674 675 40605e-406063 666->675 668->675 669->668 676 406009-406012 670->676 677 40601e-406034 670->677 674->675 681 406065-406068 675->681 682 406076-406080 call 406d3d 675->682 687 40601a-40601c 676->687 689 406051-406058 677->689 690 406036-40604f SHGetPathFromIDListW CoTaskMemFree 677->690 679->660 681->682 685 40606a-406070 lstrcatW 681->685 682->660 685->682 687->668 687->677 689->668 689->670 690->668 690->689
                                                            C-Code - Quality: 69%
                                                            			E00405EBA() {
                                                            				signed int _t33;
                                                            				WCHAR* _t35;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            				short _t41;
                                                            				signed int _t46;
                                                            				void* _t48;
                                                            				int _t49;
                                                            				void* _t58;
                                                            				signed int _t59;
                                                            				signed int _t60;
                                                            				signed int _t65;
                                                            				WCHAR* _t78;
                                                            				signed char* _t80;
                                                            				signed int _t84;
                                                            				signed int _t85;
                                                            				WCHAR* _t90;
                                                            				short _t91;
                                                            				WCHAR* _t93;
                                                            				void* _t96;
                                                            				signed int _t101;
                                                            				signed int _t103;
                                                            				signed char* _t107;
                                                            				signed int _t110;
                                                            				void* _t111;
                                                            
                                                            				_t33 =  *(_t111 + 8);
                                                            				if(_t33 < 0) {
                                                            					_t33 =  *( *0x4349e0 - 4 + _t33 * 4);
                                                            				}
                                                            				_t90 = 0x4339a0;
                                                            				_t78 =  *(_t111 + 0x1c);
                                                            				_t107 =  *0x435a38 + _t33 * 2;
                                                            				_t93 = 0x4339a0;
                                                            				if(_t78 >= 0x4339a0 && _t78 - 0x4339a0 >> 1 < 0x800) {
                                                            					_t93 = _t78;
                                                            					_t78 = 0;
                                                            					 *((intOrPtr*)(_t111 + 0x24)) = 0;
                                                            				}
                                                            				_t84 =  *_t107 & 0x0000ffff;
                                                            				if(_t84 == 0) {
                                                            					L41:
                                                            					 *_t93 = 0;
                                                            					if(_t78 == 0) {
                                                            						_t35 = _t90;
                                                            					} else {
                                                            						_t35 = E00406B1A(_t78, _t90);
                                                            					}
                                                            					return _t35;
                                                            				} else {
                                                            					_t96 = 2;
                                                            					while(1) {
                                                            						_t80 = _t107;
                                                            						if((_t93 - _t90 & 0xfffffffe) >= 0x800) {
                                                            							break;
                                                            						}
                                                            						_t91 = _t84 & 0x0000ffff;
                                                            						_t107 =  &(_t107[_t96]);
                                                            						_t39 = 4;
                                                            						if(_t91 >= _t39) {
                                                            							if(__eflags != 0) {
                                                            								 *_t93 = _t91;
                                                            							} else {
                                                            								_t41 =  *_t107;
                                                            								_t107 =  &(_t80[4]);
                                                            								 *_t93 = _t41;
                                                            							}
                                                            							_t40 = _t96;
                                                            							L39:
                                                            							_t84 =  *_t107 & 0x0000ffff;
                                                            							_t93 = _t93 + _t40;
                                                            							_t90 = 0x4339a0;
                                                            							if(_t84 != 0) {
                                                            								continue;
                                                            							}
                                                            							break;
                                                            						}
                                                            						_t85 =  *_t107 & 0x000000ff;
                                                            						_t101 = (_t80[3] & 0x0000007f) << 0x00000007 |  *_t107 & 0x0000007f;
                                                            						 *(_t111 + 0x18) = _t85;
                                                            						 *(_t111 + 0x14) = _t85 | 0x00008000;
                                                            						_t46 = _t107[1] & 0x000000ff;
                                                            						_t107 =  &(_t80[4]);
                                                            						 *(_t111 + 0x20) = _t46;
                                                            						 *(_t111 + 0x20) = _t46 | 0x00008000;
                                                            						_t48 = 2;
                                                            						 *(_t111 + 0x10) = _t107;
                                                            						if(_t91 != _t48) {
                                                            							__eflags = _t91 - 3;
                                                            							if(_t91 != 3) {
                                                            								__eflags = _t91 - 1;
                                                            								if(__eflags == 0) {
                                                            									_push( !_t101);
                                                            									_push(_t93);
                                                            									E00405EBA();
                                                            								}
                                                            							} else {
                                                            								__eflags = _t101 - 0x1d;
                                                            								if(__eflags != 0) {
                                                            									E00406B1A(_t93, (_t101 << 0xb) + 0x436000);
                                                            									__eflags = _t101 - 0x15 - 7;
                                                            									if(__eflags < 0) {
                                                            										E00406D3D(_t93);
                                                            									}
                                                            								} else {
                                                            									E0040661F(_t93,  *0x4349f8);
                                                            								}
                                                            							}
                                                            							L34:
                                                            							_t49 = lstrlenW(_t93);
                                                            							_t40 = _t49 + _t49;
                                                            							_t96 = 2;
                                                            							goto L39;
                                                            						}
                                                            						_t58 = 4;
                                                            						_t110 =  !=  ? _t58 : _t48;
                                                            						_t121 = _t85;
                                                            						if(_t85 >= 0) {
                                                            							__eflags = _t85 - 0x25;
                                                            							if(_t85 != 0x25) {
                                                            								__eflags = _t85 - 0x24;
                                                            								if(_t85 != 0x24) {
                                                            									do {
                                                            										_t59 =  *0x4349f0;
                                                            										_t110 = _t110 - 1;
                                                            										__eflags = _t59;
                                                            										if(_t59 == 0) {
                                                            											L19:
                                                            											_t60 = _t111 + 0x2c;
                                                            											_push(_t60);
                                                            											_push( *((intOrPtr*)(_t111 + 0x18 + _t110 * 4)));
                                                            											_push( *0x4349f8);
                                                            											L0040802C();
                                                            											__eflags = _t60;
                                                            											if(_t60 != 0) {
                                                            												goto L21;
                                                            											}
                                                            											__imp__SHGetPathFromIDListW( *((intOrPtr*)(_t111 + 0x30)), _t93);
                                                            											__imp__CoTaskMemFree( *(_t111 + 0x2c));
                                                            											__eflags = _t60;
                                                            											if(_t60 != 0) {
                                                            												break;
                                                            											}
                                                            											goto L21;
                                                            										}
                                                            										_t65 =  *_t59( *0x4349f8,  *((intOrPtr*)(_t111 + 0x20 + _t110 * 4)), 0, 0, _t93); // executed
                                                            										__eflags = _t65;
                                                            										if(_t65 == 0) {
                                                            											break;
                                                            										}
                                                            										goto L19;
                                                            										L21:
                                                            										 *_t93 = 0;
                                                            										__eflags = _t110;
                                                            									} while (_t110 != 0);
                                                            									L22:
                                                            									_t103 =  *(_t111 + 0x20);
                                                            									goto L23;
                                                            								}
                                                            								GetWindowsDirectoryW(_t93, 0x400);
                                                            								goto L22;
                                                            							}
                                                            							GetSystemDirectoryW(_t93, 0x400);
                                                            							goto L22;
                                                            						} else {
                                                            							E00406977(_t85 & 0x0000003f, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x435a38 + (_t85 & 0x0000003f) * 2, _t93, _t85 & 0x00000040); // executed
                                                            							_t103 =  *(_t111 + 0x20);
                                                            							if( *_t93 == 0) {
                                                            								_push(_t103);
                                                            								_push(_t93);
                                                            								E00405EBA();
                                                            							}
                                                            							L23:
                                                            							if( *_t93 != 0 && _t103 == 0x1a) {
                                                            								lstrcatW(_t93, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                            							}
                                                            							E00406D3D(_t93);
                                                            							_t107 =  *(_t111 + 0x10);
                                                            							goto L34;
                                                            						}
                                                            					}
                                                            					_t78 =  *(_t111 + 0x28);
                                                            					goto L41;
                                                            				}
                                                            			}


                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FE4
                                                              • Part of subcall function 00406B1A: lstrcpynW.KERNEL32(?,?,00000400,00403871,00434A00,NSIS Error), ref: 00406B27
                                                              • Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DB2
                                                              • Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
                                                              • Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DC6
                                                              • Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DDE
                                                            • GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 00405FF7
                                                            • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
                                                            • lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 004060CA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
                                                            • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                            • API String ID: 4187626192-1623212502
                                                            • Opcode ID: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
                                                            • Instruction ID: 8c51b57b95ad5d2f56c6428f73255cfba4eda90222275d8884e674a65d57f274
                                                            • Opcode Fuzzy Hash: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
                                                            • Instruction Fuzzy Hash: 05611471240216ABDB20AF248C40A7B76A5EF99314F12453FF942FB2D1D77CD9218B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 757 405d3a-405d46 758 405e17-405e1b 757->758 759 405d4c-405d5f 757->759 760 405d61-405d66 call 405eba 759->760 761 405d6b-405d7b lstrlenW 759->761 760->761 763 405da0 761->763 764 405d7d-405d8c lstrlenW 761->764 767 405da5-405da8 763->767 765 405d92-405d9e lstrcatW 764->765 766 405e14-405e16 764->766 765->767 766->758 768 405db7-405dba 767->768 769 405daa-405db1 SetWindowTextW 767->769 770 405e02-405e04 768->770 771 405dbc-405e00 SendMessageW * 3 768->771 769->768 770->766 772 405e06-405e0c 770->772 771->770 772->766
                                                            C-Code - Quality: 93%
                                                            			E00405D3A(signed int _a4, WCHAR* _a8) {
                                                            				WCHAR* _v40;
                                                            				long _v52;
                                                            				int _v56;
                                                            				void* _v60;
                                                            				void* _t18;
                                                            				signed int _t19;
                                                            				long _t20;
                                                            				signed char _t29;
                                                            				signed int _t35;
                                                            				WCHAR* _t39;
                                                            				WCHAR* _t40;
                                                            				struct HWND__* _t43;
                                                            
                                                            				_t43 =  *0x4349e8;
                                                            				if(_t43 == 0) {
                                                            					return _t18;
                                                            				}
                                                            				_t29 =  *0x435af4;
                                                            				_t35 = _t29 & 0x00000001;
                                                            				if(_t35 == 0) {
                                                            					_push(_a4);
                                                            					_push(0x42ed78);
                                                            					E00405EBA();
                                                            				}
                                                            				_t19 = lstrlenW(0x42ed78);
                                                            				_t39 = _a8;
                                                            				_a4 = _t19;
                                                            				if(_t39 == 0) {
                                                            					_t40 = 0x42ed78;
                                                            					goto L7;
                                                            				} else {
                                                            					_t19 = lstrlenW(_t39) + _a4;
                                                            					if(_t19 >= 0x1000) {
                                                            						L13:
                                                            						return _t19;
                                                            					}
                                                            					_t40 = 0x42ed78;
                                                            					_t19 = lstrcatW(0x42ed78, _t39);
                                                            					L7:
                                                            					if((_t29 & 0x00000004) == 0) {
                                                            						_t19 = SetWindowTextW( *0x4349c8, _t40); // executed
                                                            					}
                                                            					if((_t29 & 0x00000002) == 0) {
                                                            						_v40 = _t40;
                                                            						_v60 = 1;
                                                            						_t20 = SendMessageW(_t43, 0x1004, 0, 0); // executed
                                                            						_v52 = 0;
                                                            						_v56 = _t20 - _t35;
                                                            						SendMessageW(_t43, 0x104d - _t35, 0,  &_v60); // executed
                                                            						_t19 = SendMessageW(_t43, 0x1013, _v56, 0); // executed
                                                            					}
                                                            					if(_t35 != 0) {
                                                            						_t19 = _a4;
                                                            						0x42ed78[_t19] = 0;
                                                            					}
                                                            					goto L13;
                                                            				}
                                                            			}
















                                                            APIs
                                                            • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
                                                            • lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
                                                            • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?), ref: 00405D99
                                                            • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll), ref: 00405DB1
                                                            • SendMessageW.USER32(?), ref: 00405DD8
                                                            • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
                                                            • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00
                                                              • Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$lstrcatlstrlen$TextWindow
                                                            • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll
                                                            • API String ID: 1759915248-1929078369
                                                            • Opcode ID: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
                                                            • Instruction ID: 65e3057419f119a88936ccc655a9da3a15af0d16a1f773064a71e2051a7db8da
                                                            • Opcode Fuzzy Hash: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
                                                            • Instruction Fuzzy Hash: D121C2B2A056206BD310AB59DC44AABBBDCEF94710F45043FB984A3291C7B89D404AED
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 773 403148-403181 774 403190-4031a4 call 406948 773->774 775 403183-40318b call 403131 773->775 779 403379 774->779 780 4031aa-4031b0 774->780 775->774 781 40337b 779->781 782 4031b6-403202 GetTickCount 780->782 783 40331b-40331d 780->783 784 40337c-403386 781->784 787 403313-403315 782->787 788 403208-40321f call 40311b 782->788 785 403362-403377 call 40311b 783->785 786 40331f-403321 783->786 785->779 785->787 786->787 789 403323 786->789 787->784 788->779 796 403225-403233 788->796 793 403328-403338 call 40311b 789->793 793->779 799 40333a-403343 call 406a0b 793->799 798 40323d-403259 call 40728e 796->798 803 403317-403319 798->803 804 40325f-40327f GetTickCount 798->804 805 403348-40334a 799->805 803->781 806 403281-40328a 804->806 807 4032cc-4032d2 804->807 808 40334c-40335a 805->808 809 40335e-403360 805->809 810 403290-4032c8 MulDiv wsprintfW call 405d3a 806->810 811 40328c-40328e 806->811 812 4032d4-4032d6 807->812 813 40330b-40330d 807->813 808->793 814 40335c 808->814 809->781 810->807 811->807 811->810 816 4032f0-4032f8 812->816 817 4032d8-4032e1 call 406a0b 812->817 813->787 813->788 814->787 820 4032fc-403303 816->820 821 4032e6-4032e8 817->821 820->798 822 403309 820->822 821->809 823 4032ea-4032ee 821->823 822->787 823->820
                                                            C-Code - Quality: 94%
                                                            			E00403148(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                            				char _v124;
                                                            				short _v132;
                                                            				intOrPtr _v136;
                                                            				signed int _v140;
                                                            				int _v144;
                                                            				intOrPtr _v148;
                                                            				long _v152;
                                                            				signed int _v156;
                                                            				signed int _v160;
                                                            				void* _t39;
                                                            				void* _t40;
                                                            				signed int _t41;
                                                            				void* _t45;
                                                            				long _t47;
                                                            				signed int _t50;
                                                            				intOrPtr _t52;
                                                            				intOrPtr _t53;
                                                            				long _t55;
                                                            				long _t56;
                                                            				void* _t57;
                                                            				intOrPtr _t71;
                                                            				signed int _t73;
                                                            				intOrPtr _t74;
                                                            				void* _t76;
                                                            				signed int _t77;
                                                            				intOrPtr _t81;
                                                            				int _t82;
                                                            				signed int* _t83;
                                                            
                                                            				_t83 =  &_v156;
                                                            				_t72 = _a4;
                                                            				_t74 = _a12;
                                                            				_t71 =  !=  ? _a16 : 0x8000;
                                                            				_t77 = 0;
                                                            				_t37 =  !=  ? _t74 : 0x423538;
                                                            				_v144 =  !=  ? _t74 : 0x423538;
                                                            				if(_a4 >= 0) {
                                                            					E00403131( *0x435a58 + _t72);
                                                            				}
                                                            				_t39 = E00406948(_t72,  *0x40b010,  &_v156, 4); // executed
                                                            				if(_t39 == 0) {
                                                            					L31:
                                                            					_push(0xfffffffd);
                                                            					goto L32;
                                                            				} else {
                                                            					_t41 = _v156;
                                                            					if(_t41 >= 0) {
                                                            						if(_t74 != 0) {
                                                            							_t77 =  <  ? _t41 : _a16;
                                                            							if(E0040311B(_t74, _t77) != 0) {
                                                            								L20:
                                                            								return _t77;
                                                            							}
                                                            							goto L31;
                                                            						}
                                                            						if(_t41 <= 0) {
                                                            							goto L20;
                                                            						}
                                                            						while(1) {
                                                            							_t76 =  <  ? _t41 : _t71;
                                                            							if(E0040311B(0x41f538, _t76) == 0) {
                                                            								goto L31;
                                                            							}
                                                            							_t45 = E00406A0B(_t72, _a8, 0x41f538, _t76); // executed
                                                            							if(_t45 == 0) {
                                                            								L29:
                                                            								_push(0xfffffffe);
                                                            								L32:
                                                            								_pop(_t40);
                                                            								return _t40;
                                                            							}
                                                            							_t77 = _t77 + _t76;
                                                            							_t41 = _v156 - _t76;
                                                            							_v156 = _t41;
                                                            							if(_t41 > 0) {
                                                            								continue;
                                                            							}
                                                            							goto L20;
                                                            						}
                                                            						goto L31;
                                                            					}
                                                            					_t47 = GetTickCount();
                                                            					 *0x40dea4 =  *0x40dea4 & _t77;
                                                            					 *0x40dea0 =  *0x40dea0 & _t77;
                                                            					_v152 = _t47;
                                                            					 *0x417530 = 0x40f528;
                                                            					 *0x41752c = 0x40f528;
                                                            					_t50 = _v156 & 0x7fffffff;
                                                            					 *0x40d988 = 8;
                                                            					_t73 = _t50;
                                                            					 *0x417528 = 0x417528;
                                                            					_v140 = _t50;
                                                            					_v156 = _t73;
                                                            					if(_t50 <= 0) {
                                                            						goto L20;
                                                            					} else {
                                                            						goto L5;
                                                            					}
                                                            					while(1) {
                                                            						L5:
                                                            						_t81 =  <  ? _t73 : 0x4000;
                                                            						if(E0040311B(0x41f538, 0x4000) == 0) {
                                                            							goto L31;
                                                            						}
                                                            						_v156 = _v156 - 0x4000;
                                                            						 *0x40d97c = _t81;
                                                            						_t82 = _v144;
                                                            						 *0x40d978 = 0x41f538;
                                                            						while(1) {
                                                            							_push(0x40d978);
                                                            							 *0x40d980 = _t82;
                                                            							 *0x40d984 = _t71;
                                                            							_t52 = E0040728E();
                                                            							_v136 = _t52;
                                                            							if(_t52 < 0) {
                                                            								break;
                                                            							}
                                                            							_t53 =  *0x40d980; // 0x423538
                                                            							_v152 = _t53 - _t82;
                                                            							_t55 = GetTickCount();
                                                            							_t73 = _v160;
                                                            							_v140 = _t55;
                                                            							if(( *0x435af4 & 0x00000001) != 0 && (_t55 - _v156 > 0xc8 || _t73 == 0)) {
                                                            								wsprintfW( &_v132, L"... %d%%", MulDiv(_v144 - _t73, 0x64, _v144));
                                                            								_t83 =  &(_t83[3]);
                                                            								E00405D3A(0,  &_v124);
                                                            								_t73 = _v160;
                                                            								_v156 = _v140;
                                                            							}
                                                            							_t56 = _v152;
                                                            							if(_t56 == 0) {
                                                            								if(_t73 > 0) {
                                                            									goto L5;
                                                            								}
                                                            								goto L20;
                                                            							} else {
                                                            								if(_t74 != 0) {
                                                            									_t82 =  *0x40d980; // 0x423538
                                                            									_t71 = _t71 - _t56;
                                                            									_v148 = _t82;
                                                            									L17:
                                                            									_t77 = _t77 + _t56;
                                                            									if(_v136 != 1) {
                                                            										continue;
                                                            									}
                                                            									goto L20;
                                                            								}
                                                            								_t57 = E00406A0B(_t73, _a4, _t82, _t56); // executed
                                                            								if(_t57 == 0) {
                                                            									goto L29;
                                                            								}
                                                            								_t56 = _v152;
                                                            								goto L17;
                                                            							}
                                                            						}
                                                            						_push(0xfffffffc);
                                                            						goto L32;
                                                            					}
                                                            					goto L31;
                                                            				}
                                                            			}































                                                            0x00403303
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00403309
                                                            0x004032e1
                                                            0x004032e8
                                                            0x00000000
                                                            0x00000000
                                                            0x004032ea
                                                            0x00000000
                                                            0x004032ea
                                                            0x004032d2
                                                            0x00403317
                                                            0x00000000
                                                            0x00403317
                                                            0x00000000
                                                            0x00403208

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 004031B6
                                                            • GetTickCount.KERNEL32 ref: 0040326A
                                                            • MulDiv.KERNEL32(?,00000064,?), ref: 0040329A
                                                            • wsprintfW.USER32 ref: 004032AB
                                                              • Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CountTick$FilePointerwsprintf
                                                            • String ID: ... %d%%$85B$85B
                                                            • API String ID: 999035486-2772677642
                                                            • Opcode ID: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
                                                            • Instruction ID: e2bf7c2ae867e5e0c149cd35682d72f4c4d2633ef795981e2bf4a0daba4be17b
                                                            • Opcode Fuzzy Hash: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
                                                            • Instruction Fuzzy Hash: 355180716083019BD710DF69DD84A2BBBE8AB84756F10493FFC54E7291DB38DE088B5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 824 40291d-402934 call 403002 827 402ea1-402ea5 824->827 828 40293a-40294b 824->828 832 402eab-402eb7 827->832 829 402951-402965 call 406c25 828->829 830 402aa2-402aac 828->830 829->830 839 40296b-402973 829->839 835 402ab5-402aba 830->835 837 402ad3-402ae2 SetFilePointer 835->837 838 402abc-402ac1 835->838 837->830 840 402ac3-402ac6 838->840 841 402ac8-402ad1 838->841 842 402975-40297a 839->842 840->837 840->841 841->830 843 402980-40299c ReadFile 842->843 844 402a33-402a37 842->844 843->830 847 4029a2-4029ac 843->847 845 402a39-402a3b 844->845 846 402a4c-402a5b call 406948 844->846 845->846 848 402a3d-402a46 call 406484 845->848 846->830 857 402a5d-402a61 846->857 847->830 850 4029b2-4029bf 847->850 848->830 859 402a48 848->859 853 402ae4-402aee call 40661f 850->853 854 4029c5-4029dc MultiByteToWideChar 850->854 853->827 853->832 854->857 858 4029de-4029e4 854->858 861 402a65-402a69 857->861 862 4029e6-4029f4 858->862 859->846 861->853 863 402a6b-402a76 861->863 862->861 864 4029f6-402a2f SetFilePointer MultiByteToWideChar 862->864 863->835 866 402a78-402a7d 863->866 864->862 865 402a31 864->865 865->857 866->835 867 402a7f-402a92 866->867 867->830 868 402a94-402a9c 867->868 868->830 868->842
                                                            C-Code - Quality: 90%
                                                            			E0040291D(void* __edi, void* __esi, signed int __ebp, void* _a4, void* _a8, void* _a12, char _a16, signed int _a20, long _a24, void* _a28, long _a32, intOrPtr _a36, void* _a48, intOrPtr _a52, void* _a56, signed int _a64, intOrPtr _a68, short _a72, int _a76) {
                                                            				signed int _t61;
                                                            				long _t63;
                                                            				void* _t73;
                                                            
                                                            				_t63 = 2;
                                                            				_a20 = __ebp;
                                                            				_a32 = _t63;
                                                            				_t73 = E00403002(_t63) - 1;
                                                            				if(_t73 < 0) {
                                                            					_t61 = _a16;
                                                            					goto L33;
                                                            				} else {
                                                            					__ecx = 0x3ff;
                                                            					_a24 = __eax;
                                                            					if( *__edi == __bp) {
                                                            						L25:
                                                            						__eax = _a20;
                                                            						__ecx = 0;
                                                            						__ebx = 0;
                                                            						 *((short*)(__esi + _a20 * 2)) = __cx;
                                                            						_t61 = 0 | _t73 == 0x00000000;
                                                            						L33:
                                                            						 *0x435ac8 =  *0x435ac8 + _t61;
                                                            					} else {
                                                            						_a64 = __ebp;
                                                            						__ecx = E00406C25(__edi);
                                                            						_a24 = __ecx;
                                                            						if(_a20 > __ebp) {
                                                            							_a68 = 0xd;
                                                            							__edi = __ebp;
                                                            							do {
                                                            								if(_a36 != 0x39) {
                                                            									if(_a52 != __ebp || __edi != 0) {
                                                            										L18:
                                                            										__eax =  &_a72;
                                                            										if(E00406948(__ecx, __ecx,  &_a72, 2) == 0) {
                                                            											goto L25;
                                                            										} else {
                                                            											goto L19;
                                                            										}
                                                            									} else {
                                                            										if(E00406484(__ecx, __ebp) < 0) {
                                                            											goto L25;
                                                            										} else {
                                                            											__ecx = _a28;
                                                            											goto L18;
                                                            										}
                                                            									}
                                                            								} else {
                                                            									_push(__ebp);
                                                            									__eax =  &_a76;
                                                            									_push( &_a76);
                                                            									__eax = 2;
                                                            									 &_a76 - _a52 =  &_a16;
                                                            									__eax = ReadFile(__ecx,  &_a16,  &_a76 - _a52, ??, ??); // executed
                                                            									if(__eax == 0) {
                                                            										goto L25;
                                                            									} else {
                                                            										__ecx = _a76;
                                                            										_a32 = __ecx;
                                                            										if(__ecx == 0) {
                                                            											goto L25;
                                                            										} else {
                                                            											__eax = _a16 & 0x000000ff;
                                                            											_a72 = _a16 & 0x000000ff;
                                                            											if(_a52 != __ebp) {
                                                            												L31:
                                                            												__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
                                                            											} else {
                                                            												 &_a72 =  &_a16;
                                                            												if(MultiByteToWideChar(__ebp, 8,  &_a16, __ecx,  &_a72, __ebx) != 0) {
                                                            													L19:
                                                            													__ecx = _a32;
                                                            													__eax = _a72;
                                                            												} else {
                                                            													__ecx = _a32;
                                                            													__edx = __ecx;
                                                            													__edx =  ~__ecx;
                                                            													while(1) {
                                                            														_t22 =  &_a76;
                                                            														 *_t22 = _a76 - 1;
                                                            														__eax = 0xfffd;
                                                            														_a72 = 0xfffd;
                                                            														if( *_t22 == 0) {
                                                            															goto L20;
                                                            														}
                                                            														__ecx = __ecx - 1;
                                                            														__edx = __edx + 1;
                                                            														_a32 = __ecx;
                                                            														 *(__esp + 0x60) = __edx;
                                                            														__eax = SetFilePointer(_a28, __edx, __ebp, __ebx); // executed
                                                            														 &_a72 =  &_a16;
                                                            														__eax = MultiByteToWideChar(__ebp, 8,  &_a16, _a76,  &_a72, __ebx);
                                                            														__ecx = _a32;
                                                            														__edx =  *(__esp + 0x50);
                                                            														if(__eax == 0) {
                                                            															continue;
                                                            														} else {
                                                            															goto L19;
                                                            														}
                                                            														goto L20;
                                                            													}
                                                            												}
                                                            												L20:
                                                            												if(_a52 != __ebp) {
                                                            													goto L31;
                                                            												} else {
                                                            													__edx = 0xd;
                                                            													__edx = 0xa;
                                                            													if(_a64 == __dx || _a64 == __dx) {
                                                            														if(_a64 == __ax || __ax != _a68 && __ax != __dx) {
                                                            															__eax = SetFilePointer(_a28, __ecx, __ebp, __ebx);
                                                            														} else {
                                                            															 *(__esi + __edi * 2) = __ax;
                                                            															_a20 = __edi;
                                                            														}
                                                            														goto L25;
                                                            													} else {
                                                            														 *(__esi + __edi * 2) = __ax;
                                                            														__edi = __edi + 1;
                                                            														__eax = __ax & 0x0000ffff;
                                                            														_a20 = __edi;
                                                            														_a64 = __ax & 0x0000ffff;
                                                            														if(__ax == 0) {
                                                            															goto L25;
                                                            														} else {
                                                            															goto L24;
                                                            														}
                                                            													}
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            								goto L34;
                                                            								L24:
                                                            								__ecx = _a28;
                                                            							} while (__edi < _a24);
                                                            						}
                                                            						goto L25;
                                                            					}
                                                            				}
                                                            				L34:
                                                            				return 0;
                                                            			}







                                                            APIs
                                                            • ReadFile.KERNELBASE(00000000,?,?,?), ref: 00402994
                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
                                                            • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: File$ByteCharMultiPointerWide$Read
                                                            • String ID: 9
                                                            • API String ID: 1439708474-2366072709
                                                            • Opcode ID: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
                                                            • Instruction ID: c0364eb4a24137c8a00bba018ae5694ccc63d4c43f2b92d4ab62ccb683855c39
                                                            • Opcode Fuzzy Hash: 9f93ca41379e5358701e9762d9d73a54771f02cb738d955fe51c94385f5bda32
                                                            • Instruction Fuzzy Hash: FD513B71618301AFD724DF11CA48A2BB7E8BFD5304F00483FF985A62D1DBB9D9458B66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 869 40619e-4061be GetSystemDirectoryW 870 4061c0-4061c2 869->870 871 4061d8 869->871 870->871 873 4061c4-4061cf 870->873 872 4061da 871->872 875 4061df-40620c wsprintfW LoadLibraryExW 872->875 873->872 874 4061d1-4061d6 873->874 874->875
                                                            C-Code - Quality: 100%
                                                            			E0040619E(intOrPtr _a4) {
                                                            				short _v576;
                                                            				int _t8;
                                                            				void* _t9;
                                                            				struct HINSTANCE__* _t13;
                                                            				void* _t14;
                                                            				void* _t19;
                                                            
                                                            				_t8 = GetSystemDirectoryW( &_v576, 0x104);
                                                            				if(_t8 > 0x104 || _t8 == 0) {
                                                            					_t9 = 0;
                                                            					goto L5;
                                                            				} else {
                                                            					_t9 = _t8 + _t8;
                                                            					if( *((short*)(_t19 + _t9 - 0x23e)) == 0x5c) {
                                                            						L5:
                                                            						_t14 = 0x4092b2;
                                                            					} else {
                                                            						_t14 = 0x4092b0;
                                                            					}
                                                            				}
                                                            				wsprintfW(_t9 +  &_v576, L"%s%S.dll", _t14, _a4);
                                                            				_t13 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                            				return _t13;
                                                            			}










                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
                                                            • wsprintfW.USER32 ref: 004061F1
                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406205
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                            • String ID: %s%S.dll$UXTHEME$\
                                                            • API String ID: 2200240437-1946221925
                                                            • Opcode ID: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
                                                            • Instruction ID: 46fd840fe6511d7ccc003e1cb9660209246fe71c7ecdf6ea51a48f4d7cc48468
                                                            • Opcode Fuzzy Hash: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
                                                            • Instruction Fuzzy Hash: 93F0BB7160022467DB10A764DC0DB9A36ACEB00304F50447AA906F61C2E77CDE54C79C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 876 406a56-406a62 877 406a63-406a95 GetTickCount GetTempFileNameW 876->877 878 406aa0 877->878 879 406a97-406a99 877->879 881 406aa2-406aa5 878->881 879->877 880 406a9b-406a9e 879->880 880->881
                                                            C-Code - Quality: 100%
                                                            			E00406A56(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                            				intOrPtr _v8;
                                                            				short _v12;
                                                            				signed int _t12;
                                                            				WCHAR* _t15;
                                                            				signed int _t17;
                                                            				void* _t21;
                                                            				WCHAR* _t24;
                                                            
                                                            				_t24 = _a4;
                                                            				_t21 = 0x64;
                                                            				while(1) {
                                                            					_t21 = _t21 - 1;
                                                            					_v12 = 0x73006e;
                                                            					_v8 = 0x61;
                                                            					_t12 = GetTickCount();
                                                            					_t17 = 0x1a;
                                                            					_v8 = _v8 + _t12 % _t17;
                                                            					_t15 = GetTempFileNameW(_a8,  &_v12, 0, _t24); // executed
                                                            					if(_t15 != 0) {
                                                            						break;
                                                            					}
                                                            					if(_t21 != 0) {
                                                            						continue;
                                                            					} else {
                                                            						 *_t24 = _t15;
                                                            					}
                                                            					L5:
                                                            					return _t15;
                                                            				}
                                                            				_t15 = _t24;
                                                            				goto L5;
                                                            			}











                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00406A72
                                                            • GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CD4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406A8D
                                                            Strings
                                                            • a, xrefs: 00406A6B
                                                            • n, xrefs: 00406A64
                                                            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A5F
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00406A5B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CountFileNameTempTick
                                                            • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
                                                            • API String ID: 1716503409-3027303449
                                                            • Opcode ID: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
                                                            • Instruction ID: ceede72bcc8b9f9399702d6205d38d242a1142e8e26f45c6d668c419d088e7be
                                                            • Opcode Fuzzy Hash: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
                                                            • Instruction Fuzzy Hash: E9F05E72700208BBEB149F55DC09BDE7779EF91B14F14803BEA41BA180E3F45E5487A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 926 40141e-401456 call 4062d8 928 40145b-40145d 926->928 929 401463-40146d 928->929 930 401527-401530 928->930 931 401493-4014a4 929->931 932 40146f-401491 RegEnumValueW 929->932 934 4014ce-4014d6 RegEnumKeyW 931->934 932->931 933 401503-401512 RegCloseKey 932->933 933->930 935 4014a6-4014a8 934->935 936 4014d8-4014eb RegCloseKey call 4068e6 934->936 935->933 937 4014aa-4014c1 call 40141e 935->937 942 401514-40151e 936->942 943 4014ed-401501 RegDeleteKeyW 936->943 937->936 944 4014c3-4014cd 937->944 942->930 943->930 944->934
                                                            C-Code - Quality: 48%
                                                            			E0040141E(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                            				void* _v4;
                                                            				void* _v8;
                                                            				short _v524;
                                                            				int _v528;
                                                            				void* _v532;
                                                            				void* _v536;
                                                            				void* _v544;
                                                            				void* _t27;
                                                            				signed int _t33;
                                                            				intOrPtr* _t35;
                                                            				signed int _t43;
                                                            				signed int _t45;
                                                            
                                                            				_t45 = _a12 & 0x00000300;
                                                            				_t43 = _a12 & 0x00000001;
                                                            				_t27 = E004062D8(__eflags, _a4, _a8, _t45 | 0x00000009,  &_v532); // executed
                                                            				if(_t27 == 0) {
                                                            					if((_a12 & 0x00000002) == 0) {
                                                            						L3:
                                                            						_push(0x105);
                                                            						_push( &_v524);
                                                            						_push(0);
                                                            						while(RegEnumKeyW(_v532, ??, ??, ??) == 0) {
                                                            							__eflags = _t43;
                                                            							if(__eflags != 0) {
                                                            								L10:
                                                            								RegCloseKey(_v532);
                                                            								return 0x3eb;
                                                            							}
                                                            							_t33 = E0040141E(__eflags, _v532,  &_v524, _a12);
                                                            							__eflags = _t33;
                                                            							if(_t33 != 0) {
                                                            								break;
                                                            							}
                                                            							_push(0x105);
                                                            							_push( &_v524);
                                                            							_push(_t43);
                                                            						}
                                                            						RegCloseKey(_v532);
                                                            						_t35 = E004068E6(3);
                                                            						if(_t35 != 0) {
                                                            							return  *_t35(_a4, _a8, _t45, 0);
                                                            						}
                                                            						return RegDeleteKeyW(_a4, _a8);
                                                            					}
                                                            					_v528 = 0;
                                                            					if(RegEnumValueW(_v532, 0,  &_v524,  &_v528, 0, 0, 0, 0) != 0x103) {
                                                            						goto L10;
                                                            					}
                                                            					goto L3;
                                                            				}
                                                            				return _t27;
                                                            			}
















                                                            APIs
                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
                                                            • RegCloseKey.ADVAPI32(?), ref: 004014DC
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
                                                            • RegCloseKey.ADVAPI32(?), ref: 00401507
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CloseEnum$DeleteValue
                                                            • String ID:
                                                            • API String ID: 1354259210-0
                                                            • Opcode ID: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
                                                            • Instruction ID: 21b5a5252aa063403de6f9026dc2c812d9767c74370f87ead0cd0c39fa3adcf8
                                                            • Opcode Fuzzy Hash: 30017b8bd83a5a7471793a7c8ba9a53ddb3d91c26afeeaccdb12cfd0c7e39771
                                                            • Instruction Fuzzy Hash: 3F218032108244BBD7219F51DC08FABBBADEFD9344F01043AF989A11B0D3399A14DA6A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 54%
                                                            			E0040225D(void* __ebp, void* _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, WCHAR* _a20, void* _a28, intOrPtr _a32, signed int _a48) {
                                                            				void* _v0;
                                                            				struct HINSTANCE__* _t17;
                                                            				struct HINSTANCE__* _t26;
                                                            				void* _t27;
                                                            				intOrPtr* _t29;
                                                            				void* _t30;
                                                            				WCHAR* _t32;
                                                            				struct HINSTANCE__* _t33;
                                                            				void* _t37;
                                                            				void* _t39;
                                                            
                                                            				_t37 = __ebp;
                                                            				_t27 = 1;
                                                            				if( *0x435a60 < __ebp) {
                                                            					_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            					_push(0xffffffe7);
                                                            					L16:
                                                            					E00405D3A();
                                                            					L17:
                                                            					 *0x435ac8 =  *0x435ac8 + _t27;
                                                            					return 0;
                                                            				}
                                                            				_t32 = E0040303E(_t30, 0xfffffff0);
                                                            				_a20 = _t32;
                                                            				_a12 = E0040303E(_t30, 1);
                                                            				if(_a48 == __ebp) {
                                                            					L4:
                                                            					_t17 = LoadLibraryExW(_t32, _t37, 8); // executed
                                                            					_t33 = _t17;
                                                            					_t44 = _t33;
                                                            					if(_t33 == 0) {
                                                            						_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            						_push(0xfffffff6);
                                                            						goto L16;
                                                            					}
                                                            					L5:
                                                            					_t29 = E00406269(_t44, _t33, _a20);
                                                            					_a16 = _t29;
                                                            					if(_t29 == 0) {
                                                            						E00405D3A(0xfffffff7, _a20);
                                                            					} else {
                                                            						_t27 = _t37;
                                                            						if(_a48 == _t27) {
                                                            							 *_t29(_a32, 0x400, 0x436000, 0x40b100, 0x40b000);
                                                            							_t39 = _t39 + 0x14;
                                                            						} else {
                                                            							E00405D3A(_a48, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            							if(_a16() != 0) {
                                                            								_t27 = 1;
                                                            							}
                                                            						}
                                                            					}
                                                            					if( *((intOrPtr*)(_t39 + 0x34)) == _t37 && E00403CD6(_t33) != 0) {
                                                            						FreeLibrary(_t33);
                                                            					}
                                                            					goto L17;
                                                            				}
                                                            				_t26 = GetModuleHandleW(_t32); // executed
                                                            				_t33 = _t26;
                                                            				if(_t33 != 0) {
                                                            					goto L5;
                                                            				}
                                                            				_t32 =  *(_t39 + 0x18);
                                                            				goto L4;
                                                            			}














                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040228C
                                                              • Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
                                                              • Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
                                                              • Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?), ref: 00405D99
                                                              • Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll), ref: 00405DB1
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00
                                                            • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004022A0
                                                            • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll
                                                            • API String ID: 334405425-2866194894
                                                            • Opcode ID: ef58e730e87b036fb3bb273f3d25c6645116cf6908839c118768283bfaa69e59
                                                            • Instruction ID: aa6b704e5079027a8c34e107c1f377ebbd1d9565507d54c53cf3a7cdcd1ba86e
                                                            • Opcode Fuzzy Hash: ef58e730e87b036fb3bb273f3d25c6645116cf6908839c118768283bfaa69e59
                                                            • Instruction Fuzzy Hash: C3210632648701ABD710AF618E8DA3F76A4ABD8721F20013FF941B12D1DBBC9801979F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 95%
                                                            			E00402656(int _a20, intOrPtr _a24, intOrPtr _a40, intOrPtr _a52, intOrPtr _a56, char _a60, intOrPtr _a72) {
                                                            				void* _v0;
                                                            				void* _v4;
                                                            				void* _v8;
                                                            				void* _t20;
                                                            				intOrPtr _t24;
                                                            				signed int _t25;
                                                            				signed int _t32;
                                                            				void* _t37;
                                                            				intOrPtr _t39;
                                                            				int _t45;
                                                            				void* _t46;
                                                            				int _t47;
                                                            				void* _t49;
                                                            				void* _t51;
                                                            
                                                            				_a24 = _a56;
                                                            				_a20 = _a60;
                                                            				_a24 = E0040303E(_t37, 2);
                                                            				_t20 = E0040303E(_t37, 0x11);
                                                            				_t32 = 1;
                                                            				E004062A5(_t51, E00403023(_a72), _t20, 0x100022,  &_a60); // executed
                                                            				_t39 =  !=  ? 0 : _a40;
                                                            				_a52 = _t39;
                                                            				if(_t39 != 0) {
                                                            					_t24 = _a24;
                                                            					if(_t24 != 1) {
                                                            						_t45 = 4;
                                                            						__eflags = _t24 - 1;
                                                            						if(_t24 != 1) {
                                                            							_t45 = _t47;
                                                            							__eflags = _t24 - 3;
                                                            							if(_t24 == 3) {
                                                            								_t45 = E00403148(_a52, _t47, 0x40c108, 0x1800);
                                                            							}
                                                            						} else {
                                                            							 *0x40c108 = E00403002(3);
                                                            						}
                                                            					} else {
                                                            						E0040303E(_t37, 0x23);
                                                            						_t45 = 2 + lstrlenW(0x40c108) * 2;
                                                            					}
                                                            					_t46 =  *(_t49 + 0x54);
                                                            					_t25 = RegSetValueExW(_t46,  *(_t49 + 0x2c), _t47, _a20, 0x40c108, _t45); // executed
                                                            					asm("sbb eax, eax");
                                                            					_t32 = _t32 &  ~_t25;
                                                            					RegCloseKey(_t46);
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + _t32;
                                                            				return 0;
                                                            			}


















                                                            APIs
                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw2317.tmp,00000023,?,00000011,00000002), ref: 004026C3
                                                            • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsw2317.tmp,?,?,00000011,00000002), ref: 00402710
                                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw2317.tmp,?,?,00000011,00000002), ref: 0040271D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CloseValuelstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsw2317.tmp
                                                            • API String ID: 2655323295-1816576402
                                                            • Opcode ID: 8edcd19f25d8d05edf2d8148b6cc1e24fb060151bf47dec0a3455c4438ded43c
                                                            • Instruction ID: b85799c5b09c0d4e5107b9a6a50aeda658419008c73e2f9c6ba38a7de01b1a8e
                                                            • Opcode Fuzzy Hash: 8edcd19f25d8d05edf2d8148b6cc1e24fb060151bf47dec0a3455c4438ded43c
                                                            • Instruction Fuzzy Hash: CF21D072608311ABD711AFA5CC85B2FBBE8EB98760F10093EF541F71C1C7B99901879A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004068E6(signed int _a4) {
                                                            				struct HINSTANCE__* _t6;
                                                            				signed int _t8;
                                                            
                                                            				_t8 = _a4;
                                                            				_t9 =  *(0x40b030 + _t8 * 8);
                                                            				_t6 = GetModuleHandleA( *(0x40b030 + _t8 * 8));
                                                            				if(_t6 != 0) {
                                                            					L2:
                                                            					return GetProcAddress(_t6,  *(0x40b034 + _t8 * 8));
                                                            				}
                                                            				_t6 = E0040619E(_t9); // executed
                                                            				if(_t6 != 0) {
                                                            					goto L2;
                                                            				}
                                                            				return _t6;
                                                            			}






                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406910
                                                              • Part of subcall function 0040619E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
                                                              • Part of subcall function 0040619E: wsprintfW.USER32 ref: 004061F1
                                                              • Part of subcall function 0040619E: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406205
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                            • String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
                                                            • API String ID: 2547128583-890815371
                                                            • Opcode ID: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
                                                            • Instruction ID: 085141bfa328d30a19c357711f10e0b2ef6edf17adcd8b925e9f05de384a5053
                                                            • Opcode Fuzzy Hash: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
                                                            • Instruction Fuzzy Hash: 00D02B316012159BDB001F22AE0C94F771DEEA67907020032F501F6231E334DC21C5FC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00405E3E(WCHAR* _a4) {
                                                            				struct _SECURITY_ATTRIBUTES _v16;
                                                            				struct _SECURITY_DESCRIPTOR _v36;
                                                            				short _t17;
                                                            				int _t21;
                                                            				long _t23;
                                                            
                                                            				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                            				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                            				_t17 = 4;
                                                            				_v36.Control = _t17;
                                                            				_v36.Owner = 0x409760;
                                                            				_v36.Group = 0x409760;
                                                            				_v16.lpSecurityDescriptor =  &_v36;
                                                            				_v36.Revision = 1;
                                                            				_v36.Dacl = 0x409750;
                                                            				_v16.nLength = 0xc;
                                                            				_t21 = CreateDirectoryW(_a4,  &_v16); // executed
                                                            				if(_t21 != 0) {
                                                            					L3:
                                                            					return 0;
                                                            				}
                                                            				_t23 = GetLastError();
                                                            				if(_t23 == 0xb7) {
                                                            					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) == 0) {
                                                            						return GetLastError();
                                                            					}
                                                            					goto L3;
                                                            				}
                                                            				return _t23;
                                                            			}








                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(00000000,?), ref: 00405E7F
                                                            • GetLastError.KERNEL32 ref: 00405E89
                                                            • SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405EA2
                                                            • GetLastError.KERNEL32 ref: 00405EB0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                            • String ID:
                                                            • API String ID: 3449924974-0
                                                            • Opcode ID: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
                                                            • Instruction ID: 6ae0cafa5f15e980fc825a914f3c6ead540d2f1400f747b3271702dfe1e84024
                                                            • Opcode Fuzzy Hash: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
                                                            • Instruction Fuzzy Hash: 3F01D675D00209EBEB009FA0D948BEFBBB9EB14315F104526E949F2291E7789A44CF99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileA.KERNELBASE(?), ref: 02B71BD1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: TO^<$TO^<
                                                            • API String ID: 823142352-971462200
                                                            • Opcode ID: 65533276efc611b377696e7718a28ebde76027731b662379cd8cfb79735a004d
                                                            • Instruction ID: b9b88d10b726095e26a981b8abe0b3db69213744b752d3779894c849faa337ae
                                                            • Opcode Fuzzy Hash: 65533276efc611b377696e7718a28ebde76027731b662379cd8cfb79735a004d
                                                            • Instruction Fuzzy Hash: 91312E755083069FCB249E7988A6BEBB7E6EF11750F55881EECC68B210C7318881CB47
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E00406977(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, short* _a12, char* _a16, int _a20) {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				void* _t20;
                                                            				char _t21;
                                                            				long _t24;
                                                            				char* _t28;
                                                            
                                                            				_v12 = 0x800;
                                                            				asm("sbb eax, eax");
                                                            				_t20 = E004062D8(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_v8); // executed
                                                            				_t28 = _a16;
                                                            				if(_t20 != 0) {
                                                            					L4:
                                                            					_t21 = 0;
                                                            					 *_t28 = 0;
                                                            				} else {
                                                            					_t24 = RegQueryValueExW(_v8, _a12, 0,  &_a20, _t28,  &_v12); // executed
                                                            					RegCloseKey(_v8); // executed
                                                            					_t21 = 0;
                                                            					_t28[0x7fe] = 0;
                                                            					if(_t24 != 0 || _a20 != 1 && _a20 != 2) {
                                                            						goto L4;
                                                            					}
                                                            				}
                                                            				return _t21;
                                                            			}









                                                            APIs
                                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,00000800,?,00000800,?,?,?,Call,00000000,00000000,00000002,00405FBE), ref: 004069BE
                                                            • RegCloseKey.KERNELBASE(?), ref: 004069C9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue
                                                            • String ID: Call
                                                            • API String ID: 3356406503-1824292864
                                                            • Opcode ID: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
                                                            • Instruction ID: a3e06d51c6875ee3f629547af2dd4b96d71687c661178dbbbd55dab6437f425a
                                                            • Opcode Fuzzy Hash: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
                                                            • Instruction Fuzzy Hash: D3010C7651010ABBDB218FA4DC06AEF7BA8EF45344F110126B901E2160D275DE60DB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00405E1E(WCHAR* _a4) {
                                                            				int _t2;
                                                            				long _t5;
                                                            
                                                            				_t5 = 0;
                                                            				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                            				if(_t2 == 0) {
                                                            					_t5 = GetLastError();
                                                            				}
                                                            				return _t5;
                                                            			}





                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00405E26
                                                            • GetLastError.KERNEL32 ref: 00405E30
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 1375471231-3355392842
                                                            • Opcode ID: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
                                                            • Instruction ID: 407710f282aa9913273e94a45afee278ff037c1c447fef60eab8b448319c413c
                                                            • Opcode Fuzzy Hash: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
                                                            • Instruction Fuzzy Hash: 56C012326050309BC3201B69AD0CA87BE94EB906A13018635B989E2220D2308C008AE8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E7427167A(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				void* _t37;
                                                            				intOrPtr _t43;
                                                            				void* _t49;
                                                            				void* _t50;
                                                            				void* _t51;
                                                            				void* _t55;
                                                            				void* _t56;
                                                            				signed char _t62;
                                                            				signed int _t64;
                                                            				signed int _t66;
                                                            				struct HINSTANCE__* _t71;
                                                            				void* _t72;
                                                            				void* _t80;
                                                            				void* _t84;
                                                            				void* _t85;
                                                            				void* _t87;
                                                            
                                                            				_t80 = __esi;
                                                            				_t72 = __edi;
                                                            				_t55 = __ebx;
                                                            				 *0x74275040 =  *((intOrPtr*)(_t87 + 8));
                                                            				 *0x7427503c =  *((intOrPtr*)(_t87 + 0x94));
                                                            				 *0x74275038 =  *((intOrPtr*)(_t87 + 0x90));
                                                            				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x9c)) + 0xc))( *0x74275014, E7427132B, _t84);
                                                            				_push(1);
                                                            				_t37 = E74272351();
                                                            				_t85 = _t37;
                                                            				if(_t85 == 0) {
                                                            					L28:
                                                            					return _t37;
                                                            				} else {
                                                            					if( *((intOrPtr*)(_t85 + 4)) != 1) {
                                                            						E74271FCB(_t85);
                                                            					}
                                                            					E74272049(_t85);
                                                            					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
                                                            						L14:
                                                            						if(( *(_t85 + 0x1010) & 0x00000004) == 0) {
                                                            							if( *((intOrPtr*)(_t85 + 4)) == 0) {
                                                            								_t37 = E74272209(_t85);
                                                            							} else {
                                                            								_push(_t55);
                                                            								_push(_t80);
                                                            								_push(_t72);
                                                            								_t64 = 8;
                                                            								_t14 = _t85 + 0x1018; // 0x1018
                                                            								_t56 = _t14;
                                                            								memcpy(_t87 + 0x14, _t56, _t64 << 2);
                                                            								_t43 = E74271F1E(_t85, _t87 + 0x30);
                                                            								 *(_t85 + 0x1034) =  *(_t85 + 0x1034) & 0x00000000;
                                                            								 *((intOrPtr*)(_t85 + 0x1020)) = _t43;
                                                            								 *_t56 = 4;
                                                            								E74272209(_t85);
                                                            								_t66 = 8;
                                                            								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
                                                            							}
                                                            						} else {
                                                            							E74272209(_t85);
                                                            							_t37 = GlobalFree(E742715EB(E74271668(_t85)));
                                                            						}
                                                            						if( *((intOrPtr*)(_t85 + 4)) != 1) {
                                                            							E7427200D(_t85);
                                                            							_t62 =  *(_t85 + 0x1010);
                                                            							_t37 = _t62;
                                                            							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
                                                            								_t71 =  *(_t85 + 0x1008);
                                                            								if(_t71 != 0) {
                                                            									FreeLibrary(_t71);
                                                            									_t37 =  *(_t85 + 0x1010);
                                                            								}
                                                            							}
                                                            							if((_t37 & 0x00000020) != 0) {
                                                            								_t37 = E742715C5( *0x7427502c);
                                                            							}
                                                            						}
                                                            						if(( *(_t85 + 0x1010) & 0x00000002) == 0) {
                                                            							_t37 = GlobalFree(_t85);
                                                            						}
                                                            						goto L28;
                                                            					}
                                                            					_t49 =  *_t85;
                                                            					if(_t49 == 0) {
                                                            						if( *((intOrPtr*)(_t85 + 4)) != 1) {
                                                            							goto L14;
                                                            						}
                                                            						E74272F9F(_t85);
                                                            						L12:
                                                            						_t85 = _t49;
                                                            						L13:
                                                            						goto L14;
                                                            					}
                                                            					_t50 = _t49 - 1;
                                                            					if(_t50 == 0) {
                                                            						L8:
                                                            						_t49 = E74272D14(_t85); // executed
                                                            						goto L12;
                                                            					}
                                                            					_t51 = _t50 - 1;
                                                            					if(_t51 == 0) {
                                                            						_push(_t85);
                                                            						E742717F7();
                                                            						goto L13;
                                                            					}
                                                            					if(_t51 != 1) {
                                                            						goto L14;
                                                            					}
                                                            					goto L8;
                                                            				}
                                                            			}


                                                            APIs
                                                              • Part of subcall function 74272351: GlobalFree.KERNEL32(?), ref: 74272A44
                                                              • Part of subcall function 74272351: GlobalFree.KERNEL32(?), ref: 74272A4A
                                                              • Part of subcall function 74272351: GlobalFree.KERNEL32(?), ref: 74272A50
                                                            • GlobalFree.KERNEL32(00000000), ref: 74271738
                                                            • FreeLibrary.KERNEL32(?), ref: 742717C3
                                                            • GlobalFree.KERNEL32(00000000), ref: 742717E9
                                                              • Part of subcall function 74271FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 74271FFA
                                                              • Part of subcall function 742717F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,74271708,00000000), ref: 7427189A
                                                              • Part of subcall function 74271F1E: wsprintfW.USER32 ref: 74271F51
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloc$Librarywsprintf
                                                            • String ID:
                                                            • API String ID: 3962662361-0
                                                            • Opcode ID: 2c7aa48dd7c54cf539fa18cf1317cf01d83d7b0653071e26ce5b6ae4fd952c80
                                                            • Instruction ID: 4beef0367f8497e6c286c1729670f6e403c955ce69626e9dbf177fb4dadbe9b0
                                                            • Opcode Fuzzy Hash: 2c7aa48dd7c54cf539fa18cf1317cf01d83d7b0653071e26ce5b6ae4fd952c80
                                                            • Instruction Fuzzy Hash: D841F73270024A9FD7239F29C848BEA33FDFF84311F104019FB4A9A685DB7497A4D661
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00402728(short* __edi, void* _a20, void* _a48, void* _a72) {
                                                            				int* __ebp;
                                                            				void* _t12;
                                                            				void* _t18;
                                                            				void* _t20;
                                                            				void* _t28;
                                                            
                                                            				_t12 = E004030C1(_t18, _t20, _t28, 0x20019); // executed
                                                            				E0040303E(_t20, 0x33);
                                                            				 *__edi = 0;
                                                            				if(_t12 != 0) {
                                                            					__ecx = __esp + 0x50;
                                                            					 *(__esp + 0x50) = 0x800;
                                                            					__ecx = __esp + 0x24;
                                                            					__eax = RegQueryValueExW(__esi, __eax, __ebp, __esp + 0x24, __edi, __esp + 0x50);
                                                            					0 = 1;
                                                            					__eflags = __eax;
                                                            					if(__eax != 0) {
                                                            						L9:
                                                            						__eax = 0;
                                                            						 *__edi = __ax;
                                                            						goto L2;
                                                            					} else {
                                                            						__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 4;
                                                            						if( *((intOrPtr*)(__esp + 0x1c)) == 4) {
                                                            							__eflags =  *(__esp + 0x3c);
                                                            							__eax = E0040661F(__edi,  *__edi);
                                                            							goto L2;
                                                            						} else {
                                                            							__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 1;
                                                            							if( *((intOrPtr*)(__esp + 0x1c)) == 1) {
                                                            								L7:
                                                            								__eax = 0;
                                                            								__edi[0x7fe] = __ax;
                                                            								L2:
                                                            								__eax = RegCloseKey(__esi);
                                                            								goto L10;
                                                            							} else {
                                                            								__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 2;
                                                            								if( *((intOrPtr*)(__esp + 0x1c)) != 2) {
                                                            									goto L9;
                                                            								} else {
                                                            									goto L7;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					L11:
                                                            					return 0;
                                                            				}
                                                            				L10:
                                                            				 *0x435ac8 =  *0x435ac8 + 1;
                                                            				goto L11;
                                                            			}


                                                            APIs
                                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsw2317.tmp,?,?,00000011,00000002), ref: 0040271D
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040275E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue
                                                            • String ID:
                                                            • API String ID: 3356406503-0
                                                            • Opcode ID: 1d42ab8b4145a25c79b294e04f02a9cb00a7c1bb6d884b11203412bb77f2baf5
                                                            • Instruction ID: fb228a38f7146265a3f721d89abc8bf78f6fe6bd0b338e84b9d16a0e51430f88
                                                            • Opcode Fuzzy Hash: 1d42ab8b4145a25c79b294e04f02a9cb00a7c1bb6d884b11203412bb77f2baf5
                                                            • Instruction Fuzzy Hash: 5C11C235658302AFD7149FA4D98863BB3A4EF84315F10093FF102A21D1D7B85909CB5B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00401399(signed int _a4) {
                                                            				signed int _t10;
                                                            				int _t12;
                                                            				void* _t16;
                                                            				signed int _t17;
                                                            				void* _t18;
                                                            				signed int _t20;
                                                            				void* _t21;
                                                            
                                                            				_t20 = _a4;
                                                            				if(_t20 < 0) {
                                                            					L10:
                                                            					return 0;
                                                            				}
                                                            				while(1) {
                                                            					_t6 =  *0x435a30 + _t20 * 0x1c;
                                                            					if( *((intOrPtr*)( *0x435a30 + _t20 * 0x1c)) == 1) {
                                                            						goto L10;
                                                            					}
                                                            					if(E0040154A(_t6) == 0x7fffffff) {
                                                            						return 0x7fffffff;
                                                            					}
                                                            					_t16 = E004030FD(_t7);
                                                            					if(_t16 != 0) {
                                                            						_t17 = _t16 - 1;
                                                            						_t10 = _t20;
                                                            						_t20 = _t17;
                                                            						_t18 = _t17 - _t10;
                                                            					} else {
                                                            						_t18 = _t16 + 1;
                                                            						_t20 = _t20 + 1;
                                                            					}
                                                            					if( *((intOrPtr*)(_t21 + 0x10)) != 0) {
                                                            						_t12 =  *0x4349d0 + _t18;
                                                            						 *0x4349d0 = _t12;
                                                            						SendMessageW( *(_t21 + 0x1c), 0x402, MulDiv(_t12, 0x7530,  *0x4349cc), 0); // executed
                                                            					}
                                                            					if(_t20 >= 0) {
                                                            						continue;
                                                            					} else {
                                                            						goto L10;
                                                            					}
                                                            				}
                                                            				goto L10;
                                                            			}


                                                            APIs
                                                            • MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                                            • SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
                                                            • Instruction ID: 538a9e804dfe71f8462b772bc95ac31ea7b37d3b99b6caf0eca62282663b68d4
                                                            • Opcode Fuzzy Hash: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
                                                            • Instruction Fuzzy Hash: 4701D472A152309BD7196F28AC09B6B3699AB80711F15453AF901F72F1D2B89C018758
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004025FF(void* __ebp, signed int _a52, intOrPtr _a56, intOrPtr _a60) {
                                                            				long _t7;
                                                            				signed int _t14;
                                                            				void* _t16;
                                                            				void* _t20;
                                                            				long _t22;
                                                            				void* _t25;
                                                            
                                                            				_t22 = 1;
                                                            				_t30 = _a56 - __ebp;
                                                            				if(_a56 != __ebp) {
                                                            					_t7 = E0040307C(_a60, E0040303E(_t20, 0x22), _a52 >> 1); // executed
                                                            					_t22 = _t7;
                                                            				} else {
                                                            					_t25 = E004030C1(_t16, _t20, _t30, 2);
                                                            					if(_t25 != 0) {
                                                            						_t22 = RegDeleteValueW(_t25, E0040303E(_t20, 0x33));
                                                            						RegCloseKey(_t25);
                                                            					}
                                                            				}
                                                            				_t14 = 0 | _t22 != 0x00000000;
                                                            				 *0x435ac8 =  *0x435ac8 + _t14;
                                                            				return 0;
                                                            			}










                                                            APIs
                                                            • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00402627
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CloseDeleteValue
                                                            • String ID:
                                                            • API String ID: 2831762973-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ShowWindow.USER32(00000000,00000000), ref: 00402061
                                                            • EnableWindow.USER32(00000000,00000000), ref: 0040206C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Window$EnableShow
                                                            • String ID:
                                                            • API String ID: 1136574915-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004066D6(WCHAR* _a4) {
                                                            				struct _PROCESS_INFORMATION _v20;
                                                            				int _t7;
                                                            
                                                            				0x42fd78->cb = 0x44;
                                                            				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42fd78,  &_v20); // executed
                                                            				if(_t7 != 0) {
                                                            					CloseHandle(_v20.hThread);
                                                            					return _v20.hProcess;
                                                            				}
                                                            				return _t7;
                                                            			}






                                                            APIs
                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FD78,?), ref: 004066FF
                                                            • CloseHandle.KERNEL32(?), ref: 0040670C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateHandleProcess
                                                            • String ID:
                                                            • API String ID: 3712363035-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040691B(WCHAR* _a4, long _a8, long _a12) {
                                                            				long _t5;
                                                            				void* _t7;
                                                            
                                                            				_t5 = GetFileAttributesW(_a4); // executed
                                                            				_t6 =  ==  ? 0 : _t5;
                                                            				_t7 = CreateFileW(_a4, _a8, 1, 0, _a12,  ==  ? 0 : _t5, 0); // executed
                                                            				return _t7;
                                                            			}






                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesCreate
                                                            • String ID:
                                                            • API String ID: 415043291-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00406B9D(WCHAR* _a4) {
                                                            				signed int _t3;
                                                            				signed int _t8;
                                                            
                                                            				_t3 = GetFileAttributesW(_a4); // executed
                                                            				_t8 = _t3;
                                                            				if(_t8 != 0xffffffff) {
                                                            					SetFileAttributesW(_a4, _t8 & 0xfffffffe);
                                                            				}
                                                            				return _t8;
                                                            			}






                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,00406591,?,?,00000000,004068AE,?,?,?,?), ref: 00406BA2
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406BB9
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E74272D14(intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				void* __ebx;
                                                            				void* _t28;
                                                            				void* _t29;
                                                            				int _t33;
                                                            				void* _t37;
                                                            				void* _t44;
                                                            				void* _t47;
                                                            				signed int _t53;
                                                            				void* _t58;
                                                            				intOrPtr _t64;
                                                            				intOrPtr _t67;
                                                            				signed int _t72;
                                                            				intOrPtr _t74;
                                                            				intOrPtr _t75;
                                                            				signed int _t78;
                                                            				void* _t80;
                                                            				void* _t81;
                                                            				void* _t82;
                                                            				void* _t83;
                                                            				intOrPtr _t86;
                                                            				intOrPtr _t87;
                                                            
                                                            				if( *0x74275024 != 0 && E74271BC1(_a4) == 0) {
                                                            					 *0x74275030 = _t86;
                                                            					if( *0x74275034 != 0) {
                                                            						_t86 =  *0x74275034;
                                                            					} else {
                                                            						E74273250(E74271C43());
                                                            						 *0x74275034 = _t86;
                                                            					}
                                                            				}
                                                            				_t28 = E74271C49(_a4);
                                                            				_t87 = _t86 + 4;
                                                            				if(_t28 <= 0) {
                                                            					L9:
                                                            					_t29 = E74271BBB();
                                                            					_t67 = _a4;
                                                            					_t74 =  *0x74275028;
                                                            					 *((intOrPtr*)(_t29 + _t67)) = _t74;
                                                            					 *0x74275028 = _t67;
                                                            					E74271C5A();
                                                            					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
                                                            					 *0x74275000 = _t33;
                                                            					 *0x74275004 = _t74;
                                                            					if( *0x74275024 != 0 && E74271BC1( *0x74275028) == 0) {
                                                            						 *0x74275034 = _t87;
                                                            						_t87 =  *0x74275030;
                                                            					}
                                                            					_t75 =  *0x74275028;
                                                            					_a4 = _t75;
                                                            					 *0x74275028 =  *((intOrPtr*)(E74271BBB() + _t75));
                                                            					_t37 = E74271BAD(_t75);
                                                            					_pop(_t76);
                                                            					if(_t37 != 0) {
                                                            						_t37 = E74271C49(_t76);
                                                            						if(_t37 > 0) {
                                                            							_push(_t37);
                                                            							_push(E74271C54() + _a4 + _v8);
                                                            							_push(E74271C64());
                                                            							if( *0x74275024 <= 0 || E74271BC1(_a4) != 0) {
                                                            								_pop(_t81);
                                                            								_pop(_t44);
                                                            								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
                                                            								}
                                                            								_pop(_t76);
                                                            								_t37 = _t44 + _v8;
                                                            								asm("loop 0xfffffff5");
                                                            							} else {
                                                            								_pop(_t82);
                                                            								_pop(_t47);
                                                            								_t78 =  *(_t47 + _t82);
                                                            								_t64 =  *0x74275034;
                                                            								_t76 = _t64 + _t78 * 4;
                                                            								 *0x74275034 = _t64 + _t78 * 4;
                                                            								_t37 = _t47 + _v8;
                                                            								asm("loop 0xffffffeb");
                                                            							}
                                                            						}
                                                            					}
                                                            					if( *0x74275028 == 0) {
                                                            						 *0x74275034 = 0;
                                                            					}
                                                            					_push( *0x74275004);
                                                            					E74272CBF(_t37, _t64, _t76, _a4,  *0x74275000);
                                                            					return _a4;
                                                            				}
                                                            				_push(E74271C54() + _a4);
                                                            				_t53 = E74271C60();
                                                            				_v8 = _t53;
                                                            				_t72 = _t28;
                                                            				_push(_t65 + _t53 * _t72);
                                                            				_t64 = E74271CC3();
                                                            				_t80 = E74271CBF();
                                                            				_t83 = E74271C64();
                                                            				_t58 = _t72;
                                                            				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
                                                            					_push( *((intOrPtr*)(_t58 + _t64)));
                                                            				}
                                                            				_push( *((intOrPtr*)(_t58 + _t80)));
                                                            				asm("loop 0xfffffff1");
                                                            				goto L9;
                                                            			}


























                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: b5b8065eefd5ed2ec6bebc65388df5b6bac367014bc05f09734aa36079a695d4
                                                            • Instruction ID: 1dd0e3bf5c81c38ebfb262a35c2fd1ce7dcb3462b72cd383843aca0ee74b0563
                                                            • Opcode Fuzzy Hash: b5b8065eefd5ed2ec6bebc65388df5b6bac367014bc05f09734aa36079a695d4
                                                            • Instruction Fuzzy Hash: D341E472B102059FEB039FA9D989BA97BB5EF88314F31402DE704CB750D63496B1DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004025AC(void* _a4, WCHAR* _a16, short _a68, intOrPtr _a80) {
                                                            				WCHAR* _t5;
                                                            				WCHAR* _t6;
                                                            				WCHAR* _t7;
                                                            				void* _t10;
                                                            				WCHAR* _t14;
                                                            				void* _t16;
                                                            				WCHAR* _t21;
                                                            
                                                            				_a80 = 0xa;
                                                            				_t14 = 1;
                                                            				_t5 = E0040303E(_t16, 1);
                                                            				_t6 = E0040303E(_t16, 0x12);
                                                            				_t7 = E0040303E(_t16, 0xffffffdd);
                                                            				_t21 = _a16;
                                                            				GetPrivateProfileStringW(_t5, _t6,  &_a68, _t21, 0x3ff, _t7); // executed
                                                            				_t10 = 0xa;
                                                            				if( *_t21 != _t10) {
                                                            					_t14 = _a16;
                                                            				} else {
                                                            					 *_t21 = 0;
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + _t14;
                                                            				return 0;
                                                            			}











                                                            APIs
                                                            • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,000003FF,00000000), ref: 004025E1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileString
                                                            • String ID:
                                                            • API String ID: 1096422788-0
                                                            • Opcode ID: e8e1ac1a0b4b7baf2cbfffd2cb35931e42492f711062094e30c6c1d024b2ac51
                                                            • Instruction ID: ca7729e569941477bac25a737720eb0af98943c80a75a6d3102d76ed2cf5914b
                                                            • Opcode Fuzzy Hash: e8e1ac1a0b4b7baf2cbfffd2cb35931e42492f711062094e30c6c1d024b2ac51
                                                            • Instruction Fuzzy Hash: 00F0B4326443446BD310EFA1DC84A6AB39CFB84365F104A3BFA15DB1C1E7B899058366
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00402566(void* __ecx, WCHAR* __ebp, void* _a12, intOrPtr _a40, intOrPtr _a56) {
                                                            				int _t4;
                                                            				intOrPtr _t9;
                                                            				void* _t13;
                                                            				WCHAR* _t14;
                                                            				WCHAR* _t16;
                                                            				WCHAR* _t18;
                                                            				void* _t20;
                                                            
                                                            				_t18 = __ebp;
                                                            				_t16 = __ebp;
                                                            				_t14 = __ebp;
                                                            				if(__ecx != 0) {
                                                            					__ebp = E0040303E(__edx, __ebp);
                                                            				}
                                                            				if(_t4 != 0) {
                                                            					_t16 = E0040303E(_t13, 0x11);
                                                            				}
                                                            				if(_a56 != _t14) {
                                                            					_t14 = E0040303E(_t13, 0x22);
                                                            				}
                                                            				_t4 = WritePrivateProfileStringW(_t18, _t16, _t14, E0040303E(_t13, 0xffffffcd)); // executed
                                                            				if(_t4 != 0) {
                                                            					_t9 =  *((intOrPtr*)(_t20 + 0x10));
                                                            				} else {
                                                            					_t9 = 1;
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + _t9;
                                                            				return 0;
                                                            			}











                                                            APIs
                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 004025A1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfileStringWrite
                                                            • String ID:
                                                            • API String ID: 390214022-0
                                                            • Opcode ID: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
                                                            • Instruction ID: f65784f0cf837312192d28317bace7b0ee78b13f5a7e28397f60b6fd89985110
                                                            • Opcode Fuzzy Hash: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
                                                            • Instruction Fuzzy Hash: 90E09A32505254BAD6703A738C09B2B299C5B407A2B64023FB806B22CAE9F98E01812D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 47%
                                                            			E00402AF5(void* __eflags, intOrPtr _a16, intOrPtr _a40, long _a52) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				LONG* __ebp;
                                                            				intOrPtr _t6;
                                                            
                                                            				asm("das");
                                                            				if(__eflags != 0) {
                                                            					__eax = E00403002(2);
                                                            					__eax = E00406C25(__edi);
                                                            					__eax = SetFilePointer(__eax, __eax, __ebp, _a52); // executed
                                                            					__eflags = _a40 - __ebp;
                                                            					if(_a40 >= __ebp) {
                                                            						_push(__eax);
                                                            						E0040661F();
                                                            					}
                                                            				}
                                                            				_t6 = _a16;
                                                            				 *0x435ac8 =  *0x435ac8 + _t6;
                                                            				return 0;
                                                            			}








                                                            APIs
                                                            • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402B11
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 7f3c9236b8feace5d63155e2ab4110c41a4624875c48bb8d285f5a6b1831d61d
                                                            • Instruction ID: 511448bb44b16b4c3bf5c6e9e6dce24c9e36f35aa22cbfff603521d9bfcae4f3
                                                            • Opcode Fuzzy Hash: 7f3c9236b8feace5d63155e2ab4110c41a4624875c48bb8d285f5a6b1831d61d
                                                            • Instruction Fuzzy Hash: 91E0DF722452007FE300AB11ED8AC3FB71CEB80319F04083FF904E40C1C23E2800866A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00406948(void* __ecx, void* _a4, void* _a8, long _a12) {
                                                            				long _v8;
                                                            				int _t7;
                                                            				long _t11;
                                                            				struct _OVERLAPPED* _t14;
                                                            
                                                            				_t11 = _a12;
                                                            				_t14 = 0;
                                                            				_t7 = ReadFile(_a4, _a8, _t11,  &_v8, 0); // executed
                                                            				if(_t7 != 0 && _t11 == _v8) {
                                                            					_t14 = 1;
                                                            				}
                                                            				return _t14;
                                                            			}








                                                            APIs
                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,00000004,00000004,00000000,00000000,00000000,00000000), ref: 0040695F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
                                                            • Instruction ID: 496ccccc8c492c243bc388fe3eb656b5cfb520ee4410d2fb8332981663b8a2fe
                                                            • Opcode Fuzzy Hash: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
                                                            • Instruction Fuzzy Hash: 38E04672200229BBCF209B9ADC08D9FBFADEE957A07024026B805A3110D270EE21C6E4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00406A0B(void* __ecx, void* _a4, void* _a8, long _a12) {
                                                            				long _v8;
                                                            				int _t7;
                                                            				long _t11;
                                                            				struct _OVERLAPPED* _t14;
                                                            
                                                            				_t11 = _a12;
                                                            				_t14 = 0;
                                                            				_t7 = WriteFile(_a4, _a8, _t11,  &_v8, 0); // executed
                                                            				if(_t7 != 0 && _t11 == _v8) {
                                                            					_t14 = 1;
                                                            				}
                                                            				return _t14;
                                                            			}








                                                            APIs
                                                            • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,0041F538,00403348,?,0041F538,?,0041F538,?,00000004), ref: 00406A22
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
                                                            • Instruction ID: 40df579de253d7cbce13811cecf730e98513d225cd3d08ff0a4c9fddec416105
                                                            • Opcode Fuzzy Hash: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
                                                            • Instruction Fuzzy Hash: F9E0BF32600129BBCF205B5ADC04E9FFF6DEE926A07114026F905A2150E670EE11DAE4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004062A5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                            				void* _t7;
                                                            				long _t8;
                                                            				void* _t9;
                                                            
                                                            				_t7 = E00406120(_a4,  &_a12);
                                                            				if(_t7 != 0) {
                                                            					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                                            					return _t8;
                                                            				}
                                                            				_t9 = 6;
                                                            				return _t9;
                                                            			}







                                                            APIs
                                                            • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062CE
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
                                                            • Instruction ID: 8015555a5faba5d47a7295c794b4dc45a0f837954a803b2f281cb622c6ff763f
                                                            • Opcode Fuzzy Hash: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
                                                            • Instruction Fuzzy Hash: 38E0B6B201020ABEEF096F90DC0ADBB7A5DEB08310F00492EFA0694091E6B5AD30A634
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                            
                                                            				 *0x74275014 = _a4;
                                                            				if(_a8 == 1) {
                                                            					VirtualProtect(0x7427501c, 4, 0x40, 0x74275034); // executed
                                                            					 *0x7427501c = 0xc2;
                                                            					 *0x74275034 = 0;
                                                            					 *0x74275030 = 0;
                                                            					 *0x7427502c = 0;
                                                            					 *0x74275028 = 0;
                                                            					 *0x74275024 = 0;
                                                            					 *0x74275020 = 0;
                                                            					 *0x7427501e = 0;
                                                            				}
                                                            				return 1;
                                                            			}




                                                            APIs
                                                            • VirtualProtect.KERNELBASE(7427501C,00000004,00000040,74275034), ref: 74271A68
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: bc440c8ea34ca5e9518efdb2feef396271c8f10bb89a5a649f62074f8cb9470f
                                                            • Instruction ID: c12e208a489644f0f6a55dab609ac1d9032964fe3b4a68e9ab4e17685869bb21
                                                            • Opcode Fuzzy Hash: bc440c8ea34ca5e9518efdb2feef396271c8f10bb89a5a649f62074f8cb9470f
                                                            • Instruction Fuzzy Hash: E3F09872F79340DBC31A8F1E944C79ABAA0F71C344B22452EF749DAB40C33041A0BB9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004062D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                            				void* _t7;
                                                            				long _t8;
                                                            				void* _t9;
                                                            
                                                            				_t7 = E00406120(_a4,  &_a12);
                                                            				if(_t7 != 0) {
                                                            					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
                                                            					return _t8;
                                                            				}
                                                            				_t9 = 6;
                                                            				return _t9;
                                                            			}







                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,00000000,00000800,?,?,004069A5,00000800,?,?,?,Call,00000000,00000000), ref: 004062FC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
                                                            • Instruction ID: 212ff8f8ceecf1c7f7b975949926931c9c9ff354a47ded1b1035142b567bad43
                                                            • Opcode Fuzzy Hash: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
                                                            • Instruction Fuzzy Hash: 81D0123204020EBBDF116F909D05FAB3B2DAB08340F004436FE06A4091D775D930A758
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: EnumWindows
                                                            • String ID:
                                                            • API String ID: 1129996299-0
                                                            • Opcode ID: 1039426f4a7d1a05a2358fcc0f7506d431781390f0b349d4848e5949c03499ca
                                                            • Instruction ID: 7c79e6d806371f186947eb5ebbd271867a357056bd9d45c057d0da6419e3e171
                                                            • Opcode Fuzzy Hash: 1039426f4a7d1a05a2358fcc0f7506d431781390f0b349d4848e5949c03499ca
                                                            • Instruction Fuzzy Hash: 8AD012F06941DD8AC72E8F15DC549BE6E159BC3140F000A3C5926CBFC2CB305705D560
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004054E8(int _a4) {
                                                            				struct HWND__* _t2;
                                                            				long _t3;
                                                            
                                                            				_t2 =  *0x4349dc;
                                                            				if(_t2 != 0) {
                                                            					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
                                                            					return _t3;
                                                            				}
                                                            				return _t2;
                                                            			}






                                                            APIs
                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
                                                            • Instruction ID: f4f70a023dfa60edfff8c312ec9360925e699ce3f775cceab6ab340ddbd6ed3a
                                                            • Opcode Fuzzy Hash: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
                                                            • Instruction Fuzzy Hash: BFC04C716402407ADA109B619D09F477755AB90700F5094257200E51E4D674F410CA1C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00405503(int _a4) {
                                                            				long _t2;
                                                            
                                                            				_t2 = SendMessageW( *0x4349f8, 0x28, _a4, 1); // executed
                                                            				return _t2;
                                                            			}




                                                            0x00405511
                                                            0x00405517

                                                            APIs
                                                            • SendMessageW.USER32(00000028,?,00000001,00405338), ref: 00405511
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00403131(long _a4) {
                                                            				long _t2;
                                                            
                                                            				_t2 = SetFilePointer( *0x40b010, _a4, 0, 0); // executed
                                                            				return _t2;
                                                            			}




                                                            0x0040313f
                                                            0x00403145

                                                            APIs
                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E0040211B(void* _a24, void* _a32) {
                                                            				void* _v0;
                                                            				void* _v4;
                                                            				void* __ebp;
                                                            				void* _t9;
                                                            				void* _t15;
                                                            				void* _t20;
                                                            
                                                            				_t17 = E0040303E(_t15, _t20);
                                                            				E00405D3A(0xffffffeb, _t7);
                                                            				_t9 = E004066D6(_t17); // executed
                                                            				if(_t9 != 0) {
                                                            					if( *((intOrPtr*)(__esp + 0x30)) != __ebp) {
                                                            						__eax = E00406514(__ecx, __esi);
                                                            						if( *((intOrPtr*)(__esp + 0x2c)) < __ebp) {
                                                            							0 = 1;
                                                            							 *((intOrPtr*)(__esp + 0x10)) = __ebx;
                                                            						} else {
                                                            							__eax = E0040661F( *((intOrPtr*)(__esp + 0x18)), __eax);
                                                            						}
                                                            					}
                                                            					_push(__esi);
                                                            					__eax = CloseHandle();
                                                            					__ebx =  *((intOrPtr*)(__esp + 0x10));
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + 1;
                                                            				return 0;
                                                            			}










                                                            APIs
                                                              • Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
                                                              • Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
                                                              • Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?), ref: 00405D99
                                                              • Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll), ref: 00405DB1
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00
                                                              • Part of subcall function 004066D6: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FD78,?), ref: 004066FF
                                                              • Part of subcall function 004066D6: CloseHandle.KERNEL32(?), ref: 0040670C
                                                            • CloseHandle.KERNEL32(?,?), ref: 00402110
                                                              • Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
                                                              • Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548
                                                              • Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                            • String ID:
                                                            • API String ID: 2972824698-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E742712F8() {
                                                            				void* _t3;
                                                            
                                                            				_t3 = GlobalAlloc(0x40,  *0x74275040 +  *0x74275040); // executed
                                                            				return _t3;
                                                            			}




                                                            0x74271302
                                                            0x74271308

                                                            APIs
                                                            • GlobalAlloc.KERNELBASE(00000040,?,742711C4,-000000A0), ref: 74271302
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: AllocGlobal
                                                            • String ID:
                                                            • API String ID: 3761449716-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E0040441E(struct HWND__* _a4, signed int _a8, long _a12, signed int _a16) {
                                                            				struct HWND__* _v0;
                                                            				signed int* _v40;
                                                            				void* _v44;
                                                            				signed int _v48;
                                                            				long _v52;
                                                            				void* _v56;
                                                            				signed int _v60;
                                                            				int _v64;
                                                            				struct HWND__* _v68;
                                                            				struct HWND__* _v72;
                                                            				void* _v76;
                                                            				struct HWND__* _v80;
                                                            				void* _v84;
                                                            				struct HWND__* _v88;
                                                            				intOrPtr _v96;
                                                            				void* _v100;
                                                            				void* _v104;
                                                            				struct HWND__* _v108;
                                                            				signed int _t158;
                                                            				signed int _t159;
                                                            				int _t160;
                                                            				void* _t167;
                                                            				void* _t170;
                                                            				long _t175;
                                                            				void* _t198;
                                                            				void* _t199;
                                                            				int _t209;
                                                            				intOrPtr _t214;
                                                            				signed int _t215;
                                                            				signed int _t216;
                                                            				void* _t235;
                                                            				void* _t238;
                                                            				intOrPtr _t245;
                                                            				intOrPtr _t253;
                                                            				long _t257;
                                                            				void* _t263;
                                                            				signed int _t275;
                                                            				signed int _t276;
                                                            				signed int _t277;
                                                            				signed int _t278;
                                                            				long _t279;
                                                            				long _t280;
                                                            				int _t282;
                                                            				signed int _t283;
                                                            				signed int _t285;
                                                            				signed int _t288;
                                                            				int _t293;
                                                            				signed int _t296;
                                                            				void* _t301;
                                                            				int _t302;
                                                            				void* _t303;
                                                            				void* _t306;
                                                            				signed int _t307;
                                                            				long _t311;
                                                            				struct HWND__* _t312;
                                                            				signed int _t313;
                                                            				signed int _t314;
                                                            				signed int _t315;
                                                            				signed int _t316;
                                                            				signed int _t319;
                                                            				signed int _t320;
                                                            				struct HWND__* _t321;
                                                            				int _t326;
                                                            				struct HWND__* _t327;
                                                            				intOrPtr* _t329;
                                                            				struct HWND__* _t330;
                                                            				signed int _t333;
                                                            				int _t334;
                                                            				int _t336;
                                                            				long _t337;
                                                            				intOrPtr _t338;
                                                            				signed int* _t340;
                                                            				struct HWND__* _t342;
                                                            				long _t343;
                                                            				void* _t344;
                                                            				long _t345;
                                                            				signed int _t346;
                                                            				struct HWND__* _t347;
                                                            				int _t348;
                                                            				int _t349;
                                                            				void* _t350;
                                                            				struct HWND__* _t352;
                                                            				struct HWND__* _t354;
                                                            				struct HWND__** _t355;
                                                            
                                                            				_t355 =  &_v80;
                                                            				_t330 = _a4;
                                                            				_v68 = GetDlgItem(_t330, 0x3f9);
                                                            				_t347 = GetDlgItem(_t330, 0x408);
                                                            				_v72 =  *0x435a28;
                                                            				_v64 =  *0x435a10;
                                                            				_v80 = _t347;
                                                            				if(_a8 != 0x110) {
                                                            					L24:
                                                            					_t282 =  !=  ? _a8 : 0x40f;
                                                            					_v60 = 0x40f;
                                                            					_t158 =  !=  ? _a12 : 0;
                                                            					_a12 = _t158;
                                                            					_t333 =  !=  ? _a16 : 1;
                                                            					if(0x40f == 0x4e) {
                                                            						L26:
                                                            						if(_t282 == 0x413) {
                                                            							L28:
                                                            							_t320 = _t333;
                                                            							_t275 = _t158;
                                                            							_t348 = _t282;
                                                            							if(( *0x435a0c & 0x00000200) == 0 && (_t282 == 0x413 ||  *((intOrPtr*)(_t333 + 8)) == 0xfffffffe)) {
                                                            								_t313 = E004056DA(_v80, 0 | _t282 != 0x413);
                                                            								_t320 = _t333;
                                                            								_a8 = _t313;
                                                            								_t275 = _a4;
                                                            								_t348 = _v68;
                                                            								if(_t313 >= 0) {
                                                            									_t314 = _t313 * 0x818;
                                                            									_a8 = _t314;
                                                            									_t315 =  *(_t314 + _v72 + 8);
                                                            									_t320 = _t333;
                                                            									if((_t315 & 0x00000010) == 0) {
                                                            										if((_t315 & 0x00000040) == 0) {
                                                            											_t316 = _t315 ^ 1;
                                                            										} else {
                                                            											_t316 =  ==  ? (_t315 ^ 0x00000080) & 0xfffffffe : _t315 ^ 0x00000080 | 0x00000001;
                                                            										}
                                                            										_t278 = _a16;
                                                            										 *(_a8 + _v72 + 8) = _t316;
                                                            										E00401221(_t278);
                                                            										_t275 = _t278 + 1;
                                                            										_t320 =  !( *0x435a0c >> 8) & 1;
                                                            										_t348 = 0x40f;
                                                            									}
                                                            								}
                                                            							}
                                                            							if(_t333 != 0) {
                                                            								_t214 =  *((intOrPtr*)(_t333 + 8));
                                                            								if(_t214 == 0xfffffe3d) {
                                                            									SendMessageW(_v80, 0x419, 0,  *(_t333 + 0x5c));
                                                            									_t214 =  *((intOrPtr*)(_t333 + 8));
                                                            								}
                                                            								if(_t214 == 0xfffffe39) {
                                                            									_t296 =  *(_t333 + 0x5c) * 0x818;
                                                            									_t312 = _v72;
                                                            									_t215 =  *(_t296 + _t312 + 8);
                                                            									if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
                                                            										_t216 = _t215 & 0xffffffdf;
                                                            									} else {
                                                            										_t216 = _t215 | 0x00000020;
                                                            									}
                                                            									 *(_t296 + _t312 + 8) = _t216;
                                                            								}
                                                            							}
                                                            							L45:
                                                            							_t159 = _t275;
                                                            							_t283 = _t320;
                                                            							_a16 = _t159;
                                                            							_t334 = _t348;
                                                            							_a8 = _t283;
                                                            							_t306 = 8;
                                                            							if(_t348 != 0x111) {
                                                            								_t320 = _t283;
                                                            								_t275 = _t159;
                                                            								_t349 = _t334;
                                                            								if(_t334 != 0x200) {
                                                            									_t160 = _t349;
                                                            									if(_t349 != 0x40b) {
                                                            										_a8 = _t320;
                                                            										_t349 = _t160;
                                                            										_v60 = _t275;
                                                            										_a16 = _t349;
                                                            										if(_t160 != 0x40f) {
                                                            											L88:
                                                            											if(_t349 == 0x420 && ( *0x435a0c & 0x00000100) != 0) {
                                                            												_t336 =  ==  ? _t306 : 0;
                                                            												ShowWindow(_v80, _t336);
                                                            												ShowWindow(GetDlgItem(_a4, 0x3fe), _t336);
                                                            											}
                                                            											L91:
                                                            											return E0040575B(_t349, _t275, _t320);
                                                            										}
                                                            										_t337 = 0;
                                                            										L63:
                                                            										E004012DD(_t337, _t337);
                                                            										if(_t275 != 0) {
                                                            											_t196 =  ==  ? _t275 : _t275 - 1;
                                                            											_push( ==  ? _t275 : _t275 - 1);
                                                            											_push(8);
                                                            											E004054B6();
                                                            										}
                                                            										if(_t320 == 0) {
                                                            											L71:
                                                            											E004012DD(_t337, _t337);
                                                            											_t285 =  *0x435a2c;
                                                            											_t167 =  *0x42ed6c; // 0x0
                                                            											_a4 = _t337;
                                                            											_t338 =  *0x435a28;
                                                            											_v52 = 0xf030;
                                                            											if(_t285 <= 0) {
                                                            												L83:
                                                            												if( *0x435afe == 0x400) {
                                                            													InvalidateRect(_v80, 0, 1);
                                                            												}
                                                            												if( *((intOrPtr*)( *0x4349e0 + 0x10)) != 0) {
                                                            													_t170 = E00405835(5);
                                                            													_push(0);
                                                            													E00405560(_t285, 0x3ff, 0xfffffffb, _t170);
                                                            												}
                                                            												_t306 = 8;
                                                            												goto L88;
                                                            											}
                                                            											_t276 = _a12;
                                                            											_t340 = _t338 + 8;
                                                            											_t321 = _v80;
                                                            											_t350 = _t167;
                                                            											do {
                                                            												_t175 =  *((intOrPtr*)(_t350 + _t276 * 4));
                                                            												_a12 = _t175;
                                                            												if(_t175 != 0) {
                                                            													_t307 =  *_t340;
                                                            													_v52 = _t175;
                                                            													_v56 = 8;
                                                            													if((_t307 & 0x00000100) != 0) {
                                                            														_v56 = 9;
                                                            														_v40 =  &(_t340[4]);
                                                            														 *_t340 =  *_t340 & 0xfffffeff;
                                                            														_a12 = _v52;
                                                            													}
                                                            													if((_t307 & 0x00000040) == 0) {
                                                            														_t288 = (_t307 & 1) + 1;
                                                            														if((_t307 & 0x00000010) != 0) {
                                                            															_t288 = _t288 + 3;
                                                            														}
                                                            													} else {
                                                            														_t288 = 3;
                                                            													}
                                                            													_v48 = (_t288 << 0x0000000b | _t307 & 0x00000008) + (_t288 << 0x0000000b | _t307 & 0x00000008) | _t307 & 0x00000020;
                                                            													SendMessageW(_t321, 0x1102, (_t307 >> 0x00000005 & 1) + 1, _a12);
                                                            													SendMessageW(_t321, 0x113f, 0,  &_v56);
                                                            													_t285 =  *0x435a2c;
                                                            												}
                                                            												_t276 = _t276 + 1;
                                                            												_t340 =  &(_t340[0x206]);
                                                            											} while (_t276 < _t285);
                                                            											_t320 = _a8;
                                                            											_t275 = _v60;
                                                            											_t349 = _a16;
                                                            											goto L83;
                                                            										} else {
                                                            											_t320 = E004011A0( *0x42ed6c);
                                                            											_a4 = _t320;
                                                            											E00401290(_t320);
                                                            											_t293 = _t337;
                                                            											_t311 = _t337;
                                                            											if(_t320 <= 0) {
                                                            												L70:
                                                            												SendMessageW(_v68, 0x14e, _t293, _t337);
                                                            												_t349 = 0x420;
                                                            												_a16 = 0x420;
                                                            												goto L71;
                                                            											}
                                                            											do {
                                                            												_t116 = _t293 + 1; // 0x1
                                                            												_t194 =  ==  ? _t293 : _t116;
                                                            												_t311 = _t311 + 1;
                                                            												_t293 =  ==  ? _t293 : _t116;
                                                            											} while (_t311 < _t320);
                                                            											_t337 = 0;
                                                            											goto L70;
                                                            										}
                                                            									}
                                                            									_t198 =  *0x42ed70; // 0x0
                                                            									if(_t198 != 0) {
                                                            										ImageList_Destroy(_t198);
                                                            									}
                                                            									_t199 =  *0x42ed6c; // 0x0
                                                            									if(_t199 != 0) {
                                                            										GlobalFree(_t199);
                                                            									}
                                                            									 *0x42ed70 = 0;
                                                            									 *0x42ed6c = 0;
                                                            									 *0x435ab8 = 0;
                                                            									goto L91;
                                                            								}
                                                            								SendMessageW(_v80, 0x200, 0, 0);
                                                            								_t320 = _a8;
                                                            								_t275 = _a16;
                                                            								goto L91;
                                                            							}
                                                            							if(_t275 != 0x3f9 || _t275 >> 0x10 != 1) {
                                                            								goto L91;
                                                            							} else {
                                                            								_t342 = _v68;
                                                            								_t209 = SendMessageW(_t342, 0x147, 0, 0);
                                                            								if(_t209 == 0xffffffff) {
                                                            									goto L91;
                                                            								}
                                                            								_t277 = SendMessageW;
                                                            								_t343 = SendMessageW(_t342, 0x150, _t209, 0);
                                                            								if(_t343 == 0xffffffff ||  *((intOrPtr*)(_v64 + 0x94 + _t343 * 4)) == 0) {
                                                            									_t343 = 0x20;
                                                            								}
                                                            								E00401290(_t343);
                                                            								_t337 = 0;
                                                            								SendMessageW(_v0, 0x420, 0, _t343);
                                                            								_t275 = _t277 | 0xffffffff;
                                                            								_a4 = 0;
                                                            								_t349 = 0x40f;
                                                            								_v64 = _t275;
                                                            								_t320 = 0;
                                                            								_a12 = 0x40f;
                                                            								goto L63;
                                                            							}
                                                            						}
                                                            						_t320 = _t333;
                                                            						_t275 = _t158;
                                                            						_t348 = _t282;
                                                            						if( *((intOrPtr*)(_t333 + 4)) != 0x408) {
                                                            							goto L45;
                                                            						}
                                                            						goto L28;
                                                            					}
                                                            					_t320 = 1;
                                                            					_t275 = _t158;
                                                            					_t348 = 0x40f;
                                                            					if(0x40f != 0x413) {
                                                            						goto L45;
                                                            					}
                                                            					goto L26;
                                                            				} else {
                                                            					_v76 = 0;
                                                            					_t326 = 2;
                                                            					 *0x435ab8 = _t330;
                                                            					 *0x42ed6c = GlobalAlloc(0x40,  *0x435a2c << 2);
                                                            					_t235 = LoadImageW( *0x4349f4, 0x6e, 0, 0, 0, 0);
                                                            					 *0x42ed68 =  *0x42ed68 | 0xffffffff;
                                                            					_t344 = _t235;
                                                            					 *0x42dd64 = SetWindowLongW(_t347, 0xfffffffc, E004058D0);
                                                            					_t238 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                            					 *0x42ed70 = _t238;
                                                            					ImageList_AddMasked(_t238, _t344, 0xff00ff);
                                                            					SendMessageW(_t347, 0x1109, _t326,  *0x42ed70);
                                                            					if(SendMessageW(_t347, 0x111c, 0, 0) < 0x10) {
                                                            						SendMessageW(_t347, 0x111b, 0x10, 0);
                                                            					}
                                                            					DeleteObject(_t344);
                                                            					_t352 = _v72;
                                                            					_t301 = 0;
                                                            					_t345 = 0;
                                                            					do {
                                                            						_t245 =  *((intOrPtr*)(_v68 + 0x94 + _t345 * 4));
                                                            						if(_t245 != 0) {
                                                            							_push(_t245);
                                                            							_push(_t301);
                                                            							SendMessageW(_t352, 0x151, SendMessageW(_t352, 0x143, 0, E00405EBA()), _t345);
                                                            							_t270 =  ==  ? _t326 : 0;
                                                            							_t301 = 0;
                                                            							_t326 =  ==  ? _t326 : 0;
                                                            						}
                                                            						_t345 = _t345 + 1;
                                                            					} while (_t345 < 0x21);
                                                            					_t279 = _a12;
                                                            					_v64 = _t326;
                                                            					_push( *((intOrPtr*)(_t279 + 0x30 + _t326 * 4)));
                                                            					_push(0x15);
                                                            					E0040551A(_v0);
                                                            					_push( *((intOrPtr*)(_t279 + 0x34 + _t326 * 4)));
                                                            					_push(0x16);
                                                            					E0040551A(_v0);
                                                            					_t354 = _v108;
                                                            					_t302 = 0;
                                                            					_t280 = 0;
                                                            					_t346 = 0;
                                                            					if( *0x435a2c <= 0) {
                                                            						L19:
                                                            						SetWindowLongW(_t354, 0xfffffff0, GetWindowLongW(_t354, 0xfffffff0) & 0xfffffffb);
                                                            						goto L20;
                                                            					} else {
                                                            						_t329 = _t355[6] + 0x18;
                                                            						do {
                                                            							if( *_t329 == _t302) {
                                                            								L16:
                                                            								_t253 = _v96;
                                                            								goto L17;
                                                            							}
                                                            							_t319 = 0x20;
                                                            							_v76 = _t280;
                                                            							_v72 = 0xffff0002;
                                                            							_v68 = 0xd;
                                                            							_v56 = _t319;
                                                            							_t355[0x15] = _t346;
                                                            							_v52 = _t329;
                                                            							_v60 =  *(_t329 - 0x10) & _t319;
                                                            							if(( *(_t329 - 0x10) & 0x00000002) == 0) {
                                                            								if(( *(_t329 - 0x10) & 0x00000004) == 0) {
                                                            									_t257 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
                                                            									_t303 =  *0x42ed6c; // 0x0
                                                            									 *(_t303 + _t346 * 4) = _t257;
                                                            								} else {
                                                            									_t280 = SendMessageW(_t354, 0x110a, 3, _t280);
                                                            								}
                                                            								_t302 = 0;
                                                            								goto L16;
                                                            							}
                                                            							_v68 = 0x4d;
                                                            							_t355[0x14] = 1;
                                                            							_t280 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
                                                            							_t263 =  *0x42ed6c; // 0x0
                                                            							 *(_t263 + _t346 * 4) = _t280;
                                                            							_t253 = 1;
                                                            							_t302 = 0;
                                                            							_v96 = 1;
                                                            							L17:
                                                            							_t346 = _t346 + 1;
                                                            							_t329 = _t329 + 0x818;
                                                            						} while (_t346 <  *0x435a2c);
                                                            						if(_t253 != 0) {
                                                            							L20:
                                                            							if(_v80 != 0) {
                                                            								_push(_t354);
                                                            							} else {
                                                            								_t327 = _v88;
                                                            								ShowWindow(_t327, 5);
                                                            								_push(_t327);
                                                            							}
                                                            							E00405503();
                                                            							goto L24;
                                                            						}
                                                            						goto L19;
                                                            					}
                                                            				}
                                                            			}

                                                            0x00404a05
                                                            0x00404a0d
                                                            0x00404a11
                                                            0x00404a1b
                                                            0x00404a1b
                                                            0x00404a22
                                                            0x00404a30
                                                            0x00404a34
                                                            0x00404a36
                                                            0x00404a36
                                                            0x00404a24
                                                            0x00404a26
                                                            0x00404a26
                                                            0x00404a56
                                                            0x00404a64
                                                            0x00404a78
                                                            0x00404a7e
                                                            0x00404a7e
                                                            0x00404a84
                                                            0x00404a85
                                                            0x00404a8b
                                                            0x00404a93
                                                            0x00404a97
                                                            0x00404a9b
                                                            0x00000000
                                                            0x0040494f
                                                            0x0040495a
                                                            0x0040495d
                                                            0x00404961
                                                            0x00404966
                                                            0x00404968
                                                            0x0040496c
                                                            0x00404989
                                                            0x00404994
                                                            0x0040499a
                                                            0x0040499f
                                                            0x00000000
                                                            0x0040499f
                                                            0x00404972
                                                            0x0040497a
                                                            0x0040497d
                                                            0x00404980
                                                            0x00404981
                                                            0x00404983
                                                            0x00404987
                                                            0x00000000
                                                            0x00404987
                                                            0x0040494d
                                                            0x004048de
                                                            0x004048e5
                                                            0x004048e8
                                                            0x004048e8
                                                            0x004048ee
                                                            0x004048f5
                                                            0x004048f8
                                                            0x004048f8
                                                            0x00404900
                                                            0x00404905
                                                            0x0040490a
                                                            0x00000000
                                                            0x0040490a
                                                            0x004048c1
                                                            0x004048c7
                                                            0x004048cb
                                                            0x00000000
                                                            0x004048cb
                                                            0x0040481c
                                                            0x00000000
                                                            0x00404833
                                                            0x00404833
                                                            0x00404841
                                                            0x0040484a
                                                            0x00000000
                                                            0x00000000
                                                            0x00404850
                                                            0x00404862
                                                            0x00404867
                                                            0x00404878
                                                            0x00404878
                                                            0x0040487a
                                                            0x00404880
                                                            0x0040488c
                                                            0x0040488e
                                                            0x00404891
                                                            0x00404895
                                                            0x0040489a
                                                            0x0040489e
                                                            0x004048a0
                                                            0x00000000
                                                            0x004048a0
                                                            0x0040481c
                                                            0x004046e9
                                                            0x004046eb
                                                            0x004046ed
                                                            0x004046ef
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004046ef
                                                            0x004046d0
                                                            0x004046d2
                                                            0x004046d4
                                                            0x004046d8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00404472
                                                            0x00404472
                                                            0x0040447d
                                                            0x00404484
                                                            0x00404490
                                                            0x004044a3
                                                            0x004044a9
                                                            0x004044b0
                                                            0x004044c0
                                                            0x004044d0
                                                            0x004044dd
                                                            0x004044e2
                                                            0x004044f5
                                                            0x00404506
                                                            0x00404513
                                                            0x00404513
                                                            0x00404516
                                                            0x0040451c
                                                            0x00404520
                                                            0x00404522
                                                            0x00404524
                                                            0x00404528
                                                            0x00404531
                                                            0x00404533
                                                            0x00404534
                                                            0x0040454e
                                                            0x00404555
                                                            0x00404558
                                                            0x0040455a
                                                            0x0040455a
                                                            0x0040455c
                                                            0x0040455d
                                                            0x00404562
                                                            0x0040456a
                                                            0x0040456e
                                                            0x00404572
                                                            0x00404575
                                                            0x0040457a
                                                            0x0040457e
                                                            0x00404581
                                                            0x00404586
                                                            0x0040458a
                                                            0x0040458c
                                                            0x0040458e
                                                            0x00404596
                                                            0x00404665
                                                            0x00404675
                                                            0x00000000
                                                            0x0040459c
                                                            0x004045a0
                                                            0x004045a3
                                                            0x004045a6
                                                            0x0040464a
                                                            0x0040464a
                                                            0x00000000
                                                            0x0040464a
                                                            0x004045b1
                                                            0x004045b4
                                                            0x004045bc
                                                            0x004045c4
                                                            0x004045cc
                                                            0x004045d0
                                                            0x004045d4
                                                            0x004045d8
                                                            0x004045dc
                                                            0x00404618
                                                            0x00404639
                                                            0x0040463f
                                                            0x00404645
                                                            0x0040461a
                                                            0x00404629
                                                            0x00404629
                                                            0x00404648
                                                            0x00000000
                                                            0x00404648
                                                            0x004045e0
                                                            0x004045e9
                                                            0x004045ff
                                                            0x00404601
                                                            0x00404606
                                                            0x0040460b
                                                            0x0040460c
                                                            0x0040460e
                                                            0x0040464e
                                                            0x0040464e
                                                            0x0040464f
                                                            0x00404655
                                                            0x00404663
                                                            0x0040467b
                                                            0x00404680
                                                            0x00404692
                                                            0x00404682
                                                            0x00404682
                                                            0x00404689
                                                            0x0040468f
                                                            0x0040468f
                                                            0x00404693
                                                            0x00000000
                                                            0x00404693
                                                            0x00000000
                                                            0x00404663
                                                            0x00404596

                                                            APIs
                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404436
                                                            • GetDlgItem.USER32(?,00000408), ref: 00404442
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 0040448A
                                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004044A3
                                                            • SetWindowLongW.USER32(00000000,000000FC,Function_000058D0), ref: 004044BA
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004044D0
                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004044E2
                                                            • SendMessageW.USER32(00000000,00001109,00000002), ref: 004044F5
                                                            • SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404501
                                                            • SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 00404513
                                                            • DeleteObject.GDI32(00000000), ref: 00404516
                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404544
                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040454E
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 004045F9
                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404623
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404639
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404668
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404675
                                                            • ShowWindow.USER32(?,00000005), ref: 00404689
                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 004047C6
                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404841
                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404860
                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040488C
                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004048C1
                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 004048E8
                                                            • GlobalFree.KERNEL32(00000000), ref: 004048F8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
                                                            • String ID: M
                                                            • API String ID: 1688767230-3664761504
                                                            • Opcode ID: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
                                                            • Instruction ID: 0c70e663620b203d4295ddec51a1238c6828a203a6db769dd6a487d059f7c121
                                                            • Opcode Fuzzy Hash: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
                                                            • Instruction Fuzzy Hash: D812CEB1604301AFD7209F24DC85A6BB7E9EBC8314F104A3EFA95E72E1D7789C018B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 81%
                                                            			E00404085(void* __ebx, void* __ebp, struct HWND__* _a4, unsigned int _a8, unsigned int _a12, intOrPtr _a16) {
                                                            				signed int _v4;
                                                            				WCHAR* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v24;
                                                            				signed int _v28;
                                                            				struct HWND__* _v32;
                                                            				unsigned int _v36;
                                                            				signed int _v40;
                                                            				long _v48;
                                                            				unsigned int _v52;
                                                            				signed int _v56;
                                                            				long _v64;
                                                            				long _v68;
                                                            				long _v72;
                                                            				unsigned int _v92;
                                                            				unsigned int _v96;
                                                            				unsigned int _t59;
                                                            				unsigned int _t61;
                                                            				unsigned int _t63;
                                                            				unsigned int _t65;
                                                            				unsigned int _t70;
                                                            				intOrPtr _t72;
                                                            				signed int _t85;
                                                            				unsigned int _t86;
                                                            				unsigned int _t89;
                                                            				signed int _t90;
                                                            				unsigned int _t92;
                                                            				unsigned int _t95;
                                                            				int _t98;
                                                            				unsigned int _t103;
                                                            				unsigned int _t108;
                                                            				unsigned int _t110;
                                                            				WCHAR* _t116;
                                                            				signed int _t117;
                                                            				unsigned int _t118;
                                                            				unsigned int _t120;
                                                            				short* _t122;
                                                            				struct HWND__* _t123;
                                                            				struct HWND__* _t124;
                                                            				unsigned int _t125;
                                                            				void* _t128;
                                                            				unsigned int _t134;
                                                            				unsigned int _t135;
                                                            				WCHAR* _t138;
                                                            				unsigned int _t139;
                                                            				void* _t140;
                                                            				unsigned int _t141;
                                                            				unsigned int _t142;
                                                            				intOrPtr _t143;
                                                            				unsigned int _t147;
                                                            				struct HWND__* _t149;
                                                            				long* _t150;
                                                            
                                                            				_t150 =  &_v72;
                                                            				_t125 =  *0x42dd4c;
                                                            				_t135 = _a8;
                                                            				_t138 = ( *(_t125 + 0x3c) << 0xb) + 0x436000;
                                                            				_v52 = _t125;
                                                            				if(_t135 != 0x40b) {
                                                            					__eflags = _t135 - 0x110;
                                                            					if(_t135 != 0x110) {
                                                            						__eflags = _t135 - 0x111;
                                                            						if(_t135 != 0x111) {
                                                            							L19:
                                                            							_t59 = _t135;
                                                            							__eflags = _t135 - 0x40f;
                                                            							if(__eflags == 0) {
                                                            								L21:
                                                            								_v56 = 0;
                                                            								E00406A3A(0x3fb, _t138);
                                                            								_t61 = E00406638(__eflags, _t138);
                                                            								_t116 = 0x42e568;
                                                            								_t147 = 1;
                                                            								__eflags = _t61;
                                                            								_t127 =  ==  ? 1 : 0;
                                                            								_v4 =  ==  ? 1 : 0;
                                                            								E00406B1A(0x42e568, _t138);
                                                            								_t63 = E004068E6(1);
                                                            								_v96 = _t63;
                                                            								__eflags = _t63;
                                                            								if(_t63 == 0) {
                                                            									L28:
                                                            									E00406B1A(_t116, _t138);
                                                            									_t65 = E00406BC5(_t116);
                                                            									__eflags = _t65;
                                                            									if(_t65 != 0) {
                                                            										__eflags = 0;
                                                            										 *_t65 = 0;
                                                            									}
                                                            									_t70 = GetDiskFreeSpaceW(_t116,  &_v68,  &_v64,  &_v72,  &_v48);
                                                            									__eflags = _t70;
                                                            									if(_t70 == 0) {
                                                            										_t139 = _v36;
                                                            										_t117 = _v40;
                                                            										_t147 = _v56;
                                                            										goto L35;
                                                            									} else {
                                                            										_t85 = MulDiv(_v68 * _v64, _v72, 0x400);
                                                            										asm("cdq");
                                                            										_t117 = _t85;
                                                            										_t139 = _t134;
                                                            										L33:
                                                            										_v40 = _t117;
                                                            										_v36 = _t139;
                                                            										L35:
                                                            										_t128 = E00405835(5);
                                                            										__eflags = _t147;
                                                            										if(_t147 == 0) {
                                                            											L40:
                                                            											_t118 = _a8;
                                                            											L41:
                                                            											_t72 =  *0x4349e0;
                                                            											__eflags =  *(_t72 + 0x10);
                                                            											if( *(_t72 + 0x10) != 0) {
                                                            												_push(0);
                                                            												E00405560(_t128, 0x3ff, 0xfffffffb, _t128);
                                                            												__eflags = _t147;
                                                            												if(_t147 == 0) {
                                                            													SetDlgItemTextW(_t150[0x19], 0x400, 0x4095b0);
                                                            												} else {
                                                            													_push(_v40);
                                                            													E00405560(_t128, 0x400, 0xfffffffc, _t150[0xd]);
                                                            												}
                                                            											}
                                                            											 *0x435ae4 = _t118;
                                                            											__eflags = _t118;
                                                            											if(_t118 == 0) {
                                                            												_t118 = E00401533(7);
                                                            											}
                                                            											_t140 = 0;
                                                            											__eflags =  *(_v52 + 0x14) & 0x00000400;
                                                            											_t141 =  ==  ? _t118 : _t140;
                                                            											__eflags = _t141;
                                                            											EnableWindow( *0x42dd54, 0 | _t141 == 0x00000000);
                                                            											__eflags = _t141;
                                                            											if(_t141 == 0) {
                                                            												__eflags =  *0x42dd60 - _t141;
                                                            												if( *0x42dd60 == _t141) {
                                                            													E0040553C();
                                                            												}
                                                            											}
                                                            											 *0x42dd60 =  *0x42dd60 & 0x00000000;
                                                            											__eflags =  *0x42dd60;
                                                            											goto L51;
                                                            										}
                                                            										__eflags = _t139;
                                                            										if(__eflags > 0) {
                                                            											goto L40;
                                                            										}
                                                            										if(__eflags < 0) {
                                                            											L39:
                                                            											_t118 = 2;
                                                            											goto L41;
                                                            										}
                                                            										__eflags = _t117 - _t128;
                                                            										if(_t117 >= _t128) {
                                                            											goto L40;
                                                            										}
                                                            										goto L39;
                                                            									}
                                                            								}
                                                            								_t120 = 0;
                                                            								__eflags = 0;
                                                            								while(1) {
                                                            									_t86 =  *_t63(0x42e568,  &_v40,  &_v64,  &_v48);
                                                            									__eflags = _t86;
                                                            									if(_t86 != 0) {
                                                            										break;
                                                            									}
                                                            									__eflags = _t120;
                                                            									if(_t120 != 0) {
                                                            										 *_t120 = _t86;
                                                            									}
                                                            									_t122 = E00406D10(0x42e568);
                                                            									 *_t122 = 0;
                                                            									_t120 = _t122 - 2;
                                                            									_t89 = 0x5c;
                                                            									 *_t120 = _t89;
                                                            									_t63 = _v92;
                                                            									__eflags = _t120 - 0x42e568;
                                                            									if(_t120 != 0x42e568) {
                                                            										continue;
                                                            									} else {
                                                            										_t116 = 0x42e568;
                                                            										goto L28;
                                                            									}
                                                            								}
                                                            								_t142 = _v52;
                                                            								_t117 = (_t142 << 0x00000020 | _v56) >> 0xa;
                                                            								_t139 = _t142 >> 0xa;
                                                            								__eflags = _t139;
                                                            								goto L33;
                                                            							}
                                                            							__eflags = _t59 - 0x405;
                                                            							if(__eflags != 0) {
                                                            								goto L51;
                                                            							}
                                                            							goto L21;
                                                            						}
                                                            						_t134 = _a12;
                                                            						_t90 = _t134 & 0x0000ffff;
                                                            						__eflags = _t90 - 0x3fb;
                                                            						if(_t90 != 0x3fb) {
                                                            							_t134 = 0x3e9;
                                                            							__eflags = _t90 - 0x3e9;
                                                            							if(_t90 != 0x3e9) {
                                                            								goto L19;
                                                            							}
                                                            							_t123 = _a4;
                                                            							_v28 = 0;
                                                            							_v4 = 0;
                                                            							_v32 = _t123;
                                                            							_v24 = 0x42bd48;
                                                            							_v12 = E00404F33;
                                                            							_v8 = _t138;
                                                            							_v28 = E00405EBA();
                                                            							_t92 =  &_v40;
                                                            							_v24 = 0x41;
                                                            							__imp__SHBrowseForFolderW(_t92, 0x42dd68,  *((intOrPtr*)(_t125 + 0x38)));
                                                            							__eflags = _t92;
                                                            							if(__eflags == 0) {
                                                            								L11:
                                                            								_t135 = 0x40f;
                                                            								goto L21;
                                                            							}
                                                            							__imp__CoTaskMemFree(_t92);
                                                            							E00406556(_t138);
                                                            							_t95 =  *( *0x435a10 + 0x11c);
                                                            							__eflags = _t95;
                                                            							if(_t95 != 0) {
                                                            								__eflags = _t138 - L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
                                                            								if(_t138 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane") {
                                                            									_push(_t95);
                                                            									_push(0);
                                                            									E00405EBA();
                                                            									_t98 = lstrcmpiW("Call", "Waywort87 Setup: Installing");
                                                            									__eflags = _t98;
                                                            									if(_t98 != 0) {
                                                            										lstrcatW(_t138, "Call");
                                                            									}
                                                            								}
                                                            							}
                                                            							 *0x42dd60 =  *0x42dd60 + 1;
                                                            							__eflags =  *0x42dd60;
                                                            							SetDlgItemTextW(_t123, 0x3fb, _t138);
                                                            							goto L19;
                                                            						}
                                                            						__eflags = _t134 >> 0x10 - 0x300;
                                                            						if(__eflags != 0) {
                                                            							goto L19;
                                                            						}
                                                            						goto L11;
                                                            					} else {
                                                            						_t124 = _a4;
                                                            						_t149 = GetDlgItem(_t124, 0x3fb);
                                                            						_t103 = E00406E03(_t138);
                                                            						__eflags = _t103;
                                                            						if(_t103 != 0) {
                                                            							_t110 = E00406BC5(_t138);
                                                            							__eflags = _t110;
                                                            							if(_t110 == 0) {
                                                            								E00406556(_t138);
                                                            							}
                                                            						}
                                                            						 *0x4349dc = _t124;
                                                            						SetWindowTextW(_t149, _t138);
                                                            						_t143 = _a16;
                                                            						_push( *((intOrPtr*)(_t143 + 0x34)));
                                                            						_push(1);
                                                            						E0040551A(_t124);
                                                            						_push( *((intOrPtr*)(_t143 + 0x30)));
                                                            						_push(0x14);
                                                            						E0040551A(_t124);
                                                            						E00405503(_t149);
                                                            						_t108 = E004068E6(8);
                                                            						__eflags = _t108;
                                                            						if(_t108 != 0) {
                                                            							 *_t108(_t149, 1);
                                                            						}
                                                            						L51:
                                                            						goto L52;
                                                            					}
                                                            				} else {
                                                            					E00406A3A(0x3fb, _t138);
                                                            					E00406D3D(_t138);
                                                            					L52:
                                                            					return E0040575B(_t135, _a12, _a16);
                                                            				}
                                                            			}


                                                            APIs
                                                            • GetDlgItem.USER32(?,000003FB), ref: 004040D6
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404100
                                                              • Part of subcall function 00406A3A: GetDlgItemTextW.USER32(?,?,00000400,00404F4C), ref: 00406A4D
                                                              • Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DB2
                                                              • Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
                                                              • Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DC6
                                                              • Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DDE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$ItemText$PrevWindow
                                                            • String ID: A$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane$Call$Waywort87 Setup: Installing$hB$hB$hB
                                                            • API String ID: 4089110348-3512462699
                                                            • Opcode ID: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
                                                            • Instruction ID: 78a62133d8830c36d5793369ed94498114b99b2b12e517e73a25645684f3fa2c
                                                            • Opcode Fuzzy Hash: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
                                                            • Instruction Fuzzy Hash: BD91BFB1704311ABD720AF658C81B6B76A8AF94744F41483EFB42B62D1D77CD9018BAE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 83%
                                                            			E74272351() {
                                                            				void _v4;
                                                            				void* _v8;
                                                            				signed short _v12;
                                                            				signed int _v16;
                                                            				WCHAR* _v20;
                                                            				signed int _v24;
                                                            				signed int _v28;
                                                            				signed int _v32;
                                                            				signed int _v36;
                                                            				void* _v40;
                                                            				signed int _v44;
                                                            				signed int _v48;
                                                            				signed int _v52;
                                                            				signed int _v56;
                                                            				void* _v60;
                                                            				short* _t243;
                                                            				signed short* _t245;
                                                            				signed int _t246;
                                                            				signed int _t250;
                                                            				void* _t256;
                                                            				struct HINSTANCE__* _t257;
                                                            				signed int _t258;
                                                            				signed int _t260;
                                                            				void* _t261;
                                                            				signed short _t263;
                                                            				signed int _t267;
                                                            				void* _t268;
                                                            				signed int* _t269;
                                                            				void* _t280;
                                                            				signed int _t281;
                                                            				signed int _t282;
                                                            				signed int _t284;
                                                            				signed int _t287;
                                                            				signed int _t290;
                                                            				void* _t294;
                                                            				signed int _t295;
                                                            				signed short* _t296;
                                                            				void* _t299;
                                                            				signed int _t306;
                                                            				signed int _t307;
                                                            				signed int _t311;
                                                            				signed int _t313;
                                                            				signed int _t314;
                                                            				signed int _t315;
                                                            				short* _t320;
                                                            				signed int _t321;
                                                            				signed short* _t325;
                                                            				signed int _t327;
                                                            				WCHAR* _t328;
                                                            				signed short* _t329;
                                                            				signed int _t341;
                                                            				void* _t343;
                                                            				signed int _t344;
                                                            				signed int _t345;
                                                            				signed int _t346;
                                                            				void* _t349;
                                                            				signed int _t350;
                                                            				signed int _t352;
                                                            				signed int _t354;
                                                            				signed int _t355;
                                                            				void* _t356;
                                                            				void* _t357;
                                                            				void* _t358;
                                                            				void* _t359;
                                                            				signed int _t365;
                                                            				signed int _t370;
                                                            				void* _t371;
                                                            				signed int _t378;
                                                            				signed int _t379;
                                                            				signed int _t380;
                                                            				void* _t381;
                                                            				signed short* _t383;
                                                            				void* _t384;
                                                            				void* _t386;
                                                            				signed short* _t387;
                                                            				short* _t388;
                                                            				WCHAR* _t389;
                                                            				WCHAR* _t390;
                                                            				struct HINSTANCE__* _t391;
                                                            				signed int _t393;
                                                            				signed int _t394;
                                                            				signed short _t395;
                                                            				void _t396;
                                                            				void* _t398;
                                                            				void* _t403;
                                                            				signed int _t405;
                                                            				signed int _t407;
                                                            				signed int _t409;
                                                            
                                                            				_t394 = 0;
                                                            				_v32 = 0;
                                                            				_v52 = 0;
                                                            				_t386 = 0;
                                                            				_v28 = 0;
                                                            				_v56 = 0;
                                                            				_v24 = 0;
                                                            				_v16 = 0;
                                                            				_v36 = 0;
                                                            				_t243 = E742712F8();
                                                            				_v40 = _t243;
                                                            				_t320 = _t243;
                                                            				_v20 = E742712F8();
                                                            				_t245 = E74271593();
                                                            				_t325 = _t245;
                                                            				_v8 = _t245;
                                                            				_v60 = _t325;
                                                            				_t387 = _t245;
                                                            				_v44 = _t325;
                                                            				_v4 = 2;
                                                            				while(1) {
                                                            					_t378 = _t394;
                                                            					if(_t394 != 0 && _t386 == 0) {
                                                            						break;
                                                            					}
                                                            					_t395 =  *_t325 & 0x0000ffff;
                                                            					_t246 = _t395 & 0x0000ffff;
                                                            					_v12 = _t395;
                                                            					_t327 = _t246;
                                                            					if(_t327 == 0) {
                                                            						_t175 =  &_v52;
                                                            						 *_t175 = _v52 | 0xffffffff;
                                                            						__eflags =  *_t175;
                                                            						L132:
                                                            						_t396 = _v32;
                                                            						L133:
                                                            						_t379 = _t378;
                                                            						if(_t379 == 0) {
                                                            							 *_t320 = 0;
                                                            							__eflags = _t386;
                                                            							if(_t386 != 0) {
                                                            								_t380 = 0;
                                                            								__eflags = 0;
                                                            							} else {
                                                            								_t386 = GlobalAlloc(0x40, 0x1ca4);
                                                            								_t380 = 0;
                                                            								 *(_t386 + 0x1010) = 0;
                                                            								 *((intOrPtr*)(_t386 + 0x1014)) = 0;
                                                            							}
                                                            							 *(_t386 + 0x1008) = _t380;
                                                            							_t184 = _t386 + 8; // 0x8
                                                            							_t328 = _t184;
                                                            							 *(_t386 + 0x100c) = _t380;
                                                            							_t186 = _t386 + 0x808; // 0x808
                                                            							_t388 = _t186;
                                                            							 *_t328 = 0;
                                                            							 *_t388 = 0;
                                                            							 *_t386 = _t396;
                                                            							 *(_t386 + 4) = _t380;
                                                            							_t250 = _t396 - _t380;
                                                            							__eflags = _t250;
                                                            							if(_t250 == 0) {
                                                            								__eflags = _t320 - _v40;
                                                            								if(_t320 == _v40) {
                                                            									goto L157;
                                                            								}
                                                            								_t393 = _t380;
                                                            								GlobalFree(_t386);
                                                            								_push(_v40);
                                                            								_t386 = E7427135A();
                                                            								__eflags = _t386;
                                                            								if(_t386 == 0) {
                                                            									goto L157;
                                                            								} else {
                                                            									goto L150;
                                                            								}
                                                            								while(1) {
                                                            									L150:
                                                            									_t280 =  *(_t386 + 0x1ca0);
                                                            									__eflags = _t280;
                                                            									if(_t280 == 0) {
                                                            										break;
                                                            									}
                                                            									_t393 = _t386;
                                                            									_t386 = _t280;
                                                            								}
                                                            								__eflags = _t393;
                                                            								if(_t393 != 0) {
                                                            									_t193 = _t393 + 0x1ca0;
                                                            									 *_t193 =  *(_t393 + 0x1ca0) & 0x00000000;
                                                            									__eflags =  *_t193;
                                                            								}
                                                            								_t281 =  *(_t386 + 0x1010);
                                                            								__eflags = _t281 & 0x00000008;
                                                            								if((_t281 & 0x00000008) == 0) {
                                                            									_t341 = 2;
                                                            									_t282 = _t281 | _t341;
                                                            									__eflags = _t282;
                                                            									 *(_t386 + 0x1010) = _t282;
                                                            								} else {
                                                            									_t386 = E74271309(_t386);
                                                            									 *(_t386 + 0x1010) =  *(_t386 + 0x1010) & 0xfffffff5;
                                                            								}
                                                            								goto L157;
                                                            							} else {
                                                            								_t284 = _t250 - 1;
                                                            								__eflags = _t284;
                                                            								if(_t284 == 0) {
                                                            									L145:
                                                            									lstrcpyW(_t328, _v20);
                                                            									L146:
                                                            									_push(_v40);
                                                            									_push(_t388);
                                                            									L147:
                                                            									lstrcpyW();
                                                            									L157:
                                                            									_t329 = _v60;
                                                            									L158:
                                                            									_t320 = _v40;
                                                            									L159:
                                                            									_t394 = _v52;
                                                            									_t325 =  &(_t329[1]);
                                                            									_v60 = _t325;
                                                            									_t387 = _t325;
                                                            									_v44 = _t325;
                                                            									if(_t394 != 0xffffffff) {
                                                            										continue;
                                                            									}
                                                            									break;
                                                            								}
                                                            								_t287 = _t284 - 1;
                                                            								__eflags = _t287;
                                                            								if(_t287 == 0) {
                                                            									goto L146;
                                                            								}
                                                            								__eflags = _t287 != 1;
                                                            								if(_t287 != 1) {
                                                            									goto L157;
                                                            								}
                                                            								goto L145;
                                                            							}
                                                            						}
                                                            						_t381 = _t379 - 1;
                                                            						if(_t381 == 0) {
                                                            							_t290 = _v28;
                                                            							if(_v24 == _t381) {
                                                            								_t290 = _t290 - 1;
                                                            							}
                                                            							 *((intOrPtr*)(_t386 + 0x1014)) = _t290;
                                                            						}
                                                            						goto L157;
                                                            					}
                                                            					_t343 = _t327 - 0x23;
                                                            					if(_t343 == 0) {
                                                            						__eflags = _t387 - _v8;
                                                            						if(_t387 <= _v8) {
                                                            							_t344 = _v52;
                                                            							L31:
                                                            							__eflags = _v36;
                                                            							if(_v36 != 0) {
                                                            								L15:
                                                            								_t345 = _t344;
                                                            								__eflags = _t345;
                                                            								if(_t345 == 0) {
                                                            									_t383 = _v60;
                                                            									while(1) {
                                                            										__eflags = _t246 - 0x22;
                                                            										if(_t246 != 0x22) {
                                                            											break;
                                                            										}
                                                            										_t383 =  &(_t383[1]);
                                                            										__eflags = _v36;
                                                            										_v60 = _t383;
                                                            										_t387 = _t383;
                                                            										if(_v36 == 0) {
                                                            											__eflags = 1;
                                                            											_v36 = 1;
                                                            											L123:
                                                            											_t329 = _v60;
                                                            											 *_t320 =  *_t329;
                                                            											_t294 = 2;
                                                            											_t320 = _t320 + _t294;
                                                            											goto L159;
                                                            										}
                                                            										_t161 =  &_v36;
                                                            										 *_t161 = _v36 & 0x00000000;
                                                            										__eflags =  *_t161;
                                                            										_t246 =  *_t383 & 0x0000ffff;
                                                            									}
                                                            									__eflags = _t246 - 0x2a;
                                                            									if(_t246 == 0x2a) {
                                                            										_t295 = 2;
                                                            										_v32 = _t295;
                                                            										goto L157;
                                                            									}
                                                            									_t398 = 0x2d;
                                                            									__eflags = _t246 - _t398;
                                                            									if(_t246 == _t398) {
                                                            										L119:
                                                            										_t346 =  *_t383 & 0x0000ffff;
                                                            										__eflags = _t346 - _t398;
                                                            										if(_t346 != _t398) {
                                                            											L124:
                                                            											_t296 =  &(_t383[1]);
                                                            											_t384 = 0x3a;
                                                            											__eflags =  *_t296 - _t384;
                                                            											if( *_t296 != _t384) {
                                                            												goto L123;
                                                            											}
                                                            											__eflags = _t346 - _t398;
                                                            											if(_t346 == _t398) {
                                                            												goto L123;
                                                            											}
                                                            											__eflags = 1;
                                                            											_v32 = 1;
                                                            											L127:
                                                            											_t329 = _t296;
                                                            											_v60 = _t329;
                                                            											__eflags = _t320 - _v40;
                                                            											if(_t320 <= _v40) {
                                                            												 *_v20 = 0;
                                                            												goto L158;
                                                            											}
                                                            											_push(_v40);
                                                            											_push(_v20);
                                                            											 *_t320 = 0;
                                                            											goto L147;
                                                            										}
                                                            										_t296 =  &(_t387[1]);
                                                            										__eflags =  *_t296 - 0x3e;
                                                            										if( *_t296 != 0x3e) {
                                                            											goto L124;
                                                            										}
                                                            										_v32 = 3;
                                                            										goto L127;
                                                            									}
                                                            									_t349 = 0x3a;
                                                            									__eflags = _t246 - _t349;
                                                            									if(_t246 != _t349) {
                                                            										goto L123;
                                                            									}
                                                            									goto L119;
                                                            								}
                                                            								_t350 = _t345 - 1;
                                                            								__eflags = _t350;
                                                            								if(_t350 == 0) {
                                                            									_t321 = _v28;
                                                            									L51:
                                                            									_t299 = _t246 + 0xffffffde;
                                                            									__eflags = _t299 - 0x55;
                                                            									if(_t299 > 0x55) {
                                                            										goto L157;
                                                            									}
                                                            									_t77 = _t299 + 0x74272c69; // 0x39000010
                                                            									switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M74272BDD))) {
                                                            										case 0:
                                                            											__ecx = _v40;
                                                            											__ebx = _v60;
                                                            											_push(2);
                                                            											__edx = __bp & 0x0000ffff;
                                                            											_pop(__ebp);
                                                            											while(1) {
                                                            												__ebx = __ebx + 2;
                                                            												__eax =  *__ebx & 0x0000ffff;
                                                            												__eflags = __ax - __dx;
                                                            												if(__ax != __dx) {
                                                            													goto L90;
                                                            												}
                                                            												L89:
                                                            												__eflags =  *(__ebx + 2) - __dx;
                                                            												if( *(__ebx + 2) != __dx) {
                                                            													L94:
                                                            													__ebp = _v40;
                                                            													__eax = 0;
                                                            													__eflags = 0;
                                                            													_v60 = __ebx;
                                                            													 *__ecx = __ax;
                                                            													__esi = E742712E1(_v40);
                                                            													goto L95;
                                                            												}
                                                            												L90:
                                                            												__eflags = __ax;
                                                            												if(__ax == 0) {
                                                            													goto L94;
                                                            												}
                                                            												__eflags = __ax - __dx;
                                                            												if(__ax == __dx) {
                                                            													__ebx = __ebx + 2;
                                                            													__eflags = __ebx;
                                                            												}
                                                            												__ax =  *__ebx;
                                                            												 *__ecx = __ax;
                                                            												__ecx = __ecx + __ebp;
                                                            												__ebx = __ebx + 2;
                                                            												__eax =  *__ebx & 0x0000ffff;
                                                            												__eflags = __ax - __dx;
                                                            												if(__ax != __dx) {
                                                            													goto L90;
                                                            												}
                                                            												goto L89;
                                                            											}
                                                            										case 1:
                                                            											L48:
                                                            											_v56 = 1;
                                                            											goto L157;
                                                            										case 2:
                                                            											_v56 = _v56 | 0xffffffff;
                                                            											goto L157;
                                                            										case 3:
                                                            											_v56 = _v56 & __edx;
                                                            											__eax = 0;
                                                            											_v48 = _v48 & __edx;
                                                            											__ebx = __ebx + 1;
                                                            											__eax = 1;
                                                            											_v28 = __ebx;
                                                            											_v24 = 1;
                                                            											goto L157;
                                                            										case 4:
                                                            											__eflags = _v48 - __edx;
                                                            											if(_v48 != __edx) {
                                                            												goto L157;
                                                            											}
                                                            											__eax = _v60;
                                                            											_push(2);
                                                            											_pop(__ecx);
                                                            											__eax = _v60 - __ecx;
                                                            											_v44 = _v60 - __ecx;
                                                            											__esi = E742712F8();
                                                            											__eax =  &_v44;
                                                            											_push(__esi);
                                                            											__eax = E74271BCF( &_v44);
                                                            											_push(__edx);
                                                            											_push(__eax);
                                                            											__eax = E7427149E(__ecx);
                                                            											__esp = __esp + 0xc;
                                                            											goto L83;
                                                            										case 5:
                                                            											_v48 = _v48 + 1;
                                                            											goto L157;
                                                            										case 6:
                                                            											_push(7);
                                                            											goto L77;
                                                            										case 7:
                                                            											_push(0x19);
                                                            											goto L103;
                                                            										case 8:
                                                            											__eax = 0;
                                                            											__eax = 1;
                                                            											__edx = 1;
                                                            											goto L60;
                                                            										case 9:
                                                            											_push(0x15);
                                                            											goto L103;
                                                            										case 0xa:
                                                            											_push(0x16);
                                                            											goto L103;
                                                            										case 0xb:
                                                            											_push(0x18);
                                                            											goto L103;
                                                            										case 0xc:
                                                            											__eax = 0;
                                                            											__eflags = 0;
                                                            											_t105 = __eax + 1; // 0x1
                                                            											__edx = _t105;
                                                            											goto L72;
                                                            										case 0xd:
                                                            											__eax = 0;
                                                            											__eax = 1;
                                                            											__edx = 1;
                                                            											goto L63;
                                                            										case 0xe:
                                                            											__eax = 0;
                                                            											__eax = 1;
                                                            											__edx = 1;
                                                            											goto L78;
                                                            										case 0xf:
                                                            											__eax = 0;
                                                            											__eflags = 0;
                                                            											_t107 = __eax + 1; // 0x1
                                                            											__edx = _t107;
                                                            											goto L76;
                                                            										case 0x10:
                                                            											__eax = 0;
                                                            											__eflags = 0;
                                                            											_t101 = __eax + 1; // 0x1
                                                            											__edx = _t101;
                                                            											goto L67;
                                                            										case 0x11:
                                                            											_push(3);
                                                            											goto L77;
                                                            										case 0x12:
                                                            											_push(0x17);
                                                            											L103:
                                                            											_pop(__esi);
                                                            											goto L104;
                                                            										case 0x13:
                                                            											__eax =  &_v44;
                                                            											__eax = E74271BCF( &_v44);
                                                            											_push(0xb);
                                                            											_pop(__esi);
                                                            											_t132 = __eax + 1; // 0x1
                                                            											__ecx = _t132;
                                                            											__eflags = _t132 - __esi;
                                                            											_push(1);
                                                            											_pop(__ecx);
                                                            											__esi =  >=  ? _t132 : __esi;
                                                            											__esi = __eax + __esi;
                                                            											__eflags = __esi;
                                                            											goto L83;
                                                            										case 0x14:
                                                            											__esi = __esi | 0xffffffff;
                                                            											goto L104;
                                                            										case 0x15:
                                                            											__eax = 0;
                                                            											__eflags = 0;
                                                            											_t102 = __eax + 1; // 0x1
                                                            											__edx = _t102;
                                                            											goto L70;
                                                            										case 0x16:
                                                            											__eax = 0;
                                                            											goto L78;
                                                            										case 0x17:
                                                            											__eax = 0;
                                                            											__eflags = 0;
                                                            											_t106 = __eax + 1; // 0x1
                                                            											__edx = _t106;
                                                            											goto L74;
                                                            										case 0x18:
                                                            											_t351 =  *((intOrPtr*)(_t386 + 0x1014));
                                                            											__eflags = _t351 - _t321;
                                                            											_push(1);
                                                            											_t302 =  <=  ? _t321 : _t351;
                                                            											_v56 = _v56 & 0;
                                                            											_v48 = _v48 & 0;
                                                            											_t322 =  <=  ? _t321 : _t351;
                                                            											_v28 =  <=  ? _t321 : _t351;
                                                            											_v32 - 3 = _t351 - (0 | _v32 == 0x00000003);
                                                            											_pop(_t305);
                                                            											_t400 =  !=  ? _t305 : _v24;
                                                            											_v24 =  !=  ? _t305 : _v24;
                                                            											goto L157;
                                                            										case 0x19:
                                                            											__eax = 0;
                                                            											__eax = 1;
                                                            											__eflags = 1;
                                                            											L60:
                                                            											_push(2);
                                                            											_pop(__ecx);
                                                            											_v56 = __ecx;
                                                            											goto L78;
                                                            										case 0x1a:
                                                            											L72:
                                                            											_push(5);
                                                            											goto L77;
                                                            										case 0x1b:
                                                            											__eax = 0;
                                                            											__eax = 1;
                                                            											__eflags = 1;
                                                            											L63:
                                                            											_push(3);
                                                            											_pop(__esi);
                                                            											_v56 = __esi;
                                                            											goto L78;
                                                            										case 0x1c:
                                                            											__eax = 0;
                                                            											__eax = 1;
                                                            											goto L78;
                                                            										case 0x1d:
                                                            											L76:
                                                            											_push(6);
                                                            											goto L77;
                                                            										case 0x1e:
                                                            											L67:
                                                            											_push(2);
                                                            											goto L77;
                                                            										case 0x1f:
                                                            											__eax =  &_v44;
                                                            											_t136 = E74271BCF( &_v44) + 1; // 0x1
                                                            											__esi = _t136;
                                                            											L83:
                                                            											__ecx = _v44;
                                                            											_v60 = _v44;
                                                            											L95:
                                                            											__eflags = __esi;
                                                            											if(__esi == 0) {
                                                            												goto L157;
                                                            											}
                                                            											L104:
                                                            											__edx = _v48;
                                                            											0 = 1;
                                                            											_v24 = 1;
                                                            											__eflags = __edx;
                                                            											if(__edx != 0) {
                                                            												__eflags = __edx - 1;
                                                            												if(__edx == 1) {
                                                            													__eax = _v28;
                                                            													__eax = _v28 << 5;
                                                            													__eflags = __eax;
                                                            													 *(__eax + __edi + 0x102c) = __esi;
                                                            												}
                                                            												L111:
                                                            												__edx = __edx + 1;
                                                            												_v48 = __edx;
                                                            												goto L157;
                                                            											}
                                                            											__ebx = _v28;
                                                            											__ebx = _v28 << 5;
                                                            											__eax =  *(__ebx + __edi + 0x1030);
                                                            											__eflags = __eax - 0xffffffff;
                                                            											if(__eax <= 0xffffffff) {
                                                            												L107:
                                                            												__eax = GlobalFree(__eax);
                                                            												__edx = _v48;
                                                            												L108:
                                                            												 *(__ebx + __edi + 0x1030) = __esi;
                                                            												goto L111;
                                                            											}
                                                            											__eflags = __eax - 0x19;
                                                            											if(__eax <= 0x19) {
                                                            												goto L108;
                                                            											}
                                                            											goto L107;
                                                            										case 0x20:
                                                            											L70:
                                                            											_v16 = _v16 + 1;
                                                            											_push(4);
                                                            											goto L77;
                                                            										case 0x21:
                                                            											L74:
                                                            											_push(4);
                                                            											L77:
                                                            											_pop(__eax);
                                                            											L78:
                                                            											__ecx =  *(0x74274094 + __eax * 4);
                                                            											0 = 1;
                                                            											__esi = __ebx;
                                                            											__esi = __ebx << 5;
                                                            											__edx =  ~__edx;
                                                            											_push(1);
                                                            											asm("sbb edx, edx");
                                                            											_v24 = 1;
                                                            											__edx = __edx & 0x00008000;
                                                            											__edx = __edx | __eax;
                                                            											0 = 1;
                                                            											 *(__esi + __edi + 0x1018) = __edx;
                                                            											__edx = _v56;
                                                            											__eflags = __ecx;
                                                            											__eax =  >  ? __ecx : 1;
                                                            											__eflags = __edx;
                                                            											_pop(__ecx);
                                                            											__eax =  <  ? __ecx :  >  ? __ecx : 1;
                                                            											 *((intOrPtr*)(__esi + __edi + 0x1028)) =  <  ? __ecx :  >  ? __ecx : 1;
                                                            											__eflags = __edx - __ecx;
                                                            											if(__edx == __ecx) {
                                                            												__eax =  &_v44;
                                                            												__eax = E74271BCF( &_v44);
                                                            												__ecx = _v44;
                                                            												_v60 = _v44;
                                                            												_t119 = __eax + 1; // 0x1
                                                            												__edx = _t119;
                                                            												_v56 = __edx;
                                                            											}
                                                            											__ecx = __ebx + 0x81;
                                                            											 *(__esi + __edi + 0x101c) = __edx;
                                                            											__ecx = __ebx + 0x81 << 5;
                                                            											__edx = 0;
                                                            											 *((intOrPtr*)(__esi + __edi + 0x1030)) = 0;
                                                            											 *((intOrPtr*)(__esi + __edi + 0x102c)) = 0;
                                                            											 *((intOrPtr*)((__ebx + 0x81 << 5) + __edi)) = 0;
                                                            											goto L157;
                                                            										case 0x22:
                                                            											goto L157;
                                                            									}
                                                            								}
                                                            								_t352 = _t350 - 1;
                                                            								__eflags = _t352;
                                                            								if(_t352 == 0) {
                                                            									_t321 = 0;
                                                            									_v28 = 0;
                                                            									goto L51;
                                                            								}
                                                            								__eflags = _t352 != 1;
                                                            								if(_t352 != 1) {
                                                            									goto L123;
                                                            								}
                                                            								__eflags = _t246 - 0x6e;
                                                            								if(__eflags > 0) {
                                                            									_t306 = _t246 - 0x72;
                                                            									__eflags = _t306;
                                                            									if(_t306 == 0) {
                                                            										_push(4);
                                                            										L43:
                                                            										_pop(_t307);
                                                            										L44:
                                                            										_t354 =  *(_t386 + 0x1010);
                                                            										__eflags = _v56 - 1;
                                                            										if(_v56 != 1) {
                                                            											_t355 = _t354 &  !_t307;
                                                            											__eflags = _t355;
                                                            										} else {
                                                            											_t355 = _t354 | _t307;
                                                            										}
                                                            										 *(_t386 + 0x1010) = _t355;
                                                            										goto L48;
                                                            									}
                                                            									_t311 = _t306 - 1;
                                                            									__eflags = _t311;
                                                            									if(_t311 == 0) {
                                                            										_push(0x10);
                                                            										goto L43;
                                                            									}
                                                            									_t356 = 2;
                                                            									__eflags = _t311 != _t356;
                                                            									if(_t311 != _t356) {
                                                            										goto L157;
                                                            									}
                                                            									_push(0x40);
                                                            									goto L43;
                                                            								}
                                                            								if(__eflags == 0) {
                                                            									_push(8);
                                                            									goto L43;
                                                            								}
                                                            								_t313 = _t246 - 0x21;
                                                            								__eflags = _t313;
                                                            								if(_t313 == 0) {
                                                            									_v56 =  ~_v56;
                                                            									goto L157;
                                                            								}
                                                            								_t314 = _t313 - 0x11;
                                                            								__eflags = _t314;
                                                            								if(_t314 == 0) {
                                                            									_t307 = 0x100;
                                                            									goto L44;
                                                            								}
                                                            								_t315 = _t314 - 0x31;
                                                            								__eflags = _t315;
                                                            								if(_t315 == 0) {
                                                            									_t307 = 1;
                                                            									goto L44;
                                                            								}
                                                            								_t357 = 2;
                                                            								__eflags = _t315 != _t357;
                                                            								if(_t315 != _t357) {
                                                            									goto L157;
                                                            								}
                                                            								_push(0x20);
                                                            								goto L43;
                                                            							}
                                                            							_v52 = _v52 & 0x00000000;
                                                            							_t396 = 0;
                                                            							_v32 = 0;
                                                            							goto L133;
                                                            						}
                                                            						_t358 = _v60;
                                                            						_t403 = 0x3a;
                                                            						__eflags =  *((intOrPtr*)(_t358 - 2)) - _t403;
                                                            						_t344 = _v52;
                                                            						if( *((intOrPtr*)(_t358 - 2)) != _t403) {
                                                            							goto L31;
                                                            						}
                                                            						__eflags = _t344;
                                                            						if(_t344 == 0) {
                                                            							goto L15;
                                                            						}
                                                            						goto L31;
                                                            					}
                                                            					_t359 = _t343 - 5;
                                                            					if(_t359 == 0) {
                                                            						__eflags = _v36;
                                                            						if(_v36 == 0) {
                                                            							_v52 = 1;
                                                            							__eflags = _v32 - 3;
                                                            							_t370 = (0 | _v32 == 0x00000003) + 1;
                                                            							__eflags = _t370;
                                                            							_v28 = _t370;
                                                            						}
                                                            						_v56 = _v56 & 0x00000000;
                                                            						_t405 = _v36;
                                                            						__eflags = _t405;
                                                            						_t361 =  ==  ? _v56 : _v56;
                                                            						_v56 =  ==  ? _v56 : _v56;
                                                            						_v24 = _v24 & 0x00000000;
                                                            						__eflags = _t405;
                                                            						_t363 =  ==  ? _v24 : _v24;
                                                            						_v24 =  ==  ? _v24 : _v24;
                                                            						__eflags = _t405;
                                                            						_t365 = 0 | _t405 == 0x00000000;
                                                            						_v48 = _v48 & 0x00000000;
                                                            						__eflags = _v36;
                                                            						_t407 =  ==  ? _v48 : _v48;
                                                            						L13:
                                                            						_v48 = _t407;
                                                            						__eflags = _t365;
                                                            						if(_t365 != 0) {
                                                            							goto L132;
                                                            						}
                                                            						L14:
                                                            						_t344 = _v52;
                                                            						goto L15;
                                                            					}
                                                            					_t371 = _t359 - 1;
                                                            					if(_t371 == 0) {
                                                            						_t409 = _v36;
                                                            						__eflags = _t409;
                                                            						_t373 =  ==  ? _v4 : _v52;
                                                            						_v52 =  ==  ? _v4 : _v52;
                                                            						_v56 = _v56 & 0x00000000;
                                                            						__eflags = _t409;
                                                            						_t375 =  ==  ? _v56 : _v56;
                                                            						_v56 =  ==  ? _v56 : _v56;
                                                            						__eflags = _t409;
                                                            						_t365 = 0 | _t409 == 0x00000000;
                                                            						_v48 = _v48 & 0x00000000;
                                                            						__eflags = _v36;
                                                            						_t407 =  ==  ? _v48 : _v48;
                                                            						goto L13;
                                                            					}
                                                            					if(_t371 != 0x16) {
                                                            						goto L14;
                                                            					} else {
                                                            						_v52 = 3;
                                                            						_v56 = 1;
                                                            						goto L132;
                                                            					}
                                                            				}
                                                            				GlobalFree(_v8);
                                                            				GlobalFree(_v40);
                                                            				GlobalFree(_v20);
                                                            				if(_t386 == 0 ||  *(_t386 + 0x100c) != 0) {
                                                            					L185:
                                                            					return _t386;
                                                            				} else {
                                                            					_t256 =  *_t386 - 1;
                                                            					if(_t256 == 0) {
                                                            						_t221 = _t386 + 8; // 0x8
                                                            						_t389 = _t221;
                                                            						__eflags =  *_t389;
                                                            						if( *_t389 != 0) {
                                                            							_t257 = GetModuleHandleW(_t389);
                                                            							 *(_t386 + 0x1008) = _t257;
                                                            							__eflags = _t257;
                                                            							if(_t257 != 0) {
                                                            								L173:
                                                            								_t226 = _t386 + 0x808; // 0x808
                                                            								_t390 = _t226;
                                                            								_t258 = E74271F7B(_t257, _t390);
                                                            								 *(_t386 + 0x100c) = _t258;
                                                            								__eflags = _t258;
                                                            								if(_t258 == 0) {
                                                            									_t261 = 0x23;
                                                            									__eflags =  *_t390 - _t261;
                                                            									if( *_t390 == _t261) {
                                                            										_t228 = _t386 + 0x80a; // 0x80a
                                                            										_t263 = E7427135A();
                                                            										__eflags = _t263;
                                                            										if(_t263 != 0) {
                                                            											__eflags = _t263 & 0xffff0000;
                                                            											if((_t263 & 0xffff0000) == 0) {
                                                            												 *(_t386 + 0x100c) = GetProcAddress( *(_t386 + 0x1008), _t263 & 0x0000ffff);
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            								__eflags = _v16;
                                                            								if(_v16 != 0) {
                                                            									L180:
                                                            									_t390[lstrlenW(_t390)] = 0x57;
                                                            									_t260 = E74271F7B( *(_t386 + 0x1008), _t390);
                                                            									__eflags = _t260;
                                                            									if(_t260 == 0) {
                                                            										__eflags =  *(_t386 + 0x100c);
                                                            										L183:
                                                            										if(__eflags != 0) {
                                                            											goto L185;
                                                            										}
                                                            										L184:
                                                            										_t240 = _t386 + 4;
                                                            										 *_t240 =  *(_t386 + 4) | 0xffffffff;
                                                            										__eflags =  *_t240;
                                                            										goto L185;
                                                            									}
                                                            									L181:
                                                            									 *(_t386 + 0x100c) = _t260;
                                                            									goto L185;
                                                            								} else {
                                                            									__eflags =  *(_t386 + 0x100c);
                                                            									if( *(_t386 + 0x100c) != 0) {
                                                            										goto L185;
                                                            									}
                                                            									goto L180;
                                                            								}
                                                            							}
                                                            							_t257 = LoadLibraryW(_t389);
                                                            							 *(_t386 + 0x1008) = _t257;
                                                            							__eflags = _t257;
                                                            							if(_t257 == 0) {
                                                            								goto L184;
                                                            							}
                                                            							goto L173;
                                                            						}
                                                            						_t222 = _t386 + 0x808; // 0x808
                                                            						_t267 = E7427135A();
                                                            						 *(_t386 + 0x100c) = _t267;
                                                            						__eflags = _t267;
                                                            						goto L183;
                                                            					}
                                                            					_t268 = _t256 - 1;
                                                            					if(_t268 == 0) {
                                                            						_t220 = _t386 + 0x808; // 0x808
                                                            						_t269 = _t220;
                                                            						__eflags =  *_t269;
                                                            						if( *_t269 == 0) {
                                                            							goto L185;
                                                            						}
                                                            						_push(_t269);
                                                            						_t260 = E7427135A();
                                                            						goto L181;
                                                            					}
                                                            					if(_t268 != 1) {
                                                            						goto L185;
                                                            					}
                                                            					_t210 = _t386 + 8; // 0x8
                                                            					_t324 = _t210;
                                                            					_push(_t210);
                                                            					_t391 = E7427135A();
                                                            					 *(_t386 + 0x1008) = _t391;
                                                            					if(_t391 == 0) {
                                                            						goto L184;
                                                            					}
                                                            					 *((intOrPtr*)(_t386 + 0x104c)) = 0;
                                                            					 *((intOrPtr*)(_t386 + 0x1050)) = E742712E1(_t324);
                                                            					 *((intOrPtr*)(_t386 + 0x103c)) = 0;
                                                            					 *((intOrPtr*)(_t386 + 0x1048)) = 1;
                                                            					 *((intOrPtr*)(_t386 + 0x1038)) = 1;
                                                            					_t217 = _t386 + 0x808; // 0x808
                                                            					_t260 =  *(_t391->i + E7427135A() * 4);
                                                            					goto L181;
                                                            				}
                                                            			}
                                                            0x74272878
                                                            0x74272907
                                                            0x74272908
                                                            0x00000000
                                                            0x74272908
                                                            0x74272880
                                                            0x74272881
                                                            0x74272883
                                                            0x7427288c
                                                            0x7427288c
                                                            0x7427288f
                                                            0x74272892
                                                            0x742728c2
                                                            0x742728c2
                                                            0x742728c7
                                                            0x742728c8
                                                            0x742728cb
                                                            0x00000000
                                                            0x00000000
                                                            0x742728cd
                                                            0x742728d0
                                                            0x00000000
                                                            0x00000000
                                                            0x742728d4
                                                            0x742728d5
                                                            0x742728d9
                                                            0x742728d9
                                                            0x742728db
                                                            0x742728df
                                                            0x742728e3
                                                            0x742728fd
                                                            0x00000000
                                                            0x742728fd
                                                            0x742728e5
                                                            0x742728eb
                                                            0x742728ef
                                                            0x00000000
                                                            0x742728ef
                                                            0x74272894
                                                            0x74272897
                                                            0x7427289b
                                                            0x00000000
                                                            0x00000000
                                                            0x7427289d
                                                            0x00000000
                                                            0x7427289d
                                                            0x74272887
                                                            0x74272888
                                                            0x7427288a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x7427288a
                                                            0x742724c2
                                                            0x742724c2
                                                            0x742724c5
                                                            0x742725a7
                                                            0x742725ab
                                                            0x742725ab
                                                            0x742725ae
                                                            0x742725b1
                                                            0x00000000
                                                            0x00000000
                                                            0x742725b7
                                                            0x742725be
                                                            0x00000000
                                                            0x7427278d
                                                            0x74272791
                                                            0x74272795
                                                            0x74272797
                                                            0x7427279a
                                                            0x7427279b
                                                            0x7427279b
                                                            0x7427279e
                                                            0x742727a1
                                                            0x742727a4
                                                            0x00000000
                                                            0x00000000
                                                            0x742727a6
                                                            0x742727a6
                                                            0x742727aa
                                                            0x742727c3
                                                            0x742727c3
                                                            0x742727c7
                                                            0x742727c7
                                                            0x742727ca
                                                            0x742727ce
                                                            0x742727d7
                                                            0x00000000
                                                            0x742727d7
                                                            0x742727ac
                                                            0x742727ac
                                                            0x742727af
                                                            0x00000000
                                                            0x00000000
                                                            0x742727b1
                                                            0x742727b4
                                                            0x742727b6
                                                            0x742727b6
                                                            0x742727b6
                                                            0x742727b9
                                                            0x742727bc
                                                            0x742727bf
                                                            0x7427279b
                                                            0x7427279e
                                                            0x742727a1
                                                            0x742727a4
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x742727a4
                                                            0x00000000
                                                            0x74272593
                                                            0x74272596
                                                            0x00000000
                                                            0x00000000
                                                            0x74272618
                                                            0x00000000
                                                            0x00000000
                                                            0x742725ff
                                                            0x74272603
                                                            0x74272605
                                                            0x74272609
                                                            0x7427260a
                                                            0x7427260b
                                                            0x7427260f
                                                            0x00000000
                                                            0x00000000
                                                            0x74272757
                                                            0x7427275b
                                                            0x00000000
                                                            0x00000000
                                                            0x74272761
                                                            0x74272765
                                                            0x74272767
                                                            0x74272768
                                                            0x7427276a
                                                            0x74272773
                                                            0x74272775
                                                            0x74272779
                                                            0x7427277b
                                                            0x74272781
                                                            0x74272782
                                                            0x74272783
                                                            0x74272788
                                                            0x00000000
                                                            0x00000000
                                                            0x74272716
                                                            0x00000000
                                                            0x00000000
                                                            0x74272622
                                                            0x00000000
                                                            0x00000000
                                                            0x742727f8
                                                            0x00000000
                                                            0x00000000
                                                            0x7427262a
                                                            0x7427262c
                                                            0x7427262d
                                                            0x00000000
                                                            0x00000000
                                                            0x742727e8
                                                            0x00000000
                                                            0x00000000
                                                            0x742727ec
                                                            0x00000000
                                                            0x00000000
                                                            0x742727f4
                                                            0x00000000
                                                            0x00000000
                                                            0x74272676
                                                            0x74272676
                                                            0x74272678
                                                            0x74272678
                                                            0x00000000
                                                            0x00000000
                                                            0x7427263d
                                                            0x7427263f
                                                            0x74272640
                                                            0x00000000
                                                            0x00000000
                                                            0x74272650
                                                            0x74272652
                                                            0x74272653
                                                            0x00000000
                                                            0x00000000
                                                            0x74272688
                                                            0x74272688
                                                            0x7427268a
                                                            0x7427268a
                                                            0x00000000
                                                            0x00000000
                                                            0x7427265c
                                                            0x7427265c
                                                            0x7427265e
                                                            0x7427265e
                                                            0x00000000
                                                            0x00000000
                                                            0x74272665
                                                            0x00000000
                                                            0x00000000
                                                            0x742727f0
                                                            0x742727fa
                                                            0x742727fa
                                                            0x00000000
                                                            0x00000000
                                                            0x7427271f
                                                            0x74272724
                                                            0x7427272a
                                                            0x7427272c
                                                            0x7427272d
                                                            0x7427272d
                                                            0x74272730
                                                            0x74272732
                                                            0x74272734
                                                            0x74272735
                                                            0x74272738
                                                            0x74272738
                                                            0x00000000
                                                            0x00000000
                                                            0x742727e3
                                                            0x00000000
                                                            0x00000000
                                                            0x74272669
                                                            0x74272669
                                                            0x7427266b
                                                            0x7427266b
                                                            0x00000000
                                                            0x00000000
                                                            0x74272626
                                                            0x00000000
                                                            0x00000000
                                                            0x7427267f
                                                            0x7427267f
                                                            0x74272681
                                                            0x74272681
                                                            0x00000000
                                                            0x00000000
                                                            0x742725c5
                                                            0x742725d1
                                                            0x742725d3
                                                            0x742725d5
                                                            0x742725d8
                                                            0x742725dc
                                                            0x742725e0
                                                            0x742725e4
                                                            0x742725f0
                                                            0x742725f2
                                                            0x742725f3
                                                            0x742725f6
                                                            0x00000000
                                                            0x00000000
                                                            0x74272631
                                                            0x74272633
                                                            0x74272633
                                                            0x74272634
                                                            0x74272634
                                                            0x74272636
                                                            0x74272637
                                                            0x00000000
                                                            0x00000000
                                                            0x7427267b
                                                            0x7427267b
                                                            0x00000000
                                                            0x00000000
                                                            0x74272644
                                                            0x74272646
                                                            0x74272646
                                                            0x74272647
                                                            0x74272647
                                                            0x74272649
                                                            0x7427264a
                                                            0x00000000
                                                            0x00000000
                                                            0x74272657
                                                            0x74272659
                                                            0x00000000
                                                            0x00000000
                                                            0x7427268d
                                                            0x7427268d
                                                            0x00000000
                                                            0x00000000
                                                            0x74272661
                                                            0x74272661
                                                            0x00000000
                                                            0x00000000
                                                            0x74272747
                                                            0x74272752
                                                            0x74272752
                                                            0x7427273a
                                                            0x7427273a
                                                            0x7427273e
                                                            0x742727d9
                                                            0x742727d9
                                                            0x742727db
                                                            0x00000000
                                                            0x00000000
                                                            0x742727fb
                                                            0x742727fb
                                                            0x74272801
                                                            0x74272802
                                                            0x74272806
                                                            0x74272808
                                                            0x74272836
                                                            0x74272838
                                                            0x7427283a
                                                            0x7427283e
                                                            0x7427283e
                                                            0x74272841
                                                            0x74272841
                                                            0x74272848
                                                            0x74272848
                                                            0x74272849
                                                            0x00000000
                                                            0x74272849
                                                            0x7427280a
                                                            0x7427280e
                                                            0x74272811
                                                            0x74272818
                                                            0x7427281b
                                                            0x74272822
                                                            0x74272823
                                                            0x74272829
                                                            0x7427282d
                                                            0x7427282d
                                                            0x00000000
                                                            0x7427282d
                                                            0x7427281d
                                                            0x74272820
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x7427266e
                                                            0x7427266e
                                                            0x74272672
                                                            0x00000000
                                                            0x00000000
                                                            0x74272684
                                                            0x74272684
                                                            0x7427268f
                                                            0x7427268f
                                                            0x74272690
                                                            0x74272690
                                                            0x74272699
                                                            0x7427269a
                                                            0x7427269c
                                                            0x7427269f
                                                            0x742726a1
                                                            0x742726a2
                                                            0x742726a4
                                                            0x742726a8
                                                            0x742726ae
                                                            0x742726b2
                                                            0x742726b3
                                                            0x742726ba
                                                            0x742726be
                                                            0x742726c0
                                                            0x742726c3
                                                            0x742726c5
                                                            0x742726c6
                                                            0x742726c9
                                                            0x742726d0
                                                            0x742726d2
                                                            0x742726d4
                                                            0x742726d9
                                                            0x742726df
                                                            0x742726e3
                                                            0x742726e7
                                                            0x742726e7
                                                            0x742726ea
                                                            0x742726ea
                                                            0x742726ee
                                                            0x742726f4
                                                            0x742726fb
                                                            0x742726fe
                                                            0x74272700
                                                            0x74272707
                                                            0x7427270e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x742725be
                                                            0x742724cb
                                                            0x742724cb
                                                            0x742724ce
                                                            0x7427259f
                                                            0x742725a1
                                                            0x00000000
                                                            0x742725a1
                                                            0x742724d4
                                                            0x742724d7

                                                            APIs
                                                              • Part of subcall function 742712F8: GlobalAlloc.KERNELBASE(00000040,?,742711C4,-000000A0), ref: 74271302
                                                            • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 7427294E
                                                            • lstrcpyW.KERNEL32(00000008,?), ref: 742729A4
                                                            • lstrcpyW.KERNEL32(00000808,?), ref: 742729AF
                                                            • GlobalFree.KERNEL32(00000000), ref: 742729C0
                                                            • GlobalFree.KERNEL32(?), ref: 74272A44
                                                            • GlobalFree.KERNEL32(?), ref: 74272A4A
                                                            • GlobalFree.KERNEL32(?), ref: 74272A50
                                                            • GetModuleHandleW.KERNEL32(00000008), ref: 74272B1A
                                                            • LoadLibraryW.KERNEL32(00000008), ref: 74272B2B
                                                            • GetProcAddress.KERNEL32(?,?), ref: 74272B82
                                                            • lstrlenW.KERNEL32(00000808), ref: 74272B9D
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
                                                            • String ID:
                                                            • API String ID: 1042148487-0
                                                            • Opcode ID: 88379e2ae7a84ef6cc75c0642387ab382c75d467ea3a5e39d34d10e25ac7376e
                                                            • Instruction ID: 009eaf0a79d8b5df9f61caa2033fe7ccd33fa2b7a8f6fc5c7e1d3fa66aba0d82
                                                            • Opcode Fuzzy Hash: 88379e2ae7a84ef6cc75c0642387ab382c75d467ea3a5e39d34d10e25ac7376e
                                                            • Instruction Fuzzy Hash: 9B42A071A18302DFD31BCF25854076AB7F1FF88710F144A2EE69AD6284E774D664CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E0040234F(void* _a4, signed int _a8, signed int _a12, char _a16, signed int _a36, signed int _a44, intOrPtr _a48, intOrPtr _a60, intOrPtr _a76) {
                                                            				char _v0;
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr* _v24;
                                                            				void* _v28;
                                                            				intOrPtr* _v32;
                                                            				void* _v36;
                                                            				intOrPtr* _v40;
                                                            				void* _v48;
                                                            				void* _v56;
                                                            				void* _v64;
                                                            				void* _v68;
                                                            				signed int _t46;
                                                            				unsigned int _t49;
                                                            				intOrPtr* _t56;
                                                            				intOrPtr* _t58;
                                                            				intOrPtr* _t60;
                                                            				intOrPtr* _t62;
                                                            				intOrPtr* _t64;
                                                            				intOrPtr* _t66;
                                                            				intOrPtr* _t68;
                                                            				intOrPtr* _t70;
                                                            				intOrPtr* _t72;
                                                            				intOrPtr* _t74;
                                                            				intOrPtr* _t76;
                                                            				unsigned int _t80;
                                                            				unsigned int _t81;
                                                            				void* _t98;
                                                            				intOrPtr* _t100;
                                                            				signed int _t103;
                                                            				void* _t108;
                                                            				void* _t110;
                                                            
                                                            				_a76 = E0040303E(_t98, 0xfffffff0);
                                                            				_a16 = E0040303E(_t98, 0xffffffdf);
                                                            				_a60 = E0040303E(_t98, 2);
                                                            				_a60 = E0040303E(_t98, 0xffffffcd);
                                                            				_a48 = E0040303E(_t98, 0x45);
                                                            				_t46 = _a36;
                                                            				_a12 = _t46 & 0x00000fff;
                                                            				_a8 = _t46 & 0x00008000;
                                                            				_t103 = _t46 >> 0x0000000c & 0x00000007;
                                                            				_a44 = _t46 >> 0x10;
                                                            				if(E00406E03(_t42) == 0) {
                                                            					E0040303E(_t98, 0x21);
                                                            				}
                                                            				_t49 =  &_a16;
                                                            				__imp__CoCreateInstance(0x409adc, _t108, 1, 0x409abc, _t49);
                                                            				_t80 = _t49;
                                                            				if(_t80 >= 0) {
                                                            					_t56 =  *((intOrPtr*)(_t110 + 0x10));
                                                            					_t80 =  *((intOrPtr*)( *_t56))(_t56, 0x409acc,  &_v0);
                                                            					if(_t80 >= 0) {
                                                            						_t60 =  *((intOrPtr*)(_t110 + 0x10));
                                                            						_t80 =  *((intOrPtr*)( *_t60 + 0x50))(_t60, _v8);
                                                            						if(_v12 == _t108) {
                                                            							_t76 = _v24;
                                                            							 *((intOrPtr*)( *_t76 + 0x24))(_t76, L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane");
                                                            						}
                                                            						if(_t103 != 0) {
                                                            							_t74 = _v24;
                                                            							 *((intOrPtr*)( *_t74 + 0x3c))(_t74, _t103);
                                                            						}
                                                            						_t62 = _v24;
                                                            						 *((intOrPtr*)( *_t62 + 0x34))(_t62,  *((intOrPtr*)(_t110 + 0x40)));
                                                            						_t100 =  *((intOrPtr*)(_t110 + 0x4c));
                                                            						if( *_t100 != _t108) {
                                                            							_t72 = _v32;
                                                            							 *((intOrPtr*)( *_t72 + 0x44))(_t72, _t100,  *((intOrPtr*)(_t110 + 0x20)));
                                                            						}
                                                            						_t64 = _v32;
                                                            						 *((intOrPtr*)( *_t64 + 0x2c))(_t64,  *((intOrPtr*)(_t110 + 0x48)));
                                                            						_t66 = _v40;
                                                            						 *((intOrPtr*)( *_t66 + 0x1c))(_t66, _a12);
                                                            						if(_t80 >= 0) {
                                                            							_t70 =  *((intOrPtr*)(_t110 + 0x14));
                                                            							_t80 =  *((intOrPtr*)( *_t70 + 0x18))(_t70, _a16, 1);
                                                            						}
                                                            						_t68 =  *((intOrPtr*)(_t110 + 0x14));
                                                            						 *((intOrPtr*)( *_t68 + 8))(_t68);
                                                            					}
                                                            					_t58 =  *((intOrPtr*)(_t110 + 0x10));
                                                            					 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                            				}
                                                            				E00405D3A((_t80 >> 0x0000001f & 0xfffffffc) - 0xc, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            				_t81 = _t80 >> 0x1f;
                                                            				 *0x435ac8 =  *0x435ac8 + _t81;
                                                            				return 0;
                                                            			}


                                                            APIs
                                                            • CoCreateInstance.OLE32(00409ADC,?,00000001,00409ABC,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8
                                                            Strings
                                                            • C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 0040241F
                                                            • C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll, xrefs: 004024AC
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CreateInstance
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane
                                                            • API String ID: 542301482-2223675861
                                                            • Opcode ID: bc0662a52d98e10143171a3c355a99e9a72edb8270824da348fbf334a5ed34ad
                                                            • Instruction ID: 400f91c807c924ebcba0c57f4558c7b9259f909ea30478445bd8bb36a2d5bedd
                                                            • Opcode Fuzzy Hash: bc0662a52d98e10143171a3c355a99e9a72edb8270824da348fbf334a5ed34ad
                                                            • Instruction Fuzzy Hash: 5E414C72604341AFC700DFA5C888A1BBBE9FF89315F14092EF655DB291DB79D805CB16
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$@;%$LZ$^
                                                            • API String ID: 0-296296773
                                                            • Opcode ID: 48f9f4872105c80ad86824c1b7386949ccf3781529be1905e7506d2abd2f940a
                                                            • Instruction ID: 0648d65ef0ae7ffac04f7426db0c0a489ca1a80c67375339b28e74b4051a7f4a
                                                            • Opcode Fuzzy Hash: 48f9f4872105c80ad86824c1b7386949ccf3781529be1905e7506d2abd2f940a
                                                            • Instruction Fuzzy Hash: 4061EE47E7E306CBF79330B6815D3F61281EF221C2E954ED74C6F62656B22E498AC8C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ$^
                                                            • API String ID: 0-73303536
                                                            • Opcode ID: 68eed9a977e433cd87c2d11827eb3345e12260ddf30eb46441d3ab42606ccc83
                                                            • Instruction ID: d877523985848d2674c28254752fad2e9c3e6d3b0066de977694d72062984c60
                                                            • Opcode Fuzzy Hash: 68eed9a977e433cd87c2d11827eb3345e12260ddf30eb46441d3ab42606ccc83
                                                            • Instruction Fuzzy Hash: 75613243D7E306CBF75330B6814D3F31641EF22282EA54ED74C6F62666B22F4989CA85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4LLL$89n1$LZ
                                                            • API String ID: 0-1341032138
                                                            • Opcode ID: 9284e48e21a51160fb4877a57c3fcaf28348de33730cfac61fabf48270bc5612
                                                            • Instruction ID: ea8f1998523abb1b4d340d54a02b7d4baac075b070364b6c15b4f65dc44298fe
                                                            • Opcode Fuzzy Hash: 9284e48e21a51160fb4877a57c3fcaf28348de33730cfac61fabf48270bc5612
                                                            • Instruction Fuzzy Hash: A0411246E3E306CBEB6170FE815D3F65142AF321C1ED54AD74C6F22755B21E8582C9C6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 553c4f2a45c429fc7dbf9422efd574bc3c7e353b75f84760221d976be421012a
                                                            • Instruction ID: 657dea5d6989286de05c5c95b90487d407b9e03e0e3ada98e9d6ccc00a99af64
                                                            • Opcode Fuzzy Hash: 553c4f2a45c429fc7dbf9422efd574bc3c7e353b75f84760221d976be421012a
                                                            • Instruction Fuzzy Hash: AA71D93D9B9B468AEF1570BB411C3F526C3BF121A5F940DD6CC9B52621A24E8483CEC9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: b16d8e9a5b9cae464877803be30e21e154d3e221cdd702c714d09aeb7a23698b
                                                            • Instruction ID: 8e8de6c2ed3846e2ee590d4eb78a7fa846e615ed62e24e3055b4daaeaa9741a1
                                                            • Opcode Fuzzy Hash: b16d8e9a5b9cae464877803be30e21e154d3e221cdd702c714d09aeb7a23698b
                                                            • Instruction Fuzzy Hash: 8561201392D346CBEF6630BBC0DD3F15741BF212A1E981ED6C95F12A67B22E4845C88D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: ea058a1589a514ad1e13ec879d661441de4681c7712957b47d09fc2ed6827b09
                                                            • Instruction ID: 9b1e775752b225ef66c5aa3df4bd18a9d0c2f7ee672980e634b723837e85dafe
                                                            • Opcode Fuzzy Hash: ea058a1589a514ad1e13ec879d661441de4681c7712957b47d09fc2ed6827b09
                                                            • Instruction Fuzzy Hash: D9611047E3E30ACBFB5230B6814D3F62242FF22182F994ED74D2F62652B22E4585C9C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 19cdc139ee429296093e53057cbc4b2e0048d2a0c5d96e2ce52d90745c40e461
                                                            • Instruction ID: 816df8480bcd5eff144184c7b6224e7a84c3fedff6d71a18a8000b4d7046268f
                                                            • Opcode Fuzzy Hash: 19cdc139ee429296093e53057cbc4b2e0048d2a0c5d96e2ce52d90745c40e461
                                                            • Instruction Fuzzy Hash: AB61F147E7E306CBF79330B6815D3F61241EF22182E994FD74C2F62656B22E4989C9C9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: ba66d8fe4b2972617db872f8dea30a5ef6b831b42880a6a6939a4c872505e5b7
                                                            • Instruction ID: fe2d0ec9437a5c21713f3f7bf34656e76fd1f59209934ad84e29164a2a1f44bd
                                                            • Opcode Fuzzy Hash: ba66d8fe4b2972617db872f8dea30a5ef6b831b42880a6a6939a4c872505e5b7
                                                            • Instruction Fuzzy Hash: AB511057E3E306CBE762307AC14D3F62241EF22282F994ED74C6F62652B22E4545C9C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 3b9ad300b8e8bef39af972663ab99b32142bb330a1428476dbda5b0b8f019576
                                                            • Instruction ID: c4ace906b730195f886f39d4c2fb6e46054730849d4e7257bd41a3b98346e1a6
                                                            • Opcode Fuzzy Hash: 3b9ad300b8e8bef39af972663ab99b32142bb330a1428476dbda5b0b8f019576
                                                            • Instruction Fuzzy Hash: 17612047E7E306CBE75330B6814D3F61241EF221C2E994ED74C2F62652B22E4989C9C9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: a593f9ad622a247f467c9e911f2660edccbc1634e11e0b12d99c8cbd16245baa
                                                            • Instruction ID: 0be0ee1beaf6a0b75c5000166c8ed2e86aa174bae5568e97fbebdda946a8bad6
                                                            • Opcode Fuzzy Hash: a593f9ad622a247f467c9e911f2660edccbc1634e11e0b12d99c8cbd16245baa
                                                            • Instruction Fuzzy Hash: AB511147E7E306CBF7A330BA815D3F61241FF22182E994ED74C2F62651B22E4985C8C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 65cad96cc3caa64fa370814367f3cab4f12a39808826f11b8cb0ab7784afe321
                                                            • Instruction ID: 667603f188bee6bc8e33c2ea6886c000d49f97227c104027250fa14be21d46af
                                                            • Opcode Fuzzy Hash: 65cad96cc3caa64fa370814367f3cab4f12a39808826f11b8cb0ab7784afe321
                                                            • Instruction Fuzzy Hash: 6651E246E3E306CBEB6230BA815D3F62241EF31182E994FD74D2F62695B22E4949C9C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: ade34dd968c0deda01ae5bee11948577bb649927513873893df43728e74beb50
                                                            • Instruction ID: a2dfe3bc43b97ee230b3e6d6cd6af6838171f7deeafd2cdc1a7ef0d61c2626f1
                                                            • Opcode Fuzzy Hash: ade34dd968c0deda01ae5bee11948577bb649927513873893df43728e74beb50
                                                            • Instruction Fuzzy Hash: 4241FF46E2E306CBFB6170BA815D3F61242EF321C1FD54AD74C6F22655B21E4982C9C6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 84e6983c3a7c793d52ba504e37a5f0e15a2303fc9d1c8d30536b89ec9bec53f0
                                                            • Instruction ID: e3420c9c0c01612618ced1d3fb0ed7b1ebc712e68b88bff4ea2ad31e0c9eb5d3
                                                            • Opcode Fuzzy Hash: 84e6983c3a7c793d52ba504e37a5f0e15a2303fc9d1c8d30536b89ec9bec53f0
                                                            • Instruction Fuzzy Hash: E3513547D3E346CBE76270BA805D3F22242FF221C2F994ED74C6F22656B22E4585C9C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: d46ef2a539990a315706a7ac7cc8bab632f6699f3b6a8d30a4de3ff018505e41
                                                            • Instruction ID: 9390330da355ab451b9c3c968b8831c37437f6068c248c417c35757950e91fc8
                                                            • Opcode Fuzzy Hash: d46ef2a539990a315706a7ac7cc8bab632f6699f3b6a8d30a4de3ff018505e41
                                                            • Instruction Fuzzy Hash: 7A511447D3E306CBFB6230BA815D3F61241EF32182ED94ED74C2F62652B22E4985C9C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 32d9cfad9c96648384f7ac024a7ab2b91d64b13f7279873a8daf97790318ecf8
                                                            • Instruction ID: 9898d3164cae72ab85ebebb49d4a1382d726556f90f3afa1df5d74491d3cc6c5
                                                            • Opcode Fuzzy Hash: 32d9cfad9c96648384f7ac024a7ab2b91d64b13f7279873a8daf97790318ecf8
                                                            • Instruction Fuzzy Hash: 8041EE46E2E316CBEB6170BA805D3F61242AF22181FD54AD74C6F63255B21E4982C9C6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 1ca0e58b1687af2df317f1be3a376be871e8f2abd92dc6be43cf73a8c6552365
                                                            • Instruction ID: 661e0035637ca8eda65949c2be292935282efc370de1e0fdee6658f0338e5997
                                                            • Opcode Fuzzy Hash: 1ca0e58b1687af2df317f1be3a376be871e8f2abd92dc6be43cf73a8c6552365
                                                            • Instruction Fuzzy Hash: B1510247E7E30ACBEB6230BA815D3F61242EF32181ED54ED74C6F22656B22E4985C9C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 89n1$LZ
                                                            • API String ID: 0-2738250265
                                                            • Opcode ID: 6e6c69efdf405d9b00f831ad48fb360ea22da5360be74114aeff30b9a38bbfa6
                                                            • Instruction ID: 74b0a4b83472314996455e615519a3d73ff023af2b811cdf538d5309f9bd75e9
                                                            • Opcode Fuzzy Hash: 6e6c69efdf405d9b00f831ad48fb360ea22da5360be74114aeff30b9a38bbfa6
                                                            • Instruction Fuzzy Hash: E151F146D7E306CBFB5230BA815D3F61242EF32182ED54AD74C6F22656B21E4986C8C6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E004075FE(signed int* __ebx, signed int __edi, signed int __esi) {
                                                            				signed int _t447;
                                                            				signed int _t450;
                                                            				void* _t460;
                                                            				signed int _t461;
                                                            				signed int _t466;
                                                            				signed int _t467;
                                                            				void* _t469;
                                                            				signed int _t470;
                                                            				signed int _t475;
                                                            				signed int _t476;
                                                            				unsigned int _t505;
                                                            				void* _t513;
                                                            				signed int _t526;
                                                            				signed int _t531;
                                                            				signed int _t532;
                                                            				signed int _t533;
                                                            				signed int _t539;
                                                            				signed int _t544;
                                                            				signed int _t545;
                                                            				void* _t546;
                                                            				signed int _t547;
                                                            				unsigned int _t555;
                                                            				signed int _t559;
                                                            				signed int* _t567;
                                                            				signed int _t572;
                                                            				signed int _t574;
                                                            				signed int _t576;
                                                            				signed int _t595;
                                                            				void* _t602;
                                                            				signed int _t604;
                                                            				signed int _t607;
                                                            				signed char _t608;
                                                            				signed char* _t609;
                                                            				signed int _t611;
                                                            				signed int _t614;
                                                            				signed int _t615;
                                                            				void* _t616;
                                                            				unsigned int _t619;
                                                            				unsigned int _t625;
                                                            				signed int* _t629;
                                                            				signed char _t634;
                                                            				signed char _t635;
                                                            				signed char** _t637;
                                                            				void* _t638;
                                                            				signed int _t639;
                                                            				unsigned int _t644;
                                                            				signed int _t646;
                                                            				signed int _t647;
                                                            				unsigned int _t651;
                                                            				signed int _t652;
                                                            				void* _t657;
                                                            
                                                            				L0:
                                                            				while(1) {
                                                            					L0:
                                                            					_t652 = __esi;
                                                            					_t647 = __edi;
                                                            					_t567 = __ebx;
                                                            					_t637 =  *(_t657 + 0x48);
                                                            					L56:
                                                            					while(_t652 < 0xe) {
                                                            						if(_t447 == 0) {
                                                            							L189:
                                                            							 *(_t657 + 0x1c) =  *(_t657 + 0x1c) & 0x00000000;
                                                            							_t567[0x147] = _t647;
                                                            							_t567[0x146] = _t652;
                                                            							_t637[1] = _t637[1] & 0x00000000;
                                                            							L196:
                                                            							 *_t637 =  *(_t657 + 0x14);
                                                            							_t567[0x26ea] =  *(_t657 + 0x18);
                                                            							L00407FBE(_t637);
                                                            							_t450 =  *(_t657 + 0x1c);
                                                            							L197:
                                                            							return _t450;
                                                            						}
                                                            						L55:
                                                            						 *(_t657 + 0x10) = _t447 - 1;
                                                            						_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
                                                            						 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
                                                            						_t447 =  *(_t657 + 0x10);
                                                            						_t652 = _t652 + 8;
                                                            					}
                                                            					_t572 = _t647 & 0x00003fff;
                                                            					_t567[1] = _t572;
                                                            					if((_t572 & 0x0000001f) > 0x1d || (_t572 & 0x000003e0) > 0x3a0) {
                                                            						L186:
                                                            						_t567[0x146] = _t652;
                                                            						 *_t567 = 0x11;
                                                            						_t567[0x147] = _t647;
                                                            						_t637[1] =  *(_t657 + 0x10);
                                                            						goto L196;
                                                            					} else {
                                                            						L59:
                                                            						_t652 = _t652 - 0xe;
                                                            						_t647 = _t647 >> 0xe;
                                                            						_t567[2] = _t567[2] & 0x00000000;
                                                            						 *(_t657 + 0x20) = _t652;
                                                            						 *_t567 = 0xc;
                                                            						while(1) {
                                                            							L60:
                                                            							_t574 = _t567[2];
                                                            							_t637 =  *(_t657 + 0x48);
                                                            							L65:
                                                            							while(_t574 < (_t567[1] >> 0xa) + 4) {
                                                            								while(1) {
                                                            									L63:
                                                            									_t460 = 3;
                                                            									if(_t652 >= _t460) {
                                                            										break;
                                                            									}
                                                            									L61:
                                                            									_t461 =  *(_t657 + 0x10);
                                                            									if(_t461 == 0) {
                                                            										goto L189;
                                                            									}
                                                            									L62:
                                                            									 *(_t657 + 0x10) = _t461 - 1;
                                                            									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
                                                            									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
                                                            									_t652 = _t652 + 8;
                                                            								}
                                                            								L64:
                                                            								_t466 = 7;
                                                            								_t576 = _t647;
                                                            								_t647 = _t647 >> 3;
                                                            								_t467 = _t567[2];
                                                            								_t96 = _t467 + 0x4099b0; // 0x121110
                                                            								 *(_t567 + 0xc +  *_t96 * 4) = _t576 & _t466;
                                                            								_t574 = _t567[2] + 1;
                                                            								_t469 = 3;
                                                            								_t652 = _t652 - _t469;
                                                            								_t567[2] = _t574;
                                                            								 *(_t657 + 0x20) = _t652;
                                                            							}
                                                            							_t638 = 0x13;
                                                            							if(_t574 >= _t638) {
                                                            								L68:
                                                            								_t470 = 7;
                                                            								 *(_t657 + 0x30) =  *(_t657 + 0x30) & 0x00000000;
                                                            								_t567[0x143] = _t470;
                                                            								_t475 = E00406EA8( &(_t567[3]), _t638, _t638, 0, 0,  &(_t567[0x144]),  &(_t567[0x143]),  &(_t567[0x148]), _t657 + 0x30);
                                                            								if(_t475 != 0 || _t567[0x143] == _t475) {
                                                            									L73:
                                                            									 *_t567 = 0x11;
                                                            									goto L22;
                                                            								} else {
                                                            									L70:
                                                            									_t567[2] = _t567[2] & _t475;
                                                            									 *_t567 = 0xd;
                                                            									L71:
                                                            									_t505 = _t567[1];
                                                            									_t637 =  *(_t657 + 0x48);
                                                            									 *(_t657 + 0x24) = _t505;
                                                            									if(_t567[2] >= (_t505 & 0x0000001f) + 0x102 + (_t505 >> 0x00000005 & 0x0000001f)) {
                                                            										L95:
                                                            										_t595 =  *(_t657 + 0x24);
                                                            										_t567[0x144] = _t567[0x144] & 0x00000000;
                                                            										 *(_t657 + 0x2c) =  *(_t657 + 0x2c) & 0x00000000;
                                                            										 *(_t657 + 0x30) = (_t595 & 0x0000001f) + 0x101;
                                                            										 *(_t657 + 0x2c) = 9;
                                                            										 *(_t657 + 0x28) = (_t595 >> 0x00000005 & 0x0000001f) + 1;
                                                            										 *(_t657 + 0x28) = 6;
                                                            										_t513 = E00406EA8( &(_t567[3]), (_t595 & 0x0000001f) + 0x101, 0x101, 0x4099c4, 0x409a04, _t657 + 0x48, _t657 + 0x30,  &(_t567[0x148]), _t657 + 0x2c);
                                                            										_t602 = 0xffffffff;
                                                            										_t476 =  ==  ? _t602 : _t513;
                                                            										if(_t476 != 0) {
                                                            											L187:
                                                            											_t637 =  *(_t657 + 0x48);
                                                            											L188:
                                                            											_t567[0x146] = _t652;
                                                            											_t567[0x147] = _t647;
                                                            											 *_t567 = 0x11;
                                                            											_t637[1] =  *(_t657 + 0x10);
                                                            											L195:
                                                            											 *(_t657 + 0x1c) = _t476 | 0xffffffff;
                                                            											goto L196;
                                                            										}
                                                            										L96:
                                                            										_t476 = E00406EA8( &(_t567[ *((intOrPtr*)(_t657 + 0x50)) + 3]),  *((intOrPtr*)(_t657 + 0x34)), 0, 0x409a44, 0x409a80, _t657 + 0x4c, _t657 + 0x28,  &(_t567[0x148]), _t657 + 0x2c);
                                                            										if(_t476 != 0) {
                                                            											goto L187;
                                                            										}
                                                            										L97:
                                                            										_t476 =  *(_t657 + 0x20);
                                                            										if(_t476 != 0 ||  *(_t657 + 0x30) <= 0x101) {
                                                            											L99:
                                                            											 *_t567 =  *_t567 & 0x00000000;
                                                            											_t567[4] = _t476;
                                                            											_t567[5] =  *(_t657 + 0x3c);
                                                            											_t567[4] =  *(_t657 + 0x28);
                                                            											_t567[6] =  *(_t657 + 0x40);
                                                            											L100:
                                                            											_t567[3] = _t567[4] & 0x000000ff;
                                                            											_t567[2] = _t567[5];
                                                            											_t526 =  *(_t657 + 0x10);
                                                            											 *_t567 = 1;
                                                            											L101:
                                                            											_t637 =  *(_t657 + 0x48);
                                                            											while(1) {
                                                            												L104:
                                                            												_t604 = _t567[3];
                                                            												if(_t652 >= _t604) {
                                                            													break;
                                                            												}
                                                            												L102:
                                                            												if(_t526 == 0) {
                                                            													goto L189;
                                                            												}
                                                            												L103:
                                                            												 *(_t657 + 0x10) = _t526 - 1;
                                                            												_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
                                                            												 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
                                                            												_t526 =  *(_t657 + 0x10);
                                                            												_t652 = _t652 + 8;
                                                            											}
                                                            											L105:
                                                            											_t531 = _t567[2];
                                                            											_t607 =  *(0x40b0c0 + _t604 * 2) & 0x0000ffff & _t647;
                                                            											_t644 = _t531 + _t607 * 4;
                                                            											_t608 =  *(_t531 + 1 + _t607 * 4) & 0x000000ff;
                                                            											_t652 = _t652 - _t608;
                                                            											_t647 = _t647 >> _t608;
                                                            											_t609 = _t644;
                                                            											 *(_t657 + 0x30) = _t644;
                                                            											 *(_t657 + 0x20) = _t652;
                                                            											_t532 =  *_t609 & 0x000000ff;
                                                            											if(_t532 != 0) {
                                                            												L107:
                                                            												if((_t532 & 0x00000010) == 0) {
                                                            													L109:
                                                            													if((_t532 & 0x00000040) != 0) {
                                                            														L111:
                                                            														if((_t532 & 0x00000020) == 0) {
                                                            															L193:
                                                            															_t476 =  *(_t657 + 0x10);
                                                            															L194:
                                                            															_t637 =  *(_t657 + 0x48);
                                                            															 *_t567 = 0x11;
                                                            															_t567[0x147] = _t647;
                                                            															_t567[0x146] = _t652;
                                                            															_t637[1] = _t476;
                                                            															goto L195;
                                                            														}
                                                            														L112:
                                                            														_t533 = 7;
                                                            														 *_t567 = _t533;
                                                            														L22:
                                                            														L177:
                                                            														_t476 =  *(_t657 + 0x10);
                                                            														L178:
                                                            														_t639 = 0xf;
                                                            														L179:
                                                            														while( *_t567 <= _t639) {
                                                            															switch( *((intOrPtr*)( *_t567 * 4 +  &M00407F7E))) {
                                                            																case 0:
                                                            																	goto L100;
                                                            																case 1:
                                                            																	goto L101;
                                                            																case 2:
                                                            																	L113:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	while(1) {
                                                            																		L116:
                                                            																		__ecx = __ebx[2];
                                                            																		__eflags = __esi - __ecx;
                                                            																		if(__esi >= __ecx) {
                                                            																			break;
                                                            																		}
                                                            																		L114:
                                                            																		__eflags = __eax;
                                                            																		if(__eax == 0) {
                                                            																			goto L189;
                                                            																		}
                                                            																		L115:
                                                            																		__eax = __eax - 1;
                                                            																		__ecx = __esi;
                                                            																		 *(__esp + 0x10) = __eax;
                                                            																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
                                                            																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
                                                            																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
                                                            																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
                                                            																		__eax =  *(__esp + 0x10);
                                                            																		__esi = __esi + 8;
                                                            																		__eflags = __esi;
                                                            																	}
                                                            																	L117:
                                                            																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
                                                            																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
                                                            																	__edi = __edi >> __cl;
                                                            																	__ebx[1] = __ebx[1] + __eax;
                                                            																	__esi = __esi - __ecx;
                                                            																	__eflags = __esi;
                                                            																	__eax = __ebx[4] & 0x000000ff;
                                                            																	__ebx[3] = __ebx[4] & 0x000000ff;
                                                            																	__eax = __ebx[6];
                                                            																	__ebx[2] = __ebx[6];
                                                            																	_push(3);
                                                            																	_pop(__eax);
                                                            																	 *__ebx = __ebx[6];
                                                            																	__eax =  *(__esp + 0x10);
                                                            																	goto L118;
                                                            																case 3:
                                                            																	L118:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	while(1) {
                                                            																		L121:
                                                            																		__ecx = __ebx[3];
                                                            																		__eflags = __esi - __ecx;
                                                            																		if(__esi >= __ecx) {
                                                            																			break;
                                                            																		}
                                                            																		L119:
                                                            																		__eflags = __eax;
                                                            																		if(__eax == 0) {
                                                            																			goto L189;
                                                            																		}
                                                            																		L120:
                                                            																		__eax = __eax - 1;
                                                            																		__ecx = __esi;
                                                            																		 *(__esp + 0x10) = __eax;
                                                            																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
                                                            																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
                                                            																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
                                                            																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
                                                            																		__eax =  *(__esp + 0x10);
                                                            																		__esi = __esi + 8;
                                                            																		__eflags = __esi;
                                                            																	}
                                                            																	L122:
                                                            																	__ecx =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
                                                            																	__eax = __ebx[2];
                                                            																	__eax = __ebx[2] + __ecx * 4;
                                                            																	__ecx =  *(__eax + 1) & 0x000000ff;
                                                            																	 *(__esp + 0x30) = __eax;
                                                            																	__esi = __esi - ( *(__eax + 1) & 0x000000ff);
                                                            																	__eax =  *__eax & 0x000000ff;
                                                            																	__edi = __edi >> __cl;
                                                            																	 *(__esp + 0x20) = __esi;
                                                            																	__eflags = __al & 0x00000010;
                                                            																	if((__al & 0x00000010) == 0) {
                                                            																		L124:
                                                            																		__eflags = __al & 0x00000040;
                                                            																		if((__al & 0x00000040) != 0) {
                                                            																			goto L193;
                                                            																		}
                                                            																		L125:
                                                            																		__ecx =  *(__esp + 0x30);
                                                            																		goto L110;
                                                            																	}
                                                            																	L123:
                                                            																	_push(0xf);
                                                            																	_pop(__ecx);
                                                            																	__eax = __eax & __ecx;
                                                            																	__ecx =  *(__esp + 0x30);
                                                            																	__ebx[2] = __eax;
                                                            																	__eax =  *(__ecx + 2) & 0x0000ffff;
                                                            																	__ebx[3] = __eax;
                                                            																	 *__ebx = 4;
                                                            																	goto L22;
                                                            																case 4:
                                                            																	L126:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	while(1) {
                                                            																		L129:
                                                            																		__ecx = __ebx[2];
                                                            																		__eflags = __esi - __ecx;
                                                            																		if(__esi >= __ecx) {
                                                            																			break;
                                                            																		}
                                                            																		L127:
                                                            																		__eflags = __eax;
                                                            																		if(__eax == 0) {
                                                            																			goto L189;
                                                            																		}
                                                            																		L128:
                                                            																		__eax = __eax - 1;
                                                            																		__ecx = __esi;
                                                            																		 *(__esp + 0x10) = __eax;
                                                            																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
                                                            																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
                                                            																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
                                                            																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
                                                            																		__eax =  *(__esp + 0x10);
                                                            																		__esi = __esi + 8;
                                                            																		__eflags = __esi;
                                                            																	}
                                                            																	L130:
                                                            																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
                                                            																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
                                                            																	__edi = __edi >> __cl;
                                                            																	__ebx[3] = __ebx[3] + __eax;
                                                            																	__esi = __esi - __ecx;
                                                            																	__eflags = __esi;
                                                            																	__ecx =  *(__esp + 0x18);
                                                            																	 *(__esp + 0x20) = __esi;
                                                            																	 *__ebx = 5;
                                                            																	goto L131;
                                                            																case 5:
                                                            																	L131:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	__ecx = __ecx - __ebx;
                                                            																	__eax = __ecx - __ebx - 0x1ba0;
                                                            																	__eflags = __ecx - __ebx - 0x1ba0 - __ebx[3];
                                                            																	if(__ecx - __ebx - 0x1ba0 >= __ebx[3]) {
                                                            																		__eax = __ecx;
                                                            																		__eax = __ecx - __ebx[3];
                                                            																		__eflags = __eax;
                                                            																	} else {
                                                            																		__ebx[0x26e8] = __ebx[0x26e8] - __ebx[3];
                                                            																		__ebx[0x26e8] - __ebx[3] - __ebx = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460;
                                                            																		__eax = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460 + __ecx;
                                                            																	}
                                                            																	__eflags = __ebx[1];
                                                            																	 *(__esp + 0x24) = __eax;
                                                            																	if(__ebx[1] != 0) {
                                                            																		do {
                                                            																			L135:
                                                            																			__eflags = __ebp;
                                                            																			if(__ebp != 0) {
                                                            																				goto L151;
                                                            																			}
                                                            																			L136:
                                                            																			__eflags = __ecx - __ebx[0x26e8];
                                                            																			if(__ecx != __ebx[0x26e8]) {
                                                            																				L142:
                                                            																				__ebx[0x26ea] = __ecx;
                                                            																				L00407FBE(__edx);
                                                            																				__ecx = __ebx[0x26ea];
                                                            																				__eax = __ebx[0x26e9];
                                                            																				__edx =  *(__esp + 0x48);
                                                            																				 *(__esp + 0x18) = __ecx;
                                                            																				__eflags = __ecx - __eax;
                                                            																				if(__ecx >= __eax) {
                                                            																					__eax = __ebx[0x26e8];
                                                            																					__ebp = __eax;
                                                            																					__ebp = __eax - __ecx;
                                                            																					__eflags = __ebp;
                                                            																				} else {
                                                            																					__ebp = __eax;
                                                            																					__eax =  *(__edx + 0x9bb0);
                                                            																					__ebp = __ebp - __ecx;
                                                            																					__ebp = __ebp - 1;
                                                            																				}
                                                            																				 *(__esp + 0x30) = __eax;
                                                            																				__eflags = __ecx - __eax;
                                                            																				if(__ecx == __eax) {
                                                            																					__eax =  &(__ebx[0x6e8]);
                                                            																					__eflags = __ebx[0x26e9] - __eax;
                                                            																					if(__ebx[0x26e9] != __eax) {
                                                            																						__ebp = __ebx[0x26e9];
                                                            																						__ecx = __eax;
                                                            																						 *(__esp + 0x18) = __ecx;
                                                            																						__eflags = __eax - __ebp;
                                                            																						if(__eax >= __ebp) {
                                                            																							__ebp =  *(__esp + 0x30);
                                                            																							__ebp =  *(__esp + 0x30) - __eax;
                                                            																							__eflags = __ebp;
                                                            																						} else {
                                                            																							__ebp = __ebp - __eax;
                                                            																							__ebp = __ebp - 1;
                                                            																						}
                                                            																					}
                                                            																				}
                                                            																				__eflags = __ebp;
                                                            																				if(__ebp == 0) {
                                                            																					goto L192;
                                                            																				} else {
                                                            																					goto L151;
                                                            																				}
                                                            																			}
                                                            																			L137:
                                                            																			__ebp = __ebx[0x26e9];
                                                            																			__eax =  &(__ebx[0x6e8]);
                                                            																			__eflags = __ebp - __eax;
                                                            																			if(__eflags == 0) {
                                                            																				goto L142;
                                                            																			}
                                                            																			L138:
                                                            																			__ecx = __eax;
                                                            																			if(__eflags <= 0) {
                                                            																				__ebp = __ebx[0x26e8];
                                                            																				__ebp = __ebx[0x26e8] - __eax;
                                                            																				__eflags = __ebp;
                                                            																			} else {
                                                            																				__ebp = __ebp - __eax;
                                                            																				__ebp = __ebp - 1;
                                                            																			}
                                                            																			__eflags = __ebp;
                                                            																			if(__ebp == 0) {
                                                            																				goto L142;
                                                            																			}
                                                            																			L151:
                                                            																			__eax =  *(__esp + 0x24);
                                                            																			__al =  *( *(__esp + 0x24));
                                                            																			 *__ecx = __al;
                                                            																			__ecx = __ecx + 1;
                                                            																			__eax =  *(__esp + 0x24);
                                                            																			__eax =  *(__esp + 0x24) + 1;
                                                            																			 *(__esp + 0x18) = __ecx;
                                                            																			__ebp = __ebp - 1;
                                                            																			 *(__esp + 0x24) = __eax;
                                                            																			__eflags = __eax - __ebx[0x26e8];
                                                            																			if(__eax == __ebx[0x26e8]) {
                                                            																				__eax =  &(__ebx[0x6e8]);
                                                            																				 *(__esp + 0x24) = __eax;
                                                            																			}
                                                            																			_t356 =  &(__ebx[1]);
                                                            																			 *_t356 = __ebx[1] - 1;
                                                            																			__eflags =  *_t356;
                                                            																		} while ( *_t356 != 0);
                                                            																	}
                                                            																	goto L154;
                                                            																case 6:
                                                            																	L155:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	__eflags = __ebp;
                                                            																	if(__ebp != 0) {
                                                            																		L171:
                                                            																		__al = __ebx[2];
                                                            																		 *__ecx = __al;
                                                            																		__ecx = __ecx + 1;
                                                            																		 *(__esp + 0x18) = __ecx;
                                                            																		__ebp = __ebp - 1;
                                                            																		L154:
                                                            																		 *__ebx =  *__ebx & 0x00000000;
                                                            																		goto L177;
                                                            																	}
                                                            																	L156:
                                                            																	__eflags = __ecx - __ebx[0x26e8];
                                                            																	if(__ecx != __ebx[0x26e8]) {
                                                            																		L162:
                                                            																		__ebx[0x26ea] = __ecx;
                                                            																		L00407FBE(__edx);
                                                            																		__ecx = __ebx[0x26ea];
                                                            																		__eax = __ebx[0x26e9];
                                                            																		__edx =  *(__esp + 0x48);
                                                            																		 *(__esp + 0x18) = __ecx;
                                                            																		__eflags = __ecx - __eax;
                                                            																		if(__ecx >= __eax) {
                                                            																			__eax = __ebx[0x26e8];
                                                            																			__ebp = __eax;
                                                            																			__ebp = __eax - __ecx;
                                                            																			__eflags = __ebp;
                                                            																		} else {
                                                            																			__ebp = __eax;
                                                            																			__eax =  *(__edx + 0x9bb0);
                                                            																			__ebp = __ebp - __ecx;
                                                            																			__ebp = __ebp - 1;
                                                            																		}
                                                            																		 *(__esp + 0x30) = __eax;
                                                            																		__eflags = __ecx - __eax;
                                                            																		if(__ecx == __eax) {
                                                            																			__eax =  &(__ebx[0x6e8]);
                                                            																			__eflags = __ebx[0x26e9] - __eax;
                                                            																			if(__ebx[0x26e9] != __eax) {
                                                            																				__ebp = __ebx[0x26e9];
                                                            																				__ecx = __eax;
                                                            																				 *(__esp + 0x18) = __ecx;
                                                            																				__eflags = __eax - __ebp;
                                                            																				if(__eax >= __ebp) {
                                                            																					__ebp =  *(__esp + 0x30);
                                                            																					__ebp =  *(__esp + 0x30) - __eax;
                                                            																					__eflags = __ebp;
                                                            																				} else {
                                                            																					__ebp = __ebp - __eax;
                                                            																					__ebp = __ebp - 1;
                                                            																				}
                                                            																			}
                                                            																		}
                                                            																		__eflags = __ebp;
                                                            																		if(__ebp == 0) {
                                                            																			goto L192;
                                                            																		} else {
                                                            																			goto L171;
                                                            																		}
                                                            																	}
                                                            																	L157:
                                                            																	__ebp = __ebx[0x26e9];
                                                            																	__eax =  &(__ebx[0x6e8]);
                                                            																	__eflags = __ebp - __eax;
                                                            																	if(__eflags == 0) {
                                                            																		goto L162;
                                                            																	}
                                                            																	L158:
                                                            																	__ecx = __eax;
                                                            																	if(__eflags <= 0) {
                                                            																		__ebp = __ebx[0x26e8];
                                                            																		__ebp = __ebx[0x26e8] - __eax;
                                                            																		__eflags = __ebp;
                                                            																	} else {
                                                            																		__ebp = __ebp - __eax;
                                                            																		__ebp = __ebp - 1;
                                                            																	}
                                                            																	__eflags = __ebp;
                                                            																	if(__ebp != 0) {
                                                            																		goto L171;
                                                            																	} else {
                                                            																		goto L162;
                                                            																	}
                                                            																case 7:
                                                            																	L172:
                                                            																	_push(7);
                                                            																	_pop(__ebp);
                                                            																	__eflags = __esi - __ebp;
                                                            																	if(__esi > __ebp) {
                                                            																		__esi = __esi - 8;
                                                            																		__eax = __eax + 1;
                                                            																		_t378 = __esp + 0x14;
                                                            																		 *_t378 =  *(__esp + 0x14) - 1;
                                                            																		__eflags =  *_t378;
                                                            																		 *(__esp + 0x20) = __esi;
                                                            																		 *(__esp + 0x10) = __eax;
                                                            																	}
                                                            																	goto L174;
                                                            																case 8:
                                                            																	L2:
                                                            																	_t641 =  *(_t657 + 0x48);
                                                            																	__eflags = _t652 - 3;
                                                            																	if(_t652 >= 3) {
                                                            																		L7:
                                                            																		_t652 = _t652 + 0xfffffffd;
                                                            																		_t478 = _t647 & 0x00000007;
                                                            																		_t647 = _t647 >> 3;
                                                            																		 *(_t657 + 0x30) = _t478;
                                                            																		__eflags = _t478 & 0x00000001;
                                                            																		_push(8);
                                                            																		_pop(_t479);
                                                            																		_t480 =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
                                                            																		_t567[0x145] =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
                                                            																		 *(_t657 + 0x2c) = _t647;
                                                            																		 *(_t657 + 0x20) = _t652;
                                                            																		_t483 =  *(_t657 + 0x30) >> 1;
                                                            																		__eflags = _t483;
                                                            																		if(_t483 == 0) {
                                                            																			L23:
                                                            																			_push(7);
                                                            																			 *_t567 = 9;
                                                            																			_pop(_t484);
                                                            																			_t647 = _t647 >> (_t652 & _t484);
                                                            																			_t652 = _t652 & 0xfffffff8;
                                                            																			 *(_t657 + 0x20) = _t652;
                                                            																			goto L22;
                                                            																		}
                                                            																		L8:
                                                            																		_t485 = _t483 - 1;
                                                            																		__eflags = _t485;
                                                            																		if(_t485 == 0) {
                                                            																			L13:
                                                            																			__eflags =  *0x432810;
                                                            																			if( *0x432810 != 0) {
                                                            																				L21:
                                                            																				_t486 =  *0x40b0e4; // 0x9
                                                            																				_t567[4] = _t486;
                                                            																				_t487 =  *0x40b0e8; // 0x5
                                                            																				_t567[4] = _t487;
                                                            																				_t488 =  *0x433098; // 0x432818
                                                            																				_t567[5] = _t488;
                                                            																				_t489 =  *0x43309c; // 0x433018
                                                            																				 *_t567 =  *_t567 & 0x00000000;
                                                            																				__eflags =  *_t567;
                                                            																				_t567[6] = _t489;
                                                            																				goto L22;
                                                            																			} else {
                                                            																				 *(_t657 + 0x28) =  *(_t657 + 0x28) & 0x00000000;
                                                            																				_t490 = 0;
                                                            																				__eflags = 0;
                                                            																				_push(7);
                                                            																				_pop(_t569);
                                                            																				do {
                                                            																					L15:
                                                            																					_push(8);
                                                            																					_pop(_t583);
                                                            																					__eflags = _t490 - 0x8f;
                                                            																					if(_t490 > 0x8f) {
                                                            																						__eflags = _t490 - 0x100;
                                                            																						if(_t490 >= 0x100) {
                                                            																							_push(8);
                                                            																							__eflags = _t490 - 0x118;
                                                            																							_pop(_t587);
                                                            																							_t583 =  <  ? _t569 : _t587;
                                                            																							__eflags = _t583;
                                                            																						} else {
                                                            																							_push(9);
                                                            																							_pop(_t583);
                                                            																						}
                                                            																					}
                                                            																					L19:
                                                            																					 *(0x433520 + _t490 * 4) = _t583;
                                                            																					_t490 = _t490 + 1;
                                                            																					__eflags = _t490 - 0x120;
                                                            																				} while (_t490 < 0x120);
                                                            																				_t567 =  *(_t657 + 0x38);
                                                            																				E00406EA8(0x433520, 0x120, 0x101, 0x4099c4, 0x409a04, 0x433098, 0x40b0e4, 0x432818, _t657 + 0x28);
                                                            																				_push(0x1e);
                                                            																				_pop(_t585);
                                                            																				_push(5);
                                                            																				_pop(_t493);
                                                            																				memset(0x433520, _t493, _t585 << 2);
                                                            																				_t657 = _t657 + 0xc;
                                                            																				E00406EA8(0x433520, 0x1e, 0, 0x409a44, 0x409a80, 0x43309c, 0x40b0e8, 0x432818, _t657 + 0x28);
                                                            																				_t647 =  *(_t657 + 0x2c);
                                                            																				 *0x432810 = 1;
                                                            																				goto L21;
                                                            																			}
                                                            																		}
                                                            																		L9:
                                                            																		_t497 = _t485 - 1;
                                                            																		__eflags = _t497;
                                                            																		if(_t497 == 0) {
                                                            																			 *_t567 = 0xb;
                                                            																			goto L177;
                                                            																		}
                                                            																		L10:
                                                            																		__eflags = _t497 == 1;
                                                            																		_t476 =  *(_t657 + 0x10);
                                                            																		if(_t497 == 1) {
                                                            																			goto L194;
                                                            																		} else {
                                                            																			goto L178;
                                                            																		}
                                                            																	} else {
                                                            																		_t588 =  *(_t657 + 0x14);
                                                            																		while(1) {
                                                            																			L4:
                                                            																			__eflags = _t476;
                                                            																			if(_t476 == 0) {
                                                            																				goto L181;
                                                            																			}
                                                            																			L5:
                                                            																			 *(_t657 + 0x10) = _t476 - 1;
                                                            																			_t503 = ( *_t588 & 0x000000ff) << _t652;
                                                            																			_t652 = _t652 + 8;
                                                            																			_t647 = _t647 | _t503;
                                                            																			_push(3);
                                                            																			_pop(_t504);
                                                            																			_t588 =  &(( *(_t657 + 0x14))[1]);
                                                            																			__eflags = _t652 - _t504;
                                                            																			_t476 =  *(_t657 + 0x10);
                                                            																			 *(_t657 + 0x14) = _t588;
                                                            																			if(_t652 < _t504) {
                                                            																				continue;
                                                            																			} else {
                                                            																				goto L7;
                                                            																			}
                                                            																		}
                                                            																		goto L181;
                                                            																	}
                                                            																case 9:
                                                            																	L24:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	__eflags = __esi - 0x20;
                                                            																	if(__esi >= 0x20) {
                                                            																		L29:
                                                            																		__eax = __di & 0x0000ffff;
                                                            																		__esi = 0;
                                                            																		__edi = 0;
                                                            																		__ebx[1] = __eax;
                                                            																		 *(__esp + 0x20) = 0;
                                                            																		__eflags = __eax;
                                                            																		if(__eax == 0) {
                                                            																			__eax = __ebx[0x145];
                                                            																		} else {
                                                            																			_push(0xa);
                                                            																			_pop(__eax);
                                                            																		}
                                                            																		 *__ebx = __eax;
                                                            																		goto L177;
                                                            																	}
                                                            																	L25:
                                                            																	__ecx =  *(__esp + 0x14);
                                                            																	while(1) {
                                                            																		L26:
                                                            																		__eflags = __eax;
                                                            																		if(__eax == 0) {
                                                            																			break;
                                                            																		}
                                                            																		L27:
                                                            																		 *(__esp + 0x10) = __eax;
                                                            																		__eax =  *__ecx & 0x000000ff;
                                                            																		__ecx = __esi;
                                                            																		__eax = __eax << __cl;
                                                            																		__esi = __esi + 8;
                                                            																		__ecx =  *(__esp + 0x14);
                                                            																		__edi = __edi | __eax;
                                                            																		__eax =  *(__esp + 0x10);
                                                            																		__ecx =  *(__esp + 0x14) + 1;
                                                            																		 *(__esp + 0x14) = __ecx;
                                                            																		__eflags = __esi - 0x20;
                                                            																		if(__esi < 0x20) {
                                                            																			continue;
                                                            																		}
                                                            																		L28:
                                                            																		__ecx =  *(__esp + 0x18);
                                                            																		goto L29;
                                                            																	}
                                                            																	L181:
                                                            																	_t567[0x147] = _t647;
                                                            																	_t567[0x146] = _t652;
                                                            																	_t393 =  &(_t641[1]);
                                                            																	 *_t393 = _t641[1] & 0x00000000;
                                                            																	__eflags =  *_t393;
                                                            																	 *_t641 = _t588;
                                                            																	_t567[0x26ea] =  *(_t657 + 0x18);
                                                            																	goto L182;
                                                            																case 0xa:
                                                            																	L33:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	__eflags = __eax;
                                                            																	if(__eax == 0) {
                                                            																		L185:
                                                            																		__eax =  *(__esp + 0x14);
                                                            																		__ebx[0x147] = __edi;
                                                            																		__ebx[0x146] = __esi;
                                                            																		 *(__edx + 4) =  *(__edx + 4) & 0x00000000;
                                                            																		 *__edx =  *(__esp + 0x14);
                                                            																		__ebx[0x26ea] = __ecx;
                                                            																		L182:
                                                            																		_push(_t641);
                                                            																		L183:
                                                            																		L00407FBE();
                                                            																		_t450 = 0;
                                                            																		goto L197;
                                                            																	}
                                                            																	L34:
                                                            																	__eflags = __ebp;
                                                            																	if(__ebp != 0) {
                                                            																		L51:
                                                            																		__edx =  *(__esp + 0x14);
                                                            																		__eflags = __ebp - __eax;
                                                            																		__esi = __eax;
                                                            																		__esi =  <  ? __ebp : __eax;
                                                            																		__eflags = __ebx[1] - __esi;
                                                            																		__esi =  <  ? __ebx[1] : __esi;
                                                            																		E004066B4(__ecx,  *(__esp + 0x14), __esi) =  *(__esp + 0x10);
                                                            																		__ebp = __ebp - __esi;
                                                            																		__ecx =  *(__esp + 0x18);
                                                            																		__eax =  *(__esp + 0x10) - __esi;
                                                            																		 *(__esp + 0x14) =  *(__esp + 0x14) + __esi;
                                                            																		__ecx =  *(__esp + 0x18) + __esi;
                                                            																		_t72 =  &(__ebx[1]);
                                                            																		 *_t72 = __ebx[1] - __esi;
                                                            																		__eflags =  *_t72;
                                                            																		__esi =  *(__esp + 0x20);
                                                            																		_push(0xf);
                                                            																		 *(__esp + 0x14) = __eax;
                                                            																		 *(__esp + 0x1c) = __ecx;
                                                            																		_pop(__edx);
                                                            																		if( *_t72 != 0) {
                                                            																			goto L179;
                                                            																		}
                                                            																		L52:
                                                            																		__eax = __ebx[0x145];
                                                            																		 *__ebx = __eax;
                                                            																		L53:
                                                            																		_t476 =  *(_t657 + 0x10);
                                                            																		goto L179;
                                                            																	}
                                                            																	L35:
                                                            																	__eflags = __ecx - __ebx[0x26e8];
                                                            																	if(__ecx != __ebx[0x26e8]) {
                                                            																		L41:
                                                            																		__ebx[0x26ea] = __ecx;
                                                            																		L00407FBE(__edx);
                                                            																		__ecx = __ebx[0x26ea];
                                                            																		__edx = __ebx[0x26e9];
                                                            																		__eax = __ebx[0x26e8];
                                                            																		 *(__esp + 0x18) = __ecx;
                                                            																		__eflags = __ecx - __edx;
                                                            																		if(__ecx >= __edx) {
                                                            																			__ebp = __eax;
                                                            																			__ebp = __eax - __ecx;
                                                            																			__eflags = __ebp;
                                                            																		} else {
                                                            																			__edx = __edx - __ecx;
                                                            																			__ebp = __edx - __ecx - 1;
                                                            																		}
                                                            																		__eflags = __ecx - __eax;
                                                            																		if(__ecx == __eax) {
                                                            																			__eax =  &(__ebx[0x6e8]);
                                                            																			__eflags = __edx - __eax;
                                                            																			if(__eflags != 0) {
                                                            																				__ecx = __eax;
                                                            																				 *(__esp + 0x18) = __ecx;
                                                            																				if(__eflags <= 0) {
                                                            																					__ebp = __ebx[0x26e8];
                                                            																					__ebp = __ebx[0x26e8] - __eax;
                                                            																					__eflags = __ebp;
                                                            																				} else {
                                                            																					__ebp = __edx - __eax - 1;
                                                            																				}
                                                            																			}
                                                            																		}
                                                            																		__eflags = __ebp;
                                                            																		if(__ebp == 0) {
                                                            																			L184:
                                                            																			__eax =  *(__esp + 0x48);
                                                            																			__edx =  *(__esp + 0x14);
                                                            																			__ebx[0x146] = __esi;
                                                            																			__esi =  *(__esp + 0x10);
                                                            																			__ebx[0x147] = __edi;
                                                            																			 *(__eax + 4) =  *(__esp + 0x10);
                                                            																			 *__eax =  *(__esp + 0x14);
                                                            																			__ebx[0x26ea] = __ecx;
                                                            																			_push(__eax);
                                                            																			goto L183;
                                                            																		} else {
                                                            																			L50:
                                                            																			__eax =  *(__esp + 0x10);
                                                            																			goto L51;
                                                            																		}
                                                            																	}
                                                            																	L36:
                                                            																	__ebp =  &(__ebx[0x6e8]);
                                                            																	 *(__esp + 0x24) =  &(__ebx[0x6e8]);
                                                            																	__ebp = __ebx[0x26e9];
                                                            																	__eflags = __ebp -  *(__esp + 0x24);
                                                            																	if(__eflags == 0) {
                                                            																		goto L41;
                                                            																	}
                                                            																	L37:
                                                            																	__ecx =  &(__ebx[0x6e8]);
                                                            																	 *(__esp + 0x18) = __ecx;
                                                            																	if(__eflags <= 0) {
                                                            																		__ebp = __ebx[0x26e8];
                                                            																		__ebp = __ebx[0x26e8] -  *(__esp + 0x24);
                                                            																		__eflags = __ebp;
                                                            																	} else {
                                                            																		__ebp = __ebp -  *(__esp + 0x24);
                                                            																		__ebp = __ebp - 1;
                                                            																	}
                                                            																	__eflags = __ebp;
                                                            																	if(__ebp != 0) {
                                                            																		goto L51;
                                                            																	} else {
                                                            																		goto L41;
                                                            																	}
                                                            																case 0xb:
                                                            																	goto L0;
                                                            																case 0xc:
                                                            																	L60:
                                                            																	_t574 = _t567[2];
                                                            																	_t637 =  *(_t657 + 0x48);
                                                            																	goto L65;
                                                            																case 0xd:
                                                            																	goto L71;
                                                            																case 0xe:
                                                            																	goto L194;
                                                            																case 0xf:
                                                            																	L174:
                                                            																	__edx =  *(__esp + 0x48);
                                                            																	__ebx[0x26ea] = __ecx;
                                                            																	L00407FBE( *(__esp + 0x48));
                                                            																	__ecx = __ebx[0x26ea];
                                                            																	__eax = __ebx[0x26e9];
                                                            																	 *(__esp + 0x18) = __ecx;
                                                            																	__eflags = __ecx - __eax;
                                                            																	if(__ecx < __eax) {
                                                            																		L191:
                                                            																		__edx =  *(__esp + 0x48);
                                                            																		L192:
                                                            																		 *(__esp + 0x1c) =  *(__esp + 0x1c) & 0x00000000;
                                                            																		__ebx[0x146] = __esi;
                                                            																		__esi =  *(__esp + 0x10);
                                                            																		__ebx[0x147] = __edi;
                                                            																		 *(__edx + 4) =  *(__esp + 0x10);
                                                            																		goto L196;
                                                            																	}
                                                            																	L175:
                                                            																	__ebp = __ebx[0x26e8];
                                                            																	__ebp = __ebx[0x26e8] - __ecx;
                                                            																	__eflags = __ecx - __eax;
                                                            																	if(__ecx != __eax) {
                                                            																		goto L191;
                                                            																	}
                                                            																	L176:
                                                            																	__eax = __ebx[0x145];
                                                            																	 *__ebx = __eax;
                                                            																	__eflags = __eax - 8;
                                                            																	if(__eax != 8) {
                                                            																		L190:
                                                            																		__edx =  *(__esp + 0x48);
                                                            																		__ebx[0x146] = __esi;
                                                            																		__esi =  *(__esp + 0x10);
                                                            																		__ebx[0x147] = __edi;
                                                            																		 *( *(__esp + 0x48) + 4) =  *(__esp + 0x10);
                                                            																		 *(__esp + 0x1c) = 1;
                                                            																		goto L196;
                                                            																	}
                                                            																	goto L177;
                                                            															}
                                                            														}
                                                            														goto L194;
                                                            													}
                                                            													L110:
                                                            													_t567[3] = _t532;
                                                            													_t567[2] = _t609 + (_t609[2] & 0x0000ffff) * 4;
                                                            													goto L22;
                                                            												}
                                                            												L108:
                                                            												_t639 = 0xf;
                                                            												_t567[2] = _t532 & _t639;
                                                            												_t567[1] = _t609[2] & 0x0000ffff;
                                                            												 *_t567 = 2;
                                                            												goto L53;
                                                            											}
                                                            											L106:
                                                            											_t567[2] = _t609[2] & 0x0000ffff;
                                                            											 *_t567 = 6;
                                                            											goto L22;
                                                            										} else {
                                                            											goto L187;
                                                            										}
                                                            									}
                                                            									L72:
                                                            									while(1) {
                                                            										L76:
                                                            										_t611 = _t567[0x143];
                                                            										if(_t652 < _t611) {
                                                            											break;
                                                            										}
                                                            										L77:
                                                            										_t544 = _t567[0x144];
                                                            										_t614 =  *(0x40b0c0 + _t611 * 2) & 0x0000ffff & _t647;
                                                            										_t545 =  *(_t544 + 2 + _t614 * 4) & 0x0000ffff;
                                                            										 *(_t657 + 0x24) =  *(_t544 + 1 + _t614 * 4) & 0x000000ff;
                                                            										_t637 =  *(_t657 + 0x48);
                                                            										 *(_t657 + 0x2c) = _t545;
                                                            										if(_t545 >= 0x10) {
                                                            											L79:
                                                            											if(_t545 != 0x12) {
                                                            												_t615 = _t545 - 0xe;
                                                            											} else {
                                                            												_t615 = 7;
                                                            											}
                                                            											 *(_t657 + 0x20) = _t615;
                                                            											_t616 = 0xb;
                                                            											_t546 = 3;
                                                            											_t617 =  !=  ? _t546 : _t616;
                                                            											_t547 =  *(_t657 + 0x20);
                                                            											 *(_t657 + 0x28) =  !=  ? _t546 : _t616;
                                                            											_t619 =  *(_t657 + 0x24) + _t547;
                                                            											 *(_t657 + 0x30) = _t619;
                                                            											if(_t652 >= _t619) {
                                                            												L86:
                                                            												_t651 = _t647 >>  *(_t657 + 0x24);
                                                            												 *(_t657 + 0x28) = ( *(0x40b0c0 + _t547 * 2) & 0x0000ffff & _t651) +  *(_t657 + 0x28);
                                                            												_t652 = _t652 - _t547 +  *(_t657 + 0x24);
                                                            												_t647 = _t651 >> _t547;
                                                            												_t625 = _t567[1];
                                                            												 *(_t657 + 0x20) = _t567[2];
                                                            												_t476 =  *(_t657 + 0x20) +  *(_t657 + 0x28);
                                                            												if(_t476 > (_t625 & 0x0000001f) + (_t625 >> 0x00000005 & 0x0000001f) + 0x102) {
                                                            													goto L188;
                                                            												}
                                                            												L87:
                                                            												_t476 =  *(_t657 + 0x20);
                                                            												if( *(_t657 + 0x2c) != 0x10) {
                                                            													L90:
                                                            													_t186 = _t657 + 0x2c;
                                                            													 *_t186 =  *(_t657 + 0x2c) & 0x00000000;
                                                            													L91:
                                                            													_t646 =  *(_t657 + 0x2c);
                                                            													_t629 =  &(_t567[_t476 + 3]);
                                                            													do {
                                                            														L92:
                                                            														_t476 = _t476 + 1;
                                                            														 *_t629 = _t646;
                                                            														_t192 = _t657 + 0x28;
                                                            														 *_t192 =  *(_t657 + 0x28) - 1;
                                                            														_t629 =  &(_t629[1]);
                                                            													} while ( *_t192 != 0);
                                                            													_t637 =  *(_t657 + 0x48);
                                                            													_t567[2] = _t476;
                                                            													L94:
                                                            													 *(_t657 + 0x20) = _t476;
                                                            													_t555 = _t567[1];
                                                            													 *(_t657 + 0x24) = _t555;
                                                            													if( *(_t657 + 0x20) < (_t555 & 0x0000001f) + 0x102 + (_t555 >> 0x00000005 & 0x0000001f)) {
                                                            														continue;
                                                            													}
                                                            													goto L95;
                                                            												}
                                                            												L88:
                                                            												if(_t476 < 1) {
                                                            													goto L188;
                                                            												}
                                                            												L89:
                                                            												 *(_t657 + 0x2c) =  *(_t567 + 8 + _t476 * 4);
                                                            												goto L91;
                                                            											} else {
                                                            												while(1) {
                                                            													L83:
                                                            													_t559 =  *(_t657 + 0x10);
                                                            													if(_t559 == 0) {
                                                            														goto L189;
                                                            													}
                                                            													L84:
                                                            													_t634 = _t652;
                                                            													 *(_t657 + 0x10) = _t559 - 1;
                                                            													_t652 = _t652 + 8;
                                                            													_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t634;
                                                            													 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
                                                            													if(_t652 <  *(_t657 + 0x30)) {
                                                            														continue;
                                                            													}
                                                            													L85:
                                                            													_t547 =  *(_t657 + 0x20);
                                                            													goto L86;
                                                            												}
                                                            												goto L189;
                                                            											}
                                                            										}
                                                            										L78:
                                                            										_t635 =  *(_t657 + 0x24);
                                                            										_t652 = _t652 - _t635;
                                                            										_t647 = _t647 >> _t635;
                                                            										 *(_t567 + 0xc + _t567[2] * 4) =  *(_t657 + 0x2c);
                                                            										_t567[2] = _t567[2] + 1;
                                                            										_t476 = _t567[2];
                                                            										goto L94;
                                                            									}
                                                            									L74:
                                                            									_t539 =  *(_t657 + 0x10);
                                                            									if(_t539 == 0) {
                                                            										goto L189;
                                                            									}
                                                            									L75:
                                                            									 *(_t657 + 0x10) = _t539 - 1;
                                                            									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
                                                            									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
                                                            									_t652 = _t652 + 8;
                                                            									goto L76;
                                                            								}
                                                            							} else {
                                                            								goto L67;
                                                            							}
                                                            							do {
                                                            								L67:
                                                            								_t105 = _t567[2] + 0x4099b0; // 0x121110
                                                            								 *(_t567 + 0xc +  *_t105 * 4) =  *(_t567 + 0xc +  *_t105 * 4) & 0x00000000;
                                                            								_t567[2] = _t567[2] + 1;
                                                            							} while (_t567[2] < _t638);
                                                            							goto L68;
                                                            						}
                                                            					}
                                                            				}
                                                            			}






















































                                                            0x00407d11
                                                            0x00407d11
                                                            0x00407d17
                                                            0x00407d3e
                                                            0x00407d3f
                                                            0x00407d45
                                                            0x00407d4a
                                                            0x00407d50
                                                            0x00407d56
                                                            0x00407d5a
                                                            0x00407d5e
                                                            0x00407d60
                                                            0x00407d6f
                                                            0x00407d75
                                                            0x00407d77
                                                            0x00407d77
                                                            0x00407d62
                                                            0x00407d62
                                                            0x00407d64
                                                            0x00407d6a
                                                            0x00407d6c
                                                            0x00407d6c
                                                            0x00407d79
                                                            0x00407d7d
                                                            0x00407d7f
                                                            0x00407d81
                                                            0x00407d87
                                                            0x00407d8d
                                                            0x00407d8f
                                                            0x00407d95
                                                            0x00407d97
                                                            0x00407d9b
                                                            0x00407d9d
                                                            0x00407da4
                                                            0x00407da8
                                                            0x00407da8
                                                            0x00407d9f
                                                            0x00407d9f
                                                            0x00407da1
                                                            0x00407da1
                                                            0x00407d9d
                                                            0x00407d8d
                                                            0x00407daa
                                                            0x00407dac
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00407dac
                                                            0x00407d19
                                                            0x00407d19
                                                            0x00407d1f
                                                            0x00407d25
                                                            0x00407d27
                                                            0x00000000
                                                            0x00000000
                                                            0x00407d29
                                                            0x00407d29
                                                            0x00407d2b
                                                            0x00407d32
                                                            0x00407d38
                                                            0x00407d38
                                                            0x00407d2d
                                                            0x00407d2d
                                                            0x00407d2f
                                                            0x00407d2f
                                                            0x00407d3a
                                                            0x00407d3c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00407dc2
                                                            0x00407dc2
                                                            0x00407dc4
                                                            0x00407dc5
                                                            0x00407dc7
                                                            0x00407dc9
                                                            0x00407dcc
                                                            0x00407dcd
                                                            0x00407dcd
                                                            0x00407dcd
                                                            0x00407dd1
                                                            0x00407dd5
                                                            0x00407dd5
                                                            0x00000000
                                                            0x00000000
                                                            0x004072f8
                                                            0x004072f8
                                                            0x004072fc
                                                            0x004072ff
                                                            0x00407336
                                                            0x00407338
                                                            0x0040733b
                                                            0x0040733e
                                                            0x00407341
                                                            0x00407345
                                                            0x00407347
                                                            0x00407349
                                                            0x0040734a
                                                            0x0040734f
                                                            0x0040735b
                                                            0x0040735f
                                                            0x00407363
                                                            0x00407363
                                                            0x00407366
                                                            0x0040747c
                                                            0x0040747c
                                                            0x00407480
                                                            0x00407486
                                                            0x00407489
                                                            0x0040748b
                                                            0x0040748e
                                                            0x00000000
                                                            0x0040748e
                                                            0x0040736c
                                                            0x0040736c
                                                            0x0040736c
                                                            0x0040736f
                                                            0x00407393
                                                            0x00407393
                                                            0x0040739a
                                                            0x00407450
                                                            0x00407450
                                                            0x00407455
                                                            0x00407458
                                                            0x0040745d
                                                            0x00407460
                                                            0x00407465
                                                            0x00407468
                                                            0x0040746d
                                                            0x0040746d
                                                            0x00407470
                                                            0x00000000
                                                            0x004073a0
                                                            0x004073a0
                                                            0x004073a5
                                                            0x004073a5
                                                            0x004073a7
                                                            0x004073a9
                                                            0x004073aa
                                                            0x004073aa
                                                            0x004073aa
                                                            0x004073ac
                                                            0x004073ad
                                                            0x004073b2
                                                            0x004073b4
                                                            0x004073b9
                                                            0x004073c0
                                                            0x004073c2
                                                            0x004073c7
                                                            0x004073c8
                                                            0x004073c8
                                                            0x004073bb
                                                            0x004073bb
                                                            0x004073bd
                                                            0x004073bd
                                                            0x004073b9
                                                            0x004073cb
                                                            0x004073cb
                                                            0x004073d2
                                                            0x004073d8
                                                            0x004073d8
                                                            0x004073dc
                                                            0x00407409
                                                            0x0040740e
                                                            0x00407410
                                                            0x00407411
                                                            0x00407413
                                                            0x0040741b
                                                            0x0040741b
                                                            0x00407440
                                                            0x00407445
                                                            0x00407449
                                                            0x00000000
                                                            0x00407449
                                                            0x0040739a
                                                            0x00407371
                                                            0x00407371
                                                            0x00407371
                                                            0x00407374
                                                            0x00407388
                                                            0x00000000
                                                            0x00407388
                                                            0x00407376
                                                            0x00407376
                                                            0x00407379
                                                            0x0040737d
                                                            0x00000000
                                                            0x00407383
                                                            0x00000000
                                                            0x00407383
                                                            0x00407301
                                                            0x00407301
                                                            0x00407305
                                                            0x00407305
                                                            0x00407305
                                                            0x00407307
                                                            0x00000000
                                                            0x00000000
                                                            0x0040730d
                                                            0x0040730e
                                                            0x00407317
                                                            0x00407319
                                                            0x00407320
                                                            0x00407322
                                                            0x00407324
                                                            0x00407325
                                                            0x00407326
                                                            0x00407328
                                                            0x0040732c
                                                            0x00407330
                                                            0x00000000
                                                            0x00407332
                                                            0x00000000
                                                            0x00407332
                                                            0x00407330
                                                            0x00000000
                                                            0x00407305
                                                            0x00000000
                                                            0x00407494
                                                            0x00407494
                                                            0x00407498
                                                            0x0040749b
                                                            0x004074d0
                                                            0x004074d0
                                                            0x004074d3
                                                            0x004074d5
                                                            0x004074d7
                                                            0x004074da
                                                            0x004074de
                                                            0x004074e0
                                                            0x004074e7
                                                            0x004074e2
                                                            0x004074e2
                                                            0x004074e4
                                                            0x004074e4
                                                            0x004074ed
                                                            0x00000000
                                                            0x004074ed
                                                            0x0040749d
                                                            0x0040749d
                                                            0x004074a1
                                                            0x004074a1
                                                            0x004074a1
                                                            0x004074a3
                                                            0x00000000
                                                            0x00000000
                                                            0x004074a9
                                                            0x004074aa
                                                            0x004074ae
                                                            0x004074b1
                                                            0x004074b3
                                                            0x004074b5
                                                            0x004074b8
                                                            0x004074bc
                                                            0x004074be
                                                            0x004074c2
                                                            0x004074c3
                                                            0x004074c7
                                                            0x004074ca
                                                            0x00000000
                                                            0x00000000
                                                            0x004074cc
                                                            0x004074cc
                                                            0x00000000
                                                            0x004074cc
                                                            0x00407e36
                                                            0x00407e3a
                                                            0x00407e40
                                                            0x00407e46
                                                            0x00407e46
                                                            0x00407e46
                                                            0x00407e4a
                                                            0x00407e4c
                                                            0x00000000
                                                            0x00000000
                                                            0x004074f4
                                                            0x004074f4
                                                            0x004074f8
                                                            0x004074fa
                                                            0x00407e85
                                                            0x00407e85
                                                            0x00407e89
                                                            0x00407e8f
                                                            0x00407e95
                                                            0x00407e99
                                                            0x00407e9b
                                                            0x00407e52
                                                            0x00407e52
                                                            0x00407e53
                                                            0x00407e53
                                                            0x00407e58
                                                            0x00000000
                                                            0x00407e58
                                                            0x00407500
                                                            0x00407500
                                                            0x00407502
                                                            0x004075a9
                                                            0x004075a9
                                                            0x004075ad
                                                            0x004075af
                                                            0x004075b1
                                                            0x004075b4
                                                            0x004075b7
                                                            0x004075c3
                                                            0x004075c7
                                                            0x004075c9
                                                            0x004075cd
                                                            0x004075cf
                                                            0x004075d3
                                                            0x004075d5
                                                            0x004075d5
                                                            0x004075d5
                                                            0x004075d8
                                                            0x004075dc
                                                            0x004075de
                                                            0x004075e2
                                                            0x004075e6
                                                            0x004075e7
                                                            0x00000000
                                                            0x00000000
                                                            0x004075ed
                                                            0x004075ed
                                                            0x004075f3
                                                            0x004075f5
                                                            0x004075f5
                                                            0x00000000
                                                            0x004075f5
                                                            0x00407508
                                                            0x00407508
                                                            0x0040750e
                                                            0x00407547
                                                            0x00407548
                                                            0x0040754e
                                                            0x00407553
                                                            0x00407559
                                                            0x0040755f
                                                            0x00407565
                                                            0x00407569
                                                            0x0040756b
                                                            0x00407574
                                                            0x00407576
                                                            0x00407576
                                                            0x0040756d
                                                            0x0040756f
                                                            0x00407571
                                                            0x00407571
                                                            0x00407578
                                                            0x0040757a
                                                            0x0040757c
                                                            0x00407582
                                                            0x00407584
                                                            0x00407586
                                                            0x00407588
                                                            0x0040758c
                                                            0x00407595
                                                            0x0040759b
                                                            0x0040759b
                                                            0x0040758e
                                                            0x00407592
                                                            0x00407592
                                                            0x0040758c
                                                            0x00407584
                                                            0x0040759d
                                                            0x0040759f
                                                            0x00407e5f
                                                            0x00407e5f
                                                            0x00407e63
                                                            0x00407e67
                                                            0x00407e6d
                                                            0x00407e71
                                                            0x00407e77
                                                            0x00407e7a
                                                            0x00407e7c
                                                            0x00407e82
                                                            0x00000000
                                                            0x004075a5
                                                            0x004075a5
                                                            0x004075a5
                                                            0x00000000
                                                            0x004075a5
                                                            0x0040759f
                                                            0x00407510
                                                            0x00407510
                                                            0x00407516
                                                            0x0040751a
                                                            0x00407520
                                                            0x00407524
                                                            0x00000000
                                                            0x00000000
                                                            0x00407526
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
                                                            • Instruction ID: 34855fb2682deb8042092b43f828aa3e625fb4f43d1e7d882369f70b8a17060e
                                                            • Opcode Fuzzy Hash: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
                                                            • Instruction Fuzzy Hash: 09F17171A183418FCB04CF18C49076ABBE5FF89315F14896EE889EB286D778E941CF56
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4411149e5fbe8a921f0713bf1fe86c871f3a30cbd08ba6a276f4c80f08e300b6
                                                            • Instruction ID: 205dbd9ef5cc660ca90d7fc6b0d555715321b4ce434f1a37597c4fd3dcb47534
                                                            • Opcode Fuzzy Hash: 4411149e5fbe8a921f0713bf1fe86c871f3a30cbd08ba6a276f4c80f08e300b6
                                                            • Instruction Fuzzy Hash: 5CB169B06213028FDF2C9E2885A47FA73A2EF55260FD442AEDC9A47286DF35CD42C611
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E00406EA8(signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24, signed int* _a28, intOrPtr _a32, signed int* _a36) {
                                                            				signed int _v60;
                                                            				signed int _v120;
                                                            				signed int _v124;
                                                            				void _v188;
                                                            				intOrPtr _v192;
                                                            				signed int _v196;
                                                            				signed int _v200;
                                                            				signed int _v204;
                                                            				signed int _v208;
                                                            				signed int _v212;
                                                            				signed int _v216;
                                                            				signed int _v220;
                                                            				signed int _v224;
                                                            				void* _v228;
                                                            				signed int _v232;
                                                            				signed int _v236;
                                                            				signed int _v240;
                                                            				signed int _v244;
                                                            				short _v246;
                                                            				char _v247;
                                                            				signed char _v248;
                                                            				signed int _t170;
                                                            				void* _t172;
                                                            				signed int _t173;
                                                            				signed int _t176;
                                                            				signed int _t179;
                                                            				signed int _t180;
                                                            				signed int _t183;
                                                            				signed int _t184;
                                                            				signed int _t189;
                                                            				intOrPtr* _t203;
                                                            				signed int _t204;
                                                            				short _t209;
                                                            				signed int _t216;
                                                            				signed char _t227;
                                                            				signed int _t233;
                                                            				signed int* _t237;
                                                            				signed int _t239;
                                                            				signed int _t240;
                                                            				signed int* _t242;
                                                            				signed int _t244;
                                                            				signed int _t246;
                                                            				signed int _t247;
                                                            				signed int _t248;
                                                            				signed int _t249;
                                                            				signed char _t251;
                                                            				intOrPtr _t253;
                                                            				signed int _t254;
                                                            				signed int _t260;
                                                            				signed int _t262;
                                                            				signed char _t264;
                                                            				intOrPtr _t265;
                                                            				signed int _t266;
                                                            				void* _t267;
                                                            				signed int _t268;
                                                            				signed int _t269;
                                                            				signed int _t272;
                                                            				signed int _t274;
                                                            				signed int _t276;
                                                            				signed int _t279;
                                                            				void* _t280;
                                                            				void* _t281;
                                                            				signed int _t283;
                                                            				signed int _t284;
                                                            				signed int* _t287;
                                                            				signed int _t290;
                                                            				void* _t291;
                                                            				intOrPtr _t292;
                                                            				signed int _t293;
                                                            				signed int _t294;
                                                            				signed int _t295;
                                                            				intOrPtr _t297;
                                                            				signed int _t299;
                                                            				intOrPtr _t300;
                                                            				signed int _t301;
                                                            				void* _t304;
                                                            				signed int _t308;
                                                            				signed char* _t310;
                                                            
                                                            				_t237 = _a4;
                                                            				_t297 = _a8;
                                                            				_t265 = _t297;
                                                            				_t240 = 0x10;
                                                            				memset( &_v188, 0, _t240 << 2);
                                                            				_t310 =  &(( &_v248)[0xc]);
                                                            				_t242 = _t237;
                                                            				do {
                                                            					_t170 =  *_t242;
                                                            					_t242 =  &(_t242[1]);
                                                            					_t310[0x4c + _t170 * 4] = _t310[0x4c + _t170 * 4] + 1;
                                                            					_t265 = _t265 - 1;
                                                            				} while (_t265 != 0);
                                                            				if(_v188 == _t297) {
                                                            					 *_a24 = 0;
                                                            					 *_a28 = 0;
                                                            					return 0;
                                                            				}
                                                            				_t287 = _a28;
                                                            				_t244 = 1;
                                                            				_t294 = 0;
                                                            				_t266 = 0xf;
                                                            				while(_t310[0x4c + _t244 * 4] == _t294) {
                                                            					_t244 = _t244 + 1;
                                                            					if(_t244 <= _t266) {
                                                            						continue;
                                                            					}
                                                            					break;
                                                            				}
                                                            				_v220 = _t244;
                                                            				_t172 =  >=  ?  *_t287 : _t244;
                                                            				while(_t310[0x4c + _t266 * 4] == _t294) {
                                                            					_t266 = _t266 - 1;
                                                            					if(_t266 != 0) {
                                                            						continue;
                                                            					}
                                                            					break;
                                                            				}
                                                            				_v216 = _t266;
                                                            				_t299 =  <=  ? _t172 : _t266;
                                                            				_t173 = _t299;
                                                            				_v236 = _t299;
                                                            				_t300 = _a8;
                                                            				 *_t287 = _t173;
                                                            				_t290 = 1 << _t244;
                                                            				while(_t244 < _t266) {
                                                            					_t291 = _t290 - _t310[0x4c + _t244 * 4];
                                                            					if(_t291 < 0) {
                                                            						L61:
                                                            						return _t173 | 0xffffffff;
                                                            					}
                                                            					_t244 = _t244 + 1;
                                                            					_t290 = _t291 + _t291;
                                                            				}
                                                            				_t246 = _t266 << 2;
                                                            				_v212 = _t246;
                                                            				_t173 = _t310[_t246 + 0x4c];
                                                            				_t292 = _t290 - _t173;
                                                            				_v192 = _t292;
                                                            				if(_t292 < 0) {
                                                            					goto L61;
                                                            				}
                                                            				_v120 = _t294;
                                                            				_t310[_t246 + 0x4c] = _t173 + _t292;
                                                            				_t247 = _t294;
                                                            				_t267 = _t266 - 1;
                                                            				if(_t267 != 0) {
                                                            					_t233 = _t294;
                                                            					do {
                                                            						_t247 = _t247 + _t310[_t233 + 0x50];
                                                            						_t233 = _t233 + 4;
                                                            						_t310[_t233 + 0x90] = _t247;
                                                            						_t267 = _t267 - 1;
                                                            					} while (_t267 != 0);
                                                            				}
                                                            				_t248 = _t294;
                                                            				do {
                                                            					_t268 =  *_t237;
                                                            					_t237 =  &(_t237[1]);
                                                            					if(_t268 != 0) {
                                                            						_t176 = _t310[0x8c + _t268 * 4];
                                                            						 *(0x4330a0 + _t176 * 4) = _t248;
                                                            						_t310[0x8c + _t268 * 4] = _t176 + 1;
                                                            					}
                                                            					_t248 = _t248 + 1;
                                                            				} while (_t248 < _t300);
                                                            				_t301 = _t294;
                                                            				_t249 = _v236;
                                                            				_t269 = _v220;
                                                            				_t239 =  ~_t249;
                                                            				_v232 = _t301;
                                                            				_t179 = _t310[_v212 + 0x8c];
                                                            				_v196 = _t179;
                                                            				_t180 = _t179 | 0xffffffff;
                                                            				_v124 = _t294;
                                                            				_v228 = 0x4330a0;
                                                            				_v244 = _t180;
                                                            				_v60 = _t294;
                                                            				_v224 = _t294;
                                                            				_v208 = _t294;
                                                            				if(_t269 <= _v216) {
                                                            					_t183 =  &_v188 + _t269 * 4;
                                                            					_v204 = _t183;
                                                            					do {
                                                            						_t184 =  *_t183;
                                                            						while(_t184 != 0) {
                                                            							_v200 = _t184;
                                                            							_v212 = _t184 - 1;
                                                            							_t173 = _t249 + _t239;
                                                            							while(1) {
                                                            								_v240 = _t173;
                                                            								if(_t269 <= _t173) {
                                                            									break;
                                                            								}
                                                            								_v244 = _v244 + 1;
                                                            								_t304 =  >  ? _t249 : _v216 - _t173;
                                                            								_t251 = _t269 - _t173;
                                                            								_t272 = 1 << _t251;
                                                            								if(1 > _v200) {
                                                            									_t280 = _t272 + (_t173 | 0xffffffff) - _v212;
                                                            									_t173 = _v204;
                                                            									if(_t251 < _t304) {
                                                            										while(1) {
                                                            											_t251 = _t251 + 1;
                                                            											if(_t251 >= _t304) {
                                                            												goto L31;
                                                            											}
                                                            											_t281 = _t280 + _t280;
                                                            											_t173 = _t173 + 4;
                                                            											if(_t281 >  *_t173) {
                                                            												_t280 = _t281 -  *_t173;
                                                            												continue;
                                                            											}
                                                            											goto L31;
                                                            										}
                                                            									}
                                                            								}
                                                            								L31:
                                                            								_v208 = 1;
                                                            								_t274 =  *_a36;
                                                            								_t308 = (1 << _t251) + _t274;
                                                            								if(1 > 0x5a0) {
                                                            									goto L61;
                                                            								}
                                                            								_v224 = _a32 + _t274 * 4;
                                                            								_t276 = _v244;
                                                            								_t310[0xcc + _t276 * 4] = _v224;
                                                            								 *_a36 = _t308;
                                                            								_t189 = _v240;
                                                            								_t301 = _v232;
                                                            								if(_t276 == 0) {
                                                            									 *_a24 = _v224;
                                                            								} else {
                                                            									_v247 = _v236;
                                                            									_v248 = _t251;
                                                            									_t310[0x8c + _t276 * 4] = _t301;
                                                            									_t279 = _t301 >> _t239;
                                                            									_t264 = _t310[0xc8 + _v244 * 4];
                                                            									_v246 = (_v224 - _t264 >> 2) - _t279;
                                                            									 *(_t264 + _t279 * 4) = _v248;
                                                            									_t189 = _v240;
                                                            								}
                                                            								_t249 = _v236;
                                                            								_t239 = _t189;
                                                            								_t269 = _v220;
                                                            								_t173 = _t189 + _t249;
                                                            							}
                                                            							_v247 = _t269 - _t239;
                                                            							if(_v228 < 0x4330a0 + _v196 * 4) {
                                                            								_t203 = _v228;
                                                            								_t253 =  *_t203;
                                                            								_t204 = _t203 + 4;
                                                            								_v232 = _t204;
                                                            								if(_t253 >= _a12) {
                                                            									_t254 = _t253 - _a12;
                                                            									_v248 =  *((intOrPtr*)(_a20 + _t254 * 2)) + 0x50;
                                                            									_t209 =  *((intOrPtr*)(_a16 + _t254 * 2));
                                                            								} else {
                                                            									_v248 = (_t204 & 0xffffff00 | _t253 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                            									_t209 =  *_v228;
                                                            								}
                                                            								_v246 = _t209;
                                                            								_v228 = _v232;
                                                            							} else {
                                                            								_v248 = 0xc0;
                                                            							}
                                                            							_v200 = 1 << _t269 - _t239;
                                                            							_t283 = _t301 >> _t239;
                                                            							if(_t283 < _v208) {
                                                            								_t227 = _v248;
                                                            								_t262 = _v200;
                                                            								_t293 = _v224;
                                                            								do {
                                                            									 *(_t293 + _t283 * 4) = _t227;
                                                            									_t283 = _t283 + _t262;
                                                            								} while (_t283 < _v208);
                                                            								_t292 = _v192;
                                                            								_t294 = 0;
                                                            							}
                                                            							_t269 = _v220;
                                                            							_t216 = 1 << _t269 - 1;
                                                            							while((_t301 & _t216) != 0) {
                                                            								_t301 = _t301 ^ _t216;
                                                            								_t216 = _t216 >> 1;
                                                            							}
                                                            							_t301 = _t301 ^ _t216;
                                                            							_v232 = _t301;
                                                            							_t260 = _v244;
                                                            							if(((1 << _t239) - 0x00000001 & _t301) != _t310[0x8c + _t260 * 4]) {
                                                            								_t284 = _v236;
                                                            								_t295 = _t260;
                                                            								do {
                                                            									_t239 = _t239 - _t284;
                                                            									_t295 = _t295 - 1;
                                                            								} while (((1 << _t239) - 0x00000001 & _t301) != _t310[0x8c + _t295 * 4]);
                                                            								_t269 = _v220;
                                                            								_v244 = _t295;
                                                            								_t294 = 0;
                                                            							}
                                                            							_t184 = _v212;
                                                            							_t249 = _v236;
                                                            						}
                                                            						_t269 = _t269 + 1;
                                                            						_t183 = _v204 + 4;
                                                            						_v220 = _t269;
                                                            						_v204 = _t183;
                                                            					} while (_t269 <= _v216);
                                                            					_t180 = _t183 | 0xffffffff;
                                                            				}
                                                            				if(_t292 == 0 || _v216 == 1) {
                                                            					return _t294;
                                                            				}
                                                            				return _t180;
                                                            			}

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
                                                            • Instruction ID: 458c99329ba390570ae49b1fba58edefd6773494dbefaa897816e029df8d06ab
                                                            • Opcode Fuzzy Hash: 8e392d6b6b0d8d2976783d3b417d62ef8802b8105719cbf52046bc6543515951
                                                            • Instruction Fuzzy Hash: 11C16771A0C3458FC718DF28D580A6ABBE1BBC9304F148A3EE59997380D734E916CF96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31320399829.0000000002B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_2b60000_Ta62k9weDV.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0498961a91bf0e5f1508518aa56388c7670ba810fe8ee8c79fc5f98e6bad7210
                                                            • Instruction ID: b11c8796328f1b0db4107dc98ab20b6552fc869360c0e975342982c02698c096
                                                            • Opcode Fuzzy Hash: 0498961a91bf0e5f1508518aa56388c7670ba810fe8ee8c79fc5f98e6bad7210
                                                            • Instruction Fuzzy Hash: 7681AE705213068FEF2C5E3889E87F67762EF15250FD442EEDC9647286DF29C886C612
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%


                                                            C-Code - Quality: 94%
                                                            			E00403D8A() {
                                                            				struct HWND__* _t60;
                                                            				intOrPtr _t61;
                                                            				unsigned int _t66;
                                                            				signed short* _t88;
                                                            				unsigned int _t89;
                                                            				long _t104;
                                                            				intOrPtr _t117;
                                                            				intOrPtr _t118;
                                                            				int _t120;
                                                            				signed int _t121;
                                                            				struct HWND__* _t125;
                                                            				int _t126;
                                                            				int _t132;
                                                            				intOrPtr _t135;
                                                            				struct HWND__* _t137;
                                                            				struct HWND__* _t138;
                                                            				int _t139;
                                                            				void* _t142;
                                                            
                                                            				if( *((intOrPtr*)(_t142 + 0x50)) != 0x110) {
                                                            					_t139 =  *(_t142 + 0x68);
                                                            					if( *(_t142 + 0x60) != 0x111) {
                                                            						if( *(_t142 + 0x60) != 0x4e) {
                                                            							if( *(_t142 + 0x60) == 0x40b) {
                                                            								 *0x42dd5c =  *0x42dd5c + 1;
                                                            							}
                                                            							L25:
                                                            							return E0040575B( *(_t142 + 0x68),  *(_t142 + 0x68), _t139);
                                                            						}
                                                            						_t60 = GetDlgItem( *(_t142 + 0x60), 0x3e8);
                                                            						_t117 =  *((intOrPtr*)(_t139 + 8));
                                                            						_t125 = _t60;
                                                            						if(_t117 != 0x70b) {
                                                            							L16:
                                                            							if(_t117 != 0x700 ||  *((intOrPtr*)(_t139 + 0xc)) != 0x100) {
                                                            								goto L25;
                                                            							} else {
                                                            								_t61 =  *((intOrPtr*)(_t139 + 0x10));
                                                            								if(_t61 == 0xd) {
                                                            									SendMessageW( *0x4349f8, 0x111, 1, 0);
                                                            									_t61 =  *((intOrPtr*)(_t139 + 0x10));
                                                            								}
                                                            								if(_t61 == 0x1b) {
                                                            									SendMessageW( *0x4349f8, 0x10, 0, 0);
                                                            								}
                                                            								return 1;
                                                            							}
                                                            						}
                                                            						if( *((intOrPtr*)(_t139 + 0xc)) != 0x201) {
                                                            							goto L25;
                                                            						}
                                                            						_t66 =  *(_t139 + 0x1c);
                                                            						_t118 =  *((intOrPtr*)(_t139 + 0x18));
                                                            						 *(_t142 + 0x14) = _t66;
                                                            						 *(_t142 + 0x10) = _t118;
                                                            						 *(_t142 + 0x18) = 0x4339a0;
                                                            						if(_t66 - _t118 >= 0x800) {
                                                            							goto L25;
                                                            						}
                                                            						SendMessageW(_t125, 0x44b, 0, _t142 + 0x10);
                                                            						SetCursor(LoadCursorW(0, 0x7f02));
                                                            						 *((intOrPtr*)(_t142 + 0x24)) =  *((intOrPtr*)(_t142 + 0x5c));
                                                            						 *(_t142 + 0x2c) =  *(_t142 + 0x18);
                                                            						 *((intOrPtr*)(_t142 + 0x24)) = 0x500;
                                                            						 *(_t142 + 0x3c) = 1;
                                                            						 *(_t142 + 0x2c) = L"open";
                                                            						 *((intOrPtr*)(_t142 + 0x34)) = 0;
                                                            						 *((intOrPtr*)(_t142 + 0x38)) = 0;
                                                            						E004069F3(_t142 + 0x1c);
                                                            						SetCursor(LoadCursorW(0, 0x7f00));
                                                            						_t117 =  *((intOrPtr*)(_t139 + 8));
                                                            						goto L16;
                                                            					}
                                                            					if( *(_t142 + 0x64) >> 0x10 == 0 &&  *0x42dd5c == 0) {
                                                            						_t135 =  *0x42dd4c;
                                                            						if(( *(_t135 + 0x14) & 0x00000020) != 0) {
                                                            							_t120 = SendMessageW(GetDlgItem( *(_t142 + 0x6c), 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                            							 *(_t135 + 0x14) =  *(_t135 + 0x14) & 0xfffffffe | _t120;
                                                            							EnableWindow( *0x42dd54, _t120);
                                                            							E0040553C();
                                                            						}
                                                            					}
                                                            					goto L25;
                                                            				} else {
                                                            					_t126 =  *(_t142 + 0x68);
                                                            					_t121 =  *(_t126 + 0x30);
                                                            					if(_t121 < 0) {
                                                            						_t121 =  *( *0x4349e0 - 4 + _t121 * 4);
                                                            					}
                                                            					_push( *((intOrPtr*)(_t126 + 0x34)));
                                                            					_t88 =  *0x435a38 + _t121 * 2;
                                                            					_t89 =  &(_t88[1]);
                                                            					 *(_t142 + 0x64) = _t89;
                                                            					 *(_t142 + 0x14) = _t89;
                                                            					_t91 =  ==  ? E0040568C : E00405655;
                                                            					 *(_t142 + 0x68) =  *_t88 & 0x0000ffff;
                                                            					_t137 =  *(_t142 + 0x60);
                                                            					 *(_t142 + 0x18) = 0;
                                                            					_push(0x22);
                                                            					 *((intOrPtr*)(_t142 + 0x24)) =  ==  ? E0040568C : E00405655;
                                                            					_t132 = ( !( *(_t126 + 0x14) >> 5) |  *(_t126 + 0x14)) & 1;
                                                            					E0040551A(_t137);
                                                            					_push( *((intOrPtr*)( *(_t142 + 0x68) + 0x38)));
                                                            					_push(0x23);
                                                            					E0040551A(_t137);
                                                            					CheckDlgButton(_t137, (_t132 ^ 1) + 0x40a, 1);
                                                            					EnableWindow( *0x42dd54, _t132);
                                                            					_t138 = GetDlgItem(_t137, 0x3e8);
                                                            					E00405503(_t138);
                                                            					SendMessageW(_t138, 0x45b, 1, 0);
                                                            					_t104 =  *( *0x435a10 + 0x68);
                                                            					if(_t104 < 0) {
                                                            						_t104 = GetSysColor( ~_t104);
                                                            					}
                                                            					SendMessageW(_t138, 0x443, 0, _t104);
                                                            					SendMessageW(_t138, 0x445, 0, 0x4010000);
                                                            					SendMessageW(_t138, 0x435, 0, lstrlenW( *(_t142 + 0x60)));
                                                            					 *0x42dd5c = 0;
                                                            					SendMessageW(_t138, 0x449,  *(_t142 + 0x68), _t142 + 0x10);
                                                            					 *0x42dd5c = 0;
                                                            					return 0;
                                                            				}
                                                            			}






















                                                            APIs
                                                            • CheckDlgButton.USER32(?,?,00000001), ref: 00403E29
                                                            • EnableWindow.USER32(?), ref: 00403E36
                                                            • GetDlgItem.USER32(?,000003E8), ref: 00403E42
                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E5E
                                                            • GetSysColor.USER32(?), ref: 00403E6F
                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E7D
                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E8B
                                                            • lstrlenW.KERNEL32(?), ref: 00403E91
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E9E
                                                            • SendMessageW.USER32(00000000,00000449,?,?), ref: 00403EB5
                                                            • GetDlgItem.USER32(?,0000040A), ref: 00403F11
                                                            • SendMessageW.USER32(00000000), ref: 00403F18
                                                            • EnableWindow.USER32(00000000), ref: 00403F35
                                                            • GetDlgItem.USER32(0000004E,000003E8), ref: 00403F59
                                                            • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403FAE
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00403FC0
                                                            • SetCursor.USER32(00000000), ref: 00403FC9
                                                              • Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040400B
                                                            • SetCursor.USER32(00000000), ref: 0040400E
                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040403A
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
                                                            • String ID: Call$N
                                                            • API String ID: 3270077613-3438112850
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E00401000() {
                                                            				struct HDC__* _t64;
                                                            				void* _t82;
                                                            				void* _t92;
                                                            				struct HDC__* _t100;
                                                            				struct tagRECT _t102;
                                                            				long _t110;
                                                            				struct HWND__* _t120;
                                                            				void* _t126;
                                                            				void* _t128;
                                                            				intOrPtr _t131;
                                                            				void* _t133;
                                                            
                                                            				if( *((intOrPtr*)(_t133 + 0x64)) == 0xf) {
                                                            					_t131 =  *0x435a10;
                                                            					_t64 = BeginPaint( *(_t133 + 0x74), _t133 + 0x24);
                                                            					 *(_t133 + 0x10) =  *(_t133 + 0x10) & 0x00000000;
                                                            					_t100 = _t64;
                                                            					GetClientRect( *(_t133 + 0x74), _t133 + 0x1c);
                                                            					_t120 =  *(_t133 + 0x28);
                                                            					 *(_t133 + 0x28) =  *(_t133 + 0x28) & 0x00000000;
                                                            					_t102 =  *(_t133 + 0x20);
                                                            					 *(_t133 + 0x74) = _t120;
                                                            					while(_t102 < _t120) {
                                                            						_t116 = _t120 - _t102;
                                                            						asm("cdq");
                                                            						asm("cdq");
                                                            						asm("cdq");
                                                            						 *(_t133 + 0x18) = (((( *(_t131 + 0x56) & 0x000000ff) * _t102 + ( *(_t131 + 0x52) & 0x000000ff) * (_t120 - _t102)) / _t120 & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x55) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x51) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x54) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x50) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff;
                                                            						_t82 = CreateBrushIndirect(_t133 + 0x10);
                                                            						 *(_t133 + 0x28) =  *(_t133 + 0x28) + 4;
                                                            						_t126 = _t82;
                                                            						FillRect(_t100, _t133 + 0x20, _t126);
                                                            						DeleteObject(_t126);
                                                            						_t120 =  *(_t133 + 0x74);
                                                            						_t102 =  *(_t133 + 0x20) + 4;
                                                            						 *(_t133 + 0x20) = _t102;
                                                            					}
                                                            					if( *(_t131 + 0x58) != 0xffffffff) {
                                                            						_t128 = CreateFontIndirectW( *(_t131 + 0x34));
                                                            						 *(_t133 + 0x74) = _t128;
                                                            						if(_t128 != 0) {
                                                            							 *(_t133 + 0x24) = 0x10;
                                                            							 *(_t133 + 0x28) = 8;
                                                            							SetBkMode(_t100, 1);
                                                            							SetTextColor(_t100,  *(_t131 + 0x58));
                                                            							_t92 = SelectObject(_t100, _t128);
                                                            							DrawTextW(_t100, 0x434a00, 0xffffffff, _t133 + 0x20, 0x820);
                                                            							SelectObject(_t100, _t92);
                                                            							DeleteObject( *(_t133 + 0x74));
                                                            						}
                                                            					}
                                                            					EndPaint( *(_t133 + 0x74), _t133 + 0x2c);
                                                            					return 0;
                                                            				}
                                                            				_t110 =  *(_t133 + 0x6c);
                                                            				if( *((intOrPtr*)(_t133 + 0x64)) == 0x46) {
                                                            					 *(_t110 + 0x18) =  *(_t110 + 0x18) | 0x00000010;
                                                            					 *((intOrPtr*)(_t110 + 4)) =  *0x4349f8;
                                                            				}
                                                            				return DefWindowProcW( *(_t133 + 0x6c),  *(_t133 + 0x6c),  *(_t133 + 0x6c), _t110);
                                                            			}















                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
                                                            • BeginPaint.USER32(?,?), ref: 0040104C
                                                            • GetClientRect.USER32(?,?), ref: 00401062
                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010DF
                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010F3
                                                            • DeleteObject.GDI32(00000000), ref: 004010FA
                                                            • CreateFontIndirectW.GDI32(?), ref: 00401120
                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401143
                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0040115B
                                                            • DrawTextW.USER32(00000000,00434A00,000000FF,?,00000820), ref: 00401171
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401179
                                                            • DeleteObject.GDI32(?), ref: 0040117F
                                                            • EndPaint.USER32(?,?), ref: 0040118E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                            • String ID: F
                                                            • API String ID: 941294808-1304234792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E00406306() {
                                                            				long _t10;
                                                            				void* _t32;
                                                            				void* _t36;
                                                            				long _t37;
                                                            				intOrPtr* _t39;
                                                            				void* _t43;
                                                            				WCHAR* _t44;
                                                            				long _t46;
                                                            				int _t48;
                                                            				void* _t49;
                                                            
                                                            				_t44 =  *(_t49 + 0x14);
                                                            				 *0x4319c0 = 0x55004e;
                                                            				 *0x4319c4 = 0x4c;
                                                            				if(_t44 == 0) {
                                                            					L3:
                                                            					_t10 = GetShortPathNameW( *(_t49 + 0x1c), 0x4311c0, 0x400);
                                                            					if(_t10 != 0 && _t10 <= 0x400) {
                                                            						_t48 = wsprintfA(0x430dc0, "%ls=%ls\r\n", 0x4319c0, 0x4311c0);
                                                            						_push( *((intOrPtr*)( *0x435a10 + 0x128)));
                                                            						_push(0x4311c0);
                                                            						E00405EBA();
                                                            						_t10 = E0040691B(0x4311c0, 0xc0000000, 4);
                                                            						_t32 = _t10;
                                                            						if(_t32 != 0xffffffff) {
                                                            							_t46 = GetFileSize(_t32, 0);
                                                            							_t4 = _t48 + 0xa; // 0xa
                                                            							_t35 = _t4 + _t46;
                                                            							_t43 = GlobalAlloc(0x40, _t4 + _t46);
                                                            							if(_t43 != 0 && E00406948(_t35, _t32, _t43, _t46) != 0) {
                                                            								if(E00406B36(_t43, "[Rename]\r\n") != 0) {
                                                            									_t36 = E00406B36(_t16 + 0xa, "\n[");
                                                            									if(_t36 == 0) {
                                                            										goto L10;
                                                            									} else {
                                                            										_t39 = _t43 + _t46;
                                                            										while(_t39 > _t36) {
                                                            											 *((char*)(_t39 + _t48)) =  *_t39;
                                                            											_t39 = _t39 - 1;
                                                            										}
                                                            										_t37 = _t36 - _t43 + 1;
                                                            										goto L11;
                                                            									}
                                                            									goto L13;
                                                            								} else {
                                                            									lstrcpyA(_t43 + _t46, "[Rename]\r\n");
                                                            									_t46 = _t46 + 0xa;
                                                            									L10:
                                                            									_t37 = _t46;
                                                            								}
                                                            								L11:
                                                            								E004066B4(_t37 + _t43, 0x430dc0, _t48);
                                                            								SetFilePointer(_t32, 0, 0, 0);
                                                            								E00406A0B(_t37, _t32, _t43, _t46 + _t48);
                                                            								GlobalFree(_t43);
                                                            							}
                                                            							_t10 = CloseHandle(_t32);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					CloseHandle(E0040691B(_t44, 0, 1));
                                                            					_t10 = GetShortPathNameW(_t44, 0x4319c0, 0x400);
                                                            					if(_t10 != 0 && _t10 <= 0x400) {
                                                            						goto L3;
                                                            					}
                                                            				}
                                                            				L13:
                                                            				return _t10;
                                                            			}














                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,0040625E,?,?), ref: 00406341
                                                            • GetShortPathNameW.KERNEL32(00000000,004319C0,00000400), ref: 0040634A
                                                            • GetShortPathNameW.KERNEL32(?,004311C0,00000400), ref: 00406367
                                                            • wsprintfA.USER32 ref: 00406385
                                                            • GetFileSize.KERNEL32(00000000,00000000,004311C0,C0000000,00000004,004311C0,?), ref: 004063BD
                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063CD
                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063FD
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00430DC0,00000000,-0000000A,00409984,00000000,[Rename],00000000,00000000,00000000), ref: 0040641D
                                                            • GlobalFree.KERNEL32(00000000), ref: 0040642F
                                                            • CloseHandle.KERNEL32(00000000), ref: 00406436
                                                              • Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
                                                              • Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                            • String ID: %ls=%ls$[Rename]
                                                            • API String ID: 2900126502-461813615
                                                            • Opcode ID: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
                                                            • Instruction ID: 3caf73f0ff98a748f1a35ad4b0faf92cdaa7f83aa24985268d6d9c0dc650f438
                                                            • Opcode Fuzzy Hash: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
                                                            • Instruction Fuzzy Hash: C93105B12012117AE7206B258D99FAB3A5CEF45748F16053AF903F62D3E63D9C11867C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00402BA3(intOrPtr __ebp, void* _a4, intOrPtr _a8, void* _a12, WCHAR* _a16, long _a20, void* _a24, void* _a32, void* _a44, WCHAR* _a76) {
                                                            				void* _v0;
                                                            				void* _v4;
                                                            				void* _v8;
                                                            				void* _v16;
                                                            				void* _v40;
                                                            				long _t34;
                                                            				WCHAR* _t46;
                                                            				void* _t49;
                                                            				void* _t50;
                                                            				void* _t51;
                                                            				void* _t52;
                                                            				void* _t54;
                                                            				void* _t55;
                                                            				void* _t56;
                                                            				void* _t58;
                                                            				void _t59;
                                                            				intOrPtr _t60;
                                                            				void* _t62;
                                                            
                                                            				_t60 = __ebp;
                                                            				_a24 = 0xfffffd66;
                                                            				_t46 = E0040303E(_t51, 0xfffffff0);
                                                            				_a76 = _t46;
                                                            				if(E00406E03(_t46) == 0) {
                                                            					E0040303E(__edx, 0xffffffed);
                                                            				}
                                                            				E00406B9D(_t46);
                                                            				_t52 = E0040691B(_t46, 0x40000000, 2);
                                                            				_a12 = _t52;
                                                            				if(_t52 != 0xffffffff) {
                                                            					_t31 = _a44;
                                                            					 *(_t62 + 0x44) = _a44;
                                                            					if( *(_t62 + 0x30) != _t60) {
                                                            						_t34 =  *0x435a08;
                                                            						_a20 = _t34;
                                                            						_t58 = GlobalAlloc(0x40, _t34);
                                                            						_a24 = _t58;
                                                            						if(_t58 == 0) {
                                                            							_t31 =  *(_t62 + 0x44);
                                                            						} else {
                                                            							E00403131(_t60);
                                                            							E0040311B(_t58, _a16);
                                                            							_t54 = GlobalAlloc(0x40,  *(_t62 + 0x30));
                                                            							 *(_t62 + 0x44) = _t54;
                                                            							if(_t54 != 0) {
                                                            								E00403148(_a44, _t60, _t54,  *(_t62 + 0x30));
                                                            								if( *_t54 != 0) {
                                                            									_t49 = _t58;
                                                            									do {
                                                            										_t59 =  *_t54;
                                                            										_t55 = _t54 + 8;
                                                            										E004066B4( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t59);
                                                            										_t54 = _t55 + _t59;
                                                            									} while ( *_t54 != 0);
                                                            									_t46 =  *(_t62 + 0x50);
                                                            									_t58 = _a24;
                                                            								}
                                                            								GlobalFree( *(_t62 + 0x44));
                                                            							}
                                                            							_t52 =  *(_t62 + 0x20);
                                                            							E00406A0B(_t50, _t52, _t58, _a20);
                                                            							_t31 = GlobalFree(_t58) | 0xffffffff;
                                                            						}
                                                            					}
                                                            					_a8 = E00403148(_t31, _t52, _t60, _t60);
                                                            					CloseHandle(_t52);
                                                            				}
                                                            				_t56 = 0xfffffff3;
                                                            				if(_a24 >= _t60) {
                                                            					_t46 = _a16;
                                                            				} else {
                                                            					_t56 = 0xffffffef;
                                                            					DeleteFileW(_t46);
                                                            					_t46 = 1;
                                                            				}
                                                            				_push("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            				_push(_t56);
                                                            				E00405D3A();
                                                            				 *0x435ac8 =  *0x435ac8 + _t46;
                                                            				return 0;
                                                            			}






















                                                            APIs
                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
                                                            • GlobalFree.KERNEL32(?), ref: 00402C7E
                                                            • GlobalFree.KERNEL32(00000000), ref: 00402C94
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
                                                            • DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll, xrefs: 00402CD3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll
                                                            • API String ID: 2667972263-2866194894
                                                            • Opcode ID: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
                                                            • Instruction ID: 23d93ea21af668beabbcb9178b0b7634ed911faf56d8c64a437eebf92f001ab7
                                                            • Opcode Fuzzy Hash: 21bf38eaf766e30db3ad4f67b39d13bf90a53ba7524260bc4dffed712f826359
                                                            • Instruction Fuzzy Hash: B2310471508351ABD310AF65CD48E1FBBE8AF89714F100A3EF5A1772D2C37899018BAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E00406D3D(WCHAR* _a4) {
                                                            				signed short _t5;
                                                            				signed int _t8;
                                                            				signed int _t9;
                                                            				signed short _t18;
                                                            				signed short _t20;
                                                            				signed int _t21;
                                                            				signed short _t22;
                                                            				WCHAR* _t23;
                                                            				WCHAR* _t24;
                                                            				void* _t25;
                                                            				WCHAR* _t26;
                                                            
                                                            				_t24 = _a4;
                                                            				_t22 = 0x5c;
                                                            				_t5 =  *_t24 & 0x0000ffff;
                                                            				_t20 = _t5;
                                                            				if(_t5 == _t22) {
                                                            					_t20 = _t22;
                                                            					if(_t24[1] == _t22 && _t24[2] == 0x3f && _t24[3] == _t22) {
                                                            						_t24 =  &(_t24[4]);
                                                            						_t20 =  *_t24 & 0x0000ffff;
                                                            					}
                                                            				}
                                                            				_t18 = _t20 & 0x0000ffff;
                                                            				if(_t20 != 0) {
                                                            					_t18 = _t20 & 0x0000ffff;
                                                            					if(E00406E03(_t24) != 0) {
                                                            						_t24 =  &(_t24[2]);
                                                            						_t18 =  *_t24 & 0x0000ffff;
                                                            					}
                                                            				}
                                                            				_t26 = _t24;
                                                            				_t23 = _t24;
                                                            				if(_t18 == 0) {
                                                            					L14:
                                                            					 *_t23 = 0;
                                                            					_t25 = 0x5c;
                                                            					while(1) {
                                                            						_push(_t23);
                                                            						_push(_t26);
                                                            						_t23 = CharPrevW();
                                                            						_t8 =  *_t23 & 0x0000ffff;
                                                            						if(_t8 != 0x20 && _t8 != _t25) {
                                                            							break;
                                                            						}
                                                            						_t8 = 0;
                                                            						 *_t23 = 0;
                                                            						if(_t26 < _t23) {
                                                            							continue;
                                                            						}
                                                            						break;
                                                            					}
                                                            					return _t8;
                                                            				} else {
                                                            					_t9 = _t18 & 0x0000ffff;
                                                            					do {
                                                            						if(_t9 > 0x1f &&  *((short*)(E004065F6(L"*?|<>/\":", _t9))) == 0) {
                                                            							E004066B4(_t23, _t24, CharNextW(_t24) - _t24 >> 1);
                                                            							_t23 = CharNextW(_t23);
                                                            						}
                                                            						_t24 = CharNextW(_t24);
                                                            						_t21 =  *_t24 & 0x0000ffff;
                                                            						_t9 = _t21;
                                                            					} while (_t21 != 0);
                                                            					goto L14;
                                                            				}
                                                            			}















                                                            APIs
                                                            • CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DB2
                                                            • CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
                                                            • CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DC6
                                                            • CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 00406DDE
                                                            Strings
                                                            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D44
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00406D3D, 00406D3F
                                                            • *?|<>/":, xrefs: 00406DA1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$Prev
                                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                            • API String ID: 589700163-2188270913
                                                            • Opcode ID: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
                                                            • Instruction ID: 9b03febb742ef4485f2caa0616bf8b5dba6ff04d2a2b11022b5674ddd7f14081
                                                            • Opcode Fuzzy Hash: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
                                                            • Instruction Fuzzy Hash: 4E110211B0022566DA306B2A9C4097B72E8DFA9761746443BF9C6A32C0F77D8CA1D2B8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040364F(struct HWND__* _a4, intOrPtr _a8) {
                                                            				short _v132;
                                                            				int _t18;
                                                            
                                                            				if(_a8 != 0x110) {
                                                            					if(_a8 == 0x113) {
                                                            						goto L3;
                                                            					}
                                                            				} else {
                                                            					SetTimer(_a4, 1, 0xfa, 0);
                                                            					L3:
                                                            					_t18 =  *0x40d968; // 0x938d8
                                                            					_t19 =  <  ?  *0x40d96c : _t18;
                                                            					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv( <  ?  *0x40d96c : _t18, 0x64, _t18));
                                                            					SetWindowTextW(_a4,  &_v132);
                                                            					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                            				}
                                                            				return 0;
                                                            			}






                                                            APIs
                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040366D
                                                            • MulDiv.KERNEL32(000938D8,00000064,000938D8), ref: 00403695
                                                            • wsprintfW.USER32 ref: 004036A5
                                                            • SetWindowTextW.USER32(?,?), ref: 004036B5
                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 004036C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                            • String ID: verifying installer: %d%%$1
                                                            • API String ID: 1451636040-2928864593
                                                            • Opcode ID: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
                                                            • Instruction ID: 5c883eac817cb3b9f0e850005900bd2bca04ae763b88d1ec11a0ecb90196ae4f
                                                            • Opcode Fuzzy Hash: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
                                                            • Instruction Fuzzy Hash: 87013671940209BBDF249FA0DD49FAA3B78A700705F008439F606B51E1DBB59A55CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040575B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                            				struct tagLOGBRUSH _v16;
                                                            				void* _t38;
                                                            				signed char _t40;
                                                            				signed char _t42;
                                                            				long _t51;
                                                            				long _t52;
                                                            				long* _t55;
                                                            
                                                            				if(_a4 + 0xfffffecd > 5) {
                                                            					L18:
                                                            					_t38 = 0;
                                                            				} else {
                                                            					_t55 = GetWindowLongW(_a12, 0xffffffeb);
                                                            					if(_t55 == 0 || _t55[2] > 1 || _t55[4] > 2) {
                                                            						goto L18;
                                                            					} else {
                                                            						_t40 = _t55[5];
                                                            						if((_t40 & 0xffffffe0) != 0) {
                                                            							goto L18;
                                                            						} else {
                                                            							_t51 =  *_t55;
                                                            							if((_t40 & 0x00000002) != 0) {
                                                            								_t51 = GetSysColor(_t51);
                                                            								_t40 = _t55[5];
                                                            							}
                                                            							if((_t40 & 0x00000001) != 0) {
                                                            								SetTextColor(_a8, _t51);
                                                            							}
                                                            							SetBkMode(_a8, _t55[4]);
                                                            							_t42 = _t55[5];
                                                            							_t52 = _t55[1];
                                                            							_v16.lbColor = _t52;
                                                            							if((_t42 & 0x00000008) != 0) {
                                                            								_t52 = GetSysColor(_t52);
                                                            								_t42 = _t55[5];
                                                            								_v16.lbColor = _t52;
                                                            							}
                                                            							if((_t42 & 0x00000004) != 0) {
                                                            								SetBkColor(_a8, _t52);
                                                            								_t42 = _t55[5];
                                                            							}
                                                            							if((_t42 & 0x00000010) != 0) {
                                                            								_v16.lbStyle = _t55[2];
                                                            								if(_t55[3] != 0) {
                                                            									DeleteObject(_t55[3]);
                                                            								}
                                                            								_t55[3] = CreateBrushIndirect( &_v16);
                                                            							}
                                                            							_t38 = _t55[3];
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t38;
                                                            			}











                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                            • String ID:
                                                            • API String ID: 2320649405-0
                                                            • Opcode ID: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
                                                            • Instruction ID: d6878141ad4b6a1f495ba237af706d2ee8e98f75713b616aff0e98366caa8665
                                                            • Opcode Fuzzy Hash: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
                                                            • Instruction Fuzzy Hash: 64210775600B059FDB34AF28E94895B7BF8EF05710700CA3AE896A27A1D735EC14CF58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004056DA(struct HWND__* _a4, intOrPtr _a8) {
                                                            				long _v8;
                                                            				signed char _v12;
                                                            				unsigned int _v16;
                                                            				void* _v20;
                                                            				intOrPtr _v24;
                                                            				long _v56;
                                                            				void* _v60;
                                                            				long _t18;
                                                            				unsigned int _t22;
                                                            				signed int _t28;
                                                            
                                                            				_t18 = SendMessageW(_a4, 0x110a, 9, 0);
                                                            				if(_a8 == 0) {
                                                            					L4:
                                                            					_v56 = _t18;
                                                            					_v60 = 4;
                                                            					SendMessageW(_a4, 0x113e, 0,  &_v60);
                                                            					return _v24;
                                                            				}
                                                            				_t22 = GetMessagePos();
                                                            				_v16 = _t22 >> 0x10;
                                                            				_v20 = _t22;
                                                            				ScreenToClient(_a4,  &_v20);
                                                            				_t28 = SendMessageW(_a4, 0x1111, 0,  &_v20);
                                                            				if((_v12 & 0x00000066) != 0) {
                                                            					_t18 = _v8;
                                                            					goto L4;
                                                            				}
                                                            				return _t28 | 0xffffffff;
                                                            			}














                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056F3
                                                            • GetMessagePos.USER32 ref: 004056FB
                                                            • ScreenToClient.USER32(?,?), ref: 00405715
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00405729
                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405751
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Message$Send$ClientScreen
                                                            • String ID: f
                                                            • API String ID: 41195575-1993550816
                                                            • Opcode ID: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
                                                            • Instruction ID: c2e7ed3a8a7ffde0c91d4cd6f33517ea70e65294e07f2b992d5a249d380e7f5b
                                                            • Opcode Fuzzy Hash: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
                                                            • Instruction Fuzzy Hash: 01014C7190020DBBEB119FA4CC45BEEBBB9EB44720F104226FA51B61E0D7B59A419F54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E00401FB8(struct HWND__* __edx, intOrPtr _a8, struct HWND__* _a24, intOrPtr _a36, signed char _a48) {
                                                            				void* _v12;
                                                            				int _t7;
                                                            				intOrPtr _t13;
                                                            				intOrPtr _t22;
                                                            				signed char _t26;
                                                            				struct HDC__* _t29;
                                                            				void* _t35;
                                                            
                                                            				_t29 = GetDC(__edx);
                                                            				_t7 = E00403002(2);
                                                            				0x40d908->lfHeight =  ~(MulDiv(_t7, GetDeviceCaps(_t29, 0x5a), 0x48));
                                                            				ReleaseDC(_a24, _t29);
                                                            				_t13 = E00403002(3);
                                                            				_t26 = _a48;
                                                            				_push(_a36);
                                                            				 *0x40d918 = _t13;
                                                            				 *0x40d91f = 1;
                                                            				 *0x40d91c = _t26 & 0x00000001;
                                                            				_push("Tahoma");
                                                            				 *0x40d91d = _t26 & 0x00000002;
                                                            				 *0x40d91e = _t26 & 0x00000004;
                                                            				E00405EBA();
                                                            				_push(CreateFontIndirectW(0x40d908));
                                                            				_push(_a8);
                                                            				E0040661F();
                                                            				_t22 =  *((intOrPtr*)(_t35 + 0x10));
                                                            				 *0x435ac8 =  *0x435ac8 + _t22;
                                                            				return 0;
                                                            			}











                                                            APIs
                                                            • GetDC.USER32 ref: 00401FB9
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
                                                            • ReleaseDC.USER32(?,00000000), ref: 00401FEB
                                                              • Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
                                                            • CreateFontIndirectW.GDI32(0040D908), ref: 00402037
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcat
                                                            • String ID: Tahoma
                                                            • API String ID: 4253744674-3580928618
                                                            • Opcode ID: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
                                                            • Instruction ID: 19ee21ee25b481e0e115610c7b0d21c914cbbc44bdafb393b7f83238122b1e8a
                                                            • Opcode Fuzzy Hash: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
                                                            • Instruction Fuzzy Hash: 4B01D4B6905340AFD300AFB4AD0AB563FA8ABA9705F10483DF641B71E2C6784709CB2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E74272209(intOrPtr* _a4) {
                                                            				intOrPtr* _t23;
                                                            				signed int _t24;
                                                            				intOrPtr _t25;
                                                            				intOrPtr _t33;
                                                            				void* _t39;
                                                            				void* _t42;
                                                            
                                                            				_t39 = E742712F8();
                                                            				_t23 = _a4;
                                                            				_t33 =  *((intOrPtr*)(_t23 + 0x1014));
                                                            				_t42 = (_t33 + 0x81 << 5) + _t23;
                                                            				do {
                                                            					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
                                                            					}
                                                            					_t24 =  *(_t42 - 8) & 0x000000ff;
                                                            					if(_t24 <= 7) {
                                                            						switch( *((intOrPtr*)(_t24 * 4 +  &M74272331))) {
                                                            							case 0:
                                                            								 *_t39 = 0;
                                                            								goto L17;
                                                            							case 1:
                                                            								__edx =  *__edx;
                                                            								if(__ecx > 0) {
                                                            									__ecx = __ecx - 1;
                                                            									__ecx = __ecx *  *(0x74274064 + __eax * 4);
                                                            									asm("sbb eax, eax");
                                                            									__edx = __edx &  *(0x74274084 + __eax * 4);
                                                            								}
                                                            								_push(__edx);
                                                            								goto L15;
                                                            							case 2:
                                                            								_push(__edi);
                                                            								_push(__edx[1]);
                                                            								_push( *__edx);
                                                            								__eax = E7427149E(__ecx);
                                                            								goto L16;
                                                            							case 3:
                                                            								__ecx =  *0x74275040;
                                                            								__ecx - 1 = MultiByteToWideChar(0, 0,  *__edx, __ecx, __edi, __ecx - 1);
                                                            								__eax =  *0x74275040;
                                                            								__ecx = 0;
                                                            								 *((short*)(__edi + __eax * 2 - 2)) = __cx;
                                                            								goto L17;
                                                            							case 4:
                                                            								__eax = lstrcpynW(__edi,  *__edx,  *0x74275040);
                                                            								goto L17;
                                                            							case 5:
                                                            								_push( *0x74275040);
                                                            								_push(__edi);
                                                            								_push( *__edx);
                                                            								__imp__StringFromGUID2();
                                                            								goto L17;
                                                            							case 6:
                                                            								_push( *__esi);
                                                            								L15:
                                                            								__eax = wsprintfW(__edi, 0x74274058);
                                                            								L16:
                                                            								__esp = __esp + 0xc;
                                                            								goto L17;
                                                            						}
                                                            					}
                                                            					L17:
                                                            					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
                                                            						GlobalFree( *(_t42 + 0x14));
                                                            					}
                                                            					_t25 =  *((intOrPtr*)(_t42 + 0xc));
                                                            					if(_t25 != 0) {
                                                            						if(_t25 != 0xffffffff) {
                                                            							if(_t25 > 0) {
                                                            								E74271638(_t25 - 1, _t39);
                                                            								goto L26;
                                                            							}
                                                            						} else {
                                                            							E742715EB(_t39);
                                                            							L26:
                                                            						}
                                                            					}
                                                            					_t42 = _t42 - 0x20;
                                                            					_t33 = _t33 - 1;
                                                            				} while (_t33 >= 0);
                                                            				return GlobalFree(_t39);
                                                            			}










                                                            APIs
                                                              • Part of subcall function 742712F8: GlobalAlloc.KERNELBASE(00000040,?,742711C4,-000000A0), ref: 74271302
                                                            • GlobalFree.KERNEL32(00000000), ref: 742722F1
                                                            • GlobalFree.KERNEL32(00000000), ref: 74272326
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloc
                                                            • String ID:
                                                            • API String ID: 1780285237-0
                                                            • Opcode ID: fb2dabeb674df8696cb9c14ce3abac0b67432b996ab4cfb98811aa5c3ce38dc7
                                                            • Instruction ID: 7bf8e2b19cb62b40e9a0168f79f1f1b9cf12a9304ae3b7e2ab8e54000c5a7d3d
                                                            • Opcode Fuzzy Hash: fb2dabeb674df8696cb9c14ce3abac0b67432b996ab4cfb98811aa5c3ce38dc7
                                                            • Instruction Fuzzy Hash: 8B31D232324101EBD71B8F5AC948BAAB7B5FF86311B200929F702D6150DB35D6B0EB71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E742710C7(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                                                            				signed int _v0;
                                                            				signed int _t31;
                                                            				void* _t32;
                                                            				signed int _t34;
                                                            				void* _t39;
                                                            				void* _t46;
                                                            				intOrPtr _t55;
                                                            				void* _t59;
                                                            				void* _t66;
                                                            				void* _t67;
                                                            				signed short _t70;
                                                            				void* _t71;
                                                            				void* _t78;
                                                            				signed short _t79;
                                                            				void* _t83;
                                                            				void* _t85;
                                                            				void* _t86;
                                                            				void* _t88;
                                                            				signed int _t89;
                                                            				void* _t91;
                                                            				void _t94;
                                                            				void _t95;
                                                            				void* _t96;
                                                            				void* _t98;
                                                            				void* _t100;
                                                            
                                                            				 *0x74275040 = _a8;
                                                            				 *0x7427503c = _a16;
                                                            				 *0x74275038 = _a12;
                                                            				 *((intOrPtr*)(_a20 + 0xc))( *0x74275014, E7427132B, _t85, _t88);
                                                            				_t89 =  *0x74275040 * 0x28;
                                                            				_v0 = _t89;
                                                            				_t96 = E74271593();
                                                            				_a8 = _t96;
                                                            				_t86 = _t96;
                                                            				_t70 = _v0 & 0x0000ffff;
                                                            				if(_t70 != 0) {
                                                            					_t83 = 0xa;
                                                            					do {
                                                            						_t31 = _t70 & 0x0000ffff;
                                                            						_t86 = _t86 + 2;
                                                            						_t100 = _t31 - 0x66;
                                                            						if(_t100 > 0) {
                                                            							_t32 = _t31 - 0x6c;
                                                            							if(_t32 == 0) {
                                                            								goto L24;
                                                            							} else {
                                                            								_t39 = _t32 - 4;
                                                            								if(_t39 == 0) {
                                                            									goto L13;
                                                            								} else {
                                                            									_t46 = _t39;
                                                            									if(_t46 == 0) {
                                                            										goto L11;
                                                            									} else {
                                                            										goto L8;
                                                            									}
                                                            								}
                                                            							}
                                                            						} else {
                                                            							if(_t100 == 0) {
                                                            								_t78 =  *0x7427503c;
                                                            								_t91 =  *_t78;
                                                            								 *_t78 =  *_t91;
                                                            								_t79 = _v0;
                                                            								_t55 =  *((intOrPtr*)(_t79 + 0xc));
                                                            								_a12 = _t55;
                                                            								if( *((intOrPtr*)(_t91 + 4)) == 0x2691) {
                                                            									E7427132E(_t79, _t91 + 8, 0x38);
                                                            									_t79 = _v0;
                                                            									_t98 = _t98 + 0xc;
                                                            									_t55 = _a12;
                                                            								}
                                                            								 *((intOrPtr*)(_t79 + 0xc)) = _t55;
                                                            								GlobalFree(_t91);
                                                            								goto L16;
                                                            							} else {
                                                            								_t59 = _t31 - 0x46;
                                                            								if(_t59 == 0) {
                                                            									_t95 = GlobalAlloc(0x40, 8 +  *0x74275040 * 2);
                                                            									 *((intOrPtr*)(_t95 + 4)) = 0x2691;
                                                            									_t15 = _t95 + 8; // 0x8
                                                            									E7427132E(_t15, _v0, 0x38);
                                                            									 *_t95 =  *( *0x7427503c);
                                                            									 *( *0x7427503c) = _t95;
                                                            									goto L15;
                                                            								} else {
                                                            									_t66 = _t59 - 6;
                                                            									if(_t66 == 0) {
                                                            										L24:
                                                            										_t33 =  *0x74275010;
                                                            										if( *0x74275010 != 0) {
                                                            											E7427132E( *0x74275038, _t33 + 4, _t89);
                                                            											_t71 =  *0x74275010;
                                                            											_t98 = _t98 + 0xc;
                                                            											 *0x74275010 =  *_t71;
                                                            											GlobalFree(_t71);
                                                            											goto L26;
                                                            										}
                                                            									} else {
                                                            										_t67 = _t66 - 4;
                                                            										if(_t67 == 0) {
                                                            											 *_t86 =  *_t86 + _t83;
                                                            											L13:
                                                            											GlobalFree(E742715EB(E74271548(( *_t86 & 0x0000ffff) - 0x30)));
                                                            											_t86 = _t86 + 2;
                                                            											goto L26;
                                                            										} else {
                                                            											_t46 = _t67;
                                                            											if(_t46 == 0) {
                                                            												 *_t86 =  *_t86 + _t83;
                                                            												L11:
                                                            												GlobalFree(E74271638(( *_t86 & 0x0000ffff) - 0x30, E74271593()));
                                                            												_t86 = _t86 + 2;
                                                            												goto L16;
                                                            											} else {
                                                            												L8:
                                                            												if(_t46 == 1) {
                                                            													_t94 = GlobalAlloc(0x40, _t89 + 4);
                                                            													_t11 = _t94 + 4; // 0x4
                                                            													E7427132E(_t11,  *0x74275038, _v0);
                                                            													 *_t94 =  *0x74275010;
                                                            													 *0x74275010 = _t94;
                                                            													L15:
                                                            													_t98 = _t98 + 0xc;
                                                            													L16:
                                                            													_t89 = _v0;
                                                            													L26:
                                                            													_t83 = 0xa;
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            						_t34 =  *_t86 & 0x0000ffff;
                                                            						_t70 = _t34;
                                                            					} while (_t34 != 0);
                                                            					_t96 = _a8;
                                                            				}
                                                            				return GlobalFree(_t96);
                                                            			}

                                                            APIs
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 7427116B
                                                            • GlobalFree.KERNEL32(00000000), ref: 742711AE
                                                            • GlobalFree.KERNEL32(00000000), ref: 742711CD
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 742711E6
                                                            • GlobalFree.KERNEL32 ref: 7427125C
                                                            • GlobalFree.KERNEL32(?), ref: 742712A7
                                                            • GlobalFree.KERNEL32(00000000), ref: 742712BF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Global$Free$Alloc
                                                            • String ID:
                                                            • API String ID: 1780285237-0
                                                            • Opcode ID: 6ff5fc5a6a7025eb6d6979bd9aef09ae45ccc9cbedf52d093459f818746e20eb
                                                            • Instruction ID: b687239388f540c1a1eca2e5974d3a4e339452e7cb86e35196fa1447d873cd3c
                                                            • Opcode Fuzzy Hash: 6ff5fc5a6a7025eb6d6979bd9aef09ae45ccc9cbedf52d093459f818746e20eb
                                                            • Instruction Fuzzy Hash: 3551D1727102129FD716CF6AC844B7AB7B8FF48240B200529FB86DB750DB35EA60DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E00405560(signed int __ecx, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                            				int _v12;
                                                            				char _v80;
                                                            				char _v136;
                                                            				signed int _t23;
                                                            				void* _t26;
                                                            				void* _t34;
                                                            				void* _t43;
                                                            				signed char _t45;
                                                            				signed int _t46;
                                                            				signed char _t50;
                                                            				signed int _t51;
                                                            				signed int _t53;
                                                            				signed int _t54;
                                                            				void* _t59;
                                                            				signed int _t61;
                                                            				signed int _t63;
                                                            
                                                            				_t23 = _a16;
                                                            				_t59 = 0xffffffdc;
                                                            				if(_t23 == 0) {
                                                            					_t54 = _a12;
                                                            					_t61 = _t54;
                                                            					asm("sbb ecx, ecx");
                                                            					_t43 = 0x14;
                                                            					asm("sbb eax, eax");
                                                            					_t26 = 0xffffffde;
                                                            					_t59 =  <  ? _t26 : _t59 +  ~0x100000;
                                                            					_t45 =  >=  ? (__ecx & 0xfffffff6) + _t43 : 0;
                                                            					if(_t61 < 0xffff3333) {
                                                            						asm("cdq");
                                                            						_t53 = 0x14;
                                                            						_t54 = _t61 + 1 / _t53;
                                                            					}
                                                            					_t50 = _t45;
                                                            					_t63 = _t54 >> _t50;
                                                            					_t51 = 0xa;
                                                            					_t46 = ((_t54 & 0x00ffffff) * 0xa >> _t50) % _t51;
                                                            				} else {
                                                            					_t63 = (_t23 << 0x00000020 | _a12) >> 0x14;
                                                            					_t46 = 0;
                                                            				}
                                                            				_push(_a8);
                                                            				_push(0x42bd48);
                                                            				E00405EBA();
                                                            				_push(0xffffffdf);
                                                            				_push( &_v136);
                                                            				_push(E00405EBA());
                                                            				_push(_t59);
                                                            				_t34 = E00405EBA();
                                                            				wsprintfW( &(0x42bd48[lstrlenW(0x42bd48)]), L"%u.%u%s%s", _t63, _t46, _t34,  &_v80);
                                                            				return SetDlgItemTextW( *0x4349dc, _v12, 0x42bd48);
                                                            			}

                                                            APIs
                                                            • lstrlenW.KERNEL32(Waywort87 Setup: Installing,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,Waywort87 Setup: Installing,?,?,?,?,?), ref: 0040561F
                                                            • wsprintfW.USER32 ref: 0040562C
                                                            • SetDlgItemTextW.USER32(?,Waywort87 Setup: Installing), ref: 00405643
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: ItemTextlstrlenwsprintf
                                                            • String ID: %u.%u%s%s$Waywort87 Setup: Installing
                                                            • API String ID: 3540041739-1673848103
                                                            • Opcode ID: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
                                                            • Instruction ID: ddca7360d09b2edd05df8fb08f039e75c7842db061d31d06a5ac0fb1d0c25846
                                                            • Opcode Fuzzy Hash: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
                                                            • Instruction Fuzzy Hash: 072106337402242BD724A9799C40FAB729DDBC1364F01473AFD6AF31D1E9399C1885A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 76%
                                                            			E74272049(signed int _a4) {
                                                            				signed int _t44;
                                                            				void* _t45;
                                                            				signed int _t46;
                                                            				signed int _t50;
                                                            				void* _t54;
                                                            				signed int _t57;
                                                            				void* _t58;
                                                            				int _t59;
                                                            
                                                            				_t50 = _a4;
                                                            				_t59 = 0;
                                                            				_t44 = 0 |  *((intOrPtr*)(_t50 + 0x1014)) > 0x00000000;
                                                            				while(1) {
                                                            					L1:
                                                            					_a4 = _t44;
                                                            					_t57 = _t44 << 5;
                                                            					_t58 =  *(_t57 + _t50 + 0x1030);
                                                            					if(_t58 == 0 || _t58 == 0x1a) {
                                                            						goto L8;
                                                            					}
                                                            					if(_t58 != 0xffffffff) {
                                                            						_t49 = _t58 - 1;
                                                            						if(_t58 - 1 > 0x18) {
                                                            							 *(_t57 + _t50 + 0x1030) = 0x1a;
                                                            							L11:
                                                            							_t54 = _t57 + _t50;
                                                            							if( *((intOrPtr*)(_t57 + _t50 + 0x101c)) >= _t59) {
                                                            							}
                                                            							_t46 =  *(_t57 + _t50 + 0x1018) & 0x000000ff;
                                                            							 *(_t57 + _t50 + 0x1034) =  *(_t57 + _t50 + 0x1034) & 0x00000000;
                                                            							if(_t46 > 7) {
                                                            								L26:
                                                            								_t59 = 0;
                                                            								goto L27;
                                                            							} else {
                                                            								switch( *((intOrPtr*)(_t46 * 4 +  &M742721E9))) {
                                                            									case 0:
                                                            										_t59 = 0;
                                                            										 *((intOrPtr*)(_t54 + 0x1020)) = 0;
                                                            										goto L27;
                                                            									case 1:
                                                            										_push(__esi);
                                                            										__eax = E7427135A();
                                                            										goto L18;
                                                            									case 2:
                                                            										_push(__esi);
                                                            										__eax = E7427135A();
                                                            										_pop(__ecx);
                                                            										 *__ebp = __eax;
                                                            										_a4 = __edx;
                                                            										goto L26;
                                                            									case 3:
                                                            										__eax = GlobalAlloc(0x40,  *0x74275040);
                                                            										 *(__edi + __ebx + 0x1034) = __eax;
                                                            										 *__ebp = __eax;
                                                            										__ebp = 0;
                                                            										__ecx =  *0x74275040;
                                                            										__eax = WideCharToMultiByte(0, 0, __esi,  *0x74275040, __eax,  *0x74275040, 0, 0);
                                                            										goto L27;
                                                            									case 4:
                                                            										__eax = E742712E1(__esi);
                                                            										 *(__edi + __ebx + 0x1034) = __eax;
                                                            										L18:
                                                            										_pop(__ecx);
                                                            										 *__ebp = __eax;
                                                            										goto L26;
                                                            									case 5:
                                                            										__eax = GlobalAlloc(0x40, 0x10);
                                                            										_push(__eax);
                                                            										 *(__edi + __ebx + 0x1034) = __eax;
                                                            										_push(__esi);
                                                            										 *__ebp = __eax;
                                                            										__imp__CLSIDFromString();
                                                            										goto L26;
                                                            									case 6:
                                                            										__ebp = 0;
                                                            										if( *__esi != __bp) {
                                                            											_push(__esi);
                                                            											__eax = E7427135A();
                                                            											 *(__edi + __ebx + 0x1020) = __eax;
                                                            										}
                                                            										L27:
                                                            										_t47 = GlobalFree(_t58);
                                                            										_t55 = _a4;
                                                            										if(_t55 == 0) {
                                                            											return _t47;
                                                            										}
                                                            										_t41 = _t55 + 1; // 0x1
                                                            										_t53 =  !=  ? _t41 : 0;
                                                            										_t44 =  !=  ? _t41 : 0;
                                                            										goto L1;
                                                            									case 7:
                                                            										__ecx =  *(__edi + __ebx + 0x1030);
                                                            										__eax =  *0x74275038;
                                                            										 *(__edi + __ebx + 0x1030) - 1 = ( *(__edi + __ebx + 0x1030) - 1) *  *0x74275040;
                                                            										__ecx =  *0x74275038 + ( *(__edi + __ebx + 0x1030) - 1) *  *0x74275040 * 2;
                                                            										__eax = __ecx + 0x18;
                                                            										 *(__edx + 0x1020) = __eax;
                                                            										_push(__ecx);
                                                            										asm("cdq");
                                                            										_push(__edx);
                                                            										_push(__eax);
                                                            										__eax = E7427149E(__ecx);
                                                            										__esp = __esp + 0xc;
                                                            										goto L26;
                                                            								}
                                                            							}
                                                            						}
                                                            						_t45 = E74271548(_t49);
                                                            						L9:
                                                            						L10:
                                                            						_t58 = _t45;
                                                            						goto L11;
                                                            					}
                                                            					_t45 = E74271593();
                                                            					goto L10;
                                                            					L8:
                                                            					_t45 = E742712E1(0x742740e0);
                                                            					goto L9;
                                                            				}
                                                            			}












                                                            APIs
                                                            • GlobalFree.KERNEL32(00000000), ref: 742721BF
                                                              • Part of subcall function 742712E1: lstrcpynW.KERNEL32(00000000,?,7427156A,?,742711C4,-000000A0), ref: 742712F1
                                                            • GlobalAlloc.KERNEL32(00000040), ref: 7427212C
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 7427214C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                            • String ID:
                                                            • API String ID: 4216380887-0
                                                            • Opcode ID: 65feb497b97ac0a69734dc4a7a52920452b3022cb4ec76660a88aefcffe91c69
                                                            • Instruction ID: b8e32d2ccb33254cccc6e3f155515f40ac9e1c46987095417c1a9201d2e8e3bd
                                                            • Opcode Fuzzy Hash: 65feb497b97ac0a69734dc4a7a52920452b3022cb4ec76660a88aefcffe91c69
                                                            • Instruction Fuzzy Hash: DF410471615205EFC3079F698848BE9B7B8FF45380B44423DEB499B14ADB7457B0DAB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E00401EEA(struct HWND__* __edx, intOrPtr _a16, WCHAR* _a20, signed int _a24, signed int _a28, intOrPtr _a40, signed short _a44, int _a48, signed int _a52, struct tagRECT _a80, signed int _a88, signed int _a92) {
                                                            				struct HWND__* _t21;
                                                            				signed int _t22;
                                                            				signed int _t23;
                                                            				void* _t35;
                                                            				signed int _t41;
                                                            				long _t42;
                                                            				intOrPtr _t43;
                                                            				int _t53;
                                                            				struct HWND__* _t55;
                                                            
                                                            				_t49 = __edx;
                                                            				if((_a52 & 0x00000100) == 0) {
                                                            					_t21 = GetDlgItem(__edx, _a48);
                                                            				} else {
                                                            					E00403002(2);
                                                            				}
                                                            				_t55 = _t21;
                                                            				_t22 = _a52;
                                                            				_a28 = _t22 & 0x00000004;
                                                            				_t53 = _t22 & 0x00000003;
                                                            				_t41 = _t22 >> 0x0000001e & 0x00000001;
                                                            				_a24 = _t22 >> 0x1f;
                                                            				if((_t22 & 0x00010000) == 0) {
                                                            					_t23 = _a44 & 0x0000ffff;
                                                            				} else {
                                                            					_t23 = E0040303E(_t49, 0x11);
                                                            				}
                                                            				_a20 = _t23;
                                                            				GetClientRect(_t55,  &_a80);
                                                            				_t33 =  !=  ?  *0x4349f4 : 0;
                                                            				_t42 = LoadImageW( !=  ?  *0x4349f4 : 0, _a20, _t53, _a88 * _a24, _a92 * _t41, _a52 & 0x0000fef0);
                                                            				_t35 = SendMessageW(_t55, 0x172, _t53, _t42);
                                                            				if(_t35 != 0 && _t53 == 0) {
                                                            					DeleteObject(_t35);
                                                            				}
                                                            				if(_a40 >= 0) {
                                                            					_push(_t42);
                                                            					E0040661F();
                                                            				}
                                                            				_t43 = _a16;
                                                            				 *0x435ac8 =  *0x435ac8 + _t43;
                                                            				return 0;
                                                            			}













                                                            APIs
                                                            • GetDlgItem.USER32(?,?), ref: 00401F03
                                                            • GetClientRect.USER32(00000000,?), ref: 00401F4D
                                                            • LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
                                                            • SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
                                                            • DeleteObject.GDI32(00000000), ref: 00401FA1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.31317038778.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317150887.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317199110.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317449434.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317488582.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317539763.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317598777.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317663535.0000000000462000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31317707284.0000000000464000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000001.00000002.31318085299.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                            • String ID:
                                                            • API String ID: 1849352358-0
                                                            • Opcode ID: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
                                                            • Instruction ID: 799bb538699f0f6bb00644a204e03bb935fb5af8a8b8547909695eab986b8c59
                                                            • Opcode Fuzzy Hash: 4ca5b3e5092630b07da66f14ef21835f456d21acd53533bfcf070e0f2a8088fe
                                                            • Instruction Fuzzy Hash: 2A218072609302AFD340DF64DD85A6BB7E8EB88305F04093EF945E62A1D678DD40DB5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E74271F7B(struct HINSTANCE__* _a4, short* _a8) {
                                                            				_Unknown_base(*)()* _t7;
                                                            				void* _t10;
                                                            				int _t11;
                                                            
                                                            				_t11 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                            				_t10 = GlobalAlloc(0x40, _t11);
                                                            				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t11, 0, 0);
                                                            				_t7 = GetProcAddress(_a4, _t10);
                                                            				GlobalFree(_t10);
                                                            				return _t7;
                                                            			}







                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,74272B4C,00000000,00000808), ref: 74271F8C
                                                            • GlobalAlloc.KERNEL32(00000040,00000000), ref: 74271F97
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 74271FAB
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 74271FB6
                                                            • GlobalFree.KERNEL32(00000000), ref: 74271FBF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                            • String ID:
                                                            • API String ID: 1148316912-0
                                                            • Opcode ID: 589dd1fd03dcaff07a381f36fa4abd4c7751b61fe3aaf085d36b7b0449589aee
                                                            • Instruction ID: 706dd830691ff80a498a1ae0e6f67944949727ce196e92fedb37f46f7fc8face
                                                            • Opcode Fuzzy Hash: 589dd1fd03dcaff07a381f36fa4abd4c7751b61fe3aaf085d36b7b0449589aee
                                                            • Instruction Fuzzy Hash: 59F0C733258118BBC6151AEBDC0CE977E6CEB8B7FDB160219F719D11A1C66264109771
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E00401DBA(void* _a8, struct HWND__* _a12, intOrPtr _a16, struct HWND__* _a20, long _a28, void* _a32, intOrPtr _a36, intOrPtr _a56, signed int _a60) {
                                                            				signed char _t23;
                                                            				void* _t25;
                                                            				long _t26;
                                                            				int _t30;
                                                            				long _t34;
                                                            				intOrPtr _t35;
                                                            				int _t47;
                                                            				void* _t48;
                                                            				int _t52;
                                                            				void* _t53;
                                                            				int _t55;
                                                            				void* _t57;
                                                            
                                                            				_t52 = E00403002(3);
                                                            				_a20 = _t52;
                                                            				_t34 = E00403002(4);
                                                            				_t23 = _a60;
                                                            				if((_t23 & 0x00000001) != 0) {
                                                            					__esi = E0040303E(__edx, 0x33);
                                                            					_a16 = __esi;
                                                            				}
                                                            				if((_t23 & 0x00000002) != 0) {
                                                            					_t34 = E0040303E(_t48, 0x44);
                                                            				}
                                                            				_push(1);
                                                            				if(_a36 != 0x21) {
                                                            					_t53 = E0040303E(_t48);
                                                            					_t25 = E0040303E(_t48);
                                                            					_t41 =  !=  ? _t25 : 0;
                                                            					_t43 =  !=  ? _t53 : 0;
                                                            					_t26 = FindWindowExW(_a12, _t34,  !=  ? _t53 : 0,  !=  ? _t25 : 0);
                                                            					goto L12;
                                                            				} else {
                                                            					_a20 = E00403002();
                                                            					_t30 = E00403002(2);
                                                            					_t47 = _a60 >> 2;
                                                            					if(_t47 == 0) {
                                                            						_t26 = SendMessageW(_a20, _t30, _t52, _t34);
                                                            						L12:
                                                            						_a28 = _t26;
                                                            					} else {
                                                            						SendMessageTimeoutW(_a20, _t30, _t52, _t34, _t55, _t47,  &_a28);
                                                            						asm("sbb ebx, ebx");
                                                            						_t26 = _a28;
                                                            						_a16 = _t34 + 1;
                                                            					}
                                                            				}
                                                            				if( *((intOrPtr*)(_t57 + 0x28)) >= _t55) {
                                                            					_push(_t26);
                                                            					E0040661F();
                                                            				}
                                                            				_t35 = _a16;
                                                            				 *0x435ac8 =  *0x435ac8 + _t35;
                                                            				return 0;
                                                            			}
















                                                            APIs
                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Timeout
                                                            • String ID: !
                                                            • API String ID: 1777923405-2657877971
                                                            • Opcode ID: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
                                                            • Instruction ID: 1d489b1cab37c72f7a9fe7ae17229530812e46ff9257658ed8c6d6ee4a6b2e26
                                                            • Opcode Fuzzy Hash: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
                                                            • Instruction Fuzzy Hash: 4F21F471609301AFE714AF21C886A2FBBE8EF84755F00093FF585A61E0D6B99D05CB5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E74271F1E(intOrPtr _a4, WCHAR* _a8) {
                                                            				intOrPtr _t11;
                                                            				intOrPtr _t19;
                                                            				WCHAR* _t21;
                                                            
                                                            				_t11 = _a4;
                                                            				if( *((intOrPtr*)(_t11 + 4)) != 1) {
                                                            					_t21 = _a8;
                                                            					_t13 =  ==  ? 0x742740d8 : L"error";
                                                            					lstrcpyW(_t21,  ==  ? 0x742740d8 : L"error");
                                                            				} else {
                                                            					_t19 =  *((intOrPtr*)(_t11 + 0x1c98));
                                                            					if(( *(_t11 + 0x1010) & 0x00000100) != 0) {
                                                            						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x100c)) + 1));
                                                            					}
                                                            					_t21 = _a8;
                                                            					wsprintfW(_t21, L"callback%d", _t19);
                                                            				}
                                                            				return _t21;
                                                            			}







                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31335580458.0000000074271000.00000020.00000001.01000000.00000005.sdmp, Offset: 74270000, based on PE: true
                                                            • Associated: 00000001.00000002.31335529968.0000000074270000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335640727.0000000074274000.00000002.00000001.01000000.00000005.sdmp
                                                            • Associated: 00000001.00000002.31335690337.0000000074276000.00000002.00000001.01000000.00000005.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_74270000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: lstrcpywsprintf
                                                            • String ID: callback%d$error
                                                            • API String ID: 2408954437-1307476583
                                                            • Opcode ID: 59afb288a075c8d2242fb2224a7c125e09b1cfbc269a35755e514fe5e76da14c
                                                            • Instruction ID: bb2fdb46b8b4d2a969b495c54b18df18c7248eea1a5b24258df5058d3026a2e8
                                                            • Opcode Fuzzy Hash: 59afb288a075c8d2242fb2224a7c125e09b1cfbc269a35755e514fe5e76da14c
                                                            • Instruction Fuzzy Hash: 51F08235354110AFD30A8B08D94CEBA73A5FF85314F158198FE4A97302C774EE60DB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00406556(WCHAR* _a4) {
                                                            				WCHAR* _t9;
                                                            
                                                            				_t9 = _a4;
                                                            				_push( &(_t9[lstrlenW(_t9)]));
                                                            				_push(_t9);
                                                            				if( *(CharPrevW()) != 0x5c) {
                                                            					lstrcatW(_t9, 0x4092b0);
                                                            				}
                                                            				return _t9;
                                                            			}





                                                            APIs
                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CC3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,764E3420,004039C2), ref: 0040655C
                                                            • CharPrevW.USER32(?,00000000), ref: 00406567
                                                            • lstrcatW.KERNEL32(?,004092B0), ref: 00406579
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00406556
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrcatlstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 2659869361-3355392842
                                                            • Opcode ID: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
                                                            • Instruction ID: 519304617d09d62b109db9489078dc762d93bb7b848864bf6502fc90c90d6087
                                                            • Opcode Fuzzy Hash: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
                                                            • Instruction Fuzzy Hash: 3BD05E31502521BBC7029B64AD08D9B7BBCEF46301301446AFA41B3165C7745D41C7ED
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E0040285F(intOrPtr* __edi, void* __ebp, void* _a12, signed int _a20, intOrPtr _a36, void* _a44, intOrPtr _a48, void* _a72, intOrPtr _a80) {
                                                            				void* _v4;
                                                            				intOrPtr _t27;
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t30;
                                                            				intOrPtr* _t31;
                                                            				void* _t33;
                                                            				int _t36;
                                                            				void* _t40;
                                                            				void* _t42;
                                                            
                                                            				_t40 = __ebp;
                                                            				_t31 = __edi;
                                                            				_t29 = _a36;
                                                            				_t30 = _a48;
                                                            				_a80 = _t30;
                                                            				_t27 = 1;
                                                            				_a20 = 0 | _t29 == 0x00000038;
                                                            				if(_t30 == 0) {
                                                            					if(_t29 != 0x38) {
                                                            						_t36 = lstrlenW(E0040303E(_t30, 0x11)) + _t15;
                                                            					} else {
                                                            						E0040303E(_t30, 0x21);
                                                            						E00406469("C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp", 0x40b908, 0x400);
                                                            						_t42 = _t42 + 0xc;
                                                            						_t36 = lstrlenA(0x40b908);
                                                            					}
                                                            				} else {
                                                            					 *0x40b908 = E00403002(1);
                                                            					_pop(_t29);
                                                            					_t36 = (_a20 ^ 1) + 1;
                                                            				}
                                                            				if( *_t31 != _t40) {
                                                            					_t33 = E00406C25(_t31);
                                                            					if(( *(_t42 + 0x14) |  *(_t42 + 0x50)) != 0 ||  *((intOrPtr*)(_t42 + 0x34)) == _t40 || E00406484(_t33, _t33) >= 0) {
                                                            						if(E00406A0B(_t29, _t33, ?str?, _t36) != 0) {
                                                            							_t27 =  *((intOrPtr*)(_t42 + 0x10));
                                                            						}
                                                            					}
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + _t27;
                                                            				return 0;
                                                            			}













                                                            APIs
                                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll), ref: 004028B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsw2317.tmp$C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll
                                                            • API String ID: 1659193697-1448114331
                                                            • Opcode ID: 76a2946e9aa7d140166730b6d7970edbf635fa779fa0885824462093d2e607dc
                                                            • Instruction ID: 711803fd364401e957546549a979f7dfd5371b874df28eda27acfe343a1b9a3f
                                                            • Opcode Fuzzy Hash: 76a2946e9aa7d140166730b6d7970edbf635fa779fa0885824462093d2e607dc
                                                            • Instruction Fuzzy Hash: 9A112676A443116BD310AB618A8992FB7E4AF84354F15453FF905F31C1D7FC980183AE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E00402077(intOrPtr _a8, signed char _a28, intOrPtr _a32, char _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char* _a80, signed char _a84, void* _a104, void* _a108) {
                                                            				void* _v12;
                                                            				intOrPtr _t19;
                                                            				void* _t31;
                                                            				void* _t37;
                                                            				void* _t38;
                                                            				void* _t42;
                                                            
                                                            				_t31 = E0040303E(_t37, _t42);
                                                            				_t19 = E0040303E(_t37, 0x31);
                                                            				_t38 = E0040303E(_t37, 0x22);
                                                            				E0040303E(_t37, 0x15);
                                                            				E00405D3A(0xffffffec, "C:\Users\Arthur\AppData\Local\Temp\nsw2317.tmp\System.dll");
                                                            				_a64 = _a8;
                                                            				_a60 = _a32;
                                                            				_a84 = _a28;
                                                            				_a72 = _t19;
                                                            				_t25 =  !=  ? _t31 : 0;
                                                            				_a68 =  !=  ? _t31 : 0;
                                                            				_a80 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Bipersoner\\Dehorted\\Chikane";
                                                            				_t27 =  !=  ? _t38 : 0;
                                                            				_a76 =  !=  ? _t38 : 0;
                                                            				if(E004069F3( &_a56) != 0) {
                                                            					if((_a84 & 0x00000040) != 0) {
                                                            						E00406514(__ecx,  *((intOrPtr*)(__esp + 0x88)));
                                                            						_push( *((intOrPtr*)(__esp + 0x88)));
                                                            						CloseHandle();
                                                            					}
                                                            				}
                                                            				 *0x435ac8 =  *0x435ac8 + 1;
                                                            				return 0;
                                                            			}










                                                            APIs
                                                              • Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
                                                              • Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
                                                              • Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,?), ref: 00405D99
                                                              • Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll), ref: 00405DB1
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
                                                              • Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00
                                                              • Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02
                                                              • Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040651E
                                                              • Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548
                                                            • CloseHandle.KERNEL32(?,?), ref: 00402110
                                                            Strings
                                                            • C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane, xrefs: 004020D1
                                                            • @, xrefs: 004020F2
                                                            • C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll, xrefs: 00402098
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
                                                            • String ID: @$C:\Users\user\AppData\Local\Temp\nsw2317.tmp\System.dll$C:\Users\user\AppData\Roaming\Bipersoner\Dehorted\Chikane
                                                            • API String ID: 4079680657-1767009605
                                                            • Opcode ID: 8083aaef74757542c6ffbf2f548fe58a23a890bf1e441e1445bba5dd78c4c14f
                                                            • Instruction ID: 7c7d4bc9f8110f395c3ef373be7a4f0c936d35dff6000358c7303bcbf620d08d
                                                            • Opcode Fuzzy Hash: 8083aaef74757542c6ffbf2f548fe58a23a890bf1e441e1445bba5dd78c4c14f
                                                            • Instruction Fuzzy Hash: 47118F716083809BC310AF61C98561BBBE5BF84349F00493EF595E72D1DBBC8845CB4A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00403389(intOrPtr _a4) {
                                                            				long _t2;
                                                            				struct HWND__* _t3;
                                                            				struct HWND__* _t6;
                                                            
                                                            				if(_a4 == 0) {
                                                            					if( *0x40d970 == 0) {
                                                            						_t2 = GetTickCount();
                                                            						if(_t2 >  *0x435a00) {
                                                            							_t3 = CreateDialogParamW( *0x4349f4, 0x6f, 0, E0040364F, 0);
                                                            							 *0x40d970 = _t3;
                                                            							return ShowWindow(_t3, 5);
                                                            						}
                                                            						return _t2;
                                                            					} else {
                                                            						return E0040620F(0);
                                                            					}
                                                            				} else {
                                                            					_t6 =  *0x40d970; // 0x0
                                                            					if(_t6 != 0) {
                                                            						_t6 = DestroyWindow(_t6);
                                                            					}
                                                            					 *0x40d970 =  *0x40d970 & 0x00000000;
                                                            					return _t6;
                                                            				}
                                                            			}







                                                            APIs
                                                            • DestroyWindow.USER32(00000000,00403579), ref: 0040339A
                                                            • GetTickCount.KERNEL32 ref: 004033B9
                                                            • CreateDialogParamW.USER32(0000006F,00000000,0040364F,00000000), ref: 004033D8
                                                            • ShowWindow.USER32(00000000,00000005), ref: 004033E6
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                            • String ID:
                                                            • API String ID: 2102729457-0
                                                            • Opcode ID: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
                                                            • Instruction ID: 0c7035cfe5d59141003efccf1163e7ed1ec08c4572f7111a89f6d0b07e944292
                                                            • Opcode Fuzzy Hash: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
                                                            • Instruction Fuzzy Hash: 87F098B0981300BBEB24AF60EE4DB5A3AB8B744B03F800979F505B51E1DB795955DA1C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E004058D0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                            				int _t8;
                                                            				int _t11;
                                                            				int _t15;
                                                            				long _t16;
                                                            
                                                            				_t16 = _a16;
                                                            				_t15 = _a8;
                                                            				_t8 = _t15;
                                                            				if(_t15 != 0x102) {
                                                            					__eflags = _t15 - 0x200;
                                                            					if(_t15 != 0x200) {
                                                            						__eflags = _t8 - 0x419;
                                                            						if(_t8 != 0x419) {
                                                            							L9:
                                                            							return CallWindowProcW( *0x42dd64, _a4, _t15, _a12, _t16);
                                                            						}
                                                            						L7:
                                                            						__eflags =  *0x42ed68 - _t16; // 0x0
                                                            						if(__eflags != 0) {
                                                            							_push(_t16);
                                                            							_push(6);
                                                            							 *0x42ed68 = _t16;
                                                            							E004054B6();
                                                            						}
                                                            						goto L9;
                                                            					}
                                                            					_t11 = IsWindowVisible(_a4);
                                                            					__eflags = _t11;
                                                            					if(_t11 == 0) {
                                                            						goto L9;
                                                            					}
                                                            					_t16 = E004056DA(_a4, 1);
                                                            					_t15 = 0x419;
                                                            					goto L7;
                                                            				}
                                                            				if(_a12 != 0x20) {
                                                            					goto L9;
                                                            				}
                                                            				E004054E8(0x413);
                                                            				return 0;
                                                            			}








                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00405904
                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 0040594C
                                                              • Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Window$CallMessageProcSendVisible
                                                            • String ID:
                                                            • API String ID: 3748168415-3916222277
                                                            • Opcode ID: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
                                                            • Instruction ID: 06e031647f3a40a893da8a12316d751141f27423df1ca697d7c88d312f012a23
                                                            • Opcode Fuzzy Hash: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
                                                            • Instruction Fuzzy Hash: 64018F72A00609FBEF305F51ED44A9B3A2AEB54760F104437F904B61E1C2798892DFA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 44%
                                                            			E00405864(signed int __eax) {
                                                            				intOrPtr _v0;
                                                            				intOrPtr _t10;
                                                            				intOrPtr _t11;
                                                            				intOrPtr* _t12;
                                                            
                                                            				_t11 =  *0x435a28;
                                                            				_t10 =  *0x435a2c;
                                                            				__imp__OleInitialize(0);
                                                            				 *0x435a60 =  *0x435a60 | __eax;
                                                            				E004054E8(0);
                                                            				if(_t10 != 0) {
                                                            					_t12 = _t11 + 0xc;
                                                            					do {
                                                            						_t10 = _t10 - 1;
                                                            						if(( *(_t12 - 4) & 0x00000001) == 0) {
                                                            							goto L4;
                                                            						} else {
                                                            							_push(_v0);
                                                            							if(E00401399( *_t12) != 0) {
                                                            								 *0x435acc =  *0x435acc + 1;
                                                            							} else {
                                                            								goto L4;
                                                            							}
                                                            						}
                                                            						goto L7;
                                                            						L4:
                                                            						_t12 = _t12 + 0x818;
                                                            					} while (_t10 != 0);
                                                            				}
                                                            				L7:
                                                            				E004054E8(0x404);
                                                            				__imp__OleUninitialize();
                                                            				return  *0x435acc;
                                                            			}








                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 00405874
                                                              • Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA
                                                            • OleUninitialize.OLE32(00000404,00000000), ref: 004058C0
                                                              • Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
                                                              • Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409
                                                            Strings
                                                            • Waywort87 Setup: Installing, xrefs: 00405864
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$InitializeUninitialize
                                                            • String ID: Waywort87 Setup: Installing
                                                            • API String ID: 1011633862-679012682
                                                            • Opcode ID: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
                                                            • Instruction ID: 6162ea9da32c9538b6d8593dc8e66a114e5892011aec6599076d88f80df4c0eb
                                                            • Opcode Fuzzy Hash: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
                                                            • Instruction Fuzzy Hash: C5F0FA33500A009AF711B715AC02B6B73A8EB84705F08813EEE48A22A2E77948409B69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040620F(int _a4) {
                                                            				struct tagMSG _v32;
                                                            				int _t6;
                                                            
                                                            				while(1) {
                                                            					_t2 =  &_a4; // 0x403579
                                                            					_t6 = PeekMessageW( &_v32, 0, _a4,  *_t2, 1);
                                                            					if(_t6 == 0) {
                                                            						break;
                                                            					}
                                                            					DispatchMessageW( &_v32);
                                                            				}
                                                            				return _t6;
                                                            			}





                                                            APIs
                                                            • DispatchMessageW.USER32(?), ref: 0040621B
                                                            • PeekMessageW.USER32(?,00000000,?,y5@,00000001), ref: 0040622F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: Message$DispatchPeek
                                                            • String ID: y5@
                                                            • API String ID: 1770753511-1888225771
                                                            • Opcode ID: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
                                                            • Instruction ID: a24ec92ef1b44bd1206bcd030c3399a913cbf723d0e0f52077422d22942c0190
                                                            • Opcode Fuzzy Hash: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
                                                            • Instruction Fuzzy Hash: 41D0127194020ABBEF10AFE0DD09F9A7B6CAB54744F008475B701B5091D678D5258B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E00406D10(WCHAR* _a4) {
                                                            				WCHAR* _t5;
                                                            				WCHAR* _t8;
                                                            
                                                            				_t8 = _a4;
                                                            				_t5 =  &(_t8[lstrlenW(_t8)]);
                                                            				while( *_t5 != 0x5c) {
                                                            					_push(_t5);
                                                            					_push(_t8);
                                                            					_t5 = CharPrevW();
                                                            					if(_t5 > _t8) {
                                                            						continue;
                                                            					}
                                                            					break;
                                                            				}
                                                            				 *_t5 = 0;
                                                            				return  &(_t5[1]);
                                                            			}





                                                            APIs
                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403458,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ta62k9weDV.exe,C:\Users\user\Desktop\Ta62k9weDV.exe,80000000,00000003,?,?,?,?,?), ref: 00406D16
                                                            • CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D27
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.31317079623.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_400000_Ta62k9weDV.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrlen
                                                            • String ID: C:\Users\user\Desktop
                                                            • API String ID: 2709904686-3370423016
                                                            • Opcode ID: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
                                                            • Instruction ID: 44824fea6f3b9252f25675ab164e3effdf97f7511deaacd8752cc1a9fc297a0b
                                                            • Opcode Fuzzy Hash: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
                                                            • Instruction Fuzzy Hash: CBD05E31102531ABCB126B18DC059AF77B8EF41300306886AE542E7164C7785D92CBAD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%