Analysis Report https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip

Overview

General Information

Sample URL:https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip
Analysis ID:432180

Detection

Score:8
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Process Tree

  • System is w10x64
  • cmd.exe (PID: 5440 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5940 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • 7za.exe (PID: 2132 cmdline: 7za x -y -pinfected -o'C:\Users\user\Desktop\extract' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 4000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • unarchiver.exe (PID: 2648 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
    • 7za.exe (PID: 5540 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\j3sovef2.qui' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 4732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5428 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\license1.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseCS.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseDA.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseDE.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseEL.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseEN.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseES.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseFI.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseFR.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseIT.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseJA.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseKO.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseNL.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licensePL.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licensePT.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseRU.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseTC.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseTH.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseVN.rtf
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,26_2_00405302
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405CD8 FindFirstFileA,FindClose,26_2_00405CD8
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_0040263E FindFirstFileA,26_2_0040263E
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 02FC099Bh19_2_02FC02A8
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 4x nop then jmp 02FC099Ah19_2_02FC02A8
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt0
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crtlY
Source: wget.exe, 00000002.00000003.355890268.0000000002B15000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000003.355890268.0000000002B15000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.355890268.0000000002B15000.00000004.00000001.sdmp, wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crloY
Source: wget.exe, 00000002.00000003.355890268.0000000002B15000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crlqY
Source: SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wget.exe, 00000002.00000003.355890268.0000000002B15000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0B
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0J
Source: wget.exe, 00000002.00000002.356771659.0000000000B00000.00000004.00000020.sdmp, cmdline.out.2.drString found in binary or memory: https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zi
Source: wget.exe, 00000002.00000002.357533573.0000000002B58000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,26_2_00404EB9
Source: C:\Windows\SysWOW64\wget.exeProcess Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,26_2_004030CB
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 19_2_02FC02A819_2_02FC02A8
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 19_2_02FC029919_2_02FC0299
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_004046CA26_2_004046CA
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405FA826_2_00405FA8
Source: SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe.15.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe.20.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engineClassification label: clean8.win@15/81@0/2
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,26_2_004041CD
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00402020 CoCreateInstance,MultiByteToWideChar,26_2_00402020
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4732:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5424:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4000:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exeFile created: C:\Users\user\AppData\Local\Temp\m0pzrwos.ivt
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\wget.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
Source: unknownProcess created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o'C:\Users\user\Desktop\extract' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
Source: C:\Windows\SysWOW64\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\j3sovef2.qui' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
Source: C:\Windows\SysWOW64\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile written: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_zh.ini
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAutomated click: agreement
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,26_2_00405CFF
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00CCBB5C push edx; retf 2_2_00CCBB5E
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00CCA9F4 push ss; iretd 2_2_00CCA9F6
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00CC9905 push ds; iretd 2_2_00CC9906
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00CCA722 push ds; iretd 2_2_00CCA736
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00CCA9BD push ss; iretd 2_2_00CCA9BE
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00CD5EB0 push ecx; iretd 2_2_00CD605A
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_03082A10 push eax; ret 26_2_03082A3E
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\nsDialogs.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\WndProc.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\SkinBtn.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\FindProcDLL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\ButtonEvent.dllJump to dropped file
Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\Desktop\extract\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\license1.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseCS.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseDA.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseDE.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseEL.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseEN.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseES.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseFI.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseFR.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseIT.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseJA.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseKO.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseNL.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licensePL.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licensePT.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseRU.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseTC.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseTH.rtf
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile created: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseVN.rtf
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\unarchiver.exeWindow / User API: threadDelayed 909
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeWindow / User API: threadDelayed 681
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5892Thread sleep count: 909 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5892Thread sleep time: -454500s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,26_2_00405302
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405CD8 FindFirstFileA,FindClose,26_2_00405CD8
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_0040263E FindFirstFileA,26_2_0040263E
Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 19_2_0154B042 GetSystemInfo,19_2_0154B042
Source: wget.exeBinary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.356816696.0000000000CC8000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAPI call chain: ExitProcess graph end nodegraph_26-4700
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeAPI call chain: ExitProcess graph end nodegraph_26-4696
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeProcess information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,26_2_00405CFF
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_03B21855 CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateWindowExA,SetPropA,SendMessageA,SendMessageA,SendMessageA,SetWindowLongA,GetProcessHeap,HeapFree,26_2_03B21855
Source: C:\Windows\SysWOW64\unarchiver.exeMemory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\j3sovef2.qui' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
Source: unarchiver.exe, 00000013.00000002.1463027988.0000000001AB0000.00000002.00000001.sdmp, SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1463808140.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: unarchiver.exe, 00000013.00000002.1463027988.0000000001AB0000.00000002.00000001.sdmp, SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1463808140.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000013.00000002.1463027988.0000000001AB0000.00000002.00000001.sdmp, SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1463808140.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: unarchiver.exe, 00000013.00000002.1463027988.0000000001AB0000.00000002.00000001.sdmp, SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1463808140.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\wget.exeQueries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exeCode function: 26_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,26_2_004059FF
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 21 | LSASS Memory | Virtualization/Sandbox Evasion 21 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 15 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

[Behavior graph image. Behavior Graph ID: 432180, URL: https://www.cctvsecuritypro..., Startdate: 09/06/2021, Architecture: WINDOWS, Score: 8]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip | 0% | Virustotal | | Browse
https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip | 0% | Avira URL Cloud | safe |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe | 3% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\ButtonEvent.dll | 1% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\ButtonEvent.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\ButtonEvent.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\FindProcDLL.dll | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\FindProcDLL.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\FindProcDLL.dll | 0% | ReversingLabs | |

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
26.2.SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File
26.0.SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482 | | Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp | false | | high
https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zi | wget.exe, 00000002.00000002.356771659.0000000000B00000.00000004.00000020.sdmp, cmdline.out.2.dr | false | | high

        Contacted IPs

        Public

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        8.8.8.8 | unknown | United States | | 15169 | GOOGLEUS | false
        35.241.47.235 | unknown | United States | | 15169 | GOOGLEUS | false

        General Information

        Joe Sandbox Version:32.0.0 Black Diamond
        Analysis ID:432180
        Start date:09.06.2021
        Start time:20:55:49
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 18m 27s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:urldownload.jbs
        Sample URL:https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:46
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:CLEAN
        Classification:clean8.win@15/81@0/2
        EGA Information:
        • Successful, ratio: 66.7%
        HDC Information:
        • Successful, ratio: 30.1% (good quality ratio 29.9%)
        • Quality average: 90.1%
        • Quality standard deviation: 17.6%
        HCA Information:
        • Successful, ratio: 56%
        • Number of executed functions: 92
        • Number of non-executed functions: 44
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        Warnings:
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Execution Graph export aborted for target wget.exe, PID 5940 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtReadVirtualMemory calls found.

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
        Category:dropped
        Size (bytes):133090997
        Entropy (8bit):7.999920909132232
        Encrypted:true
        SSDEEP:3145728:2RZEVFOR4IWmfkkr3BZynOzY9E1rzMlbszvVCIOUFLLWkH:2zOOHkkrRZoOzYSZ4OVJOUFH
        MD5:B540B8A341C20DCED4BAD4E568B4CBF9
        SHA1:9A9742F9465375DE68386C73B5386D54F25B5353
        SHA-256:BFC7B4A2923415EBE1FE910A0E1C25BDF501309F3C0857F5B0D6FD5D67D25C72
        SHA-512:9A5D30E40FC16E1A8CE1EDB6E8A5D74CB1C5FA1C5CDB6387E93133E1873E634F0F94960A889CF60869304BA99CE510657EADA4756DD1E9F6F6D4CC3664563629
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 3%, Browse
        • Antivirus: ReversingLabs, Detection: 2%
        Reputation:low
        C:\Users\user\AppData\Local\Temp\m0pzrwos.ivt\unarchiver.log
        Process:C:\Windows\SysWOW64\unarchiver.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1793
        Entropy (8bit):5.292995680959723
        Encrypted:false
        SSDEEP:48:qpuGGYCGvYCGbvYCGvYCGpdYCGmYCGvYCGp0YCGbpYCGtYCGXYCGmYCGvYCGMYCU:MordfLifU
        MD5:BAF463D4F13C40F19D41B8F07C093CD6
        SHA1:B96BD98CF8B45F066DE65697E058E9029B5C780B
        SHA-256:2D762AD15210BC9396BF38987FB09B841D64487CC7A91138CB0FC999CA9C113E
        SHA-512:15CF7CAC21A1E77BD24B6423F9C706AE800AD7D570DE6CA7D597AEB9A2E7FE229391EDF3A77DB28C8C178CA8EE962533E665A35382957B9A5292CEC607522A75
        Malicious:false
        Reputation:low
        Preview: 06/09/2021 8:58 PM: Unpack: C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip..06/09/2021 8:58 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\j3sovef2.qui..06/09/2021 8:58 PM: Received from standard out: ..06/09/2021 8:58 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..06/09/2021 8:58 PM: Received from standard out: ..06/09/2021 8:58 PM: Received from standard out: Scanning the drive for archives:..06/09/2021 8:58 PM: Received from standard out: 1 file, 132401731 bytes (127 MiB)..06/09/2021 8:58 PM: Received from standard out: ..06/09/2021 8:58 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip..06/09/2021 8:58 PM: Received from standard out: --..06/09/2021 8:58 PM: Received from standard out: Path = C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip..06/09/2021 8:58 PM: Received from standard out: Ty
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\ButtonEvent.dll
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):4096
        Entropy (8bit):3.716022460746859
        Encrypted:false
        SSDEEP:48:qCniZEBGLqV0u+Z40xqyMo3AeSj/eDQcZ1:9nXGLq9+u0kyZ3AeKeDZ
        MD5:FAD9D09FC0267E8513B8628E767B2604
        SHA1:BEA76A7621C07B30ED90BEDEF4D608A5B9E15300
        SHA-256:5D913C6BE9C9E13801ACC5D78B11D9F3CD42C1B3B3CAD8272EB6E1BFB06730C2
        SHA-512:B39C5EA8AEA0640F5A32A1FC03E8C8382A621C168980B3BC5E2897932878003B2B8EF75B3AD68149C35420D652143E2EF763B6A47D84EC73621017F0273E2805
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 1%, Browse
        • Antivirus: Metadefender, Detection: 0%, Browse
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\FindProcDLL.dll
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):31744
        Entropy (8bit):5.124320488199201
        Encrypted:false
        SSDEEP:384:1NWlNdqdAnhTKMLE2oIM05fnqCiWg3Yy9kflIinokN:1NWtqdihTKCldkYwkdpnoy
        MD5:83CD62EAB980E3D64C131799608C8371
        SHA1:5B57A6842A154997E31FAB573C5754B358F5DD1C
        SHA-256:A6122E80F1C51DC72770B4F56C7C482F7A9571143FBF83B19C4D141D0CB19294
        SHA-512:91CFBCC125600EC341F5571DCF1E4A814CF7673F82CF42F32155BD54791BBF32619F2BB14AE871D7996E9DDECDFCC5DB40CAA0979D6DFBA3E73CFE8E69C163C9
        Malicious:false
        Antivirus:
        • Antivirus: Virustotal, Detection: 0%, Browse
        • Antivirus: Metadefender, Detection: 0%, Browse
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\KillProcess.bat
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):29
        Entropy (8bit):3.9262723741395074
        Encrypted:false
        SSDEEP:3:noIS2mBLN2:noX2m9N2
        MD5:E2B0144B6BA83EB0B56995ABA6F45920
        SHA1:D5058B8D0B39FE8EC0B1500F6F9B13236DBB8B2D
        SHA-256:EACDEEB21745BE8C1D7D59DF37CD6DB54E3A711A1562FD280542C89EFA7DE2AA
        SHA-512:8FFC816A0A32353D319AD5571E225E29B8A4DC74A3E5A7F98B931972AD0C1037D6358C68650D67BA0AB2F34FB122809C04E3702420F4F2BAD79FA23188FCEE96
        Malicious:false
        Reputation:low
        Preview: taskkill /im DSSClient.exe /f
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_cs.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        Preview: [Language]..lang="English"..langId=1033..selectlang="Select language:"..readagreement="I have read and agree the"..agreement="agreement"..uninstallText="Uninstall"..btnback="Back"..next="Next"..cancle="Cancel"..BaseClient="SmartPSS"..PC_NVR="Storage Service"..BtnBrouse="Browse"..InstallText="Install"..BaseClientContext="Wholly new, flexible realtime preview with abundant functions "..Context2="Playback interface based on user experiences "..Context3="Local storage, PC-NVR"..Context4="New tour settings, new alarm configuration, new.."..UpperClient="UpperClient"..UpperClientContext="Upper client-end: It refers to the GUI client-end of the platform. It works with the corresponding service. It supports real-time video play, record search and storage. It can add alarm plan, realize video tour and bidirectional talk function and etc."..Remove="Uninstall"..Version="Version"..Welcome="Welcome to use SmartPSS Operator Installation"..Introduce="Service-end of the SmartPSS platform includes two
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_da.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_de.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_el.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_en.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4341
        Entropy (8bit):4.824733543182524
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSry/n:Q5Pre5U7ZxTwBvEKz/
        MD5:95C41687B134704A69210EE8CCC5D523
        SHA1:06B50D05CC665A6A501C4F2E015A77A0F74081FF
        SHA-256:A5344C220305C598FB13DFAC6FDF85C7F7DBC9E8FEF849DF8C7A778D62C8CE05
        SHA-512:2247B2DF2B4D180D91A6FA6A3F06A501E357422B875F1F6066AE8CBA1A9BB431A8DC91D9E555F8D18E38C90BC9A1CB5EA6AC260D8697F52C258E822F17488448
        Malicious:false
        Reputation:low
        Preview: [Language]..lang="English"..langId=1033..selectlang="Select language:"..readagreement="I have read and agree the"..agreement="agreement"..uninstallText="Uninstall"..btnback="Back"..next="Next"..cancle="Cancel"..BaseClient="SmartPSS"..PC_NVR="Storage Service"..BtnBrouse="Browse"..InstallText="Install"..BaseClientContext="Wholly new, flexible realtime preview with abundant functions "..Context2="Playback interface based on user experiences "..Context3="Local storage, PC-NVR"..Context4="New tour settings, new alarm configuration, new.."..UpperClient="UpperClient"..UpperClientContext="Upper client-end: It refers to the GUI client-end of the platform. It works with the corresponding service. It supports real-time video play, record search and storage. It can add alarm plan, realize video tour and bidirectional talk function and etc."..Remove="Uninstall"..Version="Version"..Welcome="Welcome to use SmartPSS Operator Installation"..Introduce="Service-end of the SmartPSS platform includes two
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_es.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_fi.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_it.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_ja.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_ko.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_nl.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_pl.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_pt.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_ru.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_tc.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_th.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_vn.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):4232
        Entropy (8bit):4.82361991067855
        Encrypted:false
        SSDEEP:96:QjdPZNbWb6e5UkOVdZxTw06LdGUnpzuKSryhn:Q5Pre5U7ZxTwBvEKzt
        MD5:BB0EEE891DC159C17462C22F6857A434
        SHA1:E7296808204A46D10AA9C6884FCF92676248A848
        SHA-256:C521DA3C0222B31C1D91EBB45E28045EDE7C11B7B168E613DEE97EEF055FB191
        SHA-512:BB26749A3A90ED6130321C3013063CA85773BEB1CD324392F6AFD382476535B50CBEAFCF49BB23621887A47F46F705B4E49E87940770D283F8DD1319968B6EBE
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\LangStr_zh.ini
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:ISO-8859 text, with CRLF line terminators
        Category:dropped
        Size (bytes):3122
        Entropy (8bit):6.571124013873112
        Encrypted:false
        SSDEEP:96:reCN+/59lN+hbksiDCRLflaSV++NSx/bMnnuQ:rz+9v+usiDCJoSVLNSlbMnnuQ
        MD5:2B12A9690EB635C2AC728E82CE30FBFF
        SHA1:FCDEA0A6774B8D5E3BED67366EB80EA5AFA18F2A
        SHA-256:2977D1F2E661F0E2767613E9B91E828BC2C6BA6B5CB6F9232811925BC172FFF3
        SHA-512:74EA052CE6B6C9946AD42524FDC8AC051935EBF0D11581A6DA31A84109790F30E2DEAE32B485175632BB6ABA0390407159905690E56A56C4D702974E6305E517
        Malicious:false
        Reputation:low
        Preview: [Language]..lang="........"..langId=2052..selectlang="..........."..readagreement="..........SmartPSS..."..agreement="......"..uninstallText="..."..btnback="....."..next="....."..cancle="..."..BaseClient="SmartPSS"..PC_NVR="PC-NVR"..BtnBrouse=". .."..InstallText="......."..BaseClientContext="..................."..Context2=".................."..Context3=".......PC-NVR"..Context4="......................"..UpperClient="......."..UpperClientContext="..................GUI............................................................................................................"..Remove="..."..Version=".."..Welcome="......SmartPSS V2.0.."..Introduce="SmartPSS................................................"..FinishReadme="......"..Run="........"..Newtrait="......."..SelectItem"............."..Finish="..."..Accept="...."..Refuse="......"..DirectoryPage="...................[
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Progress.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 4 x 7 x 24
        Category:dropped
        Size (bytes):138
        Entropy (8bit):2.893107781280629
        Encrypted:false
        SSDEEP:3:iFlqlslFlbXE7dAIIIIckx:vlsto/kx
        MD5:6127AE387CECD18490F86A8CDE10B131
        SHA1:DF2B1313C5A1A0E6C3FD6DA8EF4D55EA9F9F3E83
        SHA-256:128DDE1475CD384098A90E6D387E271BC554F1F0250B420EF8BA344BFF79444E
        SHA-512:32DE4D51249FCC2F6495CE56CB179A06C79935D8A45FC0F6170AAE18F3F9DCF820EDA40D792F50683062F2D5AFDC203BE1571A9BB84DC275CEA6CA5416D783B7
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\ProgressBar.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 118 x 7 x 24
        Category:dropped
        Size (bytes):2546
        Entropy (8bit):2.6212000448255957
        Encrypted:false
        SSDEEP:24:3CNC44444444444444444444444444444444444444444444444444444444444U:z
        MD5:D9C4B0EA04B23E2B004862C0556AB1E9
        SHA1:F8A13251A6DB3471AE601EDAF5C6A3A5130EE57D
        SHA-256:E3FE4E13820E515E6F469B7552DCEFAA6A8AF655FC172552D20DDE944FB13DAD
        SHA-512:8A8A1F5722F2D60846CA8435AEB50887E329791C56C46649C7F68652527DBA072F57D1965D746031F376A936C9B2C574BF6DBDDD2C7AEF504BC488F324E5ED5A
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\SkinBtn.dll
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):4608
        Entropy (8bit):4.699273371699171
        Encrypted:false
        SSDEEP:48:iIf3aEDfeWm8JHFQbUrUPJJDFoetaxn/pFW3GNivz187eqzI/kMr8oX0Zbj:lv9Dfw8DQbhD2iaxn/PHmiNI/dQFZH
        MD5:E4EC95271FF1BCEBAB49BDFED6817A22
        SHA1:2C03E97F4773AEA80ECDB98A1482E5896FE4677B
        SHA-256:EE1C06692A757473737B0EBDEF16F77B63AFAC864D0890022D905E4873737DD6
        SHA-512:771A527133806307A1B17B7E956D6A3C16E9BC675BF084B43204AE784A057DAC2726DBF90645692876043A4E7365BA8825C167621FDE4760C79CD84679E2AA3D
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 01.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 02.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 03.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 04.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 05.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 06.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slide 07.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides.dat
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
        Category:dropped
        Size (bytes):1014
        Entropy (8bit):3.466546561678331
        Encrypted:false
        SSDEEP:12:QP7lSav/UatDUFlO+uNJ6kGdhWFMa2KLCchWMaiDKJW4XQ4Xj4Xi4XNd14Xc4XvP:QDlXUVFlRu+4wJscp5z9
        MD5:B3B23910AAA6C04BD554364562834599
        SHA1:DC039FF34F0C0F6FAB37AE3301E13E53BBBB2B8D
        SHA-256:C22548FF332707FAD9B30D9566491692D1DC4DCBEBE2DC085B2459DE99E54DF1
        SHA-512:44A7E5616405D9E05261C30B70DDB36CC400E006E5F1C9FEC76B50CDBBA18DB4500FBA1F8082DB1DFC0DD6CE0A22BA9A5A2ED4AD46EF4302630A1D91A1EFCD64
        Malicious:false
        Reputation:low
        Preview: ; Note that this file can be in ANSI (use adequate locale codepages) or Unicode.
                 ; In this sample, the 3rd slide contain a Unicode character that will display as '?'
                 ;  if you use ANSI NSIS, and display correctly if you use Unicode NSIS.
                 [2052]
                 =Slide 01.jpg,1000,1000,""
                 =Slide 02.jpg,1000,1000,""
                 =Slide 03.jpg,1000,1000,""
                 =Slide 04.jpg,1000,1000,""
                 =Slide 05.jpg,1000,1000,""
                 =Slide 06.jpg,1000,1000,""
                 =Slide 07.jpg,1000,1000,""
                 ; ending with a period (.) => slideshow will not
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 01.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 02.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 03.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 04.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 05.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 06.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slide 07.jpg
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:[TIFF image data, big-endian, direntries=5], baseline, precision 8, 670x320, frames 3
        Category:dropped
        Size (bytes):14250
        Entropy (8bit):7.815117374347581
        Encrypted:false
        SSDEEP:192:mgsjxlVNCDk/HQXm55luPNdUqnCWUoyD1O9z722azH5qTAqabSIbxKLIMRkVj:mt1/ek/HL55luPNd/TUOA2kq+bAEMOVj
        MD5:504067DE4F6F63BB720D829D9538C29A
        SHA1:01939C763F7BA5562ADFAC5B9684F7237233E626
        SHA-256:1351A8E4A54CD6C1D959C3B61537A31BD792AAF41682BE0E59ED714130AE7A4D
        SHA-512:2FE0FA4FC60A5C2706B00F8DA236FBC5F8AA869BFC897F64841A99623763B6286AD354D0F0D405C7F3CCC41480B73F2A8A358F05605B86C8A77FA8A1D59BAD2E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides\Slides.dat
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
        Category:dropped
        Size (bytes):1014
        Entropy (8bit):3.466546561678331
        Encrypted:false
        SSDEEP:12:QP7lSav/UatDUFlO+uNJ6kGdhWFMa2KLCchWMaiDKJW4XQ4Xj4Xi4XNd14Xc4XvP:QDlXUVFlRu+4wJscp5z9
        MD5:B3B23910AAA6C04BD554364562834599
        SHA1:DC039FF34F0C0F6FAB37AE3301E13E53BBBB2B8D
        SHA-256:C22548FF332707FAD9B30D9566491692D1DC4DCBEBE2DC085B2459DE99E54DF1
        SHA-512:44A7E5616405D9E05261C30B70DDB36CC400E006E5F1C9FEC76B50CDBBA18DB4500FBA1F8082DB1DFC0DD6CE0A22BA9A5A2ED4AD46EF4302630A1D91A1EFCD64
        Malicious:false
        Reputation:low
        Preview: ; Note that this file can be in ANSI (use adequate locale codepages) or Unicode.
                 ; In this sample, the 3rd slide contain a Unicode character that will display as '?'
                 ;  if you use ANSI NSIS, and display correctly if you use Unicode NSIS.
                 [2052]
                 =Slide 01.jpg,1000,1000,""
                 =Slide 02.jpg,1000,1000,""
                 =Slide 03.jpg,1000,1000,""
                 =Slide 04.jpg,1000,1000,""
                 =Slide 05.jpg,1000,1000,""
                 =Slide 06.jpg,1000,1000,""
                 =Slide 07.jpg,1000,1000,""
                 ; ending with a period (.) => slideshow will not
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\System.dll
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):11264
        Entropy (8bit):5.568877095847681
        Encrypted:false
        SSDEEP:192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
        MD5:C17103AE9072A06DA581DEC998343FC1
        SHA1:B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
        SHA-256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
        SHA-512:D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\WndProc.dll
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):3072
        Entropy (8bit):4.016092951747232
        Encrypted:false
        SSDEEP:24:eFGSLysSWGet9SQvcpuO8VBveu+5ed5otWi30vh7kguseZFOe5M+g7dDO1ngmqAT:iIW/t4uOEReR5edWtWW05kguAD4yJ
        MD5:F0CB331DD4BD92A6EBCE45E7CD1CF5EF
        SHA1:B66EA0C10B08750295F2DC7C170B370402393214
        SHA-256:E7B3115FA2CE4A8FA09BEEEFA4FB634A474197F38A2854CE9BE60D0A26016458
        SHA-512:7C33418F39B91AE0D4CC8B560F516BAC293593EEF539832815028878C2058BF1691C2D767A039CF312989839071F2F6F0B6D9D59835ACDFFF6B448BF1FFEA271
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\bg_finish.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 670 x 320 x 24
        Category:dropped
        Size (bytes):643896
        Entropy (8bit):4.642016702879608
        Encrypted:false
        SSDEEP:1536:c5sss8apdT+Sio4eUXa/rRbsXwoRmyyyyyyjyyyyyyyyyyyyaydyyyyyyyQPfyvg:NP
        MD5:BFCB1576878D425C964AE4370CDA710A
        SHA1:53E41001E5F7AE1470BACB06683F6E52EF32FCD7
        SHA-256:1CBB496F530DEAD56C8109F9350FBE903512E626F07D8033A536CE080DD5647F
        SHA-512:39FF116C4837DCFD02A2E7EECFE90DC163519787EB350C0CBA360F6001966D26DCF233BDC8E61E5C45E5D782BBC4263AA2E24ECF9A67FD67F44176954E5CF98D
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\bg_top.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 670 x 320 x 24
        Category:dropped
        Size (bytes):643894
        Entropy (8bit):4.693876806455245
        Encrypted:false
        SSDEEP:1536:lpsss3B81P7L2sG/re4AsPQHXQiJZyy7yyyyyyyyyyyy0yyyyyyyyyyyymFyyyRw:YBEV
        MD5:2269ADBE4AE945AA938F4723D66274FB
        SHA1:20DBDAC27939898D779E07F495C137D818CD0444
        SHA-256:77734FEC9F111FC4EA6E8E1670DB4FF74CE48C072F51ECB81283B04D49FECA92
        SHA-512:9119EDEB3C728E3CEC57732E6EB7CC5FE3C34CDFD79C9F8672201428077F697FE0EB47583781B8AFA34EC2AA718381023A1C7F0521F2A30C9766C80779A72260
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\bg_top2.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 670 x 60 x 24
        Category:dropped
        Size (bytes):120774
        Entropy (8bit):4.394301363385595
        Encrypted:false
        SSDEEP:192:cbbi8li/BhMQopNrB6T+vysPzh2222222Kl8222aINYMB/6Bxojk65Pkh+0UkIJ1:S1G2Y4DD0UkIJg13dzlzf8mcT
        MD5:CB3EC19AE129608BB1FFB16AC4D5DCAE
        SHA1:3CA534C0BF8F32F56DCE33C7D9AB924C0734653E
        SHA-256:DFAF5952DE7E6330D723E254AD8DB082250EC448E82EA52C8CEA0D2FA313AFB3
        SHA-512:891A4A9926BEF8C394401EB38230B57676C35772777AEE97D897C2CA217476FEA3FEDF3098F675949C49A7C58FE363A64FD7015F3E50F1C55B0224788D1400F8
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\big.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 670 x 440 x 24
        Category:dropped
        Size (bytes):885334
        Entropy (8bit):4.681633041788928
        Encrypted:false
        SSDEEP:1536:0gCgqcQ0ad3n9hRrUT7Gpsss3B81P7L2sG/re4AsPQHXQ+zUyyoyyyyyyyyyyyyU:Kd18BEvwnJ
        MD5:D349866C797CE6AFAC45E33DB623B958
        SHA1:4F1170B1D644C7F9E22BC4C26292C3C5033B4FB9
        SHA-256:A88F23B0859819A7C7B8F98EA4B2A35A7DD03C6F5125C4377E1DD6FFAA5721F0
        SHA-512:17E62EBA39DDF5B4DE5E2692B8042CC4A732E83F7A64098D6D730829A115CEC81821E123126F8393BE5B4C1EC151BA6DFDB6275C162733FE029F6CA55BCF18C1
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\btn1.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 70 x 120 x 24
        Category:dropped
        Size (bytes):25496
        Entropy (8bit):5.023106110786282
        Encrypted:false
        SSDEEP:48:T7kO48OOOG6mzhASfVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVK:T7nclmfmWc
        MD5:46F6375C72C8FCCDFCD0328F15C66631
        SHA1:9800E91D64C392906AE86D0FACF3B1AEE59E08AB
        SHA-256:30CCE626F7E2E4486C9088B1DB2CA295A1C94EFE946E9948220FDE2B6E8F272D
        SHA-512:D748464E33329522385431CD3A763664E372A9A18E403E7401353DBDA1074FF170ED8EF0B3DC5207583F67678D531978053920E9160267229E0DC4F66CD4192F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\btn2.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 70 x 120 x 24
        Category:dropped
        Size (bytes):25496
        Entropy (8bit):4.707696851445522
        Encrypted:false
        SSDEEP:48:Tfmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmq:TFafK5v3
        MD5:274E7732E79BEA325F6C14E5B4A79518
        SHA1:39636F26723ECEACDB73D9FA721269823E933209
        SHA-256:2A174C4BE4D8496B5EC23FD8261680AFF1D286BA92EEED78B11A5D7536C92E83
        SHA-512:AEDBF2277301BC44AC7312EBBE0AF3CFC6CBC01010213A59A41F3F1EC6F235200290D5E8C614C475CD25E1907D664BE09200901C13A4B6482DC87B7A41EEB220
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\btn_clos.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 14 x 70 x 16
        Category:dropped
        Size (bytes):2016
        Entropy (8bit):3.0328266462267655
        Encrypted:false
        SSDEEP:24:PZBGe4GOGpG/GOGZGvGOGBGehRYGe4GOGpG/GOGZGvGOGBGeoy0BGUEU8O0RIthr:hvRHPHhr
        MD5:F0EE3CE6DDECC22AA217AF312E761B26
        SHA1:B744DDB94BB0D6BF426ABF7040CF3619393D8D55
        SHA-256:7C511C6A8455D356FDBB6E656E1E875962BD63EE5A99AADF826A761AE93DC685
        SHA-512:64ECCC6929BA2E88FC95FB478F10875E5EF9DF5ECB0E4041DD65A025D47B645CDB145D2EA860B16FBD55DE31AEB9ED6B94A7D9312490B1D6FF5C80B1AC107978
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\btn_finish.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 140 x 200 x 24
        Category:dropped
        Size (bytes):84056
        Entropy (8bit):4.932944073674027
        Encrypted:false
        SSDEEP:48:gixwaEt5AwaEt5gkVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVt:gixwdAwdgnwso
        MD5:63E905EF52A76930EB9911629660D61F
        SHA1:9C290E01B2383705AAFBF934E93A01ED5EF84A54
        SHA-256:1E186526F6AD6DCEB0A1AFBF36E46169761CB3B968F7D72CDA8474EBDD104018
        SHA-512:9D876CA183F87EA5B2849209C312B8684840C885CD0C5FED16ED9A2821A6333AEFE26C7C97FA02E5C68F44316E8B1B36454D0D7F41E5001378CE94CF4EDF677C
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\btn_mini.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 14 x 70 x 24
        Category:dropped
        Size (bytes):3136
        Entropy (8bit):2.442364756240094
        Encrypted:false
        SSDEEP:24:4zi/fffwPCf3YY71PdG0yGMGHo8D5LgwjxC:2iwQIY71Pd8KTdNk
        MD5:16498F0B88E304022A5D2336C1C6C399
        SHA1:8B6D22569ADDE6637623B20B9D8E8DF09D98C504
        SHA-256:26FBA88035D9604B811EBC35745AC07D506AFA6D36B6D9CA8A6A21C9871C6E0D
        SHA-512:F7715770763F16EEB83AA3BDEDB6CD22B9C45560E413D4E8E973BD22EAEFA72E92615FA421A383E0D4D3685E700BB9F05061B21A901924FB213A6EC2AB516A98
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\btn_scan.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 73 x 130 x 24
        Category:dropped
        Size (bytes):28656
        Entropy (8bit):4.1613303738546845
        Encrypted:false
        SSDEEP:96:2rvskYEFFFFFFFFFFFFFFFFFFFFFtHO+YlLVH:2gknFFFFFFFFFFFFFFFFFFFFFtu95VH
        MD5:01F752D735B59B8155F8C8F1855B8F6C
        SHA1:CA10018DFFA802B0CDAE03BDF60C60C0F9CB9792
        SHA-256:E160971C77B3345A1B6030046AE54FAAB63F7509FAAC62DCAF220F94CB63A00A
        SHA-512:65046D0CA84B16A341BABBAF0EBBB2640675E7FF278AD933CB33BD1241C48E44D5D6719C071685524B912AC2F331680A7DB39C4A1FB29C5529E558133CDA0691
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\checkbox1.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 12 x 60 x 24
        Category:dropped
        Size (bytes):2214
        Entropy (8bit):4.450562521920535
        Encrypted:false
        SSDEEP:48:v35+MSSSSSgp1X1X1X1rIu3z5SSSSS0SSSSSZNNNNNNxz5SSSSSX52:vJ+Yp1X1X1X1rIuDyNNNNNNZ42
        MD5:463FC13B0099366E652BF3B0FDB29662
        SHA1:707DB2B0E1316D27DAF8C6F143813CF02062931D
        SHA-256:35ED59A370F824085AA0B47234E628DC0A6FC29B55882892E20CD09B13007CDA
        SHA-512:74D24E582AFB23656526B4121FE60AC3376EE191A740ACAA1D6D975C75CD119D302D1A524C047C77E019915FFA0C337E62C40BAA1F45DB15BD70B70F6D1BA939
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\checkbox2.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 12 x 60 x 24
        Category:dropped
        Size (bytes):2216
        Entropy (8bit):5.762056242130042
        Encrypted:false
        SSDEEP:48:T3ShdoodCdIdp4SSSSSptVFcUoXtDb3z5SSSSSG5SSSSSSDfrtPoNOC//SSSSSSo:TCkoPVGUoXdbDxjtANOC/an
        MD5:4570A5AF4E87ED2CD34411FCDE26726C
        SHA1:E54531C85954E523C41CAEBE2D56BF4DD5C22955
        SHA-256:29548A3DE597DDC78CEA9CB2D58C7997A0C51807E061C50EB838D33A26F2B868
        SHA-512:EADAB23C7A64178EFB49CCC1652AB368BA35163DAD6E3293081F8D9CC8C534D927BAD4DE12257E9ADEA64EE2FE0197200F3C0A1F487B538DC7AA8B9BEC4A9E26
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\license1.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):104486
        Entropy (8bit):4.901095162669656
        Encrypted:false
        SSDEEP:768:YwEfSZghUZLyOntT4HXzcYI6X7gPWonz3zYzuzlLGaZTyAop/ztXsb453CKv3Ymy:YwNghmmUOTg8o
        MD5:67B2FA306B1D2EDEC16B06AD53C83397
        SHA1:5A67CB55423C17C42AA3B1D5E1606435894B1A4A
        SHA-256:6D48DC5E8C21FF8375372659CBFA3113AEFC645509D8E0DA707B35B7ADBA3354
        SHA-512:F9AD497CF0F196D18BBA97ED91768BEDA65F5155B3D47B8A391A7451AD695D648BB0EA507FE1CE4463016F303304885BBBA7D8A22C818ECD0871CB027E3733CC
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseCS.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseDA.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseDE.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseEL.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseEN.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseES.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseFI.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseFR.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseIT.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseJA.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseKO.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseNL.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licensePL.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licensePT.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseRU.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseTC.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseTH.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\licenseVN.rtf
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:Rich Text Format data, version 1, unknown character set
        Category:dropped
        Size (bytes):65485
        Entropy (8bit):5.077278736394721
        Encrypted:false
        SSDEEP:768:YwfoZghUZLyOntT4HXzcYI6X7gP+8z3zYzuzdzIRFRm46IDLeAEkI0zvHZnQSJOE:YwWghmxzIPRd6QLejkI0zfOTg8M
        MD5:E6E36D4F5D374E08336BCC218E56DF57
        SHA1:9F9FDC1685832A8C183FCF7DCE06D69C7CCE68E8
        SHA-256:C4B8C123E131B50A3086CD7C65ACC94B3B73BE9859951FF3DFFEC2FE106165A4
        SHA-512:8C75437BA58A9A6C7BBEF13B21DF90D24AC15AC1F73DAAB6EAE85DF68EB6F5BB439132F24C69F63B6CCA4C75B39E083AEE0BFADBCC436D22E82CDE70A592F83F
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\nsDialogs.dll
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):9728
        Entropy (8bit):5.054726426952
        Encrypted:false
        SSDEEP:96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
        MD5:C10E04DD4AD4277D5ADC951BB331C777
        SHA1:B1E30808198A3AE6D6D1CCA62DF8893DC2A7AD43
        SHA-256:E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
        SHA-512:853A5564BF751D40484EA482444C6958457CB4A17FB973CF870F03F201B8B2643BE41BCCDE00F6B2026DC0C3D113E6481B0DC4C7B0F3AE7966D38C92C6B5862E
        Malicious:false
        Reputation:low
        C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\tip.bmp
        Process:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        File Type:PC bitmap, Windows 3.x format, 360 x 165 x 24
        Category:dropped
        Size (bytes):178254
        Entropy (8bit):2.838387262667009
        Encrypted:false
        SSDEEP:96:uuGGkemYi0eIk3eIlE9Yeo50dLe+ObOe4dIkesIIYeunZe2u8OO+EeuHoeYiReuE:8mHtpVg5Z5L+
        MD5:6A96774C0A02AB9C584F7C061F902E73
        SHA1:17166F531EF5BB508FBAD62F2320B909A2C86FF0
        SHA-256:C5C5414535C3492B53193BBBD89922A0017577C3D41A3ED2EBECC90385657BE7
        SHA-512:A495BBE32AA45F4E525A67F6EBC86A08DB41160EC67CB74B7D71A66FF8EE4B417FDB2EEA3D65C9E97E0E4492FFA78A791A27D3C49EB018318E2313319502E3D5
        Malicious:false
        Reputation:low
        C:\Users\user\Desktop\cmdline.out
        Process:C:\Windows\SysWOW64\wget.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):181703
        Entropy (8bit):1.7779797907145694
        Encrypted:false
        SSDEEP:768:erIj/D2c7tg3JLkXU84cpoagrMPUO9v1Bfz1qamb184NjNtol1aQES:erQ96APigBR+19xePh
        MD5:93D01C03372781A9BD90DBADECF730E6
        SHA1:6671993C286C6426FC7BCD53216C2ECFD4FB3F01
        SHA-256:8EDE3BEBECF7064F4016B287F153D5FB4DC797B84B28913CB795AFC92C972153
        SHA-512:74C66AA819C7FE4F3DE5609C34F894350D9DD6E4B2037B07A2447AF705DA3B8075D9653683E7EA4E70013BEB64716A195E49B5A9B6A7E6F9056E0AD45F919B0E
        Malicious:false
        Reputation:low
        Preview: --2021-06-09 20:56:40-- https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip..Resolving www.cctvsecuritypros.com (www.cctvsecuritypros.com)... 35.241.47.235..Connecting to www.cctvsecuritypros.com (www.cctvsecuritypros.com)|35.241.47.235|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: unspecified [application/zip]..Saving to: 'C:/Users/user/Desktop/download/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'.... 0K .......... .......... .......... .......... .......... 247K.. 50K .......... .......... .......... .......... .......... 555K.. 100K .......... .......... .......... .......... .......... 904K.. 150K .......... .......... .......... .......... .......... 930K.. 200K .......... .......... .......... .......... .......... 1.73M.. 250K .......... .......... .......... .......... .......... 1.25M.. 300K .......... .......... .......... .......... .......... 821K.. 350K .......... ..
        C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip
        Process:C:\Windows\SysWOW64\wget.exe
        File Type:Zip archive data, at least v1.0 to extract
        Category:dropped
        Size (bytes):132401731
        Entropy (8bit):7.999997066509763
        Encrypted:true
        SSDEEP:3145728:uBRiJ62ZG+8gcGGKuVoRo8mmqIXP7UhvIbnf6AoChXoSwM:u/v2wGGKwoo8mmVfAUfvoCh/
        MD5:F98FC331892F47A29CB1879303831643
        SHA1:D69C5D52FBF41F1771701FC2288F5B08E75877DE
        SHA-256:47D4A8595B088EBC8541C31939453D07B2AACF094E72A98098AF19DF1B3B53F7
        SHA-512:0A02E06F44E4A9C0FDFD4D5E352081C1C9BC8AE57A6FC1F7E4EF928F0E7F811A3B2A95E08FA947A69853F7ACDB9BFAFDF738EFF4D27B7CCD35047231389E94F7
        Malicious:false
        Reputation:low
        C:\Users\user\Desktop\extract\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
        Category:dropped
        Size (bytes):133090997
        Entropy (8bit):7.999920909132232
        Encrypted:true
        SSDEEP:3145728:2RZEVFOR4IWmfkkr3BZynOzY9E1rzMlbszvVCIOUFLLWkH:2zOOHkkrRZoOzYSZ4OVJOUFH
        MD5:B540B8A341C20DCED4BAD4E568B4CBF9
        SHA1:9A9742F9465375DE68386C73B5386D54F25B5353
        SHA-256:BFC7B4A2923415EBE1FE910A0E1C25BDF501309F3C0857F5B0D6FD5D67D25C72
        SHA-512:9A5D30E40FC16E1A8CE1EDB6E8A5D74CB1C5FA1C5CDB6387E93133E1873E634F0F94960A889CF60869304BA99CE510657EADA4756DD1E9F6F6D4CC3664563629
        Malicious:false
        Reputation:low
        \Device\ConDrv
        Process:C:\Windows\SysWOW64\7za.exe
        File Type:ASCII text, with CRLF, CR line terminators
        Category:dropped
        Size (bytes):7461
        Entropy (8bit):3.428716033023254
        Encrypted:false
        SSDEEP:192:QSfhnSfvSfqSfOSfISfPSfASfdSffSfbSfCOSfRSfVSf0SfgSfrSfpSfNSfxSfyt:QSfhnSfvSfqSfOSfISfPSfASfdSffSfA
        MD5:FEB315B137B31F64D70800BC255EFC2D
        SHA1:0B96E586AF1616B10EEEB63DA0E6E70A1DC784AF
        SHA-256:7C21705C57D8CC21C13554E39DCA80B9345A90E275983F81D251F8906F6159C5
        SHA-512:37379B22F52200E17159DD7FFCFE20D2AAF75D6F6E8336FB6DADB32792AE039956F19789A03E2A193C6626855D665FA8941F95D8E06C6C2A4ACBFF73F286057A
        Malicious:false
        Reputation:low
        Preview: ..7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30....Scanning the drive for archives:.. 0M Scan C:\Users\user\Desktop\download\. .1 file, 132401731 bytes (127 MiB)....Extracting archive: C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip..--..Path = C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip..Type = zip..Physical Size = 132401731.... 0%. . 3% 1 - General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.1 . Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe. . 6% 1 - General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.1 . Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe. . 8% 1 - General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000

        Static File Info

        No static file info

        Network Behavior

        No network behavior found

        Code Manipulations

        System Behavior

        General

        Start time:20:56:38
        Start date:09/06/2021
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip' > cmdline.out 2>&1
        Imagebase:0xbd0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:56:39
        Start date:09/06/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6b2800000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:56:40
        Start date:09/06/2021
        Path:C:\Windows\SysWOW64\wget.exe
        Wow64 process (32bit):true
        Commandline:wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.cctvsecuritypros.com/content/pages/software/06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
        Imagebase:0x400000
        File size:3895184 bytes
        MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:57:50
        Start date:09/06/2021
        Path:C:\Windows\SysWOW64\7za.exe
        Wow64 process (32bit):true
        Commandline:7za x -y -pinfected -o'C:\Users\user\Desktop\extract' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
        Imagebase:0x11d0000
        File size:289792 bytes
        MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:57:50
        Start date:09/06/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6b2800000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:58:01
        Start date:09/06/2021
        Path:C:\Windows\SysWOW64\unarchiver.exe
        Wow64 process (32bit):true
        Commandline:'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
        Imagebase:0xd60000
        File size:10240 bytes
        MD5 hash:DB55139D9DD29F24AE8EA8F0E5606901
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:low

        General

        Start time:20:58:03
        Start date:09/06/2021
        Path:C:\Windows\SysWOW64\7za.exe
        Wow64 process (32bit):true
        Commandline:'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\j3sovef2.qui' 'C:\Users\user\Desktop\download\06212019-General-SMARTPSS-Win32-ChnEng-IS.zip'
        Imagebase:0x11d0000
        File size:289792 bytes
        MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:58:03
        Start date:09/06/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6b2800000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:58:15
        Start date:09/06/2021
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe'
        Imagebase:0xdb0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:58:15
        Start date:09/06/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6b2800000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:20:58:42
        Start date:09/06/2021
        Path:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
        Imagebase:0x400000
        File size:133090997 bytes
        MD5 hash:B540B8A341C20DCED4BAD4E568B4CBF9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Antivirus matches:
        • Detection: 3%, Virustotal
        • Detection: 2%, ReversingLabs
        Reputation:low

        Disassembly

        Code Analysis

          Execution Graph

          Execution Coverage:21.4%
          Dynamic/Decrypted Code Coverage:100%
          Signature Coverage:6%
          Total number of Nodes:67
          Total number of Limit Nodes:4

          Executed Functions

          Strings
          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID: :@:r$X1ar
          • API String ID: 0-3821969665
          • Opcode ID: 124b8da018b8e505517bc244608e7e705afbd14976adaf3abb110f7964b2a9f9
          • Instruction ID: d60bf8c3b38a3f630c8ca1cc2373149f6f8b9460b5589161b5c8484f74ee5401
          • Opcode Fuzzy Hash: 124b8da018b8e505517bc244608e7e705afbd14976adaf3abb110f7964b2a9f9
          • Instruction Fuzzy Hash: 17221674E01218CFEB24CFA5D994B9DBBB2FB89301F1091AADA09A7354DB749D85CF10
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetSystemInfo.KERNELBASE(?), ref: 0154B074
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: InfoSystem
          • String ID:
          • API String ID: 31276548-0
          • Opcode ID: 2363e4c8c2ab3b05e7dbf9e333c7d921da9a53651f720230a6700d7cede927c1
          • Instruction ID: 6712b9c984a761a1ebe91cb31b8f70ab56251f814b39691e6d2e6cbaf51ce175
          • Opcode Fuzzy Hash: 2363e4c8c2ab3b05e7dbf9e333c7d921da9a53651f720230a6700d7cede927c1
          • Instruction Fuzzy Hash: EC01A270800244DFDB10CF29D88475AFFD4EF44225F18C8AADD498F252D2B5E504CB62
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0154B15F
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: 7d37d5f6ed36df6eb6059aafa2370a2a089cb1cbedc50fd1a34c17c89727f8ed
          • Instruction ID: abb8997cc86f590321e6c5794f8d5ce906ee66c1c533afc7d7fbd8aa97cf9f5c
          • Opcode Fuzzy Hash: 7d37d5f6ed36df6eb6059aafa2370a2a089cb1cbedc50fd1a34c17c89727f8ed
          • Instruction Fuzzy Hash: 05319272504344AFEB228F65DC44F66BFBCEF46310F04859AFD85DB152D224A919CB71
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0154AC13
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: 79b6732cdf250a5c24c4a39792a0f4cf8c2c33714b63022e9e50f56a699f7396
          • Instruction ID: a4de891a60b759e5ce958d55c87ae48886e28dce0eafcbbabfd5edaf48985126
          • Opcode Fuzzy Hash: 79b6732cdf250a5c24c4a39792a0f4cf8c2c33714b63022e9e50f56a699f7396
          • Instruction Fuzzy Hash: BF31D372004344BFEB228B65CC44F67BFACEF46310F0488AAF985CB152D224A819CB60
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0154A5A9
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CreateFile
          • String ID:
          • API String ID: 823142352-0
          • Opcode ID: f479dcfb1ce349451da8e2308f69a9ce15a14b67080e352cb0bb343a1962991f
          • Instruction ID: c31c16eb71914176dd0f21fc253e1f9f55f8b98dfff5a0bb41fd1588faf19c7e
          • Opcode Fuzzy Hash: f479dcfb1ce349451da8e2308f69a9ce15a14b67080e352cb0bb343a1962991f
          • Instruction Fuzzy Hash: 82318FB1504380AFE722CF25DD44FA6BFE8EF45214F08849EE9858B252D375E905CB71
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0154AAA2
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CreatePipe
          • String ID:
          • API String ID: 2719314638-0
          • Opcode ID: d5537a9ba9ea5e70aa997d47d100c28007f2b83db845c65ef66b07b01686d42e
          • Instruction ID: 889c173376616ff708fee2991718c322910dfcf98db9d0240fa4fbeeb700744a
          • Opcode Fuzzy Hash: d5537a9ba9ea5e70aa997d47d100c28007f2b83db845c65ef66b07b01686d42e
          • Instruction Fuzzy Hash: 4D318F7640E3C06FD3138B718C61A55BFB4AF47610F1D84CBD8C48F2A3D2686919C7A2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 0154A1C2
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FileFindNext
          • String ID:
          • API String ID: 2029273394-0
          • Opcode ID: 0d3a27c7281ebddebec5d37fdb51863a1a818dd5c1c92cc325ee27414e214905
          • Instruction ID: 55b2679ff6bf727353c2249408ed0bc18642f7e35980032436830df20dae7006
          • Opcode Fuzzy Hash: 0d3a27c7281ebddebec5d37fdb51863a1a818dd5c1c92cc325ee27414e214905
          • Instruction Fuzzy Hash: 1621A67140D3C06FD7128B758C51B62BFB4EF47610F1985DBED848F193D225A919C7A2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0154B15F
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: 14c89ae8ec29974a7735eb49305787e663c256e430550108b0632a1e7a506e53
          • Instruction ID: 5685f43ad1cfb9898b1310cf4a332526bcba37dbd04d117cad4bdadb5475c73e
          • Opcode Fuzzy Hash: 14c89ae8ec29974a7735eb49305787e663c256e430550108b0632a1e7a506e53
          • Instruction Fuzzy Hash: 0E219D72500204AFEB219F69DC84F6BFBACEF48320F14896AEE459B251D670E5188B61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 0154AC13
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: DuplicateHandle
          • String ID:
          • API String ID: 3793708945-0
          • Opcode ID: 40d910fd760888807ec1c9eb7063fa721557775d6e5733094069919189a6a31f
          • Instruction ID: 7a1639b09048ea38155c04463f4979d5c2e27883cc902cd77138967d7f3eaa1e
          • Opcode Fuzzy Hash: 40d910fd760888807ec1c9eb7063fa721557775d6e5733094069919189a6a31f
          • Instruction Fuzzy Hash: 1321C172500204AFEB21CF69DC84F6BFBECEF44310F04896AFE469B251D670A5188BB5
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetFilePointer.KERNELBASE(?,00000E2C,7164F59B,00000000,00000000,00000000,00000000), ref: 0154A80A
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          • Opcode ID: 699da723380df8b6d590683c39e65aaa500a9c0b40db24283f254af6fad1aaf5
          • Instruction ID: 4bd99ae9d0137b5db1d917f8c4ae4a50547577457f53d4ba553476eb7646a160
          • Opcode Fuzzy Hash: 699da723380df8b6d590683c39e65aaa500a9c0b40db24283f254af6fad1aaf5
          • Instruction Fuzzy Hash: FA21A171408380AFE7128B25DC40F66BFB8EF46714F0884EBED859F153D264A909CB71
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ReadFile.KERNELBASE(?,00000E2C,7164F59B,00000000,00000000,00000000,00000000), ref: 0154A8ED
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: 9bc1b0ac8ab005fbaeb51696c382011929932e5f9a06c05cc5eab4c81aeb35ef
          • Instruction ID: 703629d87d9e48b7e88c29d5dd9995d3a962bfb69e5bfdf8e55502b3a0e021aa
          • Opcode Fuzzy Hash: 9bc1b0ac8ab005fbaeb51696c382011929932e5f9a06c05cc5eab4c81aeb35ef
          • Instruction Fuzzy Hash: DC218171409380AFEB228F65DC44F56BFB8EF46310F08859BEA859F152C275A509CB61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0154A5A9
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CreateFile
          • String ID:
          • API String ID: 823142352-0
          • Opcode ID: 8941a0ff98f3cb1505b2d732a01d0c0ac9be813266ea37d2c752cc3b496e1490
          • Instruction ID: fe71a551b56e595d4dfd260a642adba8f73a3a1b422cd8f68bbe0e1fec2be557
          • Opcode Fuzzy Hash: 8941a0ff98f3cb1505b2d732a01d0c0ac9be813266ea37d2c752cc3b496e1490
          • Instruction Fuzzy Hash: 65219F71500600AFEB21CF29C944FA6FBE8FF08214F14846AEE858F252D771E504CBB1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFileType.KERNELBASE(?,00000E2C,7164F59B,00000000,00000000,00000000,00000000), ref: 0154A741
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FileType
          • String ID:
          • API String ID: 3081899298-0
          • Opcode ID: d591a3d4269af1ff6c2f43ef8730e118b0bb6a8869c35235d34ae642137aef1a
          • Instruction ID: 3055e542caa31673a448ec30bd9d8545035ae993e061ae7b06a764d7c85e2557
          • Opcode Fuzzy Hash: d591a3d4269af1ff6c2f43ef8730e118b0bb6a8869c35235d34ae642137aef1a
          • Instruction Fuzzy Hash: FA21A4B54483806FE7128B25DC40FA6BFA8EF47714F1880D7ED859F253D264A909C771
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindCloseChangeNotification.KERNELBASE(?), ref: 0154A674
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          • Opcode ID: dc13965fd5699d74cc034443b69420192ced709f6dd9afb16df07a6a522a2f21
          • Instruction ID: dfb0dbe6c40b719d3d4eebc53139e95ec80e7f75a709fe07ea1704891c05178c
          • Opcode Fuzzy Hash: dc13965fd5699d74cc034443b69420192ced709f6dd9afb16df07a6a522a2f21
          • Instruction Fuzzy Hash: 3621AFB58093C0AFD7138B299C55696BFB4AF43220F0980DBED858F1A3D2699908C762
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateDirectoryW.KERNELBASE(?,?), ref: 0154A4AF
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CreateDirectory
          • String ID:
          • API String ID: 4241100979-0
          • Opcode ID: ed255eb7d3782729a6507e8a3355d90cc34ba4c4b4401bcf1e60cc324bbfebd1
          • Instruction ID: 86f2fd0e324a23e6d4bbf73de70fc1921d55147ee620e57b434485d6cebfc229
          • Opcode Fuzzy Hash: ed255eb7d3782729a6507e8a3355d90cc34ba4c4b4401bcf1e60cc324bbfebd1
          • Instruction Fuzzy Hash: D71181715453809FE716CF29DC89B5ABFE8EF46220F0884AAED46CF252D274E904CB61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ReadFile.KERNELBASE(?,00000E2C,7164F59B,00000000,00000000,00000000,00000000), ref: 0154A8ED
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          • Opcode ID: 1b698d8ec57ae2883658a6061d9c8188082ea452b31e7ebc4041a7fe09426e09
          • Instruction ID: ac04fa165fc11203da34621f2657450328d75f45fc1f68df709b6ea1b83c4769
          • Opcode Fuzzy Hash: 1b698d8ec57ae2883658a6061d9c8188082ea452b31e7ebc4041a7fe09426e09
          • Instruction Fuzzy Hash: 8C11BF76400204EFEB218F59DC40F6AFBA8EF44720F14886BEE499F251D674A5098BB1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetFilePointer.KERNELBASE(?,00000E2C,7164F59B,00000000,00000000,00000000,00000000), ref: 0154A80A
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          • Opcode ID: d8d23fbb9f2d4f17f19bc52795279c6cae5fb712d4578009e60c7233056e2015
          • Instruction ID: a047d6f9a74b253fce6d1069dd6682531a5ce0da1e17fe4952d48d796ab1a1d3
          • Opcode Fuzzy Hash: d8d23fbb9f2d4f17f19bc52795279c6cae5fb712d4578009e60c7233056e2015
          • Instruction Fuzzy Hash: 4911C171400200EFEB21CF69DC80F6AFFA8EF44320F14886BEE499F241D674A5098BB1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CloseFind
          • String ID:
          • API String ID: 1863332320-0
          • Opcode ID: ac8e7f7c78a79443613850d27eb79f13bdb619333f28adb6df54dd47271b433d
          • Instruction ID: 7a7cc20c89b7d9c441a498ed2ff33f043763204810f375a74a86217712cfe645
          • Opcode Fuzzy Hash: ac8e7f7c78a79443613850d27eb79f13bdb619333f28adb6df54dd47271b433d
          • Instruction Fuzzy Hash: 1311A075509380AFD7128B29DC45A56FFF4EF06220F0984DBED858F263C274A958CB61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFileType.KERNELBASE(?,00000E2C,7164F59B,00000000,00000000,00000000,00000000), ref: 0154A741
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FileType
          • String ID:
          • API String ID: 3081899298-0
          • Opcode ID: da00898d3532475dfb0d1c15a9bebe428c30d2d85df5b99f958acd587ca20ca8
          • Instruction ID: 7d587850ea4f0cc85c54dedeab6053c6f2c39ad3f953505542b3a4c1fe9efee1
          • Opcode Fuzzy Hash: da00898d3532475dfb0d1c15a9bebe428c30d2d85df5b99f958acd587ca20ca8
          • Instruction Fuzzy Hash: FE012271500200EFE720CF19CC84F6AFBA8EF45720F148497EE469F241D6B4A508CBB1
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateDirectoryW.KERNELBASE(?,?), ref: 0154A4AF
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CreateDirectory
          • String ID:
          • API String ID: 4241100979-0
          • Opcode ID: 6700be4b029954c98fa8bd983b2fd3d8b6c4ef8875846a3116f6ecdcab95098e
          • Instruction ID: 3cd9b0c5770635ad411d53ce89c87e459effc64ec25e6bb992e542a37464bd2e
          • Opcode Fuzzy Hash: 6700be4b029954c98fa8bd983b2fd3d8b6c4ef8875846a3116f6ecdcab95098e
          • Instruction Fuzzy Hash: C01161716406009FEB50CF69D889B6AFFD8EF04224F18C4AADD4ACF652E674E504CB61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetSystemInfo.KERNELBASE(?), ref: 0154B074
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: InfoSystem
          • String ID:
          • API String ID: 31276548-0
          • Opcode ID: d936b1affcd1fd802666e225355b873b7759faf2d5a406d02f54c3723e7de1d1
          • Instruction ID: 2866a127149713438affc6181fb90fac3ea0d14bac9f8d20a3d9962245be5db6
          • Opcode Fuzzy Hash: d936b1affcd1fd802666e225355b873b7759faf2d5a406d02f54c3723e7de1d1
          • Instruction Fuzzy Hash: D811A371409380AFD712CF15DC44B56FFA4EF46220F0884DAED888F253D275A908CB62
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetErrorMode.KERNELBASE(?), ref: 0154A290
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: ErrorMode
          • String ID:
          • API String ID: 2340568224-0
          • Opcode ID: b62ea3e2baf536667972bf4422b8dd1b7899a2b2f136a27d66cef85366224446
          • Instruction ID: 5a23b8808f16c38bbc60d9444473e33aa59524d149fb233ac16fe0d9ca4e87cd
          • Opcode Fuzzy Hash: b62ea3e2baf536667972bf4422b8dd1b7899a2b2f136a27d66cef85366224446
          • Instruction Fuzzy Hash: 94118471409384AFD7128F15DC44B62FFB4EF46624F0880DAED858F253D275A908DBB2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreatePipe.KERNELBASE(?,00000E2C,?,?), ref: 0154AAA2
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CreatePipe
          • String ID:
          • API String ID: 2719314638-0
          • Opcode ID: 366a3dcc0f37eb71065418b7aaf9f58fb700c7d6921b14383313f11cb6a90221
          • Instruction ID: 43cd6454077adc704291ae8b93622644dd2f0bde338396c9001a4000a21ed843
          • Opcode Fuzzy Hash: 366a3dcc0f37eb71065418b7aaf9f58fb700c7d6921b14383313f11cb6a90221
          • Instruction Fuzzy Hash: 56017172500600ABE714DF16DC85F26FBA8FB88B20F14856AED489B741E731B915CBE5
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindNextFileW.KERNELBASE(?,00000E2C,?,?), ref: 0154A1C2
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: FileFindNext
          • String ID:
          • API String ID: 2029273394-0
          • Opcode ID: 029f9b973474c3e52fe5948c45acbd6380f8c78ce369c79bacec865a7fc65419
          • Instruction ID: 9e08a681d0ca35a03171ab612db19085268fe1a28294c9b5029efe5a76b193b8
          • Opcode Fuzzy Hash: 029f9b973474c3e52fe5948c45acbd6380f8c78ce369c79bacec865a7fc65419
          • Instruction Fuzzy Hash: DF017171500600ABE714DF16DC85F26FBA8FB88A20F14856AED089B741E735B915CBE5
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindCloseChangeNotification.KERNELBASE(?), ref: 0154A674
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: ChangeCloseFindNotification
          • String ID:
          • API String ID: 2591292051-0
          • Opcode ID: db6b1aaa7866e77bb09ab02f884b51a5c2f36360518c050c1fb20e18c0f00786
          • Instruction ID: 1d7c14b1865a46017a9b0cf03f236f37c1918fed4db8c10786cee39928640f39
          • Opcode Fuzzy Hash: db6b1aaa7866e77bb09ab02f884b51a5c2f36360518c050c1fb20e18c0f00786
          • Instruction Fuzzy Hash: BB01A271940240DFEB51CF29D88476AFFE4EF84224F18C4ABDD4A8F256D6B5A508CF61
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: CloseFind
          • String ID:
          • API String ID: 1863332320-0
          • Opcode ID: 265453dc7eb31938ca66bb230fa15ee7909c5aba71d17e6e9a4ab5a47b1e5a4f
          • Instruction ID: a820f43ab13b1ea7fa3f63bcb2b6a6829ad316e99eb6448fe2dc840a6ceda533
          • Opcode Fuzzy Hash: 265453dc7eb31938ca66bb230fa15ee7909c5aba71d17e6e9a4ab5a47b1e5a4f
          • Instruction Fuzzy Hash: A201D175500640DFDB608F1AD885766FFD4EF04224F08C0AADD4A8F252D6B5A518CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetErrorMode.KERNELBASE(?), ref: 0154A290
          Memory Dump Source
          • Source File: 00000013.00000002.1462649385.000000000154A000.00000040.00000001.sdmp, Offset: 0154A000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_154a000_unarchiver.jbxd
          Similarity
          • API ID: ErrorMode
          • String ID:
          • API String ID: 2340568224-0
          • Opcode ID: 1101f6e51a892d4911c55d319d321a2c0c6babac30909ca1d9cb8a65c47562f5
          • Instruction ID: 7d261263a6a8344b5e2dd8dee6f6a575b86ad88c83344eca7e2326ebb664a464
          • Opcode Fuzzy Hash: 1101f6e51a892d4911c55d319d321a2c0c6babac30909ca1d9cb8a65c47562f5
          • Instruction Fuzzy Hash: DAF0FF30908600EFDB508F09D888766FFE0EF08324F08C09ADD4A0F342D2B6A508DEA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 86d3299fcd2de60c5fec2ecdcc51dce216469dbcb2485106cbeaf0736e096229
          • Instruction ID: 8f58eee31f9638d73656fde0c4e8fe5f881b072b73897ddc96aa649e2bfe18b8
          • Opcode Fuzzy Hash: 86d3299fcd2de60c5fec2ecdcc51dce216469dbcb2485106cbeaf0736e096229
          • Instruction Fuzzy Hash: 9551F770E42208DFCB19DFB9D490AAEBBB2FF8A304F249469E405A7350DB359942CF54
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a783fd68b4031ae701fa10c5611ba7a14932b394e93d944bccb31697c9c32744
          • Instruction ID: 850e81f544dd537cbffed4270aa835011354a1e6c50555ef331de082c7878ab1
          • Opcode Fuzzy Hash: a783fd68b4031ae701fa10c5611ba7a14932b394e93d944bccb31697c9c32744
          • Instruction Fuzzy Hash: 6B211371D02208CFDB15CFA8E5956EEBBB6FF89314F20816AD904A7250DA746E06CF50
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2432533be355ce6c3f601f443eff9eb4a988d242c1db14e9ca64c0546523084a
          • Instruction ID: 44a8d1b1c8c97619c551c3b726f82431778cfba8142d7f4ac5e9d54bf81380e1
          • Opcode Fuzzy Hash: 2432533be355ce6c3f601f443eff9eb4a988d242c1db14e9ca64c0546523084a
          • Instruction Fuzzy Hash: 74213575D02208CFDB04DFA9E5846EEBBB6FB89304F20852AD904B3254DB746E06CF90
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463458127.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_3080000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 51eb0e4b3e5d2962d320dfed8a68c293196863ef27608102cd48ea5b4bb723ba
          • Instruction ID: 609e31dd3d045e8ecc9e2b2bcb1f741dcc7e0ddd120ea31e365b35aede4a3110
          • Opcode Fuzzy Hash: 51eb0e4b3e5d2962d320dfed8a68c293196863ef27608102cd48ea5b4bb723ba
          • Instruction Fuzzy Hash: 030184B64493906FD701CB159C41C56BFFCDF86520B08C9AFFD898B202D2756A18CBA2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463458127.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_3080000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9022b984e505c298d0b94a9fec03f1d6f93bef4e86003f17cb2c135c495e15a3
          • Instruction ID: fa6264614e2f189641c3105070de905c00b7357f3e0606e0c30cbb2023a028bb
          • Opcode Fuzzy Hash: 9022b984e505c298d0b94a9fec03f1d6f93bef4e86003f17cb2c135c495e15a3
          • Instruction Fuzzy Hash: 3301DBB15097406FD702DF06DC40862FFA8EB46670709C4AFED498B612D225B908CB71
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 33cda130eeb3cf035f6c15cab6f362a48c80c02327ed009a379f50ecdb1abda3
          • Instruction ID: b7a50796f18f9404a4ca24b1603dcd8324c5fd1b2e0d12ceed590383e19cc8b8
          • Opcode Fuzzy Hash: 33cda130eeb3cf035f6c15cab6f362a48c80c02327ed009a379f50ecdb1abda3
          • Instruction Fuzzy Hash: 08011370C41349CFCB08DFB4D5546BEBBB1AF45304F2084AEC41067280C7755A84CF90
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d267c3817f50eabe688bd0a6908acb7b61d5f867d769327e0edaf5281d7cbc02
          • Instruction ID: f15ed41fa8bb4c6a637465121057d4e492b1fe95dd9cf5891055fef49e11e0cf
          • Opcode Fuzzy Hash: d267c3817f50eabe688bd0a6908acb7b61d5f867d769327e0edaf5281d7cbc02
          • Instruction Fuzzy Hash: 960124B0D05309DFCB04DFA9C5516AEBFF1AF86300F2084AA8805A7311EB345A05DB50
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 75c3360d941461fc586ffb3b38467b1827bb8cc40ba9cb053e3bcb3592c6f2d1
          • Instruction ID: 45f802584524a7f20e1a5724ca5eef95bed10b0cd0b73a9b2c3f1d66771e735e
          • Opcode Fuzzy Hash: 75c3360d941461fc586ffb3b38467b1827bb8cc40ba9cb053e3bcb3592c6f2d1
          • Instruction Fuzzy Hash: C1010CB0C02209CFCB08EFA8C5407AEBBB1BB04301F2088ADC01067280CB789A85CF84
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463458127.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_3080000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 3e20ad5407060ea6fe296e3fe33fe4121b69e1146ce1f810b5862bfb324b7f55
          • Instruction ID: 9ad3b7cb3c832d80f872a7412d6b6ba52c98caf13abe66006afdacf2c6588b05
          • Opcode Fuzzy Hash: 3e20ad5407060ea6fe296e3fe33fe4121b69e1146ce1f810b5862bfb324b7f55
          • Instruction Fuzzy Hash: E2F082B2905204ABD240DF05EC41896F7ECDFC4921F14C56EFC498B300E276AA144AF2
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1463458127.0000000003080000.00000040.00000040.sdmp, Offset: 03080000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_3080000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 2bb5bafa449d846f501f5dc6ca467424bf8247f2a1e6b2195dace74bd0e5fedf
          • Instruction ID: bcc1388c2b6b96d8aa55bb428956ab14329209a9d29204e4e584c16a4e7b1498
          • Opcode Fuzzy Hash: 2bb5bafa449d846f501f5dc6ca467424bf8247f2a1e6b2195dace74bd0e5fedf
          • Instruction Fuzzy Hash: 80E092B66006009BD754CF0BEC41452F7D8EB88630B18C47FDC4D8B700E635B604CEA5
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1462610769.0000000001542000.00000040.00000001.sdmp, Offset: 01542000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1542000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 469aae425c335a412483e967622a1d73ebf1231ef026cd6691f25a5adfd128ac
          • Instruction ID: 4fb695e10c2cdcad9978eb5a980b1606dbfb7fee2c15cbdabb8bc4da63140988
          • Opcode Fuzzy Hash: 469aae425c335a412483e967622a1d73ebf1231ef026cd6691f25a5adfd128ac
          • Instruction Fuzzy Hash: A2D05E79215A918FE3268A1CD1A8BA93FA4FB51B08F4644FDF8008F6A3C768D981D200
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000013.00000002.1462610769.0000000001542000.00000040.00000001.sdmp, Offset: 01542000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_1542000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 452be9aec26089de85af1630b8e8e5a97fcd94336fc6ff79427d5638986294ac
          • Instruction ID: 14d34c79be31954ee5083d196c89b06bc7a41b518163096445dfd7c633eea4dc
          • Opcode Fuzzy Hash: 452be9aec26089de85af1630b8e8e5a97fcd94336fc6ff79427d5638986294ac
          • Instruction Fuzzy Hash: 11D05E342002818BD715DB0CD594F5D3BE4BB41B04F0644E8BD008F662C3B4D881C600
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Memory Dump Source
          • Source File: 00000013.00000002.1463312459.0000000002FC0000.00000040.00000001.sdmp, Offset: 02FC0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_19_2_2fc0000_unarchiver.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f756df76f8ba13ebf05b565b70b9c007d91e7bd4fa4f95ee91bd57446e01af52
          • Instruction ID: 026aced2b630880b81bb90af57de09f0d4fe9f0af228d14b4ba6804db2631c6c
          • Opcode Fuzzy Hash: f756df76f8ba13ebf05b565b70b9c007d91e7bd4fa4f95ee91bd57446e01af52
          • Instruction Fuzzy Hash: 96911974D01214DFEB19CFA5E854A9DBBB3FB8A301F1480A9EA09AB364CB745945DF20
          Uniqueness

          Uniqueness Score: -1.00%

          Execution Graph

          Execution Coverage:19.5%
          Dynamic/Decrypted Code Coverage:26.7%
          Signature Coverage:14.4%
          Total number of Nodes:1791
          Total number of Limit Nodes:54

          Graph

CallWindowProcA 5660->5661 5662 3b110ca GetDlgItem 5660->5662 5662->5661 5663 3b110dc 5662->5663 5666 3b11000 5663->5666 5664->5661 5667 3b1100b 5666->5667 5668 3b1105e 5666->5668 5667->5668 5669 3b11024 PostMessageA 5667->5669 5668->5664 5669->5667 5677 402866 SendMessageA 5678 402880 InvalidateRect 5677->5678 5679 40288b 5677->5679 5678->5679 4656 402267 4657 4029f6 18 API calls 4656->4657 4658 402275 4657->4658 4659 4029f6 18 API calls 4658->4659 4660 40227e 4659->4660 4661 4029f6 18 API calls 4660->4661 4662 402288 GetPrivateProfileStringA 4661->4662 5680 308102f 5681 3081561 3 API calls 5680->5681 5683 308104b 5681->5683 5682 30810b3 5683->5682 5684 3081068 5683->5684 5685 30817fe 4 API calls 5683->5685 5686 30817fe 4 API calls 5684->5686 5685->5684 5687 3081078 5686->5687 5688 3081088 5687->5688 5689 308107f GlobalSize 5687->5689 5690 308108c GlobalAlloc 5688->5690 5691 308109d 5688->5691 5689->5688 5692 3081825 3 API calls 5690->5692 5693 30810a8 GlobalFree 5691->5693 5692->5691 5693->5682 5694 401c6d 5695 4029d9 18 API calls 5694->5695 5696 401c73 IsWindow 5695->5696 5697 4019d6 5696->5697 5399 3b21480 5405 3b213c6 GetPropA 5399->5405 5402 3b214c6 5403 3b21495 LoadCursorA SetCursor 5403->5402 5404 3b214ae CallWindowProcA 5404->5402 5406 3b213d9 5405->5406 5406->5402 5406->5403 5406->5404 5698 402172 5699 4029f6 18 API calls 5698->5699 5700 402178 5699->5700 5701 4029f6 18 API calls 5700->5701 5702 402181 5701->5702 5703 4029f6 18 API calls 5702->5703 5704 40218a 5703->5704 5705 405cd8 2 API calls 5704->5705 5706 402193 5705->5706 5707 4021a4 lstrlenA lstrlenA 5706->5707 5708 402197 5706->5708 5710 404d7b 25 API calls 5707->5710 5709 404d7b 25 API calls 5708->5709 5711 40219f 5708->5711 5709->5711 5712 4021e0 SHFileOperationA 5710->5712 5712->5708 5712->5711 5475 3082930 5476 308297b 5475->5476 5477 3082940 VirtualProtect 5475->5477 5477->5476 5713 40267c 5714 4029f6 18 API calls 5713->5714 5716 40268a 5714->5716 5715 4026a0 5718 405695 2 API calls 
5715->5718 5716->5715 5717 4029f6 18 API calls 5716->5717 5717->5715 5719 4026a6 5718->5719 5739 4056b4 GetFileAttributesA CreateFileA 5719->5739 5721 4026b3 5722 40275c 5721->5722 5723 4026bf GlobalAlloc 5721->5723 5726 402764 DeleteFileA 5722->5726 5727 402777 5722->5727 5724 402753 CloseHandle 5723->5724 5725 4026d8 5723->5725 5724->5722 5740 403080 SetFilePointer 5725->5740 5726->5727 5729 4026de 5730 40304e ReadFile 5729->5730 5731 4026e7 GlobalAlloc 5730->5731 5732 4026f7 5731->5732 5733 40272b WriteFile GlobalFree 5731->5733 5734 402e5b 37 API calls 5732->5734 5735 402e5b 37 API calls 5733->5735 5738 402704 5734->5738 5736 402750 5735->5736 5736->5724 5737 402722 GlobalFree 5737->5733 5738->5737 5739->5721 5740->5729 5741 1000133e 5742 10001375 5741->5742 5747 10001000 5742->5747 5745 10001396 5748 10001047 5747->5748 5751 1000100a 5747->5751 5748->5745 5752 10001161 GetModuleHandleA LoadImageA 5748->5752 5749 10001038 GlobalFree 5749->5748 5750 10001024 lstrcpynA 5750->5749 5751->5748 5751->5749 5751->5750 5752->5745 5753 401000 5754 401037 BeginPaint GetClientRect 5753->5754 5755 40100c DefWindowProcA 5753->5755 5757 4010f3 5754->5757 5758 401179 5755->5758 5759 401073 CreateBrushIndirect FillRect DeleteObject 5757->5759 5760 4010fc 5757->5760 5759->5757 5761 401102 CreateFontIndirectA 5760->5761 5762 401167 EndPaint 5760->5762 5761->5762 5763 401112 6 API calls 5761->5763 5762->5758 5763->5762 5764 404502 5765 404512 5764->5765 5766 40452e 5764->5766 5775 405282 GetDlgItemTextA 5765->5775 5767 404561 5766->5767 5768 404534 SHGetPathFromIDListA 5766->5768 5770 404544 5768->5770 5774 40454b SendMessageA 5768->5774 5772 40140b 2 API calls 5770->5772 5771 40451f SendMessageA 5771->5766 5772->5774 5774->5767 5775->5771 5776 402803 5777 4029d9 18 API calls 5776->5777 5778 402809 5777->5778 5779 40283a 5778->5779 5780 40265c 5778->5780 5782 402817 5778->5782 5779->5780 5781 4059ff 18 API calls 5779->5781 5781->5780 5782->5780 5784 40593b wsprintfA 5782->5784 
5784->5780 5785 402303 5786 402309 5785->5786 5787 4029f6 18 API calls 5786->5787 5788 40231b 5787->5788 5789 4029f6 18 API calls 5788->5789 5790 402325 RegCreateKeyExA 5789->5790 5791 40265c 5790->5791 5792 40234f 5790->5792 5793 402367 5792->5793 5794 4029f6 18 API calls 5792->5794 5795 402373 5793->5795 5797 4029d9 18 API calls 5793->5797 5796 402360 lstrlenA 5794->5796 5798 40238e RegSetValueExA 5795->5798 5799 402e5b 37 API calls 5795->5799 5796->5793 5797->5795 5800 4023a4 RegCloseKey 5798->5800 5799->5798 5800->5791 4629 401b06 4630 401b57 4629->4630 4632 401b13 4629->4632 4633 401b80 GlobalAlloc 4630->4633 4634 401b5b 4630->4634 4631 4021fb 4635 4059ff 18 API calls 4631->4635 4632->4631 4638 401b2a 4632->4638 4636 4059ff 18 API calls 4633->4636 4642 401b9b 4634->4642 4650 4059dd lstrcpynA 4634->4650 4637 402208 4635->4637 4636->4642 4637->4642 4651 40529e 4637->4651 4648 4059dd lstrcpynA 4638->4648 4641 401b6d GlobalFree 4641->4642 4644 401b39 4649 4059dd lstrcpynA 4644->4649 4646 401b48 4655 4059dd lstrcpynA 4646->4655 4648->4644 4649->4646 4650->4641 4652 4052b3 4651->4652 4653 4052ff 4652->4653 4654 4052c7 MessageBoxIndirectA 4652->4654 4653->4642 4654->4653 4655->4642 5802 402506 5803 4029d9 18 API calls 5802->5803 5808 402510 5803->5808 5804 402586 5805 402544 ReadFile 5805->5804 5805->5808 5806 402588 5811 40593b wsprintfA 5806->5811 5807 402598 5807->5804 5810 4025ae SetFilePointer 5807->5810 5808->5804 5808->5805 5808->5806 5808->5807 5810->5804 5811->5804 5812 3b213fb 5813 3b21428 CallWindowProcA 5812->5813 5814 3b21409 5812->5814 5815 3b21424 5813->5815 5816 3b21448 5813->5816 5814->5813 5814->5815 5816->5815 5817 3b2144c DestroyWindow GetProcessHeap HeapFree 5816->5817 5817->5815 5818 402615 5819 402618 5818->5819 5821 402630 5818->5821 5820 402625 FindNextFileA 5819->5820 5820->5821 5822 40266f 5820->5822 5824 4059dd lstrcpynA 5822->5824 5824->5821 5825 401e1b 5826 4029f6 18 API calls 5825->5826 5827 401e21 5826->5827 5828 404d7b 25 API calls 
5827->5828 5829 401e2b 5828->5829 5830 40523d 2 API calls 5829->5830 5831 401e31 5830->5831 5832 401e87 CloseHandle 5831->5832 5833 40265c 5831->5833 5834 401e50 WaitForSingleObject 5831->5834 5836 405d38 2 API calls 5831->5836 5832->5833 5834->5831 5835 401e5e GetExitCodeProcess 5834->5835 5837 401e70 5835->5837 5838 401e79 5835->5838 5836->5834 5840 40593b wsprintfA 5837->5840 5838->5832 5840->5838 5841 401d1b GetDC GetDeviceCaps 5842 4029d9 18 API calls 5841->5842 5843 401d37 MulDiv 5842->5843 5844 4029d9 18 API calls 5843->5844 5845 401d4c 5844->5845 5846 4059ff 18 API calls 5845->5846 5847 401d85 CreateFontIndirectA 5846->5847 5848 4024b8 5847->5848 5849 3b210ef 5850 3b21dd9 2 API calls 5849->5850 5851 3b21151 5850->5851 5852 3b21dd9 2 API calls 5851->5852 5853 3b21158 5852->5853 5854 3b21dd9 2 API calls 5853->5854 5855 3b2115f lstrcmpiA GetFileAttributesA 5854->5855 5856 3b211a7 5855->5856 5857 3b21185 5855->5857 5859 3b211b0 lstrcpyA 5856->5859 5860 3b211bc 5856->5860 5857->5856 5858 3b21189 lstrcpyA 5857->5858 5858->5856 5859->5860 5861 3b211de GetCurrentDirectoryA 5860->5861 5862 3b211d2 CharNextA 5860->5862 5863 3b21205 GetOpenFileNameA 5861->5863 5864 3b211fd GetSaveFileNameA 5861->5864 5862->5860 5865 3b21207 5863->5865 5864->5865 5866 3b21231 5865->5866 5867 3b2120b CommDlgExtendedError 5865->5867 5869 3b21e27 2 API calls 5866->5869 5867->5866 5868 3b21218 5867->5868 5870 3b21227 GetSaveFileNameA 5868->5870 5871 3b2122f GetOpenFileNameA 5868->5871 5872 3b21246 SetCurrentDirectoryA 5869->5872 5870->5866 5871->5866 5873 402020 5874 4029f6 18 API calls 5873->5874 5875 402027 5874->5875 5876 4029f6 18 API calls 5875->5876 5877 402031 5876->5877 5878 4029f6 18 API calls 5877->5878 5879 40203a 5878->5879 5880 4029f6 18 API calls 5879->5880 5881 402044 5880->5881 5882 4029f6 18 API calls 5881->5882 5884 40204e 5882->5884 5883 402062 CoCreateInstance 5888 402081 5883->5888 5889 402137 5883->5889 5884->5883 5885 4029f6 18 API calls 5884->5885 5885->5883 5886 
401423 25 API calls 5887 402169 5886->5887 5888->5889 5890 402116 MultiByteToWideChar 5888->5890 5889->5886 5889->5887 5890->5889 4549 401721 4555 4029f6 4549->4555 4553 40172f 4554 4056e3 2 API calls 4553->4554 4554->4553 4556 402a02 4555->4556 4565 4059ff 4556->4565 4559 401728 4561 4056e3 4559->4561 4562 4056ee GetTickCount GetTempFileNameA 4561->4562 4563 40571a 4562->4563 4564 40571e 4562->4564 4563->4562 4563->4564 4564->4553 4571 405a0c 4565->4571 4566 405c26 4567 402a23 4566->4567 4599 4059dd lstrcpynA 4566->4599 4567->4559 4583 405c3f 4567->4583 4569 405aa4 GetVersion 4569->4571 4570 405bfd lstrlenA 4570->4571 4571->4566 4571->4569 4571->4570 4573 4059ff 10 API calls 4571->4573 4576 405b1c GetSystemDirectoryA 4571->4576 4577 405b2f GetWindowsDirectoryA 4571->4577 4578 405c3f 5 API calls 4571->4578 4579 4059ff 10 API calls 4571->4579 4580 405ba6 lstrcatA 4571->4580 4581 405b63 SHGetSpecialFolderLocation 4571->4581 4592 4058c4 RegOpenKeyExA 4571->4592 4597 40593b wsprintfA 4571->4597 4598 4059dd lstrcpynA 4571->4598 4573->4570 4576->4571 4577->4571 4578->4571 4579->4571 4580->4571 4581->4571 4582 405b7b SHGetPathFromIDListA CoTaskMemFree 4581->4582 4582->4571 4589 405c4b 4583->4589 4584 405cb3 4585 405cb7 CharPrevA 4584->4585 4588 405cd2 4584->4588 4585->4584 4586 405ca8 CharNextA 4586->4584 4586->4589 4588->4559 4589->4584 4589->4586 4590 405c96 CharNextA 4589->4590 4591 405ca3 CharNextA 4589->4591 4600 4054fb 4589->4600 4590->4589 4591->4586 4593 405935 4592->4593 4594 4058f7 RegQueryValueExA 4592->4594 4593->4571 4596 405918 RegCloseKey 4594->4596 4596->4593 4597->4571 4598->4571 4599->4567 4601 405501 4600->4601 4602 405514 4601->4602 4603 405507 CharNextA 4601->4603 4602->4589 4603->4601 5891 401922 5892 4029f6 18 API calls 5891->5892 5893 401929 lstrlenA 5892->5893 5894 4024b8 5893->5894 5895 402223 5896 402231 5895->5896 5897 40222b 5895->5897 5898 402241 5896->5898 5900 4029f6 18 API calls 5896->5900 5899 4029f6 18 API calls 5897->5899 5901 4029f6 18 
API calls 5898->5901 5903 40224f 5898->5903 5899->5896 5900->5898 5901->5903 5902 4029f6 18 API calls 5904 402258 WritePrivateProfileStringA 5902->5904 5903->5902 5905 401a26 5906 4029d9 18 API calls 5905->5906 5907 401a2c 5906->5907 5908 4029d9 18 API calls 5907->5908 5909 4019d6 5908->5909 5910 402427 5911 402b00 19 API calls 5910->5911 5912 402431 5911->5912 5913 4029d9 18 API calls 5912->5913 5914 40243a 5913->5914 5915 402451 RegEnumKeyA 5914->5915 5916 40245d RegEnumValueA 5914->5916 5917 40265c 5914->5917 5918 402476 RegCloseKey 5915->5918 5916->5917 5916->5918 5918->5917 5920 3b21bde 5921 3b21fc2 2 API calls 5920->5921 5922 3b21be3 KillTimer 5921->5922 5426 401734 5427 4029f6 18 API calls 5426->5427 5428 40173b 5427->5428 5429 401761 5428->5429 5430 401759 5428->5430 5466 4059dd lstrcpynA 5429->5466 5465 4059dd lstrcpynA 5430->5465 5433 40175f 5437 405c3f 5 API calls 5433->5437 5434 40176c 5435 4054d0 3 API calls 5434->5435 5436 401772 lstrcatA 5435->5436 5436->5433 5457 40177e 5437->5457 5438 405cd8 2 API calls 5438->5457 5439 405695 2 API calls 5439->5457 5441 401795 CompareFileTime 5441->5457 5442 401859 5443 404d7b 25 API calls 5442->5443 5445 401863 5443->5445 5444 401830 5446 404d7b 25 API calls 5444->5446 5453 401845 5444->5453 5447 402e5b 37 API calls 5445->5447 5446->5453 5449 401876 5447->5449 5448 4059dd lstrcpynA 5448->5457 5450 40188a SetFileTime 5449->5450 5452 40189c FindCloseChangeNotification 5449->5452 5450->5452 5451 4059ff 18 API calls 5451->5457 5452->5453 5454 4018ad 5452->5454 5455 4018b2 5454->5455 5456 4018c5 5454->5456 5458 4059ff 18 API calls 5455->5458 5459 4059ff 18 API calls 5456->5459 5457->5438 5457->5439 5457->5441 5457->5442 5457->5444 5457->5448 5457->5451 5460 40529e MessageBoxIndirectA 5457->5460 5464 4056b4 GetFileAttributesA CreateFileA 5457->5464 5461 4018ba lstrcatA 5458->5461 5462 4018cd 5459->5462 5460->5457 5461->5462 5462->5453 5463 40529e MessageBoxIndirectA 5462->5463 5463->5453 5464->5457 5465->5433 5466->5434 
5923 401634 5924 4029f6 18 API calls 5923->5924 5925 40163a 5924->5925 5926 405cd8 2 API calls 5925->5926 5927 401640 5926->5927 5928 401934 5929 4029d9 18 API calls 5928->5929 5930 40193b 5929->5930 5931 4029d9 18 API calls 5930->5931 5932 401945 5931->5932 5933 4029f6 18 API calls 5932->5933 5934 40194e 5933->5934 5935 401961 lstrlenA 5934->5935 5936 40199c 5934->5936 5937 40196b 5935->5937 5937->5936 5941 4059dd lstrcpynA 5937->5941 5939 401985 5939->5936 5940 401992 lstrlenA 5939->5940 5940->5936 5941->5939 5478 3b214ca 5479 3b21722 5478->5479 5480 3b214e2 5478->5480 5482 3b2172e RemovePropA 5479->5482 5496 3b21549 5479->5496 5483 3b215d7 5480->5483 5484 3b214f7 5480->5484 5490 3b215de 5480->5490 5481 3b213c6 GetPropA 5485 3b21636 5481->5485 5482->5482 5482->5496 5486 3b213c6 GetPropA 5483->5486 5487 3b21533 GetDlgItem 5484->5487 5488 3b214fe 5484->5488 5489 3b2163e GetWindowTextA DrawTextA 5485->5489 5485->5496 5486->5490 5491 3b213c6 GetPropA 5487->5491 5492 3b2151b SendMessageA 5488->5492 5488->5496 5493 3b21691 5489->5493 5490->5481 5490->5496 5491->5496 5492->5496 5494 3b216c5 GetWindowLongA 5493->5494 5495 3b216f8 5493->5495 5497 3b216e2 DrawTextA 5494->5497 5498 3b216d4 SetTextColor 5494->5498 5495->5496 5499 3b21710 DrawFocusRect 5495->5499 5497->5495 5498->5497 5499->5496 5942 402b3b 5943 402b4a SetTimer 5942->5943 5945 402b63 5942->5945 5943->5945 5944 402bb8 5945->5944 5946 402b7d MulDiv wsprintfA SetWindowTextA SetDlgItemTextA 5945->5946 5946->5944 5947 40263e 5948 4029f6 18 API calls 5947->5948 5949 402645 FindFirstFileA 5948->5949 5950 402668 5949->5950 5954 402658 5949->5954 5951 40266f 5950->5951 5955 40593b wsprintfA 5950->5955 5956 4059dd lstrcpynA 5951->5956 5955->5951 5956->5954 5957 401cc1 GetDlgItem GetClientRect 5958 4029f6 18 API calls 5957->5958 5959 401cf1 LoadImageA SendMessageA 5958->5959 5960 40288b 5959->5960 5961 401d0f DeleteObject 5959->5961 5961->5960 5962 401dc1 5963 4029f6 18 API calls 5962->5963 5964 401dc7 5963->5964 5965 
4029f6 18 API calls 5964->5965 5966 401dd0 5965->5966 5967 4029f6 18 API calls 5966->5967 5968 401dd9 5967->5968 5969 4029f6 18 API calls 5968->5969 5970 401de2 5969->5970 5971 401423 25 API calls 5970->5971 5972 401de9 ShellExecuteA 5971->5972 5973 401e16 5972->5973 5974 401ec5 5975 4029f6 18 API calls 5974->5975 5976 401ecc GetFileVersionInfoSizeA 5975->5976 5977 401eef GlobalAlloc 5976->5977 5978 401f45 5976->5978 5977->5978 5979 401f03 GetFileVersionInfoA 5977->5979 5979->5978 5980 401f14 VerQueryValueA 5979->5980 5980->5978 5981 401f2d 5980->5981 5985 40593b wsprintfA 5981->5985 5983 401f39 5986 40593b wsprintfA 5983->5986 5985->5983 5986->5978 5987 4046ca GetDlgItem GetDlgItem 5988 40471e 7 API calls 5987->5988 5991 40493b 5987->5991 5989 4047c4 DeleteObject 5988->5989 5990 4047b7 SendMessageA 5988->5990 5992 4047cf 5989->5992 5990->5989 6004 404a25 5991->6004 6019 4049af 5991->6019 6040 40464a SendMessageA 5991->6040 5993 404806 5992->5993 5994 4059ff 18 API calls 5992->5994 5995 403d8f 19 API calls 5993->5995 5998 4047e8 SendMessageA SendMessageA 5994->5998 6001 40481a 5995->6001 5996 404ad4 5999 404ae9 5996->5999 6000 404add SendMessageA 5996->6000 5997 40492e 6003 403df6 8 API calls 5997->6003 5998->5992 6011 404b02 5999->6011 6012 404afb ImageList_Destroy 5999->6012 6016 404b12 5999->6016 6000->5999 6007 403d8f 19 API calls 6001->6007 6002 404a7e SendMessageA 6002->5997 6009 404a93 SendMessageA 6002->6009 6010 404cc4 6003->6010 6004->5996 6004->5997 6004->6002 6005 404a17 SendMessageA 6005->6004 6020 404828 6007->6020 6008 404c78 6008->5997 6017 404c8a ShowWindow GetDlgItem ShowWindow 6008->6017 6014 404aa6 6009->6014 6015 404b0b GlobalFree 6011->6015 6011->6016 6012->6011 6013 4048fc GetWindowLongA SetWindowLongA 6018 404915 6013->6018 6025 404ab7 SendMessageA 6014->6025 6015->6016 6016->6008 6024 40140b 2 API calls 6016->6024 6034 404b44 6016->6034 6017->5997 6021 404933 6018->6021 6022 40491b ShowWindow 6018->6022 6019->6004 6019->6005 6020->6013 6023 
404877 SendMessageA 6020->6023 6026 4048f6 6020->6026 6029 4048b3 SendMessageA 6020->6029 6030 4048c4 SendMessageA 6020->6030 6039 403dc4 SendMessageA 6021->6039 6038 403dc4 SendMessageA 6022->6038 6023->6020 6024->6034 6025->5996 6026->6013 6026->6018 6029->6020 6030->6020 6031 404c4e InvalidateRect 6031->6008 6032 404c64 6031->6032 6045 404568 6032->6045 6033 404b72 SendMessageA 6037 404b88 6033->6037 6034->6033 6034->6037 6036 404bfc SendMessageA SendMessageA 6036->6037 6037->6031 6037->6036 6038->5997 6039->5991 6041 4046a9 SendMessageA 6040->6041 6042 40466d GetMessagePos ScreenToClient SendMessageA 6040->6042 6043 4046a1 6041->6043 6042->6043 6044 4046a6 6042->6044 6043->6019 6044->6041 6046 404582 6045->6046 6047 4059ff 18 API calls 6046->6047 6048 4045b7 6047->6048 6049 4059ff 18 API calls 6048->6049 6050 4045c2 6049->6050 6051 4059ff 18 API calls 6050->6051 6052 4045f3 lstrlenA wsprintfA SetDlgItemTextA 6051->6052 6052->6008 4663 4030cb #17 SetErrorMode OleInitialize 4733 405cff GetModuleHandleA 4663->4733 4667 403139 GetCommandLineA 4738 4059dd lstrcpynA 4667->4738 4669 40314b GetModuleHandleA 4670 403162 4669->4670 4671 4054fb CharNextA 4670->4671 4672 403176 CharNextA 4671->4672 4674 403183 4672->4674 4673 4031ec 4675 4031ff GetTempPathA 4673->4675 4674->4673 4674->4674 4678 4054fb CharNextA 4674->4678 4684 4031ee 4674->4684 4739 403097 4675->4739 4677 403215 4679 403239 DeleteFileA 4677->4679 4680 403219 GetWindowsDirectoryA lstrcatA 4677->4680 4678->4674 4747 402c22 GetTickCount GetModuleFileNameA 4679->4747 4682 403097 11 API calls 4680->4682 4685 403235 4682->4685 4683 40324a 4686 4032b3 4683->4686 4688 4032a3 4683->4688 4691 4054fb CharNextA 4683->4691 4829 4059dd lstrcpynA 4684->4829 4685->4679 4685->4686 4846 40344c 4686->4846 4775 403526 4688->4775 4693 403261 4691->4693 4702 4032e2 lstrcatA lstrcmpiA 4693->4702 4703 40327e 4693->4703 4694 4033b1 4696 403434 ExitProcess 4694->4696 4698 405cff 3 API calls 4694->4698 4695 4032cc 4697 40529e 
MessageBoxIndirectA 4695->4697 4700 4032da ExitProcess 4697->4700 4701 4033c0 4698->4701 4704 405cff 3 API calls 4701->4704 4702->4686 4706 4032fe CreateDirectoryA SetCurrentDirectoryA 4702->4706 4830 4055b1 4703->4830 4707 4033c9 4704->4707 4709 403320 4706->4709 4710 403315 4706->4710 4712 405cff 3 API calls 4707->4712 4854 4059dd lstrcpynA 4709->4854 4853 4059dd lstrcpynA 4710->4853 4714 4033d2 4712->4714 4717 403420 ExitWindowsEx 4714->4717 4723 4033e0 GetCurrentProcess 4714->4723 4716 403298 4845 4059dd lstrcpynA 4716->4845 4717->4696 4720 40342d 4717->4720 4719 4059ff 18 API calls 4721 403350 DeleteFileA 4719->4721 4884 40140b 4720->4884 4724 40335d CopyFileA 4721->4724 4730 40332e 4721->4730 4726 4033f0 4723->4726 4724->4730 4725 4033a5 4727 40572b 38 API calls 4725->4727 4726->4717 4727->4686 4729 4059ff 18 API calls 4729->4730 4730->4719 4730->4725 4730->4729 4732 403391 CloseHandle 4730->4732 4855 40572b 4730->4855 4881 40523d CreateProcessA 4730->4881 4732->4730 4734 405d26 GetProcAddress 4733->4734 4735 405d1b LoadLibraryA 4733->4735 4736 40310e SHGetFileInfoA 4734->4736 4735->4734 4735->4736 4737 4059dd lstrcpynA 4736->4737 4737->4667 4738->4669 4740 405c3f 5 API calls 4739->4740 4741 4030a3 4740->4741 4742 4030ad 4741->4742 4887 4054d0 lstrlenA CharPrevA 4741->4887 4742->4677 4745 4056e3 2 API calls 4746 4030c9 4745->4746 4746->4677 4890 4056b4 GetFileAttributesA CreateFileA 4747->4890 4749 402c62 4774 402c72 4749->4774 4891 4059dd lstrcpynA 4749->4891 4751 402c88 4892 405517 lstrlenA 4751->4892 4755 402c99 GetFileSize 4767 402cb0 4755->4767 4771 402d95 4755->4771 4757 402d9e 4759 402dce GlobalAlloc 4757->4759 4757->4774 4910 403080 SetFilePointer 4757->4910 4911 403080 SetFilePointer 4759->4911 4761 402e01 4763 402bbe 6 API calls 4761->4763 4763->4774 4764 402db7 4766 40304e ReadFile 4764->4766 4765 402de9 4912 402e5b 4765->4912 4769 402dc2 4766->4769 4767->4761 4770 402bbe 6 API calls 4767->4770 4767->4771 4767->4774 4897 40304e ReadFile 4767->4897 
4769->4759 4769->4774 4770->4767 4899 402bbe 4771->4899 4772 402df5 4772->4772 4773 402e32 SetFilePointer 4772->4773 4772->4774 4773->4774 4774->4683 4776 405cff 3 API calls 4775->4776 4777 40353a 4776->4777 4778 403540 4777->4778 4779 403552 4777->4779 4965 40593b wsprintfA 4778->4965 4780 4058c4 3 API calls 4779->4780 4781 403573 4780->4781 4783 403591 lstrcatA 4781->4783 4785 4058c4 3 API calls 4781->4785 4784 403550 4783->4784 4956 4037ef 4784->4956 4785->4783 4788 4055b1 18 API calls 4789 4035c3 4788->4789 4790 40364c 4789->4790 4792 4058c4 3 API calls 4789->4792 4791 4055b1 18 API calls 4790->4791 4793 403652 4791->4793 4794 4035ef 4792->4794 4795 403662 LoadImageA 4793->4795 4796 4059ff 18 API calls 4793->4796 4794->4790 4799 40360b lstrlenA 4794->4799 4803 4054fb CharNextA 4794->4803 4797 403716 4795->4797 4798 40368d RegisterClassA 4795->4798 4796->4795 4802 40140b 2 API calls 4797->4802 4800 403720 4798->4800 4801 4036c9 SystemParametersInfoA CreateWindowExA 4798->4801 4804 403619 lstrcmpiA 4799->4804 4805 40363f 4799->4805 4800->4686 4801->4797 4806 40371c 4802->4806 4808 403609 4803->4808 4804->4805 4809 403629 GetFileAttributesA 4804->4809 4807 4054d0 3 API calls 4805->4807 4806->4800 4810 4037ef 19 API calls 4806->4810 4811 403645 4807->4811 4808->4799 4812 403635 4809->4812 4814 40372d 4810->4814 4966 4059dd lstrcpynA 4811->4966 4812->4805 4813 405517 2 API calls 4812->4813 4813->4805 4816 403739 ShowWindow LoadLibraryA 4814->4816 4817 4037bc 4814->4817 4818 403758 LoadLibraryA 4816->4818 4819 40375f GetClassInfoA 4816->4819 4967 404e4d OleInitialize 4817->4967 4818->4819 4821 403773 GetClassInfoA RegisterClassA 4819->4821 4822 403789 DialogBoxParamA 4819->4822 4821->4822 4826 40140b 2 API calls 4822->4826 4823 4037c2 4824 4037c6 4823->4824 4825 4037de 4823->4825 4824->4800 4828 40140b 2 API calls 4824->4828 4827 40140b 2 API calls 4825->4827 4826->4800 4827->4800 4828->4800 4829->4675 4982 4059dd lstrcpynA 4830->4982 4832 4055c2 4983 405564 
CharNextA CharNextA 4832->4983 4835 403289 4835->4686 4844 4059dd lstrcpynA 4835->4844 4836 405c3f 5 API calls 4842 4055d8 4836->4842 4837 405603 lstrlenA 4838 40560e 4837->4838 4837->4842 4839 4054d0 3 API calls 4838->4839 4841 405613 GetFileAttributesA 4839->4841 4841->4835 4842->4835 4842->4837 4843 405517 2 API calls 4842->4843 4989 405cd8 FindFirstFileA 4842->4989 4843->4837 4844->4716 4845->4688 4847 403464 4846->4847 4848 403456 CloseHandle 4846->4848 4992 403491 4847->4992 4848->4847 4853->4709 4854->4730 4856 405cff 3 API calls 4855->4856 4857 405736 4856->4857 4858 405793 GetShortPathNameA 4857->4858 4863 405888 4857->4863 5043 4056b4 GetFileAttributesA CreateFileA 4857->5043 4860 4057a8 4858->4860 4858->4863 4862 4057b0 wsprintfA 4860->4862 4860->4863 4861 405777 CloseHandle GetShortPathNameA 4861->4863 4864 40578b 4861->4864 4865 4059ff 18 API calls 4862->4865 4863->4730 4864->4858 4864->4863 4866 4057d8 4865->4866 5044 4056b4 GetFileAttributesA CreateFileA 4866->5044 4868 4057e5 4868->4863 4869 4057f4 GetFileSize GlobalAlloc 4868->4869 4870 405881 CloseHandle 4869->4870 4871 405812 ReadFile 4869->4871 4870->4863 4871->4870 4872 405826 4871->4872 4872->4870 5045 405629 lstrlenA 4872->5045 4875 405895 4878 405629 4 API calls 4875->4878 4876 40583b 5050 4059dd lstrcpynA 4876->5050 4879 405849 4878->4879 4880 40585c SetFilePointer WriteFile GlobalFree 4879->4880 4880->4870 4882 405278 4881->4882 4883 40526c CloseHandle 4881->4883 4882->4730 4883->4882 4885 401389 2 API calls 4884->4885 4886 401420 4885->4886 4886->4696 4888 4030b5 CreateDirectoryA 4887->4888 4889 4054ea lstrcatA 4887->4889 4888->4745 4889->4888 4890->4749 4891->4751 4893 405524 4892->4893 4894 402c8e 4893->4894 4895 405529 CharPrevA 4893->4895 4896 4059dd lstrcpynA 4894->4896 4895->4893 4895->4894 4896->4755 4898 40306f 4897->4898 4898->4767 4900 402bc7 4899->4900 4901 402bdf 4899->4901 4904 402bd0 DestroyWindow 4900->4904 4905 402bd7 4900->4905 4902 402be7 4901->4902 4903 402bef 
GetTickCount 4901->4903 4933 405d38 4902->4933 4907 402c20 4903->4907 4908 402bfd CreateDialogParamA ShowWindow 4903->4908 4904->4905 4905->4757 4907->4757 4908->4907 4910->4764 4911->4765 4914 402e71 4912->4914 4913 402e9c 4916 40304e ReadFile 4913->4916 4914->4913 4944 403080 SetFilePointer 4914->4944 4917 402ea7 4916->4917 4918 402fe2 4917->4918 4919 402eb9 GetTickCount 4917->4919 4921 402fcd 4917->4921 4920 402fe6 4918->4920 4925 402ffe 4918->4925 4930 402ecc 4919->4930 4922 40304e ReadFile 4920->4922 4921->4772 4922->4921 4923 40304e ReadFile 4923->4925 4924 40304e ReadFile 4924->4930 4925->4921 4925->4923 4926 403019 WriteFile 4925->4926 4926->4921 4926->4925 4928 402f32 GetTickCount 4928->4930 4929 402f5b MulDiv wsprintfA 4945 404d7b 4929->4945 4930->4921 4930->4924 4930->4928 4930->4929 4932 402f99 WriteFile 4930->4932 4937 405df9 4930->4937 4932->4921 4932->4930 4934 405d55 PeekMessageA 4933->4934 4935 402bed 4934->4935 4936 405d4b DispatchMessageA 4934->4936 4935->4757 4936->4934 4938 405e1e 4937->4938 4939 405e26 4937->4939 4938->4930 4939->4938 4940 405eb6 GlobalAlloc 4939->4940 4941 405ead GlobalFree 4939->4941 4942 405f24 GlobalFree 4939->4942 4943 405f2d GlobalAlloc 4939->4943 4940->4938 4940->4939 4941->4940 4942->4943 4943->4938 4943->4939 4944->4913 4946 404d96 4945->4946 4955 404e39 4945->4955 4947 404db3 lstrlenA 4946->4947 4950 4059ff 18 API calls 4946->4950 4948 404dc1 lstrlenA 4947->4948 4949 404ddc 4947->4949 4951 404dd3 lstrcatA 4948->4951 4948->4955 4952 404de2 SetWindowTextA 4949->4952 4953 404def 4949->4953 4950->4947 4951->4949 4952->4953 4954 404df5 SendMessageA SendMessageA SendMessageA 4953->4954 4953->4955 4954->4955 4955->4930 4957 403803 4956->4957 4974 40593b wsprintfA 4957->4974 4959 403874 4960 4059ff 18 API calls 4959->4960 4961 403880 SetWindowTextA 4960->4961 4962 4035a1 4961->4962 4963 40389c 4961->4963 4962->4788 4963->4962 4964 4059ff 18 API calls 4963->4964 4964->4963 4965->4784 4966->4790 4975 403ddb 4967->4975 4969 
404e97 4970 403ddb SendMessageA 4969->4970 4971 404ea9 OleUninitialize 4970->4971 4971->4823 4972 404e70 4972->4969 4978 401389 4972->4978 4974->4959 4976 403df3 4975->4976 4977 403de4 SendMessageA 4975->4977 4976->4972 4977->4976 4980 401390 4978->4980 4979 4013fe 4979->4972 4980->4979 4981 4013cb MulDiv SendMessageA 4980->4981 4981->4980 4982->4832 4984 40558a 4983->4984 4985 40557e 4983->4985 4987 4054fb CharNextA 4984->4987 4988 4055a7 4984->4988 4985->4984 4986 405585 CharNextA 4985->4986 4986->4988 4987->4984 4988->4835 4988->4836 4990 405cf9 4989->4990 4991 405cee FindClose 4989->4991 4990->4842 4991->4990 4993 40349f 4992->4993 4994 403469 4993->4994 4995 4034a4 FreeLibrary GlobalFree 4993->4995 4996 405302 4994->4996 4995->4994 4995->4995 4997 4055b1 18 API calls 4996->4997 4998 405316 4997->4998 4999 405336 4998->4999 5000 40531f DeleteFileA 4998->5000 5006 405475 4999->5006 5038 4059dd lstrcpynA 4999->5038 5005 4032bc OleUninitialize 5000->5005 5002 405360 5003 405371 5002->5003 5004 405364 lstrcatA 5002->5004 5008 405517 2 API calls 5003->5008 5007 405377 5004->5007 5005->4694 5005->4695 5006->5005 5009 405cd8 2 API calls 5006->5009 5010 405385 lstrcatA 5007->5010 5011 40537c 5007->5011 5008->5007 5012 405490 5009->5012 5013 405390 lstrlenA FindFirstFileA 5010->5013 5011->5010 5011->5013 5012->5005 5015 4054d0 3 API calls 5012->5015 5014 40546b 5013->5014 5036 4053b4 5013->5036 5014->5006 5017 40549a 5015->5017 5016 4054fb CharNextA 5016->5036 5018 405695 2 API calls 5017->5018 5019 4054a0 RemoveDirectoryA 5018->5019 5020 4054c2 5019->5020 5021 4054ab 5019->5021 5024 404d7b 25 API calls 5020->5024 5021->5005 5023 4054b1 5021->5023 5026 404d7b 25 API calls 5023->5026 5024->5005 5025 40544a FindNextFileA 5027 405462 FindClose 5025->5027 5025->5036 5028 4054b9 5026->5028 5027->5014 5029 40572b 38 API calls 5028->5029 5032 4054c0 5029->5032 5031 405302 59 API calls 5031->5036 5032->5005 5034 404d7b 25 API calls 5034->5025 5035 404d7b 25 API calls 5035->5036 
5036->5016 5036->5025 5036->5031 5036->5034 5036->5035 5037 40572b 38 API calls 5036->5037 5039 4059dd lstrcpynA 5036->5039 5040 405695 GetFileAttributesA 5036->5040 5037->5036 5038->5002 5039->5036 5041 405417 DeleteFileA 5040->5041 5042 4056a4 SetFileAttributesA 5040->5042 5041->5036 5042->5041 5043->4861 5044->4868 5046 40565f lstrlenA 5045->5046 5047 405669 5046->5047 5048 40563d lstrcmpiA 5046->5048 5047->4875 5047->4876 5048->5047 5049 405656 CharNextA 5048->5049 5049->5046 5050->4879 6056 404ccb 6057 404cf0 6056->6057 6058 404cd9 6056->6058 6059 404cfe IsWindowVisible 6057->6059 6066 404d15 6057->6066 6060 404cdf 6058->6060 6074 404d59 6058->6074 6061 404d0b 6059->6061 6059->6074 6063 403ddb SendMessageA 6060->6063 6064 40464a 5 API calls 6061->6064 6062 404d5f CallWindowProcA 6065 404ce9 6062->6065 6063->6065 6064->6066 6066->6062 6075 4059dd lstrcpynA 6066->6075 6068 404d44 6076 40593b wsprintfA 6068->6076 6070 404d4b 6071 40140b 2 API calls 6070->6071 6072 404d52 6071->6072 6077 4059dd lstrcpynA 6072->6077 6074->6062 6075->6068 6076->6070 6077->6074 6078 3b21c39 6081 3b21bf1 6078->6081 6082 3b21fc2 2 API calls 6081->6082 6083 3b21bf8 6082->6083 6084 3b21fc2 2 API calls 6083->6084 6085 3b21bff IsWindow 6084->6085 6086 3b21c12 6085->6086 6087 3b21c0c 6085->6087 6088 3b213c6 GetPropA 6087->6088 6088->6086 6089 4025cc 6090 4025d3 6089->6090 6091 402838 6089->6091 6092 4029d9 18 API calls 6090->6092 6093 4025de 6092->6093 6094 4025e5 SetFilePointer 6093->6094 6094->6091 6095 4025f5 6094->6095 6097 40593b wsprintfA 6095->6097 6097->6091 6098 3b21b3f 6099 3b21fc2 2 API calls 6098->6099 6100 3b21b45 IsWindow 6099->6100 6101 3b21b52 6100->6101 6102 3b213c6 GetPropA 6101->6102 6103 3b21b5e 6102->6103 6104 3b21b70 6103->6104 6105 3b21dd9 2 API calls 6103->6105 6105->6104 6106 4041cd 6107 40420b 6106->6107 6108 4041fe 6106->6108 6110 404214 GetDlgItem 6107->6110 6113 404277 6107->6113 6167 405282 GetDlgItemTextA 6108->6167 6112 404228 6110->6112 6111 404205 6114 

          Executed Functions

          C-Code - Quality: 83%
          			_entry_() {
          				struct _SHFILEINFOA _v360;
          				struct _SECURITY_ATTRIBUTES* _v376;
          				char _v380;
          				CHAR* _v384;
          				char _v396;
          				int _v400;
          				int _v404;
          				CHAR* _v408;
          				intOrPtr _v412;
          				int _v416;
          				intOrPtr _v420;
          				struct _SECURITY_ATTRIBUTES* _v424;
          				void* _v432;
          				int _t34;
          				CHAR* _t39;
          				char* _t42;
          				signed int _t44;
          				void* _t48;
          				intOrPtr _t50;
          				signed int _t52;
          				signed int _t55;
          				int _t56;
          				signed int _t60;
          				intOrPtr _t71;
          				intOrPtr _t77;
          				void* _t79;
          				void* _t89;
          				void* _t91;
          				char* _t96;
          				signed int _t97;
          				void* _t98;
          				signed int _t99;
          				signed int _t100;
          				signed int _t103;
          				CHAR* _t105;
          				signed int _t106;
          				intOrPtr _t113;
          				char _t120;
          
          				_v376 = 0;
          				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
          				_t99 = 0;
          				_v380 = 0x20;
          				__imp__#17();
          				_t34 = SetErrorMode(0x8001); // executed
          				__imp__OleInitialize(0); // executed
          				 *0x423f38 = _t34;
          				 *0x423e84 = E00405CFF(8);
          				SHGetFileInfoA(0x41f430, 0,  &_v360, 0x160, 0); // executed
          				E004059DD("SmartPSS 2.002.0000007.0 Setup", "NSIS Error");
          				_t39 = GetCommandLineA();
          				_t96 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe";
          				E004059DD(_t96, _t39);
          				 *0x423e80 = GetModuleHandleA(0);
          				_t42 = _t96;
          				if("C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe" == 0x22) {
          					_v404 = 0x22;
          					_t42 =  &M00429001;
          				}
          				_t44 = CharNextA(E004054FB(_t42, _v404));
          				_v404 = _t44;
          				while(1) {
          					_t91 =  *_t44;
          					_t109 = _t91;
          					if(_t91 == 0) {
          						break;
          					}
          					__eflags = _t91 - 0x20;
          					if(_t91 != 0x20) {
          						L5:
          						__eflags =  *_t44 - 0x22;
          						_v404 = 0x20;
          						if( *_t44 == 0x22) {
          							_t44 = _t44 + 1;
          							__eflags = _t44;
          							_v404 = 0x22;
          						}
          						__eflags =  *_t44 - 0x2f;
          						if( *_t44 != 0x2f) {
          							L15:
          							_t44 = E004054FB(_t44, _v404);
          							__eflags =  *_t44 - 0x22;
          							if(__eflags == 0) {
          								_t44 = _t44 + 1;
          								__eflags = _t44;
          							}
          							continue;
          						} else {
          							_t44 = _t44 + 1;
          							__eflags =  *_t44 - 0x53;
          							if( *_t44 == 0x53) {
          								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
          								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
          									_t99 = _t99 | 0x00000002;
          									__eflags = _t99;
          								}
          							}
          							__eflags =  *_t44 - 0x4352434e;
          							if( *_t44 == 0x4352434e) {
          								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
          								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
          									_t99 = _t99 | 0x00000004;
          									__eflags = _t99;
          								}
          							}
          							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
          							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
          								 *((intOrPtr*)(_t44 - 2)) = 0;
          								_t45 = _t44 + 2;
          								__eflags = _t44 + 2;
          								E004059DD("C:\\Program Files (x86)\\Smart Professional Surveillance System", _t45);
          								L20:
          								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
          								GetTempPathA(0x400, _t105);
          								_t48 = E00403097(_t109);
          								_t110 = _t48;
          								if(_t48 != 0) {
          									L22:
          									DeleteFileA("1033"); // executed
          									_t50 = E00402C22(_t111, _t99); // executed
          									_v412 = _t50;
          									if(_t50 != 0) {
          										L32:
          										E0040344C();
          										__imp__OleUninitialize();
          										if(_v408 == 0) {
          											__eflags =  *0x423f14; // 0x0
          											if(__eflags != 0) {
          												_t106 = E00405CFF(3);
          												_t100 = E00405CFF(4);
          												_t55 = E00405CFF(5);
          												__eflags = _t106;
          												_t97 = _t55;
          												if(_t106 != 0) {
          													__eflags = _t100;
          													if(_t100 != 0) {
          														__eflags = _t97;
          														if(_t97 != 0) {
          															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
          															__eflags = _t60;
          															if(_t60 != 0) {
          																 *_t100(0, "SeShutdownPrivilege",  &_v400);
          																_v416 = 1;
          																_v404 = 2;
          																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
          															}
          														}
          													}
          												}
          												_t56 = ExitWindowsEx(2, 0);
          												__eflags = _t56;
          												if(_t56 == 0) {
          													E0040140B(9);
          												}
          											}
          											_t52 =  *0x423f2c; // 0xffffffff
          											__eflags = _t52 - 0xffffffff;
          											if(_t52 != 0xffffffff) {
          												_v400 = _t52;
          											}
          											ExitProcess(_v400);
          										}
          										E0040529E(_v408, 0x200010);
          										ExitProcess(2);
          									}
          									_t113 =  *0x423e9c; // 0x0
          									if(_t113 == 0) {
          										L31:
          										 *0x423f2c =  *0x423f2c | 0xffffffff;
          										_v400 = E00403526();
          										goto L32;
          									}
          									_t103 = E004054FB(_t96, 0);
          									while(_t103 >= _t96) {
          										__eflags =  *_t103 - 0x3d3f5f20;
          										if(__eflags == 0) {
          											break;
          										}
          										_t103 = _t103 - 1;
          										__eflags = _t103;
          									}
          									_t115 = _t103 - _t96;
          									_v408 = "Error launching installer";
          									if(_t103 < _t96) {
          										lstrcatA(_t105, "~nsu.tmp");
          										_t101 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023";
          										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023") == 0) {
          											goto L32;
          										}
          										CreateDirectoryA(_t105, 0);
          										SetCurrentDirectoryA(_t105);
          										_t120 = "C:\\Program Files (x86)\\Smart Professional Surveillance System"; // 0x43
          										if(_t120 == 0) {
          											E004059DD("C:\\Program Files (x86)\\Smart Professional Surveillance System", _t101);
          										}
          										E004059DD("3846", _v396);
          										"131498" = 0x41;
          										_t98 = 0x1a;
          										do {
          											_t71 =  *0x423e90; // 0x687488
          											E004059FF(0, _t98, 0x41f030, 0x41f030,  *((intOrPtr*)(_t71 + 0x120)));
          											DeleteFileA(0x41f030);
          											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe", 0x41f030, 1) != 0) {
          												_push(0);
          												_push(0x41f030);
          												E0040572B();
          												_t77 =  *0x423e90; // 0x687488
          												E004059FF(0, _t98, 0x41f030, 0x41f030,  *((intOrPtr*)(_t77 + 0x124)));
          												_t79 = E0040523D(0x41f030);
          												if(_t79 != 0) {
          													CloseHandle(_t79);
          													_v416 = 0;
          												}
          											}
          											"131498" =  &("131498"[1]);
          											_t98 = _t98 - 1;
          										} while (_t98 != 0);
          										_push(0);
          										_push(_t105);
          										E0040572B();
          										goto L32;
          									}
          									 *_t103 = 0;
          									_t104 = _t103 + 4;
          									if(E004055B1(_t115, _t103 + 4) == 0) {
          										goto L32;
          									}
          									E004059DD("C:\\Program Files (x86)\\Smart Professional Surveillance System", _t104);
          									E004059DD("C:\\Users\\hardz\\AppData\\Local\\Temp\\nsy6C45.tmp\\Slides", _t104);
          									_v424 = 0;
          									goto L31;
          								}
          								GetWindowsDirectoryA(_t105, 0x3fb);
          								lstrcatA(_t105, "\\Temp");
          								_t89 = E00403097(_t110);
          								_t111 = _t89;
          								if(_t89 == 0) {
          									goto L32;
          								}
          								goto L22;
          							}
          							goto L15;
          						}
          					} else {
          						goto L4;
          					}
          					do {
          						L4:
          						_t44 = _t44 + 1;
          						__eflags =  *_t44 - 0x20;
          					} while ( *_t44 == 0x20);
          					goto L5;
          				}
          				goto L20;
          			}
          0x00403230
          0x00403235
          0x00403237
          0x00000000
          0x00000000
          0x00000000
          0x00403237
          0x00000000
          0x004031d4
          0x00000000
          0x00000000
          0x00000000
          0x00403188
          0x00403188
          0x00403188
          0x00403189
          0x00403189
          0x00000000
          0x00403188
          0x00000000

          APIs
          • #17.COMCTL32 ref: 004030EA
          • SetErrorMode.KERNEL32(00008001), ref: 004030F5
          • OleInitialize.OLE32(00000000), ref: 004030FC
            • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
            • Part of subcall function 00405CFF: LoadLibraryA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D1C
            • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
          • SHGetFileInfoA.SHELL32(0041F430,00000000,?,00000160,00000000,00000008), ref: 00403124
            • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,SmartPSS 2.002.0000007.0 Setup,NSIS Error), ref: 004059EA
          • GetCommandLineA.KERNEL32(SmartPSS 2.002.0000007.0 Setup,NSIS Error), ref: 00403139
          • GetModuleHandleA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 0040314C
          • CharNextA.USER32(00000000,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000020), ref: 00403177
          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040320A
          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040321F
          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040322B
          • DeleteFileA.KERNEL32(1033), ref: 0040323E
          • OleUninitialize.OLE32(00000000), ref: 004032BC
          • ExitProcess.KERNEL32 ref: 004032DC
          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000,00000000), ref: 004032E8
          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000,00000000), ref: 004032F4
          • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403300
          • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403307
          • DeleteFileA.KERNEL32(0041F030,0041F030,?,3846,?), ref: 00403351
          • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,0041F030,00000001), ref: 00403365
          • CloseHandle.KERNEL32(00000000,0041F030,0041F030,?,0041F030,00000000), ref: 00403392
          • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033E7
          • ExitWindowsEx.USER32(00000002,00000000), ref: 00403423
          • ExitProcess.KERNEL32 ref: 00403446
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
          • String ID: /D=$ _?=$"$1033$131498$3846$C:\Program Files (x86)\Smart Professional Surveillance System$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$SmartPSS 2.002.0000007.0 Setup$\Temp$~nsu.tmp
          • API String ID: 2278157092-2281047010
          • Opcode ID: 18bac99d11730f14b0acc6261ea0ba9ec0ce08f9548eef4df67a57252120fdcb
          • Instruction ID: cc286ec977d2638fbe9c092aa5ad16f4889e12429ffafd7da1ab197300c5bae6
          • Opcode Fuzzy Hash: 18bac99d11730f14b0acc6261ea0ba9ec0ce08f9548eef4df67a57252120fdcb
          • Instruction Fuzzy Hash: 9691B170A08340AED7216F619D49B6B7EACEB0530AF44047FF581B62D2C77C9E458B6E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 89%
          			E03B21855() {
          				signed int _v8;
          				long _v12;
          				long _v16;
          				int _v20;
          				int _v24;
          				int _v28;
          				int _v32;
          				CHAR* _v36;
          				void* _v40;
          				CHAR* _v44;
          				int _t64;
          				void* _t66;
          				int _t73;
          				signed int _t74;
          				signed int _t75;
          				void* _t78;
          				int _t79;
          				int _t80;
          				int _t81;
          				int _t82;
          				int _t83;
          				int _t84;
          				int _t85;
          				int _t86;
          				void* _t87;
          				int _t92;
          				struct HWND__* _t95;
          				void* _t100;
          				CHAR* _t110;
          				struct HWND__* _t111;
          				signed int _t118;
          
          				_t110 = HeapAlloc(GetProcessHeap(), 8,  *0x3b250dc +  *0x3b250dc);
          				_t113 =  *0x3b250dc + _t110;
          				_v44 = _t110;
          				_v36 =  *0x3b250dc + _t110;
          				if(_t110 == 0) {
          					return E03B21E27("error");
          				}
          				_t64 = E03B21DD9(_t110, 0);
          				__eflags = _t64;
          				if(__eflags != 0) {
          					L4:
          					E03B21E27("error");
          					_push(_t110);
          					_push(0);
          					_t66 = GetProcessHeap();
          					goto L27;
          				} else {
          					L03B21FEC();
          					_v12 = _t64;
          					L03B21FEC();
          					_v16 = _t64;
          					E03B21252(__eflags,  &_v32,  &_v28,  &_v24,  &_v20);
          					_t73 = E03B21DD9(_t113, 0);
          					__eflags = _t73;
          					if(_t73 == 0) {
          						_t74 =  *0x3b250d4;
          						_v8 = _t74;
          						_t75 = _t74 + 1;
          						_v40 = _t75;
          						 *0x3b250d4 = _t75;
          						_t78 = HeapReAlloc(GetProcessHeap(), 8,  *0x3b250d8, _t75 * 0x418); // executed
          						 *0x3b250d8 = _t78;
          						_t79 = lstrcmpiA(_t110, "BUTTON");
          						__eflags = _t79;
          						if(_t79 != 0) {
          							_t80 = lstrcmpiA(_t110, "EDIT");
          							__eflags = _t80;
          							if(_t80 != 0) {
          								_t81 = lstrcmpiA(_t110, "COMBOBOX");
          								__eflags = _t81;
          								if(_t81 != 0) {
          									_t82 = lstrcmpiA(_t110, "LISTBOX");
          									__eflags = _t82;
          									if(_t82 != 0) {
          										_t83 = lstrcmpiA(_t110, "RichEdit");
          										__eflags = _t83;
          										if(_t83 != 0) {
          											_t84 = lstrcmpiA(_t110, "RICHEDIT_CLASS");
          											__eflags = _t84;
          											if(_t84 != 0) {
          												_t85 = lstrcmpiA(_t110, "STATIC");
          												__eflags = _t85;
          												if(_t85 != 0) {
          													_t86 = lstrcmpiA(_t110, "LINK");
          													_t118 = _v8 * 0x418;
          													__eflags = _t86;
          													_t87 =  *0x3b250d8;
          													if(_t86 != 0) {
          														_t36 = _t118 + _t87 + 4;
          														 *_t36 =  *(_t118 + _t87 + 4) & 0x00000000;
          														__eflags =  *_t36;
          													} else {
          														 *(_t118 + _t87 + 4) = 8;
          													}
          												} else {
          													_t118 = _v8 * 0x418;
          													 *(_t118 +  *0x3b250d8 + 4) = 7;
          												}
          											} else {
          												_t118 = _v8 * 0x418;
          												 *(_t118 +  *0x3b250d8 + 4) = 6;
          											}
          										} else {
          											_t118 = _v8 * 0x418;
          											 *(_t118 +  *0x3b250d8 + 4) = 5;
          										}
          									} else {
          										_t118 = _v8 * 0x418;
          										 *(_t118 +  *0x3b250d8 + 4) = 4;
          									}
          								} else {
          									_t118 = _v8 * 0x418;
          									 *(_t118 +  *0x3b250d8 + 4) = 3;
          								}
          							} else {
          								_t118 = _v8 * 0x418;
          								 *(_t118 +  *0x3b250d8 + 4) = 2;
          							}
          						} else {
          							_t118 = _v8 * 0x418;
          							 *(_t118 +  *0x3b250d8 + 4) = 1;
          						}
          						E03B21D0C( *(_t118 +  *0x3b250d8 + 4),  &_v12,  &_v16);
          						_t92 = lstrcmpiA(_t110, "LINK");
          						__eflags = _t92;
          						if(_t92 == 0) {
          							_t110 = "BUTTON";
          						}
          						_t95 = CreateWindowExA(_v16, _t110, _v36, _v12, _v32, _v28, _v24, _v20,  *0x3b250c0, _v8 + 0x4b0,  *0x3b250a4, 0); // executed
          						_t111 = _t95;
          						 *( *0x3b250d8 + _t118) = _t111;
          						SetPropA(_t111, "NSIS: nsControl pointer property", _v40);
          						SendMessageA(_t111, 0x30, SendMessageA( *0x3b250c4, 0x31, 0, 0), 1); // executed
          						_t100 =  *0x3b250d8;
          						__eflags =  *((intOrPtr*)(_t118 + _t100 + 4)) - 8;
          						if( *((intOrPtr*)(_t118 + _t100 + 4)) == 8) {
          							 *((intOrPtr*)(_t118 +  *0x3b250d8 + 0x414)) = SetWindowLongA(_t111, 0xfffffffc, E03B21480);
          						}
          						_push(_t111);
          						L03B22016();
          						_push(_v44);
          						_push(0);
          						_t66 = GetProcessHeap();
          						L27:
          						return HeapFree(_t66, ??, ??);
          					}
          					goto L4;
          				}
          			}



































          APIs
          • GetProcessHeap.KERNEL32(00000008,?), ref: 03B2186E
          • HeapAlloc.KERNEL32(00000000), ref: 03B21871
          • GetProcessHeap.KERNEL32(00000000,00000000,error,00000000,00000000), ref: 03B218E4
          • HeapFree.KERNEL32(00000000), ref: 03B21B18
            • Part of subcall function 03B21E27: GlobalAlloc.KERNEL32(00000040,?,?,03B210BE,error,?,00000104), ref: 03B21E3C
            • Part of subcall function 03B21E27: lstrcpynA.KERNEL32(00000004,?,?,03B210BE,error,?,00000104), ref: 03B21E52
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Heap$AllocProcess$FreeGloballstrcpyn
          • String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error
          • API String ID: 1913068523-3375361224
          • Opcode ID: fcd03e2adff21de228593869cbd082cb4c865736c3c5231ce30ceb509d5d48b9
          • Instruction ID: 59770fc784a9de18cfd804eb012e852c85d98587aa60f1533ac1baebb6dcf08c
          • Opcode Fuzzy Hash: fcd03e2adff21de228593869cbd082cb4c865736c3c5231ce30ceb509d5d48b9
          • Instruction Fuzzy Hash: FC81C4B2900228ABD730EBA5DE45F9FBFFCEB1570CF0142B6EA09B7545C63498448B64
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 74%
          			E004059FF(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
          				signed int _v8;
          				struct _ITEMIDLIST* _v12;
          				signed int _v16;
          				signed char _v20;
          				signed int _v24;
          				signed char _v28;
          				signed int _t36;
          				CHAR* _t37;
          				signed int _t39;
          				int _t40;
          				char _t50;
          				char _t51;
          				char _t53;
          				char _t55;
          				void* _t63;
          				signed int _t69;
          				intOrPtr _t73;
          				signed int _t74;
          				signed int _t75;
          				intOrPtr _t79;
          				char _t83;
          				void* _t85;
          				CHAR* _t86;
          				void* _t88;
          				signed int _t95;
          				signed int _t97;
          				void* _t98;
          
          				_t88 = __esi;
          				_t85 = __edi;
          				_t63 = __ebx;
          				_t36 = _a8;
          				if(_t36 < 0) {
          					_t79 =  *0x42365c; // 0x6c43be
          					_t36 =  *(_t79 - 4 + _t36 * 4);
          				}
          				_t73 =  *0x423eb8; // 0x6b61f8
          				_t74 = _t73 + _t36;
          				_t37 = 0x422e20;
          				_push(_t63);
          				_push(_t88);
          				_push(_t85);
          				_t86 = 0x422e20;
          				if(_a4 - 0x422e20 < 0x800) {
          					_t86 = _a4;
          					_a4 = _a4 & 0x00000000;
          				}
          				while(1) {
          					_t83 =  *_t74;
          					if(_t83 == 0) {
          						break;
          					}
          					__eflags = _t86 - _t37 - 0x400;
          					if(_t86 - _t37 >= 0x400) {
          						break;
          					}
          					_t74 = _t74 + 1;
          					__eflags = _t83 - 0xfc;
          					_a8 = _t74;
          					if(__eflags <= 0) {
          						if(__eflags != 0) {
          							 *_t86 = _t83;
          							_t86 =  &(_t86[1]);
          							__eflags = _t86;
          						} else {
          							 *_t86 =  *_t74;
          							_t86 =  &(_t86[1]);
          							_t74 = _t74 + 1;
          						}
          						continue;
          					}
          					_t39 =  *(_t74 + 1);
          					_t75 =  *_t74;
          					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
          					_a8 = _a8 + 2;
          					_v28 = _t75 | 0x00000080;
          					_t69 = _t75;
          					_v24 = _t69;
          					__eflags = _t83 - 0xfe;
          					_v20 = _t39 | 0x00000080;
          					_v16 = _t39;
          					if(_t83 != 0xfe) {
          						__eflags = _t83 - 0xfd;
          						if(_t83 != 0xfd) {
          							__eflags = _t83 - 0xff;
          							if(_t83 == 0xff) {
          								__eflags = (_t39 | 0xffffffff) - _t95;
          								E004059FF(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
          							}
          							L41:
          							_t40 = lstrlenA(_t86);
          							_t74 = _a8;
          							_t86 =  &(_t86[_t40]);
          							_t37 = 0x422e20;
          							continue;
          						}
          						__eflags = _t95 - 0x1d;
          						if(_t95 != 0x1d) {
          							__eflags = (_t95 << 0xa) + 0x424000;
          							E004059DD(_t86, (_t95 << 0xa) + 0x424000);
          						} else {
          							E0040593B(_t86,  *0x423e88);
          						}
          						__eflags = _t95 + 0xffffffeb - 7;
          						if(_t95 + 0xffffffeb < 7) {
          							L32:
          							E00405C3F(_t86);
          						}
          						goto L41;
          					}
          					_t97 = 2;
          					_t50 = GetVersion();
          					__eflags = _t50;
          					if(_t50 >= 0) {
          						L12:
          						_v8 = 1;
          						L13:
          						__eflags =  *0x423f04;
          						if( *0x423f04 != 0) {
          							_t97 = 4;
          						}
          						__eflags = _t69;
          						if(_t69 >= 0) {
          							__eflags = _t69 - 0x25;
          							if(_t69 != 0x25) {
          								__eflags = _t69 - 0x24;
          								if(_t69 == 0x24) {
          									GetWindowsDirectoryA(_t86, 0x400);
          									_t97 = 0;
          								}
          								while(1) {
          									__eflags = _t97;
          									if(_t97 == 0) {
          										goto L29;
          									}
          									_t51 =  *0x423e84; // 0x74691340
          									_t97 = _t97 - 1;
          									__eflags = _t51;
          									if(_t51 == 0) {
          										L25:
          										_t53 = SHGetSpecialFolderLocation( *0x423e88,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
          										__eflags = _t53;
          										if(_t53 != 0) {
          											L27:
          											 *_t86 =  *_t86 & 0x00000000;
          											__eflags =  *_t86;
          											continue;
          										}
          										__imp__SHGetPathFromIDListA(_v12, _t86);
          										__imp__CoTaskMemFree(_v12);
          										__eflags = _t53;
          										if(_t53 != 0) {
          											goto L29;
          										}
          										goto L27;
          									}
          									__eflags = _v8;
          									if(_v8 == 0) {
          										goto L25;
          									}
          									_t55 =  *_t51( *0x423e88,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
          									__eflags = _t55;
          									if(_t55 == 0) {
          										goto L29;
          									}
          									goto L25;
          								}
          								goto L29;
          							}
          							GetSystemDirectoryA(_t86, 0x400);
          							goto L29;
          						} else {
          							_t72 = (_t69 & 0x0000003f) +  *0x423eb8;
          							E004058C4(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423eb8, _t86, _t69 & 0x00000040); // executed
          							__eflags =  *_t86;
          							if( *_t86 != 0) {
          								L30:
          								__eflags = _v16 - 0x1a;
          								if(_v16 == 0x1a) {
          									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
          								}
          								goto L32;
          							}
          							E004059FF(_t72, _t86, _t97, _t86, _v16);
          							L29:
          							__eflags =  *_t86;
          							if( *_t86 == 0) {
          								goto L32;
          							}
          							goto L30;
          						}
          					}
          					__eflags = _t50 - 0x5a04;
          					if(_t50 == 0x5a04) {
          						goto L12;
          					}
          					__eflags = _v16 - 0x23;
          					if(_v16 == 0x23) {
          						goto L12;
          					}
          					__eflags = _v16 - 0x2e;
          					if(_v16 == 0x2e) {
          						goto L12;
          					} else {
          						_v8 = _v8 & 0x00000000;
          						goto L13;
          					}
          				}
          				 *_t86 =  *_t86 & 0x00000000;
          				if(_a4 == 0) {
          					return _t37;
          				}
          				return E004059DD(_a4, _t37);
          			}































          APIs
          • GetVersion.KERNEL32(00000006,0041FC50,00000000,00404DB3,0041FC50,00000000), ref: 00405AA7
          • GetSystemDirectoryA.KERNEL32 ref: 00405B22
          • GetWindowsDirectoryA.KERNEL32(0x0201,00000400), ref: 00405B35
          • SHGetSpecialFolderLocation.SHELL32(?,0040F020), ref: 00405B71
          • SHGetPathFromIDListA.SHELL32(0040F020,0x0201), ref: 00405B7F
          • CoTaskMemFree.OLE32(0040F020), ref: 00405B8A
          • lstrcatA.KERNEL32(0x0201,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BAC
          • lstrlenA.KERNEL32(0x0201,00000006,0041FC50,00000000,00404DB3,0041FC50,00000000), ref: 00405BFE
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
          • String ID: 0x0201$3846$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
          • API String ID: 900638850-2722367558
          • Opcode ID: cf957b5ec98df0255b1371310b3b184a1fd6d9caa64e1831fbef5174ed328289
          • Instruction ID: d3edd175ae4d098aa1e1d30cbcff8d3f456ad99068bf2b680a9da6a8a672f2a4
          • Opcode Fuzzy Hash: cf957b5ec98df0255b1371310b3b184a1fd6d9caa64e1831fbef5174ed328289
          • Instruction Fuzzy Hash: 30511471A04A04ABEB215F68DC84B7F3BB4EB55324F14423BE911B62D1D27C6981DF4E
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E00405302(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
          				signed int _v8;
          				signed int _v12;
          				struct _WIN32_FIND_DATAA _v332;
          				signed int _t37;
          				char* _t49;
          				signed int _t52;
          				signed int _t55;
          				signed int _t61;
          				signed int _t63;
          				void* _t65;
          				signed int _t68;
          				CHAR* _t70;
          				CHAR* _t72;
          				char* _t75;
          
          				_t72 = _a4;
          				_t37 = E004055B1(__eflags, _t72);
          				_v12 = _t37;
          				if((_a8 & 0x00000008) != 0) {
          					_t63 = DeleteFileA(_t72); // executed
          					asm("sbb eax, eax");
          					_t65 =  ~_t63 + 1;
          					 *0x423f08 =  *0x423f08 + _t65;
          					return _t65;
          				}
          				_t68 = _a8 & 0x00000001;
          				__eflags = _t68;
          				_v8 = _t68;
          				if(_t68 == 0) {
          					L5:
          					E004059DD(0x421480, _t72);
          					__eflags = _t68;
          					if(_t68 == 0) {
          						E00405517(_t72);
          					} else {
          						lstrcatA(0x421480, "\*.*");
          					}
          					__eflags =  *_t72;
          					if( *_t72 != 0) {
          						L10:
          						lstrcatA(_t72, 0x409010);
          						L11:
          						_t70 =  &(_t72[lstrlenA(_t72)]);
          						_t37 = FindFirstFileA(0x421480,  &_v332);
          						__eflags = _t37 - 0xffffffff;
          						_a4 = _t37;
          						if(_t37 == 0xffffffff) {
          							L29:
          							__eflags = _v8;
          							if(_v8 != 0) {
          								_t31 = _t70 - 1;
          								 *_t31 =  *(_t70 - 1) & 0x00000000;
          								__eflags =  *_t31;
          							}
          							goto L31;
          						} else {
          							goto L12;
          						}
          						do {
          							L12:
          							_t75 =  &(_v332.cFileName);
          							_t49 = E004054FB( &(_v332.cFileName), 0x3f);
          							__eflags =  *_t49;
          							if( *_t49 != 0) {
          								__eflags = _v332.cAlternateFileName;
          								if(_v332.cAlternateFileName != 0) {
          									_t75 =  &(_v332.cAlternateFileName);
          								}
          							}
          							__eflags =  *_t75 - 0x2e;
          							if( *_t75 != 0x2e) {
          								L19:
          								E004059DD(_t70, _t75);
          								__eflags = _v332.dwFileAttributes & 0x00000010;
          								if((_v332.dwFileAttributes & 0x00000010) == 0) {
          									E00405695(_t72);
          									_t52 = DeleteFileA(_t72);
          									__eflags = _t52;
          									if(_t52 != 0) {
          										E00404D7B(0xfffffff2, _t72);
          									} else {
          										__eflags = _a8 & 0x00000004;
          										if((_a8 & 0x00000004) == 0) {
          											 *0x423f08 =  *0x423f08 + 1;
          										} else {
          											E00404D7B(0xfffffff1, _t72);
          											_push(0);
          											_push(_t72);
          											E0040572B();
          										}
          									}
          								} else {
          									__eflags = (_a8 & 0x00000003) - 3;
          									if(__eflags == 0) {
          										E00405302(_t70, __eflags, _t72, _a8);
          									}
          								}
          								goto L27;
          							}
          							_t61 =  *((intOrPtr*)(_t75 + 1));
          							__eflags = _t61;
          							if(_t61 == 0) {
          								goto L27;
          							}
          							__eflags = _t61 - 0x2e;
          							if(_t61 != 0x2e) {
          								goto L19;
          							}
          							__eflags =  *((char*)(_t75 + 2));
          							if( *((char*)(_t75 + 2)) == 0) {
          								goto L27;
          							}
          							goto L19;
          							L27:
          							_t55 = FindNextFileA(_a4,  &_v332);
          							__eflags = _t55;
          						} while (_t55 != 0);
          						_t37 = FindClose(_a4);
          						goto L29;
          					}
          					__eflags =  *0x421480 - 0x5c;
          					if( *0x421480 != 0x5c) {
          						goto L11;
          					}
          					goto L10;
          				} else {
          					__eflags = _t37;
          					if(_t37 == 0) {
          						L31:
          						__eflags = _v8;
          						if(_v8 == 0) {
          							L39:
          							return _t37;
          						}
          						__eflags = _v12;
          						if(_v12 != 0) {
          							_t37 = E00405CD8(_t72);
          							__eflags = _t37;
          							if(_t37 == 0) {
          								goto L39;
          							}
          							E004054D0(_t72);
          							E00405695(_t72);
          							_t37 = RemoveDirectoryA(_t72);
          							__eflags = _t37;
          							if(_t37 != 0) {
          								return E00404D7B(0xffffffe5, _t72);
          							}
          							__eflags = _a8 & 0x00000004;
          							if((_a8 & 0x00000004) == 0) {
          								goto L33;
          							}
          							E00404D7B(0xfffffff1, _t72);
          							_push(0);
          							_push(_t72);
          							return E0040572B();
          						}
          						L33:
          						 *0x423f08 =  *0x423f08 + 1;
          						return _t37;
          					}
          					__eflags = _a8 & 0x00000002;
          					if((_a8 & 0x00000002) == 0) {
          						goto L31;
          					}
          					goto L5;
          				}
          			}


          APIs
          • DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 00405320
          • lstrcatA.KERNEL32(00421480,\*.*,00421480,?,00000000,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 0040536A
          • lstrcatA.KERNEL32(?,00409010,?,00421480,?,00000000,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 0040538B
          • lstrlenA.KERNEL32(?,?,00409010,?,00421480,?,00000000,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 00405391
          • FindFirstFileA.KERNEL32(00421480,?,?,?,00409010,?,00421480,?,00000000,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 004053A2
          • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405454
          • FindClose.KERNEL32(?), ref: 00405465
          Strings
          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405302
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 0040530C
          • \*.*, xrefs: 00405364
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$\*.*
          • API String ID: 2035342205-705660622
          • Opcode ID: 839bd3744fd32e7d0185c0b890ed2fdcf981fbc651edb5541a67b6ee6968ffb2
          • Instruction ID: 4b200e60d3e8d58e0ab6cbb93b3ca9934a2dcfa31e3b076817fab6d13423d761
          • Opcode Fuzzy Hash: 839bd3744fd32e7d0185c0b890ed2fdcf981fbc651edb5541a67b6ee6968ffb2
          • Instruction Fuzzy Hash: 45511230844A48B6DB226B228C45BFF3A78DF4275AF14813BF845751D1C77C4981DE6E
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 98%
          			E00405FA8() {
          				unsigned short _t531;
          				signed int _t532;
          				void _t533;
          				void* _t534;
          				signed int _t535;
          				signed int _t565;
          				signed int _t568;
          				signed int _t590;
          				signed int* _t607;
          				void* _t614;
          
          				L0:
          				while(1) {
          					L0:
          					if( *(_t614 - 0x40) != 0) {
          						 *(_t614 - 0x34) = 1;
          						 *(_t614 - 0x84) = 7;
          						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
          						L132:
          						 *(_t614 - 0x54) = _t607;
          						L133:
          						_t531 =  *_t607;
          						_t590 = _t531 & 0x0000ffff;
          						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
          						if( *(_t614 - 0xc) >= _t565) {
          							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
          							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
          							 *(_t614 - 0x40) = 1;
          							_t532 = _t531 - (_t531 >> 5);
          							 *_t607 = _t532;
          						} else {
          							 *(_t614 - 0x10) = _t565;
          							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
          							 *_t607 = (0x800 - _t590 >> 5) + _t531;
          						}
          						if( *(_t614 - 0x10) >= 0x1000000) {
          							L139:
          							_t533 =  *(_t614 - 0x84);
          							L140:
          							 *(_t614 - 0x88) = _t533;
          							goto L1;
          						} else {
          							L137:
          							if( *(_t614 - 0x6c) == 0) {
          								 *(_t614 - 0x88) = 5;
          								goto L170;
          							}
          							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
          							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
          							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
          							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
          							goto L139;
          						}
          					} else {
          						__eax =  *(__ebp - 0x5c) & 0x000000ff;
          						__esi =  *(__ebp - 0x60);
          						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
          						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
          						__ecx =  *(__ebp - 0x3c);
          						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
          						__ecx =  *(__ebp - 4);
          						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
          						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
          						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
          						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
          						if( *(__ebp - 0x38) >= 4) {
          							if( *(__ebp - 0x38) >= 0xa) {
          								_t97 = __ebp - 0x38;
          								 *_t97 =  *(__ebp - 0x38) - 6;
          							} else {
          								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
          							}
          						} else {
          							 *(__ebp - 0x38) = 0;
          						}
          						if( *(__ebp - 0x34) == __edx) {
          							__ebx = 0;
          							__ebx = 1;
          							L60:
          							__eax =  *(__ebp - 0x58);
          							__edx = __ebx + __ebx;
          							__ecx =  *(__ebp - 0x10);
          							__esi = __edx + __eax;
          							__ecx =  *(__ebp - 0x10) >> 0xb;
          							__ax =  *__esi;
          							 *(__ebp - 0x54) = __esi;
          							__edi = __ax & 0x0000ffff;
          							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
          							if( *(__ebp - 0xc) >= __ecx) {
          								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          								__cx = __ax;
          								_t216 = __edx + 1; // 0x1
          								__ebx = _t216;
          								__cx = __ax >> 5;
          								 *__esi = __ax;
          							} else {
          								 *(__ebp - 0x10) = __ecx;
          								0x800 = 0x800 - __edi;
          								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
          								__ebx = __ebx + __ebx;
          								 *__esi = __cx;
          							}
          							 *(__ebp - 0x44) = __ebx;
          							if( *(__ebp - 0x10) >= 0x1000000) {
          								L59:
          								if(__ebx >= 0x100) {
          									goto L54;
          								}
          								goto L60;
          							} else {
          								L57:
          								if( *(__ebp - 0x6c) == 0) {
          									 *(__ebp - 0x88) = 0xf;
          									goto L170;
          								}
          								__ecx =  *(__ebp - 0x70);
          								__eax =  *(__ebp - 0xc);
          								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          								_t202 = __ebp - 0x70;
          								 *_t202 =  *(__ebp - 0x70) + 1;
          								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          								goto L59;
          							}
          						} else {
          							__eax =  *(__ebp - 0x14);
          							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
          							if(__eax >=  *(__ebp - 0x74)) {
          								__eax = __eax +  *(__ebp - 0x74);
          							}
          							__ecx =  *(__ebp - 8);
          							__ebx = 0;
          							__ebx = 1;
          							__al =  *((intOrPtr*)(__eax + __ecx));
          							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
          							L40:
          							__eax =  *(__ebp - 0x5b) & 0x000000ff;
          							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
          							__ecx =  *(__ebp - 0x58);
          							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
          							 *(__ebp - 0x48) = __eax;
          							__eax = __eax + 1;
          							__eax = __eax << 8;
          							__eax = __eax + __ebx;
          							__esi =  *(__ebp - 0x58) + __eax * 2;
          							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
          							__ax =  *__esi;
          							 *(__ebp - 0x54) = __esi;
          							__edx = __ax & 0x0000ffff;
          							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
          							if( *(__ebp - 0xc) >= __ecx) {
          								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          								__cx = __ax;
          								 *(__ebp - 0x40) = 1;
          								__cx = __ax >> 5;
          								__ebx = __ebx + __ebx + 1;
          								 *__esi = __ax;
          							} else {
          								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
          								 *(__ebp - 0x10) = __ecx;
          								0x800 = 0x800 - __edx;
          								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
          								__ebx = __ebx + __ebx;
          								 *__esi = __cx;
          							}
          							 *(__ebp - 0x44) = __ebx;
          							if( *(__ebp - 0x10) >= 0x1000000) {
          								L38:
          								__eax =  *(__ebp - 0x40);
          								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
          									while(1) {
          										if(__ebx >= 0x100) {
          											break;
          										}
          										__eax =  *(__ebp - 0x58);
          										__edx = __ebx + __ebx;
          										__ecx =  *(__ebp - 0x10);
          										__esi = __edx + __eax;
          										__ecx =  *(__ebp - 0x10) >> 0xb;
          										__ax =  *__esi;
          										 *(__ebp - 0x54) = __esi;
          										__edi = __ax & 0x0000ffff;
          										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
          										if( *(__ebp - 0xc) >= __ecx) {
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          											__cx = __ax;
          											_t169 = __edx + 1; // 0x1
          											__ebx = _t169;
          											__cx = __ax >> 5;
          											 *__esi = __ax;
          										} else {
          											 *(__ebp - 0x10) = __ecx;
          											0x800 = 0x800 - __edi;
          											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
          											__ebx = __ebx + __ebx;
          											 *__esi = __cx;
          										}
          										 *(__ebp - 0x44) = __ebx;
          										if( *(__ebp - 0x10) < 0x1000000) {
          											L45:
          											if( *(__ebp - 0x6c) == 0) {
          												 *(__ebp - 0x88) = 0xe;
          												goto L170;
          											}
          											__ecx =  *(__ebp - 0x70);
          											__eax =  *(__ebp - 0xc);
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											_t155 = __ebp - 0x70;
          											 *_t155 =  *(__ebp - 0x70) + 1;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          										}
          									}
          									L53:
          									_t172 = __ebp - 0x34;
          									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
          									L54:
          									__al =  *(__ebp - 0x44);
          									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
          									L55:
          									if( *(__ebp - 0x64) == 0) {
          										 *(__ebp - 0x88) = 0x1a;
          										goto L170;
          									}
          									__ecx =  *(__ebp - 0x68);
          									__al =  *(__ebp - 0x5c);
          									__edx =  *(__ebp - 8);
          									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
          									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
          									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
          									 *( *(__ebp - 0x68)) = __al;
          									__ecx =  *(__ebp - 0x14);
          									 *(__ecx +  *(__ebp - 8)) = __al;
          									__eax = __ecx + 1;
          									__edx = 0;
          									_t191 = __eax %  *(__ebp - 0x74);
          									__eax = __eax /  *(__ebp - 0x74);
          									__edx = _t191;
          									L79:
          									 *(__ebp - 0x14) = __edx;
          									L80:
          									 *(__ebp - 0x88) = 2;
          									goto L1;
          								}
          								if(__ebx >= 0x100) {
          									goto L53;
          								}
          								goto L40;
          							} else {
          								L36:
          								if( *(__ebp - 0x6c) == 0) {
          									 *(__ebp - 0x88) = 0xd;
          									L170:
          									_t568 = 0x22;
          									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
          									_t535 = 0;
          									L172:
          									return _t535;
          								}
          								__ecx =  *(__ebp - 0x70);
          								__eax =  *(__ebp - 0xc);
          								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          								_t121 = __ebp - 0x70;
          								 *_t121 =  *(__ebp - 0x70) + 1;
          								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          								goto L38;
          							}
          						}
          					}
          					L1:
          					_t534 =  *(_t614 - 0x88);
          					if(_t534 > 0x1c) {
          						L171:
          						_t535 = _t534 | 0xffffffff;
          						goto L172;
          					}
          					switch( *((intOrPtr*)(_t534 * 4 +  &M0040684B))) {
          						case 0:
          							if( *(_t614 - 0x6c) == 0) {
          								goto L170;
          							}
          							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
          							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
          							_t534 =  *( *(_t614 - 0x70));
          							if(_t534 > 0xe1) {
          								goto L171;
          							}
          							_t538 = _t534 & 0x000000ff;
          							_push(0x2d);
          							asm("cdq");
          							_pop(_t570);
          							_push(9);
          							_pop(_t571);
          							_t610 = _t538 / _t570;
          							_t540 = _t538 % _t570 & 0x000000ff;
          							asm("cdq");
          							_t605 = _t540 % _t571 & 0x000000ff;
          							 *(_t614 - 0x3c) = _t605;
          							 *(_t614 - 0x1c) = (1 << _t610) - 1;
          							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
          							_t613 = (0x300 << _t605 + _t610) + 0x736;
          							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
          								L10:
          								if(_t613 == 0) {
          									L12:
          									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
          									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
          									goto L15;
          								} else {
          									goto L11;
          								}
          								do {
          									L11:
          									_t613 = _t613 - 1;
          									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
          								} while (_t613 != 0);
          								goto L12;
          							}
          							if( *(_t614 - 4) != 0) {
          								GlobalFree( *(_t614 - 4)); // executed
          							}
          							_t534 = GlobalAlloc(0x40, 0x600); // executed
          							 *(_t614 - 4) = _t534;
          							if(_t534 == 0) {
          								goto L171;
          							} else {
          								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
          								goto L10;
          							}
          						case 1:
          							L13:
          							__eflags =  *(_t614 - 0x6c);
          							if( *(_t614 - 0x6c) == 0) {
          								 *(_t614 - 0x88) = 1;
          								goto L170;
          							}
          							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
          							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
          							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
          							_t45 = _t614 - 0x48;
          							 *_t45 =  *(_t614 - 0x48) + 1;
          							__eflags =  *_t45;
          							L15:
          							if( *(_t614 - 0x48) < 4) {
          								goto L13;
          							}
          							_t546 =  *(_t614 - 0x40);
          							if(_t546 ==  *(_t614 - 0x74)) {
          								L20:
          								 *(_t614 - 0x48) = 5;
          								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
          								goto L23;
          							}
          							 *(_t614 - 0x74) = _t546;
          							if( *(_t614 - 8) != 0) {
          								GlobalFree( *(_t614 - 8)); // executed
          							}
          							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
          							 *(_t614 - 8) = _t534;
          							if(_t534 == 0) {
          								goto L171;
          							} else {
          								goto L20;
          							}
          						case 2:
          							L24:
          							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
          							 *(_t614 - 0x84) = 6;
          							 *(_t614 - 0x4c) = _t553;
          							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
          							goto L132;
          						case 3:
          							L21:
          							__eflags =  *(_t614 - 0x6c);
          							if( *(_t614 - 0x6c) == 0) {
          								 *(_t614 - 0x88) = 3;
          								goto L170;
          							}
          							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
          							_t67 = _t614 - 0x70;
          							 *_t67 =  &(( *(_t614 - 0x70))[1]);
          							__eflags =  *_t67;
          							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
          							L23:
          							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
          							if( *(_t614 - 0x48) != 0) {
          								goto L21;
          							}
          							goto L24;
          						case 4:
          							goto L133;
          						case 5:
          							goto L137;
          						case 6:
          							goto L0;
          						case 7:
          							__eflags =  *(__ebp - 0x40) - 1;
          							if( *(__ebp - 0x40) != 1) {
          								__eax =  *(__ebp - 0x24);
          								 *(__ebp - 0x80) = 0x16;
          								 *(__ebp - 0x20) =  *(__ebp - 0x24);
          								__eax =  *(__ebp - 0x28);
          								 *(__ebp - 0x24) =  *(__ebp - 0x28);
          								__eax =  *(__ebp - 0x2c);
          								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
          								__eax = 0;
          								__eflags =  *(__ebp - 0x38) - 7;
          								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
          								__al = __al & 0x000000fd;
          								__eax = (__eflags >= 0) - 1 + 0xa;
          								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
          								__eax =  *(__ebp - 4);
          								__eax =  *(__ebp - 4) + 0x664;
          								__eflags = __eax;
          								 *(__ebp - 0x58) = __eax;
          								goto L68;
          							}
          							__eax =  *(__ebp - 4);
          							__ecx =  *(__ebp - 0x38);
          							 *(__ebp - 0x84) = 8;
          							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
          							goto L132;
          						case 8:
          							__eflags =  *(__ebp - 0x40);
          							if( *(__ebp - 0x40) != 0) {
          								__eax =  *(__ebp - 4);
          								__ecx =  *(__ebp - 0x38);
          								 *(__ebp - 0x84) = 0xa;
          								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
          							} else {
          								__eax =  *(__ebp - 0x38);
          								__ecx =  *(__ebp - 4);
          								__eax =  *(__ebp - 0x38) + 0xf;
          								 *(__ebp - 0x84) = 9;
          								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
          								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
          							}
          							goto L132;
          						case 9:
          							__eflags =  *(__ebp - 0x40);
          							if( *(__ebp - 0x40) != 0) {
          								goto L89;
          							}
          							__eflags =  *(__ebp - 0x60);
          							if( *(__ebp - 0x60) == 0) {
          								goto L171;
          							}
          							__eax = 0;
          							__eflags =  *(__ebp - 0x38) - 7;
          							_t258 =  *(__ebp - 0x38) - 7 >= 0;
          							__eflags = _t258;
          							0 | _t258 = _t258 + _t258 + 9;
          							 *(__ebp - 0x38) = _t258 + _t258 + 9;
          							goto L75;
          						case 0xa:
          							__eflags =  *(__ebp - 0x40);
          							if( *(__ebp - 0x40) != 0) {
          								__eax =  *(__ebp - 4);
          								__ecx =  *(__ebp - 0x38);
          								 *(__ebp - 0x84) = 0xb;
          								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
          								goto L132;
          							}
          							__eax =  *(__ebp - 0x28);
          							goto L88;
          						case 0xb:
          							__eflags =  *(__ebp - 0x40);
          							if( *(__ebp - 0x40) != 0) {
          								__ecx =  *(__ebp - 0x24);
          								__eax =  *(__ebp - 0x20);
          								 *(__ebp - 0x20) =  *(__ebp - 0x24);
          							} else {
          								__eax =  *(__ebp - 0x24);
          							}
          							__ecx =  *(__ebp - 0x28);
          							 *(__ebp - 0x24) =  *(__ebp - 0x28);
          							L88:
          							__ecx =  *(__ebp - 0x2c);
          							 *(__ebp - 0x2c) = __eax;
          							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
          							L89:
          							__eax =  *(__ebp - 4);
          							 *(__ebp - 0x80) = 0x15;
          							__eax =  *(__ebp - 4) + 0xa68;
          							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
          							goto L68;
          						case 0xc:
          							L99:
          							__eflags =  *(__ebp - 0x6c);
          							if( *(__ebp - 0x6c) == 0) {
          								 *(__ebp - 0x88) = 0xc;
          								goto L170;
          							}
          							__ecx =  *(__ebp - 0x70);
          							__eax =  *(__ebp - 0xc);
          							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          							_t334 = __ebp - 0x70;
          							 *_t334 =  *(__ebp - 0x70) + 1;
          							__eflags =  *_t334;
          							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          							__eax =  *(__ebp - 0x2c);
          							goto L101;
          						case 0xd:
          							goto L36;
          						case 0xe:
          							goto L45;
          						case 0xf:
          							goto L57;
          						case 0x10:
          							L109:
          							__eflags =  *(__ebp - 0x6c);
          							if( *(__ebp - 0x6c) == 0) {
          								 *(__ebp - 0x88) = 0x10;
          								goto L170;
          							}
          							__ecx =  *(__ebp - 0x70);
          							__eax =  *(__ebp - 0xc);
          							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          							_t365 = __ebp - 0x70;
          							 *_t365 =  *(__ebp - 0x70) + 1;
          							__eflags =  *_t365;
          							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          							goto L111;
          						case 0x11:
          							L68:
          							__esi =  *(__ebp - 0x58);
          							 *(__ebp - 0x84) = 0x12;
          							goto L132;
          						case 0x12:
          							__eflags =  *(__ebp - 0x40);
          							if( *(__ebp - 0x40) != 0) {
          								__eax =  *(__ebp - 0x58);
          								 *(__ebp - 0x84) = 0x13;
          								__esi =  *(__ebp - 0x58) + 2;
          								goto L132;
          							}
          							__eax =  *(__ebp - 0x4c);
          							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
          							__ecx =  *(__ebp - 0x58);
          							__eax =  *(__ebp - 0x4c) << 4;
          							__eflags = __eax;
          							__eax =  *(__ebp - 0x58) + __eax + 4;
          							goto L130;
          						case 0x13:
          							__eflags =  *(__ebp - 0x40);
          							if( *(__ebp - 0x40) != 0) {
          								_t469 = __ebp - 0x58;
          								 *_t469 =  *(__ebp - 0x58) + 0x204;
          								__eflags =  *_t469;
          								 *(__ebp - 0x30) = 0x10;
          								 *(__ebp - 0x40) = 8;
          								L144:
          								 *(__ebp - 0x7c) = 0x14;
          								goto L145;
          							}
          							__eax =  *(__ebp - 0x4c);
          							__ecx =  *(__ebp - 0x58);
          							__eax =  *(__ebp - 0x4c) << 4;
          							 *(__ebp - 0x30) = 8;
          							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
          							L130:
          							 *(__ebp - 0x58) = __eax;
          							 *(__ebp - 0x40) = 3;
          							goto L144;
          						case 0x14:
          							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
          							__eax =  *(__ebp - 0x80);
          							goto L140;
          						case 0x15:
          							__eax = 0;
          							__eflags =  *(__ebp - 0x38) - 7;
          							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
          							__al = __al & 0x000000fd;
          							__eax = (__eflags >= 0) - 1 + 0xb;
          							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
          							goto L120;
          						case 0x16:
          							__eax =  *(__ebp - 0x30);
          							__eflags = __eax - 4;
          							if(__eax >= 4) {
          								_push(3);
          								_pop(__eax);
          							}
          							__ecx =  *(__ebp - 4);
          							 *(__ebp - 0x40) = 6;
          							__eax = __eax << 7;
          							 *(__ebp - 0x7c) = 0x19;
          							 *(__ebp - 0x58) = __eax;
          							goto L145;
          						case 0x17:
          							L145:
          							__eax =  *(__ebp - 0x40);
          							 *(__ebp - 0x50) = 1;
          							 *(__ebp - 0x48) =  *(__ebp - 0x40);
          							goto L149;
          						case 0x18:
          							L146:
          							__eflags =  *(__ebp - 0x6c);
          							if( *(__ebp - 0x6c) == 0) {
          								 *(__ebp - 0x88) = 0x18;
          								goto L170;
          							}
          							__ecx =  *(__ebp - 0x70);
          							__eax =  *(__ebp - 0xc);
          							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          							_t484 = __ebp - 0x70;
          							 *_t484 =  *(__ebp - 0x70) + 1;
          							__eflags =  *_t484;
          							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          							L148:
          							_t487 = __ebp - 0x48;
          							 *_t487 =  *(__ebp - 0x48) - 1;
          							__eflags =  *_t487;
          							L149:
          							__eflags =  *(__ebp - 0x48);
          							if( *(__ebp - 0x48) <= 0) {
          								__ecx =  *(__ebp - 0x40);
          								__ebx =  *(__ebp - 0x50);
          								0 = 1;
          								__eax = 1 << __cl;
          								__ebx =  *(__ebp - 0x50) - (1 << __cl);
          								__eax =  *(__ebp - 0x7c);
          								 *(__ebp - 0x44) = __ebx;
          								goto L140;
          							}
          							__eax =  *(__ebp - 0x50);
          							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
          							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
          							__eax =  *(__ebp - 0x58);
          							__esi = __edx + __eax;
          							 *(__ebp - 0x54) = __esi;
          							__ax =  *__esi;
          							__edi = __ax & 0x0000ffff;
          							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
          							__eflags =  *(__ebp - 0xc) - __ecx;
          							if( *(__ebp - 0xc) >= __ecx) {
          								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          								__cx = __ax;
          								__cx = __ax >> 5;
          								__eax = __eax - __ecx;
          								__edx = __edx + 1;
          								__eflags = __edx;
          								 *__esi = __ax;
          								 *(__ebp - 0x50) = __edx;
          							} else {
          								 *(__ebp - 0x10) = __ecx;
          								0x800 = 0x800 - __edi;
          								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
          								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
          								 *__esi = __cx;
          							}
          							__eflags =  *(__ebp - 0x10) - 0x1000000;
          							if( *(__ebp - 0x10) >= 0x1000000) {
          								goto L148;
          							} else {
          								goto L146;
          							}
          						case 0x19:
          							__eflags = __ebx - 4;
          							if(__ebx < 4) {
          								 *(__ebp - 0x2c) = __ebx;
          								L119:
          								_t393 = __ebp - 0x2c;
          								 *_t393 =  *(__ebp - 0x2c) + 1;
          								__eflags =  *_t393;
          								L120:
          								__eax =  *(__ebp - 0x2c);
          								__eflags = __eax;
          								if(__eax == 0) {
          									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
          									goto L170;
          								}
          								__eflags = __eax -  *(__ebp - 0x60);
          								if(__eax >  *(__ebp - 0x60)) {
          									goto L171;
          								}
          								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
          								__eax =  *(__ebp - 0x30);
          								_t400 = __ebp - 0x60;
          								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
          								__eflags =  *_t400;
          								goto L123;
          							}
          							__ecx = __ebx;
          							__eax = __ebx;
          							__ecx = __ebx >> 1;
          							__eax = __ebx & 0x00000001;
          							__ecx = (__ebx >> 1) - 1;
          							__al = __al | 0x00000002;
          							__eax = (__ebx & 0x00000001) << __cl;
          							__eflags = __ebx - 0xe;
          							 *(__ebp - 0x2c) = __eax;
          							if(__ebx >= 0xe) {
          								__ebx = 0;
          								 *(__ebp - 0x48) = __ecx;
          								L102:
          								__eflags =  *(__ebp - 0x48);
          								if( *(__ebp - 0x48) <= 0) {
          									__eax = __eax + __ebx;
          									 *(__ebp - 0x40) = 4;
          									 *(__ebp - 0x2c) = __eax;
          									__eax =  *(__ebp - 4);
          									__eax =  *(__ebp - 4) + 0x644;
          									__eflags = __eax;
          									L108:
          									__ebx = 0;
          									 *(__ebp - 0x58) = __eax;
          									 *(__ebp - 0x50) = 1;
          									 *(__ebp - 0x44) = 0;
          									 *(__ebp - 0x48) = 0;
          									L112:
          									__eax =  *(__ebp - 0x40);
          									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
          									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
          										_t391 = __ebp - 0x2c;
          										 *_t391 =  *(__ebp - 0x2c) + __ebx;
          										__eflags =  *_t391;
          										goto L119;
          									}
          									__eax =  *(__ebp - 0x50);
          									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
          									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
          									__eax =  *(__ebp - 0x58);
          									__esi = __edi + __eax;
          									 *(__ebp - 0x54) = __esi;
          									__ax =  *__esi;
          									__ecx = __ax & 0x0000ffff;
          									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
          									__eflags =  *(__ebp - 0xc) - __edx;
          									if( *(__ebp - 0xc) >= __edx) {
          										__ecx = 0;
          										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
          										__ecx = 1;
          										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
          										__ebx = 1;
          										__ecx =  *(__ebp - 0x48);
          										__ebx = 1 << __cl;
          										__ecx = 1 << __cl;
          										__ebx =  *(__ebp - 0x44);
          										__ebx =  *(__ebp - 0x44) | __ecx;
          										__cx = __ax;
          										__cx = __ax >> 5;
          										__eax = __eax - __ecx;
          										__edi = __edi + 1;
          										__eflags = __edi;
          										 *(__ebp - 0x44) = __ebx;
          										 *__esi = __ax;
          										 *(__ebp - 0x50) = __edi;
          									} else {
          										 *(__ebp - 0x10) = __edx;
          										0x800 = 0x800 - __ecx;
          										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
          										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
          										 *__esi = __dx;
          									}
          									__eflags =  *(__ebp - 0x10) - 0x1000000;
          									if( *(__ebp - 0x10) >= 0x1000000) {
          										L111:
          										_t368 = __ebp - 0x48;
          										 *_t368 =  *(__ebp - 0x48) + 1;
          										__eflags =  *_t368;
          										goto L112;
          									} else {
          										goto L109;
          									}
          								}
          								__ecx =  *(__ebp - 0xc);
          								__ebx = __ebx + __ebx;
          								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
          								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
          								 *(__ebp - 0x44) = __ebx;
          								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
          									__ecx =  *(__ebp - 0x10);
          									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
          									__ebx = __ebx | 0x00000001;
          									__eflags = __ebx;
          									 *(__ebp - 0x44) = __ebx;
          								}
          								__eflags =  *(__ebp - 0x10) - 0x1000000;
          								if( *(__ebp - 0x10) >= 0x1000000) {
          									L101:
          									_t338 = __ebp - 0x48;
          									 *_t338 =  *(__ebp - 0x48) - 1;
          									__eflags =  *_t338;
          									goto L102;
          								} else {
          									goto L99;
          								}
          							}
          							__edx =  *(__ebp - 4);
          							__eax = __eax - __ebx;
          							 *(__ebp - 0x40) = __ecx;
          							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
          							goto L108;
          						case 0x1a:
          							goto L55;
          						case 0x1b:
          							L75:
          							__eflags =  *(__ebp - 0x64);
          							if( *(__ebp - 0x64) == 0) {
          								 *(__ebp - 0x88) = 0x1b;
          								goto L170;
          							}
          							__eax =  *(__ebp - 0x14);
          							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
          							__eflags = __eax -  *(__ebp - 0x74);
          							if(__eax >=  *(__ebp - 0x74)) {
          								__eax = __eax +  *(__ebp - 0x74);
          								__eflags = __eax;
          							}
          							__edx =  *(__ebp - 8);
          							__cl =  *(__eax + __edx);
          							__eax =  *(__ebp - 0x14);
          							 *(__ebp - 0x5c) = __cl;
          							 *(__eax + __edx) = __cl;
          							__eax = __eax + 1;
          							__edx = 0;
          							_t274 = __eax %  *(__ebp - 0x74);
          							__eax = __eax /  *(__ebp - 0x74);
          							__edx = _t274;
          							__eax =  *(__ebp - 0x68);
          							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
          							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
          							_t283 = __ebp - 0x64;
          							 *_t283 =  *(__ebp - 0x64) - 1;
          							__eflags =  *_t283;
          							 *( *(__ebp - 0x68)) = __cl;
          							goto L79;
          						case 0x1c:
          							while(1) {
          								L123:
          								__eflags =  *(__ebp - 0x64);
          								if( *(__ebp - 0x64) == 0) {
          									break;
          								}
          								__eax =  *(__ebp - 0x14);
          								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
          								__eflags = __eax -  *(__ebp - 0x74);
          								if(__eax >=  *(__ebp - 0x74)) {
          									__eax = __eax +  *(__ebp - 0x74);
          									__eflags = __eax;
          								}
          								__edx =  *(__ebp - 8);
          								__cl =  *(__eax + __edx);
          								__eax =  *(__ebp - 0x14);
          								 *(__ebp - 0x5c) = __cl;
          								 *(__eax + __edx) = __cl;
          								__eax = __eax + 1;
          								__edx = 0;
          								_t414 = __eax %  *(__ebp - 0x74);
          								__eax = __eax /  *(__ebp - 0x74);
          								__edx = _t414;
          								__eax =  *(__ebp - 0x68);
          								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
          								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
          								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
          								__eflags =  *(__ebp - 0x30);
          								 *( *(__ebp - 0x68)) = __cl;
          								 *(__ebp - 0x14) = __edx;
          								if( *(__ebp - 0x30) > 0) {
          									continue;
          								} else {
          									goto L80;
          								}
          							}
          							 *(__ebp - 0x88) = 0x1c;
          							goto L170;
          					}
          				}
          			}













          0x00000000
          0x00000000
          0x0040678c
          0x0040678f
          0x00000000
          0x00000000
          0x004063c6
          0x004063c8
          0x004063cf
          0x004063d0
          0x004063d2
          0x004063d5
          0x00000000
          0x00000000
          0x004063dd
          0x004063e0
          0x004063e3
          0x004063e5
          0x004063e7
          0x004063e7
          0x004063e8
          0x004063eb
          0x004063f2
          0x004063f5
          0x00406403
          0x00000000
          0x00000000
          0x004066d9
          0x004066d9
          0x004066dc
          0x004066e3
          0x00000000
          0x00000000
          0x004066e8
          0x004066e8
          0x004066ec
          0x00406824
          0x00000000
          0x00406824
          0x004066f2
          0x004066f5
          0x004066f8
          0x004066fc
          0x004066ff
          0x00406705
          0x00406707
          0x00406707
          0x00406707
          0x0040670a
          0x0040670d
          0x0040670d
          0x0040670d
          0x0040670d
          0x00406710
          0x00406710
          0x00406714
          0x00406774
          0x00406777
          0x0040677c
          0x0040677d
          0x0040677f
          0x00406781
          0x00406784
          0x00000000
          0x00406784
          0x00406716
          0x0040671c
          0x0040671f
          0x00406722
          0x00406725
          0x00406728
          0x0040672b
          0x0040672e
          0x00406731
          0x00406734
          0x00406737
          0x00406750
          0x00406753
          0x00406756
          0x00406759
          0x0040675d
          0x0040675f
          0x0040675f
          0x00406760
          0x00406763
          0x00406739
          0x00406739
          0x00406741
          0x00406746
          0x00406748
          0x0040674b
          0x0040674b
          0x00406766
          0x0040676d
          0x00000000
          0x0040676f
          0x00000000
          0x0040676f
          0x00000000
          0x0040640b
          0x0040640e
          0x00406444
          0x00406574
          0x00406574
          0x00406574
          0x00406574
          0x00406577
          0x00406577
          0x0040657a
          0x0040657c
          0x00406806
          0x00000000
          0x00406806
          0x00406582
          0x00406585
          0x00000000
          0x00000000
          0x0040658b
          0x0040658f
          0x00406592
          0x00406592
          0x00406592
          0x00000000
          0x00406592
          0x00406410
          0x00406412
          0x00406414
          0x00406416
          0x00406419
          0x0040641a
          0x0040641c
          0x0040641e
          0x00406421
          0x00406424
          0x0040643a
          0x0040643f
          0x00406477
          0x00406477
          0x0040647b
          0x004064a7
          0x004064a9
          0x004064b0
          0x004064b3
          0x004064b6
          0x004064b6
          0x004064bb
          0x004064bb
          0x004064bd
          0x004064c0
          0x004064c7
          0x004064ca
          0x004064f7
          0x004064f7
          0x004064fa
          0x004064fd
          0x00406571
          0x00406571
          0x00406571
          0x00000000
          0x00406571
          0x004064ff
          0x00406505
          0x00406508
          0x0040650b
          0x0040650e
          0x00406511
          0x00406514
          0x00406517
          0x0040651a
          0x0040651d
          0x00406520
          0x00406539
          0x0040653b
          0x0040653e
          0x0040653f
          0x00406542
          0x00406544
          0x00406547
          0x00406549
          0x0040654b
          0x0040654e
          0x00406550
          0x00406553
          0x00406557
          0x00406559
          0x00406559
          0x0040655a
          0x0040655d
          0x00406560
          0x00406522
          0x00406522
          0x0040652a
          0x0040652f
          0x00406531
          0x00406534
          0x00406534
          0x00406563
          0x0040656a
          0x004064f4
          0x004064f4
          0x004064f4
          0x004064f4
          0x00000000
          0x0040656c
          0x00000000
          0x0040656c
          0x0040656a
          0x0040647d
          0x00406480
          0x00406482
          0x00406485
          0x00406488
          0x0040648b
          0x0040648d
          0x00406490
          0x00406493
          0x00406493
          0x00406496
          0x00406496
          0x00406499
          0x004064a0
          0x00406474
          0x00406474
          0x00406474
          0x00406474
          0x00000000
          0x004064a2
          0x00000000
          0x004064a2
          0x004064a0
          0x00406426
          0x00406429
          0x0040642b
          0x0040642e
          0x00000000
          0x00000000
          0x00000000
          0x00000000
          0x00406318
          0x00406318
          0x0040631c
          0x004067e2
          0x00000000
          0x004067e2
          0x00406322
          0x00406325
          0x00406328
          0x0040632b
          0x0040632d
          0x0040632d
          0x0040632d
          0x00406330
          0x00406333
          0x00406336
          0x00406339
          0x0040633c
          0x0040633f
          0x00406340
          0x00406342
          0x00406342
          0x00406342
          0x00406345
          0x00406348
          0x0040634b
          0x0040634e
          0x0040634e
          0x0040634e
          0x00406351
          0x00000000
          0x00000000
          0x00406595
          0x00406595
          0x00406595
          0x00406599
          0x00000000
          0x00000000
          0x0040659f
          0x004065a2
          0x004065a5
          0x004065a8
          0x004065aa
          0x004065aa
          0x004065aa
          0x004065ad
          0x004065b0
          0x004065b3
          0x004065b6
          0x004065b9
          0x004065bc
          0x004065bd
          0x004065bf
          0x004065bf
          0x004065bf
          0x004065c2
          0x004065c5
          0x004065c8
          0x004065cb
          0x004065ce
          0x004065d2
          0x004065d4
          0x004065d7
          0x00000000
          0x004065d9
          0x00000000
          0x004065d9
          0x004065d7
          0x0040680c
          0x00000000
          0x00000000
          0x00405e3b

          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
          • Instruction ID: ffbedf2a53f09e030cb941e21afd419a8c3069ec791793070072d3341ca218b9
          • Opcode Fuzzy Hash: 9b666163c1661dbd9b8a2e81cbf380ba9933516b4cb578f4d51b52d9bda143bb
          • Instruction Fuzzy Hash: 17F16571D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A86CF44
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
          • LoadLibraryA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D1C
          • GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: AddressHandleLibraryLoadModuleProc
          • String ID:
          • API String ID: 310444273-0
          • Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
          • Instruction ID: d69b72dbe4010a9b48e4a262f362438d38f190b8a9031efe6831075815a54aa0
          • Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
          • Instruction Fuzzy Hash: 5DE08C32A04610BBD3215B20AE0896B73A8EED9B403004C7EF615F6251D734AC11DBBA
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindFirstFileA.KERNEL32(?,004224C8,00421880,004055F4,00421880,00421880,00000000,00421880,00421880,?,?,00000000,00405316,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 00405CE3
          • FindClose.KERNEL32(00000000), ref: 00405CEF
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Find$CloseFileFirst
          • String ID:
          • API String ID: 2295610775-0
          • Opcode ID: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
          • Instruction ID: 9a18407f5d3c0b203e51d924b64f4f6f4a008a27543408caa796c3d3b713bef8
          • Opcode Fuzzy Hash: eaa6d706d35b9193dbeff2470bba944fadabcf5bc74d52a04f68ed274a91c94e
          • Instruction Fuzzy Hash: 91D0C93594D620ABD6012728AD0884B6A589B153317508B32F46AE22E0C7748C529AA9
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 84%
          			E004038BC(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
          				struct HWND__* _v32;
          				void* _v84;
          				void* _v88;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				signed int _t35;
          				signed int _t37;
          				signed int _t39;
          				intOrPtr _t44;
          				struct HWND__* _t49;
          				signed int _t67;
          				struct HWND__* _t73;
          				signed int _t86;
          				struct HWND__* _t91;
          				signed int _t99;
          				int _t103;
          				signed int _t115;
          				signed int _t116;
          				int _t117;
          				signed int _t122;
          				struct HWND__* _t125;
          				struct HWND__* _t126;
          				int _t127;
          				long _t130;
          				int _t132;
          				int _t133;
          				void* _t134;
          				void* _t142;
          
          				_t115 = _a8;
          				if(_t115 == 0x110 || _t115 == 0x408) {
          					_t35 = _a12;
          					_t125 = _a4;
          					__eflags = _t115 - 0x110;
          					 *0x42045c = _t35;
          					if(_t115 == 0x110) {
          						 *0x423e88 = _t125;
          						 *0x420470 = GetDlgItem(_t125, 1);
          						_t91 = GetDlgItem(_t125, 2);
          						_push(0xffffffff);
          						_push(0x1c);
          						 *0x41f438 = _t91;
          						E00403D8F(_t125);
          						SetClassLongA(_t125, 0xfffffff2,  *0x423668); // executed
          						 *0x42364c = E0040140B(4);
          						_t35 = 1;
          						__eflags = 1;
          						 *0x42045c = 1;
          					}
          					_t122 =  *0x4091a4; // 0x0
          					_t133 = 0;
          					_t130 = (_t122 << 6) +  *0x423ea0;
          					__eflags = _t122;
          					if(_t122 < 0) {
          						L34:
          						E00403DDB(0x40b);
          						while(1) {
          							_t37 =  *0x42045c;
          							 *0x4091a4 =  *0x4091a4 + _t37;
          							_t130 = _t130 + (_t37 << 6);
          							_t39 =  *0x4091a4; // 0x0
          							__eflags = _t39 -  *0x423ea4; // 0x6
          							if(__eflags == 0) {
          								E0040140B(1);
          							}
          							__eflags =  *0x42364c - _t133; // 0x0
          							if(__eflags != 0) {
          								break;
          							}
          							_t44 =  *0x423ea4; // 0x6
          							__eflags =  *0x4091a4 - _t44; // 0x0
          							if(__eflags >= 0) {
          								break;
          							}
          							_t116 =  *(_t130 + 0x14);
          							E004059FF(_t116, _t125, _t130, "Click Next to continue.",  *((intOrPtr*)(_t130 + 0x24)));
          							_push( *((intOrPtr*)(_t130 + 0x20)));
          							_push(0xfffffc19);
          							E00403D8F(_t125);
          							_push( *((intOrPtr*)(_t130 + 0x1c)));
          							_push(0xfffffc1b);
          							E00403D8F(_t125);
          							_push( *((intOrPtr*)(_t130 + 0x28)));
          							_push(0xfffffc1a);
          							E00403D8F(_t125);
          							_t49 = GetDlgItem(_t125, 3);
          							__eflags =  *0x423f0c - _t133; // 0x0
          							_v32 = _t49;
          							if(__eflags != 0) {
          								_t116 = _t116 & 0x0000fefd | 0x00000004;
          								__eflags = _t116;
          							}
          							ShowWindow(_t49, _t116 & 0x00000008); // executed
          							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100); // executed
          							E00403DB1(_t116 & 0x00000002);
          							_t117 = _t116 & 0x00000004;
          							EnableWindow( *0x41f438, _t117);
          							__eflags = _t117 - _t133;
          							if(_t117 == _t133) {
          								_push(1);
          							} else {
          								_push(_t133);
          							}
          							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
          							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
          							__eflags =  *0x423f0c - _t133; // 0x0
          							if(__eflags == 0) {
          								_push( *0x420470);
          							} else {
          								SendMessageA(_t125, 0x401, 2, _t133);
          								_push( *0x41f438);
          							}
          							E00403DC4();
          							E004059DD(0x420478, "SmartPSS 2.002.0000007.0 Setup");
          							E004059FF(0x420478, _t125, _t130,  &(0x420478[lstrlenA(0x420478)]),  *((intOrPtr*)(_t130 + 0x18)));
          							SetWindowTextA(_t125, 0x420478); // executed
          							_push(_t133);
          							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
          							__eflags = _t67;
          							if(_t67 != 0) {
          								continue;
          							} else {
          								__eflags =  *_t130 - _t133;
          								if( *_t130 == _t133) {
          									continue;
          								}
          								__eflags =  *(_t130 + 4) - 5;
          								if( *(_t130 + 4) != 5) {
          									DestroyWindow( *0x423658);
          									 *0x41fc48 = _t130;
          									__eflags =  *_t130 - _t133;
          									if( *_t130 <= _t133) {
          										goto L58;
          									}
          									_t73 = CreateDialogParamA( *0x423e80,  *_t130 +  *0x423660 & 0x0000ffff, _t125,  *(0x4091a8 +  *(_t130 + 4) * 4), _t130);
          									__eflags = _t73 - _t133;
          									 *0x423658 = _t73;
          									if(_t73 == _t133) {
          										goto L58;
          									}
          									_push( *((intOrPtr*)(_t130 + 0x2c)));
          									_push(6);
          									E00403D8F(_t73);
          									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
          									ScreenToClient(_t125, _t134 + 0x10);
          									SetWindowPos( *0x423658, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
          									_push(_t133);
          									E00401389( *((intOrPtr*)(_t130 + 0xc)));
          									__eflags =  *0x42364c - _t133; // 0x0
          									if(__eflags != 0) {
          										goto L61;
          									}
          									ShowWindow( *0x423658, 8);
          									E00403DDB(0x405);
          									goto L58;
          								}
          								__eflags =  *0x423f0c - _t133; // 0x0
          								if(__eflags != 0) {
          									goto L61;
          								}
          								__eflags =  *0x423f00 - _t133; // 0x0
          								if(__eflags != 0) {
          									continue;
          								}
          								goto L61;
          							}
          						}
          						DestroyWindow( *0x423658);
          						 *0x423e88 = _t133;
          						EndDialog(_t125,  *0x41f840);
          						goto L58;
          					} else {
          						__eflags = _t35 - 1;
          						if(_t35 != 1) {
          							L33:
          							__eflags =  *_t130 - _t133;
          							if( *_t130 == _t133) {
          								goto L61;
          							}
          							goto L34;
          						}
          						_push(0);
          						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
          						__eflags = _t86;
          						if(_t86 == 0) {
          							goto L33;
          						}
          						SendMessageA( *0x423658, 0x40f, 0, 1);
          						__eflags =  *0x42364c - _t133; // 0x0
          						return 0 | __eflags == 0x00000000;
          					}
          				} else {
          					_t125 = _a4;
          					_t133 = 0;
          					if(_t115 == 0x47) {
          						SetWindowPos( *0x420450, _t125, 0, 0, 0, 0, 0x13);
          					}
          					if(_t115 == 5) {
          						asm("sbb eax, eax");
          						ShowWindow( *0x420450,  ~(_a12 - 1) & _t115); // executed
          					}
          					if(_t115 != 0x40d) {
          						__eflags = _t115 - 0x11;
          						if(_t115 != 0x11) {
          							__eflags = _t115 - 0x111;
          							if(_t115 != 0x111) {
          								L26:
          								return E00403DF6(_t115, _a12, _a16);
          							}
          							_t132 = _a12 & 0x0000ffff;
          							_t126 = GetDlgItem(_t125, _t132);
          							__eflags = _t126 - _t133;
          							if(_t126 == _t133) {
          								L13:
          								__eflags = _t132 - 1;
          								if(_t132 != 1) {
          									__eflags = _t132 - 3;
          									if(_t132 != 3) {
          										_t127 = 2;
          										__eflags = _t132 - _t127;
          										if(_t132 != _t127) {
          											L25:
          											SendMessageA( *0x423658, 0x111, _a12, _a16);
          											goto L26;
          										}
          										__eflags =  *0x423f0c - _t133; // 0x0
          										if(__eflags == 0) {
          											_t99 = E0040140B(3);
          											__eflags = _t99;
          											if(_t99 != 0) {
          												goto L26;
          											}
          											 *0x41f840 = 1;
          											L21:
          											_push(0x78);
          											L22:
          											E00403D68();
          											goto L26;
          										}
          										E0040140B(_t127);
          										 *0x41f840 = _t127;
          										goto L21;
          									}
          									__eflags =  *0x4091a4 - _t133; // 0x0
          									if(__eflags <= 0) {
          										goto L25;
          									}
          									_push(0xffffffff);
          									goto L22;
          								}
          								_push(_t132);
          								goto L22;
          							}
          							SendMessageA(_t126, 0xf3, _t133, _t133);
          							_t103 = IsWindowEnabled(_t126);
          							__eflags = _t103;
          							if(_t103 == 0) {
          								goto L61;
          							}
          							goto L13;
          						}
          						SetWindowLongA(_t125, _t133, _t133);
          						return 1;
          					} else {
          						DestroyWindow( *0x423658); // executed
          						 *0x423658 = _a12;
          						L58:
          						if( *0x421478 == _t133) {
          							_t142 =  *0x423658 - _t133; // 0x20198
          							if(_t142 != 0) {
          								ShowWindow(_t125, 0xa); // executed
          								 *0x421478 = 1;
          							}
          						}
          						L61:
          						return 0;
          					}
          				}
          			}

          APIs
          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038F8
          • ShowWindow.USER32(?), ref: 00403915
          • DestroyWindow.USER32 ref: 00403929
          • SetWindowLongA.USER32 ref: 00403945
          • GetDlgItem.USER32 ref: 00403966
          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040397A
          • IsWindowEnabled.USER32(00000000), ref: 00403981
          • GetDlgItem.USER32 ref: 00403A2F
          • GetDlgItem.USER32 ref: 00403A39
          • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403A53
          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AA4
          • GetDlgItem.USER32 ref: 00403B4A
          • ShowWindow.USER32(00000000,?), ref: 00403B6B
          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403B7D
          • EnableWindow.USER32(?,?), ref: 00403B98
          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BAE
          • EnableMenuItem.USER32 ref: 00403BB5
          • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BCD
          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BE0
          • lstrlenA.KERNEL32(00420478,?,00420478,SmartPSS 2.002.0000007.0 Setup), ref: 00403C09
          • SetWindowTextA.USER32(?,00420478), ref: 00403C18
          • ShowWindow.USER32(?,0000000A), ref: 00403D4C
          Strings
          • SmartPSS 2.002.0000007.0 Setup, xrefs: 00403BFA
          • Click Next to continue., xrefs: 00403B13
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
          • String ID: Click Next to continue.$SmartPSS 2.002.0000007.0 Setup
          • API String ID: 3906175533-1734983454
          • Opcode ID: a36106c2b4bf7a61c516ecf05d7c7cb4784be2155d7523413b8bca70cf2e36d9
          • Instruction ID: 874aaf0cc80a4ada72e8b6aceb9d73cb056a569e4b675a7f159d56e4bf17f1bf
          • Opcode Fuzzy Hash: a36106c2b4bf7a61c516ecf05d7c7cb4784be2155d7523413b8bca70cf2e36d9
          • Instruction Fuzzy Hash: F9C18E71A04204BBDB206F21ED85E2B3E7CEB05746F40453EF641B52F1C779AA429B2E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 257 403526-40353e call 405cff 260 403540-403550 call 40593b 257->260 261 403552-403579 call 4058c4 257->261 270 40359c-4035c5 call 4037ef call 4055b1 260->270 266 403591-403597 lstrcatA 261->266 267 40357b-40358c call 4058c4 261->267 266->270 267->266 275 4035cb-4035d0 270->275 276 40364c-403654 call 4055b1 270->276 275->276 277 4035d2-4035ea call 4058c4 275->277 282 403662-403687 LoadImageA 276->282 283 403656-40365d call 4059ff 276->283 281 4035ef-4035f6 277->281 281->276 284 4035f8-4035fa 281->284 286 403716-40371e call 40140b 282->286 287 40368d-4036c3 RegisterClassA 282->287 283->282 288 40360b-403617 lstrlenA 284->288 289 4035fc-403609 call 4054fb 284->289 298 403720-403723 286->298 299 403728-403733 call 4037ef 286->299 290 4037e5 287->290 291 4036c9-403711 SystemParametersInfoA CreateWindowExA 287->291 295 403619-403627 lstrcmpiA 288->295 296 40363f-403647 call 4054d0 call 4059dd 288->296 289->288 293 4037e7-4037ee 290->293 291->286 295->296 302 403629-403633 GetFileAttributesA 295->302 296->276 298->293 310 403739-403756 ShowWindow LoadLibraryA 299->310 311 4037bc-4037c4 call 404e4d 299->311 305 403635-403637 302->305 306 403639-40363a call 405517 302->306 305->296 305->306 306->296 312 403758-40375d LoadLibraryA 310->312 313 40375f-403771 GetClassInfoA 310->313 318 4037c6-4037cc 311->318 319 4037de-4037e0 call 40140b 311->319 312->313 315 403773-403783 GetClassInfoA RegisterClassA 313->315 316 403789-4037ac DialogBoxParamA call 40140b 313->316 315->316 323 4037b1-4037ba call 403476 316->323 318->298 321 4037d2-4037d9 call 40140b 318->321 319->290 321->298 323->293
          C-Code - Quality: 96%
          			E00403526() {
          				intOrPtr _v4;
          				intOrPtr _v8;
          				int _v12;
          				int _v16;
          				char _v20;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				intOrPtr* _t20;
          				signed int _t24;
          				void* _t28;
          				void* _t30;
          				int _t31;
          				void* _t34;
          				struct HINSTANCE__* _t37;
          				int _t38;
          				intOrPtr _t39;
          				int _t42;
          				intOrPtr _t60;
          				char _t62;
          				CHAR* _t64;
          				signed char _t68;
          				struct HINSTANCE__* _t76;
          				CHAR* _t79;
          				intOrPtr _t81;
          				CHAR* _t86;
          
          				_t81 =  *0x423e90; // 0x687488
          				_t20 = E00405CFF(6);
          				_t88 = _t20;
          				if(_t20 == 0) {
          					_t79 = 0x420478;
          					"1033" = 0x7830;
          					E004058C4(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420478, 0);
          					__eflags =  *0x420478;
          					if(__eflags == 0) {
          						E004058C4(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420478, 0);
          					}
          					lstrcatA("1033", _t79);
          				} else {
          					E0040593B("1033",  *_t20() & 0x0000ffff);
          				}
          				E004037EF(_t76, _t88);
          				_t24 =  *0x423e98; // 0x81
          				_t85 = "C:\\Program Files (x86)\\Smart Professional Surveillance System";
          				 *0x423f00 = _t24 & 0x00000020;
          				 *0x423f1c = 0x10000;
          				if(E004055B1(_t88, "C:\\Program Files (x86)\\Smart Professional Surveillance System") != 0) {
          					L16:
          					if(E004055B1(_t96, _t85) == 0) {
          						E004059FF(0, _t79, _t81, _t85,  *((intOrPtr*)(_t81 + 0x118))); // executed
          					}
          					_t28 = LoadImageA( *0x423e80, 0x67, 1, 0, 0, 0x8040); // executed
          					 *0x423668 = _t28;
          					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
          						L21:
          						if(E0040140B(0) == 0) {
          							_t30 = E004037EF(_t76, __eflags);
          							__eflags =  *0x423f20; // 0x0
          							if(__eflags != 0) {
          								_t31 = E00404E4D(_t30, 0);
          								__eflags = _t31;
          								if(_t31 == 0) {
          									E0040140B(1);
          									goto L33;
          								}
          								__eflags =  *0x42364c; // 0x0
          								if(__eflags == 0) {
          									E0040140B(2);
          								}
          								goto L22;
          							}
          							ShowWindow( *0x420450, 5); // executed
          							_t37 = LoadLibraryA("RichEd20"); // executed
          							__eflags = _t37;
          							if(_t37 == 0) {
          								LoadLibraryA("RichEd32");
          							}
          							_t86 = "RichEdit20A";
          							_t38 = GetClassInfoA(0, _t86, 0x423620);
          							__eflags = _t38;
          							if(_t38 == 0) {
          								GetClassInfoA(0, "RichEdit", 0x423620);
          								 *0x423644 = _t86;
          								RegisterClassA(0x423620);
          							}
          							_t39 =  *0x423660; // 0x64
          							_t42 = DialogBoxParamA( *0x423e80, _t39 + 0x00000069 & 0x0000ffff, 0, E004038BC, 0); // executed
          							E00403476(E0040140B(5), 1);
          							return _t42;
          						}
          						L22:
          						_t34 = 2;
          						return _t34;
          					} else {
          						_t76 =  *0x423e80; // 0x400000
          						 *0x423634 = _t28;
          						_v20 = 0x624e5f;
          						 *0x423624 = E00401000;
          						 *0x423630 = _t76;
          						 *0x423644 =  &_v20;
          						if(RegisterClassA(0x423620) == 0) {
          							L33:
          							__eflags = 0;
          							return 0;
          						}
          						_t12 =  &_v16; // 0x624e5f
          						SystemParametersInfoA(0x30, 0, _t12, 0);
          						 *0x420450 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423e80, 0);
          						goto L21;
          					}
          				} else {
          					_t76 =  *(_t81 + 0x48);
          					if(_t76 == 0) {
          						goto L16;
          					}
          					_t60 =  *0x423eb8; // 0x6b61f8
          					_t79 = 0x422e20;
          					E004058C4( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x422e20, 0);
          					_t62 =  *0x422e20; // 0x30
          					if(_t62 == 0) {
          						goto L16;
          					}
          					if(_t62 == 0x22) {
          						_t79 = 0x422e21;
          						 *((char*)(E004054FB(0x422e21, 0x22))) = 0;
          					}
          					_t64 = lstrlenA(_t79) + _t79 - 4;
          					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
          						L15:
          						E004059DD(_t85, E004054D0(_t79));
          						goto L16;
          					} else {
          						_t68 = GetFileAttributesA(_t79);
          						if(_t68 == 0xffffffff) {
          							L14:
          							E00405517(_t79);
          							goto L15;
          						}
          						_t96 = _t68 & 0x00000010;
          						if((_t68 & 0x00000010) != 0) {
          							goto L15;
          						}
          						goto L14;
          					}
          				}
          			}


          APIs
            • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
            • Part of subcall function 00405CFF: LoadLibraryA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D1C
            • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
          • lstrcatA.KERNEL32(1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403597
          • lstrlenA.KERNEL32(0x0201,?,?,?,0x0201,00000000,C:\Program Files (x86)\Smart Professional Surveillance System,1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000,00000006,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe), ref: 0040360C
          • lstrcmpiA.KERNEL32(?,.exe,0x0201,?,?,?,0x0201,00000000,C:\Program Files (x86)\Smart Professional Surveillance System,1033,00420478,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420478,00000000), ref: 0040361F
          • GetFileAttributesA.KERNEL32(0x0201), ref: 0040362A
          • LoadImageA.USER32 ref: 00403673
            • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
          • RegisterClassA.USER32 ref: 004036BA
          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036D2
          • CreateWindowExA.USER32 ref: 0040370B
          • ShowWindow.USER32(00000005,00000000), ref: 00403741
          • LoadLibraryA.KERNEL32(RichEd20), ref: 00403752
          • LoadLibraryA.KERNEL32(RichEd32), ref: 0040375D
          • GetClassInfoA.USER32 ref: 0040376D
          • GetClassInfoA.USER32 ref: 0040377A
          • RegisterClassA.USER32 ref: 00403783
          • DialogBoxParamA.USER32 ref: 004037A2
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
          • String ID: .DEFAULT\Control Panel\International$.exe$0x0201$1033$C:\Program Files (x86)\Smart Professional Surveillance System$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
          • API String ID: 914957316-3404438993
          • Opcode ID: 965c5268411445b709751c3b8e541e8ce921e343f084eba9753039d45b44ed40
          • Instruction ID: 0f3f48bff709b167bb3a38cee6451da723a784a17f6d38f49bc0c0f1e25ee8dd
          • Opcode Fuzzy Hash: 965c5268411445b709751c3b8e541e8ce921e343f084eba9753039d45b44ed40
          • Instruction Fuzzy Hash: 9261C5B1A04200BAD6206F659C45E3B3A6DE74474AF40453FF941B62E1D67D9E028B3E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 328 402c22-402c70 GetTickCount GetModuleFileNameA call 4056b4 331 402c72-402c77 328->331 332 402c7c-402caa call 4059dd call 405517 call 4059dd GetFileSize 328->332 333 402e54-402e58 331->333 340 402cb0 332->340 341 402d97-402da5 call 402bbe 332->341 343 402cb5-402ccc 340->343 347 402da7-402daa 341->347 348 402dfa-402dff 341->348 345 402cd0-402cd2 call 40304e 343->345 346 402cce 343->346 352 402cd7-402cd9 345->352 346->345 350 402dac-402dbd call 403080 call 40304e 347->350 351 402dce-402df8 GlobalAlloc call 403080 call 402e5b 347->351 348->333 368 402dc2-402dc4 350->368 351->348 379 402e0b-402e1c 351->379 354 402e01-402e09 call 402bbe 352->354 355 402cdf-402ce6 352->355 354->348 359 402d62-402d66 355->359 360 402ce8-402cfc call 405675 355->360 364 402d70-402d76 359->364 365 402d68-402d6f call 402bbe 359->365 360->364 377 402cfe-402d05 360->377 370 402d85-402d8f 364->370 371 402d78-402d82 call 405d6b 364->371 365->364 368->348 374 402dc6-402dcc 368->374 370->343 378 402d95 370->378 371->370 374->348 374->351 377->364 383 402d07-402d0e 377->383 378->341 380 402e24-402e29 379->380 381 402e1e 379->381 384 402e2a-402e30 380->384 381->380 383->364 385 402d10-402d17 383->385 384->384 386 402e32-402e4d SetFilePointer call 405675 384->386 385->364 387 402d19-402d20 385->387 391 402e52 386->391 387->364 388 402d22-402d42 387->388 388->348 390 402d48-402d4c 388->390 392 402d54-402d5c 390->392 393 402d4e-402d52 390->393 391->333 392->364 394 402d5e-402d60 392->394 393->378 393->392 394->364
          C-Code - Quality: 80%
          			E00402C22(void* __eflags, signed int _a4) {
          				DWORD* _v8;
          				DWORD* _v12;
          				void* _v16;
          				intOrPtr _v20;
          				long _v24;
          				intOrPtr _v28;
          				intOrPtr _v32;
          				intOrPtr _v36;
          				intOrPtr _v40;
          				signed int _v44;
          				long _t43;
          				signed int _t50;
          				void* _t53;
          				signed int _t54;
          				void* _t57;
          				intOrPtr* _t59;
          				long _t60;
          				signed int _t65;
          				signed int _t67;
          				signed int _t70;
          				signed int _t71;
          				signed int _t77;
          				intOrPtr _t80;
          				long _t82;
          				signed int _t85;
          				signed int _t87;
          				void* _t89;
          				signed int _t90;
          				signed int _t93;
          				void* _t94;
          
          				_t82 = 0;
          				_v12 = 0;
          				_v8 = 0;
          				_t43 = GetTickCount();
          				_t91 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe";
          				 *0x423e8c = _t43 + 0x3e8;
          				GetModuleFileNameA(0, "C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe", 0x400);
          				_t89 = E004056B4(_t91, 0x80000000, 3);
          				_v16 = _t89;
          				 *0x409014 = _t89;
          				if(_t89 == 0xffffffff) {
          					return "Error launching installer";
          				}
          				_t92 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023";
          				E004059DD("C:\\Users\\hardz\\AppData\\Local\\Temp\\j3sovef2.qui\\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023", _t91);
          				E004059DD("SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe", E00405517(_t92));
          				_t50 = GetFileSize(_t89, 0);
          				__eflags = _t50;
          				 *0x41f028 = _t50;
          				_t93 = _t50;
          				if(_t50 <= 0) {
          					L24:
          					E00402BBE(1);
          					__eflags =  *0x423e94 - _t82; // 0x39600
          					if(__eflags == 0) {
          						goto L29;
          					}
          					__eflags = _v8 - _t82;
          					if(_v8 == _t82) {
          						L28:
          						_t53 = GlobalAlloc(0x40, _v24); // executed
          						_t94 = _t53;
          						_t54 =  *0x423e94; // 0x39600
          						E00403080(_t54 + 0x1c);
          						_push(_v24);
          						_push(_t94);
          						_push(_t82);
          						_push(0xffffffff); // executed
          						_t57 = E00402E5B(); // executed
          						__eflags = _t57 - _v24;
          						if(_t57 == _v24) {
          							__eflags = _v44 & 0x00000001;
          							 *0x423e90 = _t94;
          							 *0x423e98 =  *_t94;
          							if((_v44 & 0x00000001) != 0) {
          								 *0x423e9c =  *0x423e9c + 1;
          								__eflags =  *0x423e9c;
          							}
          							_t40 = _t94 + 0x44; // 0x44
          							_t59 = _t40;
          							_t85 = 8;
          							do {
          								_t59 = _t59 - 8;
          								 *_t59 =  *_t59 + _t94;
          								_t85 = _t85 - 1;
          								__eflags = _t85;
          							} while (_t85 != 0);
          							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
          							 *(_t94 + 0x3c) = _t60;
          							E00405675(0x423ea0, _t94 + 4, 0x40);
          							__eflags = 0;
          							return 0;
          						}
          						goto L29;
          					}
          					E00403080( *0x40b018);
          					_t65 = E0040304E( &_a4, 4); // executed
          					__eflags = _t65;
          					if(_t65 == 0) {
          						goto L29;
          					}
          					__eflags = _v12 - _a4;
          					if(_v12 != _a4) {
          						goto L29;
          					}
          					goto L28;
          				} else {
          					do {
          						_t67 =  *0x423e94; // 0x39600
          						_t90 = _t93;
          						asm("sbb eax, eax");
          						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
          						__eflags = _t93 - _t70;
          						if(_t93 >= _t70) {
          							_t90 = _t70;
          						}
          						_t71 = E0040304E(0x417028, _t90); // executed
          						__eflags = _t71;
          						if(_t71 == 0) {
          							E00402BBE(1);
          							L29:
          							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
          						}
          						__eflags =  *0x423e94;
          						if( *0x423e94 != 0) {
          							__eflags = _a4 & 0x00000002;
          							if((_a4 & 0x00000002) == 0) {
          								E00402BBE(0);
          							}
          							goto L20;
          						}
          						E00405675( &_v44, 0x417028, 0x1c);
          						_t77 = _v44;
          						__eflags = _t77 & 0xfffffff0;
          						if((_t77 & 0xfffffff0) != 0) {
          							goto L20;
          						}
          						__eflags = _v40 - 0xdeadbeef;
          						if(_v40 != 0xdeadbeef) {
          							goto L20;
          						}
          						__eflags = _v28 - 0x74736e49;
          						if(_v28 != 0x74736e49) {
          							goto L20;
          						}
          						__eflags = _v32 - 0x74666f73;
          						if(_v32 != 0x74666f73) {
          							goto L20;
          						}
          						__eflags = _v36 - 0x6c6c754e;
          						if(_v36 != 0x6c6c754e) {
          							goto L20;
          						}
          						_a4 = _a4 | _t77;
          						_t87 =  *0x40b018; // 0x7eeceb1
          						 *0x423f20 =  *0x423f20 | _a4 & 0x00000002;
          						_t80 = _v20;
          						__eflags = _t80 - _t93;
          						 *0x423e94 = _t87;
          						if(_t80 > _t93) {
          							goto L29;
          						}
          						__eflags = _a4 & 0x00000008;
          						if((_a4 & 0x00000008) != 0) {
          							L16:
          							_v8 = _v8 + 1;
          							_t24 = _t80 - 4; // 0x40915c
          							_t93 = _t24;
          							__eflags = _t90 - _t93;
          							if(_t90 > _t93) {
          								_t90 = _t93;
          							}
          							goto L20;
          						}
          						__eflags = _a4 & 0x00000004;
          						if((_a4 & 0x00000004) != 0) {
          							break;
          						}
          						goto L16;
          						L20:
          						__eflags = _t93 -  *0x41f028;
          						if(_t93 <  *0x41f028) {
          							_v12 = E00405D6B(_v12, 0x417028, _t90);
          						}
          						 *0x40b018 =  *0x40b018 + _t90;
          						_t93 = _t93 - _t90;
          						__eflags = _t93;
          					} while (_t93 > 0);
          					_t82 = 0;
          					__eflags = 0;
          					goto L24;
          				}
          			}


          APIs
          • GetTickCount.KERNEL32 ref: 00402C33
          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000400), ref: 00402C4F
            • Part of subcall function 004056B4: GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,80000000,00000003), ref: 004056B8
            • Part of subcall function 004056B4: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA
          • GetFileSize.KERNEL32(00000000,00000000,SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,80000000,00000003), ref: 00402C9B
          Strings
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
          • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023, xrefs: 00402C7D, 00402C82, 00402C88
          • Inst, xrefs: 00402D07
          • soft, xrefs: 00402D10
          • DlV, xrefs: 00402C4A
          • SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 00402C8F
          • Null, xrefs: 00402D19
          • Error launching installer, xrefs: 00402C72
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 00402C2C
          • (pA, xrefs: 00402CB0
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: File$AttributesCountCreateModuleNameSizeTick
          • String ID: (pA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$DlV$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$soft
          • API String ID: 4283519449-2035083089
          • Opcode ID: f0b155bb72d4673e8e2538c02c47e4f576f948850c8845f4e559d72db7119d93
          • Instruction ID: bb8333a86194dcf573844375b596ab0c7c07cd824b72df89bd2f0bbec4532e5a
          • Opcode Fuzzy Hash: f0b155bb72d4673e8e2538c02c47e4f576f948850c8845f4e559d72db7119d93
          • Instruction Fuzzy Hash: 21511971A00214ABDB209F65DE89B9E7BB4EF04319F10403BF904B62D1D7BC9E458BAD
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 100%
          			E042F1120() {
          				intOrPtr* _t47;
          				void* _t48;
          				long _t50;
          				intOrPtr _t51;
          				int _t56;
          				intOrPtr _t68;
          				void* _t81;
          				signed int _t82;
          				signed int _t83;
          				intOrPtr _t87;
          				void* _t88;
          				void* _t89;
          				void* _t90;
          				void* _t91;
          				void* _t92;
          
          				_t88 = GetPropA( *(_t89 + 0x14), "WP:nsWnd");
          				_t82 =  *(_t88 + 4);
          				 *(_t89 + 0x10) =  *_t88;
          				if(_t82 != 0xffffffff) {
          					wsprintfA(_t89 + 0x18, 0x42f2028,  *((intOrPtr*)(_t89 + 0x24)));
          					_t89 = _t89 + 0xc;
          					lstrcpyA( *0x42f300c * _t82 +  *0x42f3010, _t89 + 0x14);
          					_t83 = _t82 + 1;
          				} else {
          					_t83 = 0x20;
          				}
          				wsprintfA(_t89 + 0x18, 0x42f2028,  *((intOrPtr*)(_t89 + 0x28)));
          				_t90 = _t89 + 0xc;
          				lstrcpyA( *0x42f300c * _t83 +  *0x42f3010, _t90 + 0x14);
          				wsprintfA(_t90 + 0x18, 0x42f2028,  *((intOrPtr*)(_t90 + 0x2c)));
          				_t91 = _t90 + 0xc;
          				lstrcpyA((_t83 + 1) *  *0x42f300c +  *0x42f3010, _t91 + 0x14);
          				wsprintfA(_t91 + 0x18, 0x42f2028,  *((intOrPtr*)(_t91 + 0x30)));
          				_t92 = _t91 + 0xc;
          				lstrcpyA((_t83 + 2) *  *0x42f300c +  *0x42f3010, _t92 + 0x14);
          				_t47 =  *0x42f3004;
          				_t87 =  *((intOrPtr*)( *_t47 + 0x2c));
          				_t48 =  *((intOrPtr*)(_t47 + 4))( *((intOrPtr*)(_t88 + 8)), 0);
          				_t56 =  *(_t92 + 0x28);
          				_t81 = _t48;
          				if(_t56 == 0x82) {
          					SetWindowLongA( *(_t92 + 0x24), 0xfffffffc,  *(_t92 + 0x10));
          					GlobalFree(_t88);
          				}
          				if(_t81 == 0) {
          					_t50 = CallWindowProcA( *(_t92 + 0x14),  *(_t92 + 0x24), _t56,  *(_t92 + 0x2c),  *(_t92 + 0x30)); // executed
          					return _t50;
          				} else {
          					_t68 =  *((intOrPtr*)( *0x42f3004));
          					_t51 =  *((intOrPtr*)(_t68 + 0x2c));
          					if(_t51 == _t87 && _t87 == 0xffffffff) {
          						_t51 = 0;
          					}
          					 *((intOrPtr*)(_t68 + 0x2c)) = _t87;
          					return _t51;
          				}
          			}


          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1467866291.00000000042F1000.00000020.00020000.sdmp, Offset: 042F0000, based on PE: true
          • Associated: 0000001A.00000002.1467802165.00000000042F0000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1467915407.00000000042F2000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1467962244.00000000042F4000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_42f0000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: lstrcpywsprintf$Window$CallFreeGlobalLongProcProp
          • String ID: WP:nsWnd
          • API String ID: 1027557982-992998857
          • Opcode ID: 4a5dd344b4a9505181b801ee93417dac6c9ee0777ac76f37a847c1ffc5397a43
          • Instruction ID: 9de0e77638f99f6c13571d8fa84b8e78c082762ed6e42b2caec44165722e70ba
          • Opcode Fuzzy Hash: 4a5dd344b4a9505181b801ee93417dac6c9ee0777ac76f37a847c1ffc5397a43
          • Instruction Fuzzy Hash: 4F417F76704210EBC310DF58EC84D6BB7A9EB98720F844A6EFE5597280D735ED05CBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 95%
          			E03081D3B() {
          				void* _v8;
          				signed int _v12;
          				signed int _v16;
          				signed int _v20;
          				CHAR* _v24;
          				CHAR* _v28;
          				signed int _v32;
          				signed int _v36;
          				signed int _v40;
          				CHAR* _v44;
          				intOrPtr _v48;
          				void* _v52;
          				CHAR* _t180;
          				void* _t182;
          				signed int _t183;
          				void* _t186;
          				void* _t188;
          				CHAR* _t190;
          				void* _t198;
          				struct HINSTANCE__* _t199;
          				_Unknown_base(*)()* _t200;
          				_Unknown_base(*)()* _t202;
          				struct HINSTANCE__* _t203;
          				void* _t205;
          				char* _t206;
          				_Unknown_base(*)()* _t207;
          				void* _t218;
          				signed char _t219;
          				void* _t224;
          				struct HINSTANCE__* _t226;
          				void* _t227;
          				void* _t228;
          				void* _t232;
          				void* _t235;
          				void* _t237;
          				void* _t244;
          				void* _t245;
          				void* _t248;
          				struct HINSTANCE__* _t253;
          				CHAR* _t254;
          				signed char _t257;
          				void _t258;
          				void* _t259;
          				void* _t266;
          				void* _t267;
          				void* _t271;
          				void* _t272;
          				void* _t276;
          				void* _t277;
          				void* _t278;
          				void* _t279;
          				signed char _t282;
          				signed int _t283;
          				CHAR* _t284;
          				CHAR* _t286;
          				struct HINSTANCE__* _t288;
          				void* _t290;
          				void* _t291;
          
          				_t253 = 0;
          				_v32 = 0;
          				_v36 = 0;
          				_v16 = 0;
          				_v12 = 0;
          				_v40 = 0;
          				_t291 = 0;
          				_t180 = E03081541();
          				_v24 = _t180;
          				_v28 = _t180;
          				_v44 = E03081541();
          				_t182 = E03081561();
          				_v52 = _t182;
          				_v8 = _t182;
          				while(1) {
          					_t183 = _v32;
          					_t283 = 3;
          					_v48 = _t183;
          					if(_t183 != _t253 && _t291 == _t253) {
          						break;
          					}
          					_t282 =  *_v8;
          					_t257 = _t282;
          					_t186 = _t257 - _t253;
          					if(_t186 == 0) {
          						_t29 =  &_v32;
          						 *_t29 = _v32 | 0xffffffff;
          						__eflags =  *_t29;
          						L13:
          						_t188 = _v48 - _t253;
          						if(_t188 == 0) {
          							 *_v28 =  *_v28 & 0x00000000;
          							__eflags = _t291 - _t253;
          							if(_t291 == _t253) {
          								_t224 = GlobalAlloc(0x40, 0x14a4); // executed
          								_t291 = _t224;
          								 *(_t291 + 0x810) = _t253;
          								 *(_t291 + 0x814) = _t253;
          							}
          							_t258 = _v36;
          							_t39 = _t291 + 8; // 0x8
          							_t190 = _t39;
          							_t40 = _t291 + 0x408; // 0x408
          							_t284 = _t40;
          							 *_t291 = _t258;
          							 *_t190 =  *_t190 & 0x00000000;
          							 *(_t291 + 0x808) = _t253;
          							 *_t284 =  *_t284 & 0x00000000;
          							_t259 = _t258 - _t253;
          							__eflags = _t259;
          							 *(_t291 + 0x80c) = _t253;
          							 *(_t291 + 4) = _t253;
          							if(_t259 == 0) {
          								__eflags = _v28 - _v24;
          								if(_v28 == _v24) {
          									goto L56;
          								}
          								_t290 = 0;
          								GlobalFree(_t291);
          								_t291 = E03081641(_v24);
          								__eflags = _t291 - _t253;
          								if(_t291 == _t253) {
          									goto L56;
          								} else {
          									goto L28;
          								}
          								while(1) {
          									L28:
          									_t218 =  *(_t291 + 0x14a0);
          									__eflags = _t218 - _t253;
          									if(_t218 == _t253) {
          										break;
          									}
          									_t290 = _t291;
          									_t291 = _t218;
          									__eflags = _t291 - _t253;
          									if(_t291 != _t253) {
          										continue;
          									}
          									break;
          								}
          								__eflags = _t290 - _t253;
          								if(_t290 != _t253) {
          									 *(_t290 + 0x14a0) = _t253;
          								}
          								_t219 =  *(_t291 + 0x810);
          								__eflags = _t219 & 0x00000008;
          								if((_t219 & 0x00000008) == 0) {
          									 *(_t291 + 0x810) = _t219 | 0x00000002;
          								} else {
          									_t291 = E0308187C(_t291);
          									 *(_t291 + 0x810) =  *(_t291 + 0x810) & 0xfffffff5;
          								}
          								goto L56;
          							} else {
          								_t266 = _t259 - 1;
          								__eflags = _t266;
          								if(_t266 == 0) {
          									L24:
          									lstrcpyA(_t190, _v44);
          									L25:
          									lstrcpyA(_t284, _v24);
          									L56:
          									_v28 = _v24;
          									L57:
          									_v8 = _v8 + 1;
          									if(_v32 != 0xffffffff) {
          										continue;
          									}
          									break;
          								}
          								_t267 = _t266 - 1;
          								__eflags = _t267;
          								if(_t267 == 0) {
          									goto L25;
          								}
          								__eflags = _t267 != 1;
          								if(_t267 != 1) {
          									goto L56;
          								}
          								goto L24;
          							}
          						}
          						if(_t188 == 1) {
          							_t226 = _v16;
          							if(_v40 == _t253) {
          								_t226 = _t226 - 1;
          							}
          							 *(_t291 + 0x814) = _t226;
          						}
          						goto L56;
          					}
          					_t227 = _t186 - 0x23;
          					if(_t227 == 0) {
          						_v32 = _t253;
          						_v36 = _t253;
          						goto L13;
          					}
          					_t228 = _t227 - 5;
          					if(_t228 == 0) {
          						__eflags = _v36 - _t283;
          						_v32 = 1;
          						_v12 = _t253;
          						_v20 = _t253;
          						_v16 = (0 | _v36 == _t283) + 1;
          						_v40 = _t253;
          						goto L13;
          					}
          					_t232 = _t228 - 1;
          					if(_t232 == 0) {
          						_v32 = 2;
          						_v12 = _t253;
          						_v20 = _t253;
          						goto L13;
          					}
          					if(_t232 != 0x16) {
          						_t235 = _v32 - _t253;
          						__eflags = _t235;
          						if(_t235 == 0) {
          							__eflags = _t282 - 0x2a;
          							if(_t282 == 0x2a) {
          								_v36 = 2;
          								L55:
          								_t253 = 0;
          								__eflags = 0;
          								goto L56;
          							}
          							__eflags = _t282 - 0x2d;
          							if(_t282 == 0x2d) {
          								L124:
          								_t237 = _v8 + 1;
          								__eflags =  *_t237 - 0x3e;
          								if( *_t237 != 0x3e) {
          									L126:
          									_t237 = _v8 + 1;
          									__eflags =  *_t237 - 0x3a;
          									if( *_t237 != 0x3a) {
          										L133:
          										_v28 =  &(_v28[1]);
          										 *_v28 = _t282;
          										goto L57;
          									}
          									__eflags = _t282 - 0x2d;
          									if(_t282 == 0x2d) {
          										goto L133;
          									}
          									_v36 = 1;
          									L129:
          									_v8 = _t237;
          									__eflags = _v28 - _v24;
          									if(_v28 <= _v24) {
          										 *_v44 =  *_v44 & 0x00000000;
          									} else {
          										 *_v28 =  *_v28 & 0x00000000;
          										lstrcpyA(_v44, _v24);
          									}
          									goto L55;
          								}
          								_v36 = _t283;
          								goto L129;
          							}
          							__eflags = _t282 - 0x3a;
          							if(_t282 != 0x3a) {
          								goto L133;
          							}
          							__eflags = _t282 - 0x2d;
          							if(_t282 != 0x2d) {
          								goto L126;
          							}
          							goto L124;
          						}
          						_t244 = _t235 - 1;
          						__eflags = _t244;
          						if(_t244 == 0) {
          							L68:
          							_t245 = _t257 - 0x22;
          							__eflags = _t245 - 0x55;
          							if(_t245 > 0x55) {
          								goto L55;
          							}
          							switch( *((intOrPtr*)(( *(_t245 + 0x30823a0) & 0x000000ff) * 4 +  &M03082344))) {
          								case 0:
          									__eax = _v24;
          									__edi = _v8;
          									while(1) {
          										__edi = __edi + 1;
          										_v8 = __edi;
          										__cl =  *__edi;
          										__eflags = __cl - __dl;
          										if(__cl != __dl) {
          											goto L108;
          										}
          										L107:
          										__eflags =  *(__edi + 1) - __dl;
          										if( *(__edi + 1) != __dl) {
          											L112:
          											 *__eax =  *__eax & 0x00000000;
          											__ebx = E03081550(_v24);
          											goto L84;
          										}
          										L108:
          										__eflags = __cl;
          										if(__cl == 0) {
          											goto L112;
          										}
          										__eflags = __cl - __dl;
          										if(__cl == __dl) {
          											__edi = __edi + 1;
          											__eflags = __edi;
          										}
          										__cl =  *__edi;
          										 *__eax =  *__edi;
          										__eax = __eax + 1;
          										__edi = __edi + 1;
          										_v8 = __edi;
          										__cl =  *__edi;
          										__eflags = __cl - __dl;
          										if(__cl != __dl) {
          											goto L108;
          										}
          										goto L107;
          									}
          								case 1:
          									_v12 = 1;
          									goto L55;
          								case 2:
          									_v12 = _v12 | 0xffffffff;
          									goto L55;
          								case 3:
          									_v12 = _v12 & 0x00000000;
          									_v20 = _v20 & 0x00000000;
          									_v16 = _v16 + 1;
          									goto L73;
          								case 4:
          									__eflags = _v20;
          									if(_v20 != 0) {
          										goto L55;
          									}
          									_v8 = _v8 - 1;
          									__ebx = E03081541();
          									 &_v8 = E03081CD9( &_v8);
          									__eax = E0308176C(__edx, __eax, __edx, __ebx);
          									goto L84;
          								case 5:
          									L92:
          									_v20 = _v20 + 1;
          									goto L55;
          								case 6:
          									_push(0x19);
          									goto L119;
          								case 7:
          									_push(0x15);
          									goto L119;
          								case 8:
          									_push(0x16);
          									goto L119;
          								case 9:
          									_push(0x18);
          									goto L119;
          								case 0xa:
          									_push(5);
          									goto L99;
          								case 0xb:
          									__eax = 0;
          									__eax = 1;
          									goto L78;
          								case 0xc:
          									_push(6);
          									goto L99;
          								case 0xd:
          									_push(2);
          									goto L99;
          								case 0xe:
          									_push(3);
          									goto L99;
          								case 0xf:
          									_push(0x17);
          									L119:
          									_pop(__ebx);
          									goto L85;
          								case 0x10:
          									__eax =  &_v8;
          									__eax = E03081CD9( &_v8);
          									__ebx = __eax;
          									__ebx = __eax + 1;
          									__eflags = __ebx - 0xb;
          									if(__ebx < 0xb) {
          										__ebx = __ebx + 0xa;
          									}
          									goto L84;
          								case 0x11:
          									__ebx = 0xffffffff;
          									goto L85;
          								case 0x12:
          									__eax = 0;
          									__eflags = 0;
          									goto L78;
          								case 0x13:
          									_push(4);
          									L99:
          									_pop(__eax);
          									L78:
          									__edx = _v16;
          									__ecx = 0;
          									__edx = _v16 << 5;
          									__ecx = 1;
          									__eflags = _v12 - 0xffffffff;
          									__edi = (_v16 << 5) + __esi;
          									_v40 = 1;
          									 *(__edi + 0x818) = __eax;
          									if(_v12 == 0xffffffff) {
          										L80:
          										__eax = __ecx;
          										L81:
          										__eflags = _v12 - __ecx;
          										 *(__edi + 0x828) = __eax;
          										if(_v12 == __ecx) {
          											__eax =  &_v8;
          											__eax = E03081CD9( &_v8);
          											__eax = __eax + 1;
          											__eflags = __eax;
          											_v12 = __eax;
          										}
          										__eax = _v12;
          										 *((intOrPtr*)(__edi + 0x81c)) = _v12;
          										_t126 = _v16 + 0x41; // 0x41
          										_t126 = _t126 << 5;
          										__eax = 0;
          										__eflags = 0;
          										 *((intOrPtr*)((_t126 << 5) + __esi)) = 0;
          										 *((intOrPtr*)(__edi + 0x82c)) = 0;
          										 *((intOrPtr*)(__edi + 0x830)) = 0;
          										goto L84;
          									}
          									__eax =  *(0x3083058 + __eax * 4);
          									__eflags = __eax;
          									if(__eax > 0) {
          										goto L81;
          									}
          									goto L80;
          								case 0x14:
          									_t247 =  *(_t291 + 0x814);
          									__eflags = _t247 - _v16;
          									if(_t247 > _v16) {
          										_v16 = _t247;
          									}
          									_v12 = _v12 & 0x00000000;
          									_v20 = _v20 & 0x00000000;
          									_v36 - 3 = _t247 - (_v36 == 3);
          									if(_t247 != _v36 == 3) {
          										L73:
          										_v40 = 1;
          									}
          									goto L55;
          								case 0x15:
          									__eax =  &_v8;
          									__eax = E03081CD9( &_v8);
          									__ebx = __eax;
          									__ebx = __eax + 1;
          									L84:
          									__eflags = __ebx;
          									if(__ebx == 0) {
          										goto L55;
          									}
          									L85:
          									__eflags = _v20;
          									_v40 = 1;
          									if(_v20 != 0) {
          										L90:
          										__eflags = _v20 - 1;
          										if(_v20 == 1) {
          											__eax = _v16;
          											__eax = _v16 << 5;
          											__eflags = __eax;
          											 *(__eax + __esi + 0x830) = __ebx;
          										}
          										goto L92;
          									}
          									_v16 = _v16 << 5;
          									_t134 = __esi + 0x82c; // 0x82c
          									__edi = (_v16 << 5) + _t134;
          									__eax =  *__edi;
          									__eflags = __eax - 0xffffffff;
          									if(__eax <= 0xffffffff) {
          										L88:
          										__eax = GlobalFree(__eax);
          										L89:
          										 *__edi = __ebx;
          										goto L90;
          									}
          									__eflags = __eax - 0x19;
          									if(__eax <= 0x19) {
          										goto L89;
          									}
          									goto L88;
          								case 0x16:
          									goto L55;
          							}
          						}
          						_t248 = _t244 - 1;
          						__eflags = _t248;
          						if(_t248 == 0) {
          							_v16 = _t253;
          							goto L68;
          						}
          						__eflags = _t248 != 1;
          						if(_t248 != 1) {
          							goto L133;
          						}
          						_t271 = _t257 - 0x21;
          						__eflags = _t271;
          						if(_t271 == 0) {
          							_v12 =  ~_v12;
          							goto L55;
          						}
          						_t272 = _t271 - 0x42;
          						__eflags = _t272;
          						if(_t272 == 0) {
          							L51:
          							__eflags = _v12 - 1;
          							if(_v12 != 1) {
          								_t84 = _t291 + 0x810;
          								 *_t84 =  *(_t291 + 0x810) &  !0x00000001;
          								__eflags =  *_t84;
          							} else {
          								 *(_t291 + 0x810) =  *(_t291 + 0x810) | 1;
          							}
          							_v12 = 1;
          							goto L55;
          						}
          						_t276 = _t272;
          						__eflags = _t276;
          						if(_t276 == 0) {
          							_push(0x20);
          							L50:
          							_pop(1);
          							goto L51;
          						}
          						_t277 = _t276 - 9;
          						__eflags = _t277;
          						if(_t277 == 0) {
          							_push(8);
          							goto L50;
          						}
          						_push(4);
          						_pop(1);
          						_t278 = _t277 - 1;
          						__eflags = _t278;
          						if(_t278 == 0) {
          							goto L51;
          						}
          						_t279 = _t278 - 1;
          						__eflags = _t279;
          						if(_t279 == 0) {
          							_push(0x10);
          							goto L50;
          						}
          						__eflags = _t279 != 0;
          						if(_t279 != 0) {
          							goto L55;
          						}
          						_push(0x40);
          						goto L50;
          					} else {
          						_v32 = _t283;
          						_v12 = 1;
          						goto L13;
          					}
          				}
          				GlobalFree(_v52);
          				GlobalFree(_v24);
          				GlobalFree(_v44);
          				if(_t291 == _t253 ||  *(_t291 + 0x80c) != _t253) {
          					L145:
          					return _t291;
          				} else {
          					_t198 =  *_t291 - 1;
          					if(_t198 == 0) {
          						_t169 = _t291 + 8; // 0x8
          						_t286 = _t169;
          						__eflags =  *_t286;
          						if( *_t286 != 0) {
          							_t199 = GetModuleHandleA(_t286);
          							__eflags = _t199 - _t253;
          							 *(_t291 + 0x808) = _t199;
          							if(_t199 != _t253) {
          								L141:
          								_t173 = _t291 + 0x408; // 0x408
          								_t254 = _t173;
          								_t200 = GetProcAddress( *(_t291 + 0x808), _t254);
          								__eflags = _t200;
          								 *(_t291 + 0x80c) = _t200;
          								if(_t200 != 0) {
          									goto L145;
          								}
          								lstrcatA(_t254, 0x3084024);
          								_t202 = GetProcAddress( *(_t291 + 0x808), _t254);
          								__eflags = _t202;
          								L143:
          								 *(_t291 + 0x80c) = _t202;
          								if(__eflags != 0) {
          									goto L145;
          								}
          								L144:
          								_t178 = _t291 + 4;
          								 *_t178 =  *(_t291 + 4) | 0xffffffff;
          								__eflags =  *_t178;
          								goto L145;
          							}
          							_t203 = LoadLibraryA(_t286);
          							__eflags = _t203 - _t253;
          							 *(_t291 + 0x808) = _t203;
          							if(_t203 == _t253) {
          								goto L144;
          							}
          							goto L141;
          						}
          						_t170 = _t291 + 0x408; // 0x408
          						_t202 = E03081641(_t170);
          						__eflags = _t202 - _t253;
          						goto L143;
          					}
          					_t205 = _t198 - 1;
          					if(_t205 == 0) {
          						_t167 = _t291 + 0x408; // 0x408
          						_t206 = _t167;
          						__eflags =  *_t206;
          						if( *_t206 == 0) {
          							goto L145;
          						}
          						_t207 = E03081641(_t206);
          						L136:
          						 *(_t291 + 0x80c) = _t207;
          						goto L145;
          					}
          					if(_t205 != 1) {
          						goto L145;
          					}
          					_t72 = _t291 + 8; // 0x8
          					_t255 = _t72;
          					_t288 = E03081641(_t72);
          					 *(_t291 + 0x808) = _t288;
          					if(_t288 == 0) {
          						goto L144;
          					}
          					 *(_t291 + 0x850) =  *(_t291 + 0x850) & 0x00000000;
          					 *((intOrPtr*)(_t291 + 0x84c)) = E03081550(_t255);
          					 *(_t291 + 0x83c) =  *(_t291 + 0x83c) & 0x00000000;
          					 *((intOrPtr*)(_t291 + 0x848)) = 1;
          					 *((intOrPtr*)(_t291 + 0x838)) = 1;
          					_t81 = _t291 + 0x408; // 0x408
          					_t207 =  *(_t288->i + E03081641(_t81) * 4);
          					goto L136;
          				}
          			}


          APIs
            • Part of subcall function 03081541: GlobalAlloc.KERNELBASE(00000040,03081577,?,?,03081804,?,03081017), ref: 03081549
            • Part of subcall function 03081561: lstrcpyA.KERNEL32(00000000,?,?,?,03081804,?,03081017), ref: 0308157E
            • Part of subcall function 03081561: GlobalFree.KERNEL32 ref: 0308158F
          • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 03081E28
          • lstrcpyA.KERNEL32(00000008,?), ref: 03081E74
          • lstrcpyA.KERNEL32(00000408,?), ref: 03081E7E
          • GlobalFree.KERNEL32 ref: 03081E98
          • GlobalFree.KERNEL32 ref: 03081F80
          • GlobalFree.KERNEL32 ref: 03081F85
          • GlobalFree.KERNEL32 ref: 03081F8A
          • GlobalFree.KERNEL32 ref: 0308212C
          • lstrcpyA.KERNEL32(?,?), ref: 03082273
          • GetModuleHandleA.KERNEL32(00000008), ref: 030822DA
          • LoadLibraryA.KERNEL32(00000008), ref: 030822EB
          • GetProcAddress.KERNEL32(?,00000408), ref: 0308230E
          • lstrcatA.KERNEL32(00000408,03084024), ref: 03082320
          • GetProcAddress.KERNEL32(?,00000408), ref: 0308232D
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          • Associated: 0000001A.00000002.1465906253.0000000003080000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465954717.0000000003083000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465973703.0000000003085000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$Free$lstrcpy$AddressAllocProc$HandleLibraryLoadModulelstrcat
          • String ID:
          • API String ID: 2432367840-0
          • Opcode ID: 5e48f9390d195436fb59f51d3e3a6b68c93a307244e2babe3a84648b583a5ca2
          • Instruction ID: 7b5c43d1c00cae1672358d784fffbfacd899aef662ac8d3c077da8fbe1b190ba
          • Opcode Fuzzy Hash: 5e48f9390d195436fb59f51d3e3a6b68c93a307244e2babe3a84648b583a5ca2
          • Instruction Fuzzy Hash: A1026D75906309DFCB64EFA8C4847EEBBF8BF04304F18496AD1E6A6281D7749682CF50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E03B214CA(struct HWND__* _a4, int _a8, unsigned int _a12, long _a16) {
          				struct tagRECT _v20;
          				char _v1044;
          				int _t62;
          				signed int _t66;
          				intOrPtr _t75;
          				signed int _t76;
          				void* _t88;
          				void* _t95;
          				intOrPtr* _t101;
          				struct HWND__* _t102;
          				intOrPtr _t105;
          				intOrPtr _t106;
          				unsigned int _t110;
          				void* _t111;
          				void* _t115;
          				signed int _t117;
          				intOrPtr* _t119;
          				intOrPtr* _t120;
          
          				_t62 = _a8;
          				if(_t62 == 2) {
          					_t111 = 0;
          					if( *0x3b250d4 <= 0) {
          						L48:
          						return 0;
          					}
          					_t115 = 0;
          					do {
          						RemovePropA( *(_t115 +  *0x3b250d8), "NSIS: nsControl pointer property");
          						_t111 = _t111 + 1;
          						_t115 = _t115 + 0x418;
          					} while (_t111 <  *0x3b250d4);
          					goto L48;
          				}
          				_t101 = _a16;
          				if(_t62 == 0x2b) {
          					L28:
          					_t66 =  *(_t101 + 0x10);
          					_a12 = _t66 & 0x00000100;
          					_a16 = _t66 & 0x00000200;
          					if(E03B213C6( *(_t101 + 0x14)) == 0) {
          						goto L48;
          					}
          					asm("movsd");
          					asm("movsd");
          					_v1044 = _v1044 & 0x00000000;
          					asm("movsd");
          					asm("movsd"); // executed
          					GetWindowTextA( *(_t101 + 0x14),  &_v1044, 0x400); // executed
          					DrawTextA( *(_t101 + 0x18),  &_v1044, 0xffffffff,  &_v20, 0x414);
          					_t105 =  *((intOrPtr*)(_t101 + 0x24));
          					_t75 = _v20.right + 2;
          					_v20.right = _t75;
          					if(_t75 >= _t105) {
          						_v20.right = _t105;
          					}
          					_t76 =  *0x3b250cc;
          					if(_t76 != 0) {
          						_v20.right = _t105;
          						_v20.left = _v20.left + _t105 - _v20.right;
          					}
          					if(( *(_t101 + 0xc) & 0x00000001) != 0) {
          						asm("sbb eax, eax");
          						_t117 =  ~_t76 & 0x00020000;
          						if(_a12 != 0) {
          							_t117 = _t117 | 0x00100000;
          						}
          						if(GetWindowLongA( *(_t101 + 0x14), 0xffffffeb) == 0) {
          							SetTextColor( *(_t101 + 0x18), 0xff0000);
          						}
          						DrawTextA( *(_t101 + 0x18),  &_v1044, 0xffffffff,  &_v20, _t117 | 0x00000015);
          					}
          					if(( *(_t101 + 0x10) & 0x00000010) == 0 || ( *(_t101 + 0xc) & 0x00000001) == 0) {
          						if(( *(_t101 + 0xc) & 0x00000004) == 0) {
          							goto L44;
          						}
          						goto L42;
          					} else {
          						L42:
          						if(_a16 == 0) {
          							DrawFocusRect( *(_t101 + 0x18),  &_v20);
          						}
          						L44:
          						return 1;
          					}
          				}
          				if(_t62 == 0x4e) {
          					_t88 = E03B213C6( *_t101);
          					if(_t88 == 0) {
          						goto L48;
          					}
          					_t16 = _t88 + 0x410; // 0x410
          					_t119 = _t16;
          					if( *_t119 == 0) {
          						goto L48;
          					}
          					L03B22016();
          					L03B22016();
          					L03B22016();
          					 *((intOrPtr*)( *0x3b250a0 + 4))( *_t119 - 1, 0,  *_t101,  *((intOrPtr*)(_t101 + 8)), _t101);
          					goto L28;
          				}
          				if(_t62 == 0x111) {
          					_t102 = GetDlgItem(_a4, _a12 & 0x0000ffff);
          					_t95 = E03B213C6(_t102);
          					if(_t95 == 0) {
          						goto L48;
          					}
          					_t110 = _a12 >> 0x10;
          					if(_t110 != 0) {
          						L12:
          						if(_t110 != 0x300 ||  *((intOrPtr*)(_t95 + 4)) != 2) {
          							if(_t110 != 1 ||  *((intOrPtr*)(_t95 + 4)) != 4) {
          								if(_t110 == 6 || _t110 == 1) {
          									if( *((intOrPtr*)(_t95 + 4)) != 3) {
          										goto L22;
          									}
          									goto L19;
          								} else {
          									L22:
          									if(_t110 != 0 ||  *((intOrPtr*)(_t95 + 4)) != 7) {
          										goto L48;
          									} else {
          										L24:
          										_t15 = _t95 + 0x408; // 0x408
          										_t120 = _t15;
          										goto L20;
          									}
          								}
          							} else {
          								goto L19;
          							}
          						} else {
          							L19:
          							_t12 = _t95 + 0x40c; // 0x40c
          							_t120 = _t12;
          							L20:
          							if( *_t120 != 0) {
          								L03B22016();
          								 *((intOrPtr*)( *0x3b250a0 + 4))( *_t120 - 1, 0, _t102);
          							}
          							goto L48;
          						}
          					}
          					_t106 =  *((intOrPtr*)(_t95 + 4));
          					if(_t106 == 1 || _t106 == 8) {
          						goto L24;
          					} else {
          						goto L12;
          					}
          				}
          				if(_t62 > 0x132 && (_t62 <= 0x136 || _t62 == 0x138)) {
          					return SendMessageA( *0x3b250c4, _t62, _a12, _a16);
          				}
          				goto L48;
          			}


          APIs
          • SendMessageA.USER32(?,?,?), ref: 03B21528
          • GetDlgItem.USER32 ref: 03B2153B
          • GetWindowTextA.USER32 ref: 03B2165E
          • DrawTextA.USER32(?,00000000,000000FF,?,00000414), ref: 03B2167F
          • GetWindowLongA.USER32 ref: 03B216CA
          • SetTextColor.GDI32(?,00FF0000), ref: 03B216DC
          • DrawTextA.USER32(?,00000000,000000FF,00000000,?), ref: 03B216F6
          • DrawFocusRect.USER32 ref: 03B21717
          • RemovePropA.USER32 ref: 03B2173B
          Strings
          • NSIS: nsControl pointer property, xrefs: 03B21733
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Text$Draw$Window$ColorFocusItemLongMessagePropRectRemoveSend
          • String ID: NSIS: nsControl pointer property
          • API String ID: 2331901045-1714965683
          • Opcode ID: 06238a8c8ac43bba88fb3bb67ed3f98c75718b7ff658d77aa8c2e6191e93a2dd
          • Instruction ID: 11250941226cef310e52f2028cefe46708ed545ad52fff2a156eab7558ba6fd5
          • Opcode Fuzzy Hash: 06238a8c8ac43bba88fb3bb67ed3f98c75718b7ff658d77aa8c2e6191e93a2dd
          • Instruction Fuzzy Hash: 797182B0500625AFDF21DF58CD84BAABFA9FB44308F1847F5E919971A9C775D880CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 60%
          			E00401734(FILETIME* __ebx, void* __eflags) {
          				void* _t33;
          				void* _t41;
          				void* _t43;
          				FILETIME* _t49;
          				FILETIME* _t62;
          				void* _t64;
          				signed int _t70;
          				FILETIME* _t71;
          				FILETIME* _t75;
          				signed int _t77;
          				void* _t80;
          				CHAR* _t82;
          				void* _t85;
          
          				_t75 = __ebx;
          				_t82 = E004029F6(0x31);
          				 *(_t85 - 8) = _t82;
          				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
          				_t33 = E0040553D(_t82);
          				_push(_t82);
          				if(_t33 == 0) {
          					lstrcatA(E004054D0(E004059DD(0x409b50, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nsy6C45.tmp\\Slides")), ??);
          				} else {
          					_push(0x409b50);
          					E004059DD();
          				}
          				E00405C3F(0x409b50);
          				while(1) {
          					__eflags =  *(_t85 + 8) - 3;
          					if( *(_t85 + 8) >= 3) {
          						_t64 = E00405CD8(0x409b50);
          						_t77 = 0;
          						__eflags = _t64 - _t75;
          						if(_t64 != _t75) {
          							_t71 = _t64 + 0x14;
          							__eflags = _t71;
          							_t77 = CompareFileTime(_t71, _t85 - 0x18);
          						}
          						asm("sbb eax, eax");
          						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
          						__eflags = _t70;
          						 *(_t85 + 8) = _t70;
          					}
          					__eflags =  *(_t85 + 8) - _t75;
          					if( *(_t85 + 8) == _t75) {
          						E00405695(0x409b50);
          					}
          					__eflags =  *(_t85 + 8) - 1;
          					_t41 = E004056B4(0x409b50, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
          					__eflags = _t41 - 0xffffffff;
          					 *(_t85 - 0x34) = _t41;
          					if(_t41 != 0xffffffff) {
          						break;
          					}
          					__eflags =  *(_t85 + 8) - _t75;
          					if( *(_t85 + 8) != _t75) {
          						E00404D7B(0xffffffe2,  *(_t85 - 8));
          						__eflags =  *(_t85 + 8) - 2;
          						if(__eflags == 0) {
          							 *((intOrPtr*)(_t85 - 4)) = 1;
          						}
          						L31:
          						 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t85 - 4));
          						__eflags =  *0x423f08;
          						goto L32;
          					} else {
          						E004059DD(0x40a350, "3846");
          						E004059DD("3846", 0x409b50);
          						E004059FF(_t75, 0x40a350, 0x409b50, "C:\Users\hardz\AppData\Local\Temp\nsy6C45.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x10)));
          						E004059DD("3846", 0x40a350);
          						_t62 = E0040529E("C:\Users\hardz\AppData\Local\Temp\nsy6C45.tmp\System.dll",  *(_t85 - 0x24) >> 3) - 4;
          						__eflags = _t62;
          						if(_t62 == 0) {
          							continue;
          						} else {
          							__eflags = _t62 == 1;
          							if(_t62 == 1) {
          								 *0x423f08 =  &( *0x423f08->dwLowDateTime);
          								L32:
          								_t49 = 0;
          								__eflags = 0;
          							} else {
          								_push(0x409b50);
          								_push(0xfffffffa);
          								E00404D7B();
          								L29:
          								_t49 = 0x7fffffff;
          							}
          						}
          					}
          					L33:
          					return _t49;
          				}
          				E00404D7B(0xffffffea,  *(_t85 - 8));
          				 *0x423f34 =  *0x423f34 + 1;
          				_push(_t75);
          				_push(_t75);
          				_push( *(_t85 - 0x34));
          				_push( *((intOrPtr*)(_t85 - 0x1c)));
          				_t43 = E00402E5B(); // executed
          				 *0x423f34 =  *0x423f34 - 1;
          				__eflags =  *(_t85 - 0x18) - 0xffffffff;
          				_t80 = _t43;
          				if( *(_t85 - 0x18) != 0xffffffff) {
          					L22:
          					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
          				} else {
          					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
          					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
          						goto L22;
          					}
          				}
          				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
          				__eflags = _t80 - _t75;
          				if(_t80 >= _t75) {
          					goto L31;
          				} else {
          					__eflags = _t80 - 0xfffffffe;
          					if(_t80 != 0xfffffffe) {
          						E004059FF(_t75, _t80, 0x409b50, 0x409b50, 0xffffffee);
          					} else {
          						E004059FF(_t75, _t80, 0x409b50, 0x409b50, 0xffffffe9);
          						lstrcatA(0x409b50,  *(_t85 - 8));
          					}
          					_push(0x200010);
          					_push(0x409b50);
          					E0040529E();
          					goto L29;
          				}
          				goto L33;
          			}


          APIs
          • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides,00000000,00000000,00000031), ref: 00401773
          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides,00000000,00000000,00000031), ref: 0040179D
            • Part of subcall function 004059DD: lstrcpynA.KERNEL32(?,?,00000400,00403139,SmartPSS 2.002.0000007.0 Setup,NSIS Error), ref: 004059EA
            • Part of subcall function 00404D7B: lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
            • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
            • Part of subcall function 00404D7B: lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
            • Part of subcall function 00404D7B: SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
            • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
            • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
            • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
          • String ID: 3846$C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides$C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\System.dll$Call
          • API String ID: 1941528284-234453157
          • Opcode ID: 0a199ca22b29851047362e9d0c5cb953937fd193bdb6a2626d58fafcb50e8ad8
          • Instruction ID: 7896ef4f757b45501086316f909c91b804aeab5b8a53035332c5850d51b772f7
          • Opcode Fuzzy Hash: 0a199ca22b29851047362e9d0c5cb953937fd193bdb6a2626d58fafcb50e8ad8
          • Instruction Fuzzy Hash: FA41C272900615BACF10BBA5DD46EAF3A79EF01329B20433BF515F11E1D63C4A419AAD
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 95%
          			E03B21759(void* __eflags, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				struct tagPOINT _v20;
          				struct HWND__* _t24;
          				void* _t28;
          				int _t33;
          				void* _t34;
          				intOrPtr _t35;
          				struct HWND__* _t38;
          
          				 *0x3b250dc = _a8;
          				_t35 = _a20;
          				 *0x3b250e0 = _a16;
          				 *0x3b250e4 = _a12;
          				 *((intOrPtr*)(_t35 + 0xc))( *0x3b250a4, E03B21852, _t34);
          				_t38 = _a4;
          				 *0x3b250a0 = _t35;
          				 *0x3b250c4 = _t38;
          				GetWindowRect(GetDlgItem(_t38, E03B21FC2(__eflags)),  &_v20);
          				MapWindowPoints(0, _t38,  &_v20, 2);
          				_t24 = CreateDialogParamA( *0x3b250a4, 1, _t38, E03B214CA, 0); // executed
          				 *0x3b250c0 = _t24;
          				if(_t24 != 0) {
          					_t33 = _v12 - _v20.x;
          					__eflags = _t33;
          					SetWindowPos(_t24, 0, _v20, _v20.y, _t33, _v8 - _v20.y, 0x14);
          					 *0x3b250c8 = SetWindowLongA(_t38, 4, E03B213FB);
          					 *0x3b250cc = 0;
          					 *0x3b250d4 = 0;
          					_t28 = HeapAlloc(GetProcessHeap(), 8, 0);
          					_push( *0x3b250c0);
          					 *0x3b250d8 = _t28;
          					 *0x3b250d0 = 0;
          					L03B22016();
          				} else {
          					_t28 = E03B21E27("error");
          				}
          				return _t28;
          			}













          APIs
          • GetDlgItem.USER32 ref: 03B217A0
          • GetWindowRect.USER32 ref: 03B217AB
          • MapWindowPoints.USER32 ref: 03B217BB
          • CreateDialogParamA.USER32(00000001,?,03B214CA,00000000), ref: 03B217D0
          • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 03B21803
          • SetWindowLongA.USER32 ref: 03B21811
          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 03B2182B
          • HeapAlloc.KERNEL32(00000000), ref: 03B21832
            • Part of subcall function 03B21E27: GlobalAlloc.KERNEL32(00000040,?,?,03B210BE,error,?,00000104), ref: 03B21E3C
            • Part of subcall function 03B21E27: lstrcpynA.KERNEL32(00000004,?,?,03B210BE,error,?,00000104), ref: 03B21E52
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
          • String ID: error
          • API String ID: 1928716940-1574812785
          • Opcode ID: de8d75a3a8f0fbc6913acf4d999f1f02175139d78a57da052247c56e19a76ffb
          • Instruction ID: df2442e89253524fbcc2ecaadcc349f5750d6cbe3ed50033fb99b704ce7d18dd
          • Opcode Fuzzy Hash: de8d75a3a8f0fbc6913acf4d999f1f02175139d78a57da052247c56e19a76ffb
          • Instruction Fuzzy Hash: 8D212B75900214AFCB30EFA4EE49EAFBFB8FB6A709B00475AF61997554D7745400CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 71%
          			E1000123F(signed int _a4) {
          				void* _v8;
          				signed int _v24;
          				intOrPtr _v28;
          				void _v32;
          				void* _t38;
          				unsigned int _t39;
          				signed int _t46;
          				signed int _t47;
          				void* _t54;
          				struct HDC__* _t55;
          				signed int _t59;
          				signed int _t60;
          				void* _t61;
          				intOrPtr* _t63;
          
          				_t63 = _a4;
          				if( *_t63 != 4) {
          					L15:
          					return 0;
          				}
          				_t61 = GetPropA( *(_t63 + 0x14), "nsSkinBtn");
          				if(_t61 == 0 ||  *(_t61 + 0xe) == 0) {
          					goto L15;
          				} else {
          					_t38 =  *((intOrPtr*)(_t61 + 8));
          					if(_t38 == 0) {
          						_t38 =  *0x10003000;
          					}
          					_v8 = _t38;
          					_t39 =  *(_t63 + 0x10);
          					if((_t39 & 0x00000004) == 0) {
          						if((_t39 & 0x00000001) == 0) {
          							if( *((intOrPtr*)(_t61 + 0xc)) != 1) {
          								_a4 = _t39 >> 0x00000002 & 0x00000004;
          							} else {
          								_a4 = 1;
          							}
          						} else {
          							_a4 = 2;
          						}
          					} else {
          						_a4 = 3;
          					}
          					_t55 = CreateCompatibleDC( *(_t63 + 0x18));
          					GetObjectA(_v8, 0x18,  &_v32);
          					SelectObject(_t55, _v8);
          					_t46 = _v24;
          					_t59 =  *(_t61 + 0xe) & 0x0000ffff;
          					asm("cdq");
          					_t47 = _t46 / _t59;
          					_t60 = _t46 % _t59;
          					_v24 = _t47;
          					__imp__TransparentBlt( *(_t63 + 0x18), 0, 0,  *((intOrPtr*)(_t63 + 0x24)),  *((intOrPtr*)(_t63 + 0x28)), _t55, 0, _t47 * _a4, _v28, _t47, 0xff00ff, _t54);
          					if(_a4 == 3) {
          						_push(0x20);
          						_pop(0);
          					}
          					E1000118F(_t60,  *(_t63 + 0x14),  *(_t63 + 0x18), _t63 + 0x1c, 0, 1); // executed
          					DeleteDC(_t55);
          					return 1;
          				}
          			}


















          APIs
          • GetPropA.USER32 ref: 1000125B
          • CreateCompatibleDC.GDI32(?), ref: 100012BD
          • GetObjectA.GDI32(?,00000018,?), ref: 100012CE
          • SelectObject.GDI32(00000000,?), ref: 100012D8
          • TransparentBlt.MSIMG32(?,00000000,00000000,00FF00FF,?,00000000,00000000,?,?,?,00FF00FF), ref: 10001308
          • DeleteDC.GDI32(00000000), ref: 1000132A
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Object$CompatibleCreateDeletePropSelectTransparent
          • String ID: nsSkinBtn$nsSkinDlg
          • API String ID: 3923734743-1428530612
          • Opcode ID: e145a6663483ff7df944a81806da2480ceec43e5d34a1e4e348d9f2765856531
          • Instruction ID: 43608d3dd8cb680db8194a75929d7de71f9754de62325807d91c8aaaa99b7672
          • Opcode Fuzzy Hash: e145a6663483ff7df944a81806da2480ceec43e5d34a1e4e348d9f2765856531
          • Instruction Fuzzy Hash: CC318BB1500605FFFB21CF50CC85AABBBF9EB443C4B108129F946D6569D730EAA5DBA0
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 94%
          			E00402E5B(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
          				signed int _v8;
          				long _v12;
          				long _v16;
          				long _v20;
          				intOrPtr _v24;
          				char _v88;
          				void* _t62;
          				void* _t63;
          				int _t66;
          				intOrPtr _t74;
          				long _t75;
          				int _t78;
          				void* _t88;
          				intOrPtr _t91;
          				void* _t93;
          				long _t96;
          				signed int _t97;
          				long _t98;
          				int _t99;
          				void* _t100;
          				long _t101;
          				void* _t102;
          
          				_t97 = _a16;
          				_t93 = _a12;
          				_v12 = _t97;
          				if(_t93 == 0) {
          					_v12 = 0x8000;
          				}
          				_v8 = _v8 & 0x00000000;
          				_t88 = _t93;
          				if(_t93 == 0) {
          					_t88 = 0x40f020;
          				}
          				_t60 = _a4;
          				if(_a4 >= 0) {
          					_t91 =  *0x423ed8; // 0x41b64
          					E00403080(_t91 + _t60);
          				}
          				_t62 = E0040304E( &_a16, 4); // executed
          				if(_t62 == 0) {
          					L34:
          					_push(0xfffffffd);
          					goto L35;
          				} else {
          					if((_a19 & 0x00000080) == 0) {
          						if(_t93 == 0) {
          							while(_a16 > 0) {
          								_t98 = _v12;
          								if(_a16 < _t98) {
          									_t98 = _a16;
          								}
          								if(E0040304E(0x40b020, _t98) == 0) {
          									goto L34;
          								} else {
          									_t66 = WriteFile(_a8, 0x40b020, _t98,  &_a12, 0); // executed
          									if(_t66 == 0 || _t98 != _a12) {
          										L29:
          										_push(0xfffffffe);
          										L35:
          										_pop(_t63);
          										return _t63;
          									} else {
          										_v8 = _v8 + _t98;
          										_a16 = _a16 - _t98;
          										continue;
          									}
          								}
          							}
          							L45:
          							return _v8;
          						}
          						if(_a16 < _t97) {
          							_t97 = _a16;
          						}
          						if(E0040304E(_t93, _t97) != 0) {
          							_v8 = _t97;
          							goto L45;
          						} else {
          							goto L34;
          						}
          					}
          					_v16 = GetTickCount();
          					E00405DD9(0x40af90);
          					_t13 =  &_a16;
          					 *_t13 = _a16 & 0x7fffffff;
          					_a4 = _a16;
          					if( *_t13 <= 0) {
          						goto L45;
          					} else {
          						goto L9;
          					}
          					while(1) {
          						L9:
          						_t99 = 0x4000;
          						if(_a16 < 0x4000) {
          							_t99 = _a16;
          						}
          						if(E0040304E(0x40b020, _t99) == 0) {
          							goto L34;
          						}
          						_a16 = _a16 - _t99;
          						 *0x40afa8 = 0x40b020;
          						 *0x40afac = _t99;
          						while(1) {
          							 *0x40afb0 = _t88;
          							 *0x40afb4 = _v12; // executed
          							_t74 = E00405DF9(0x40af90); // executed
          							_v24 = _t74;
          							if(_t74 < 0) {
          								break;
          							}
          							_t100 =  *0x40afb0; // 0x40f020
          							_t101 = _t100 - _t88;
          							_t75 = GetTickCount();
          							_t96 = _t75;
          							if(( *0x423f34 & 0x00000001) != 0 && (_t75 - _v16 > 0xc8 || _a16 == 0)) {
          								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
          								_t102 = _t102 + 0xc;
          								E00404D7B(0,  &_v88);
          								_v16 = _t96;
          							}
          							if(_t101 == 0) {
          								if(_a16 > 0) {
          									goto L9;
          								}
          								goto L45;
          							} else {
          								if(_a12 != 0) {
          									_v8 = _v8 + _t101;
          									_v12 = _v12 - _t101;
          									_t88 =  *0x40afb0; // 0x40f020
          									L24:
          									if(_v24 != 1) {
          										continue;
          									}
          									goto L45;
          								}
          								_t78 = WriteFile(_a8, _t88, _t101,  &_v20, 0); // executed
          								if(_t78 == 0 || _v20 != _t101) {
          									goto L29;
          								} else {
          									_v8 = _v8 + _t101;
          									goto L24;
          								}
          							}
          						}
          						_push(0xfffffffc);
          						goto L35;
          					}
          					goto L34;
          				}
          			}


























          APIs
          • GetTickCount.KERNEL32 ref: 00402EB9
          • GetTickCount.KERNEL32 ref: 00402F3A
          • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F67
          • wsprintfA.USER32 ref: 00402F77
          • WriteFile.KERNEL32(00000000,00000000,0040F020,00000000,00000000), ref: 00402FA3
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CountTick$FileWritewsprintf
          • String ID: ... %d%%
          • API String ID: 4209647438-2449383134
          • Opcode ID: c92cbd3e3d4075a18ca6a835e36108bdbc166e0133a86f0c276232396de1e17b
          • Instruction ID: 77f196e3f4de2b0f7ff2a56d5fa3bb7e3b28ee40e2402e388f788a2720e93e15
          • Opcode Fuzzy Hash: c92cbd3e3d4075a18ca6a835e36108bdbc166e0133a86f0c276232396de1e17b
          • Instruction Fuzzy Hash: F151917190121A9BCF10CF55DA48AAF7B78AF04795F10413BF810B72C0D7B89E50DBAA
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 100%
          			E03B21C59(struct HWND__* _a4) {
          				struct tagMSG _v32;
          				int _t14;
          
          				SendMessageA(_a4, 0x40d,  *0x3b250c0, 0);
          				ShowWindow( *0x3b250c0, 8); // executed
          				if( *0x3b250c0 != 0) {
          					do {
          						GetMessageA( &_v32, 0, 0, 0); // executed
          						_t14 = IsDialogMessageA( *0x3b250c0,  &_v32); // executed
          						if(_t14 == 0 && IsDialogMessageA( *0x3b250c4,  &_v32) == 0) {
          							TranslateMessage( &_v32);
          							DispatchMessageA( &_v32); // executed
          						}
          					} while ( *0x3b250c0 != 0);
          				}
          				return SetWindowLongA(_a4, 4,  *0x3b250c8);
          			}






          APIs
          • SendMessageA.USER32(?,0000040D,00000000), ref: 03B21C71
          • ShowWindow.USER32(00000008), ref: 03B21C7F
          • KiUserCallbackDispatcher.NTDLL ref: 03B21C9B
          • IsDialogMessageA.USER32(?), ref: 03B21CAB
          • IsDialogMessageA.USER32(?), ref: 03B21CBB
          • TranslateMessage.USER32(?), ref: 03B21CC5
          • DispatchMessageA.USER32 ref: 03B21CCF
          • SetWindowLongA.USER32 ref: 03B21CE9
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Message$DialogWindow$CallbackDispatchDispatcherLongSendShowTranslateUser
          • String ID:
          • API String ID: 4159918924-0
          • Opcode ID: 82b6a4bc2c3d22a7442c4565fc3c71a4cb6188f45fa42fd1697b512b83ae607c
          • Instruction ID: ba1f635c1f5631e27415c4dadd1c32a3a8539dd330f29e46ae6af8a8eb98cf9a
          • Opcode Fuzzy Hash: 82b6a4bc2c3d22a7442c4565fc3c71a4cb6188f45fa42fd1697b512b83ae607c
          • Instruction Fuzzy Hash: 66115235900209EBCB30BB95EE09EAB7FBEFB56709B404362F60597418D7388405CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 100%
          			E03B11123(struct HWND__* _a4, long _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
          				long _t19;
          				signed int _t24;
          				struct HWND__* _t28;
          				struct HWND__* _t29;
          				CHAR* _t34;
          				void* _t39;
          				intOrPtr* _t42;
          				int _t45;
          
          				 *0x3b13014 = _a4;
          				 *0x3b13070 = _a16;
          				 *0x3b1306c = _a20;
          				_t19 = _a8;
          				 *0x3b13078 = _a12;
          				 *0x3b13044 = _t19;
          				if( *0x3b1307c == 8) {
          					return _t19;
          				}
          				_t34 = GlobalAlloc(0x40, _t19);
          				if(E03B11334(_t34) != 0) {
          					L15:
          					return GlobalFree(_t34);
          				}
          				_t45 = E03B113EC(_t34);
          				_t24 =  *0x3b1307c;
          				_t39 = 0;
          				if(_t24 <= 0) {
          					L6:
          					 *(0x3b13048 + _t24 * 4) = _t45;
          					if(E03B11334(_t34) != 0) {
          						goto L15;
          					}
          					if(lstrcmpiA(_t34, 0x3b13008) != 0) {
          						 *(0x3b13020 +  *0x3b1307c * 4) = E03B113EC(_t34);
          					} else {
          						 *(0x3b13020 +  *0x3b1307c * 4) =  *(0x3b13020 +  *0x3b1307c * 4) | 0xffffffff;
          					}
          					 *0x3b1307c =  *0x3b1307c + 1;
          					L11:
          					if( *0x3b13018 == 0) {
          						 *0x3b13018 = SetWindowLongA(_a4, 4, E03B110AE);
          					}
          					_t28 = GetDlgItem(_a4, _t45);
          					if(_t28 == 0) {
          						_t29 = FindWindowExA(_a4, _t28, 0x3b13000, _t28); // executed
          						 *0x3b13068 = _t29;
          						 *0x3b13074 = SetWindowLongA(_t29, 4, E03B11060);
          					}
          					goto L15;
          				}
          				_t42 = 0x3b13048;
          				while( *_t42 != _t45) {
          					_t39 = _t39 + 1;
          					_t42 = _t42 + 4;
          					if(_t39 < _t24) {
          						continue;
          					}
          					goto L6;
          				}
          				goto L11;
          			}











          APIs
          • GlobalAlloc.KERNEL32(00000040,?), ref: 03B11163
            • Part of subcall function 03B11334: lstrcpyA.KERNEL32(?,?,?,03B11171,00000000), ref: 03B1134C
            • Part of subcall function 03B11334: GlobalFree.KERNEL32 ref: 03B1135D
          • lstrcmpiA.KERNEL32(00000000,03B13008,00000000,00000000), ref: 03B111B9
          • SetWindowLongA.USER32 ref: 03B11205
          • GetDlgItem.USER32 ref: 03B11210
          • FindWindowExA.USER32 ref: 03B11224
          • SetWindowLongA.USER32 ref: 03B11237
          • GlobalFree.KERNEL32 ref: 03B1123F
          Memory Dump Source
          • Source File: 0000001A.00000002.1466713559.0000000003B11000.00000020.00020000.sdmp, Offset: 03B10000, based on PE: true
          • Associated: 0000001A.00000002.1466680974.0000000003B10000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466743773.0000000003B12000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466760757.0000000003B14000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b10000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: GlobalWindow$FreeLong$AllocFindItemlstrcmpilstrcpy
          • String ID:
          • API String ID: 1156966252-0
          • Opcode ID: ebf2aa5d82074040139e7ec12ac89b962e50a35cdaa7e7ec4f41006c9293d7e2
          • Instruction ID: 018f4241e0e457442ef3aa21b3d47001fd9a8820c4582a46e0fe1e677ce74dc2
          • Opcode Fuzzy Hash: ebf2aa5d82074040139e7ec12ac89b962e50a35cdaa7e7ec4f41006c9293d7e2
          • Instruction Fuzzy Hash: 7C3121B8600304ABD710EF28FA48B297BE9E70875D7C04575EA99D7A58E7309560CB50
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetPropA.USER32 ref: 1000142F
          • InvalidateRect.USER32(?,00000000,00000001), ref: 10001470
          • _TrackMouseEvent.COMCTL32(?), ref: 1000149B
          • DeleteObject.GDI32(?), ref: 100014DC
          • CallWindowProcA.USER32 ref: 100014F8
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CallDeleteEventInvalidateMouseObjectProcPropRectTrackWindow
          • String ID: nsSkinBtn
          • API String ID: 3493112117-4259702871
          • Opcode ID: 18449c8b43e8ef4b8111e1d260395b898f2962c8184b6adff7a3b8241d5b8d25
          • Instruction ID: d19ae69334d6ee0f7ad8cdb13b6390f22bca0b4e14600087c5ad07237fd38f3f
          • Opcode Fuzzy Hash: 18449c8b43e8ef4b8111e1d260395b898f2962c8184b6adff7a3b8241d5b8d25
          • Instruction Fuzzy Hash: 9B217C32800315AAEB21CF65CC88ADB7BF8FB443D0F018519F996965B9C7B49981DB51
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 60%
          			E00401F51(void* __ebx, void* __eflags) {
          				struct HINSTANCE__* _t18;
          				struct HINSTANCE__* _t26;
          				void* _t27;
          				struct HINSTANCE__* _t30;
          				CHAR* _t32;
          				intOrPtr* _t33;
          				void* _t34;
          
          				_t27 = __ebx;
          				asm("sbb eax, 0x423f38");
          				 *(_t34 - 4) = 1;
          				if(__eflags < 0) {
          					_push(0xffffffe7);
          					L15:
          					E00401423();
          					L16:
          					 *0x423f08 =  *0x423f08 +  *(_t34 - 4);
          					return 0;
          				}
          				_t32 = E004029F6(0xfffffff0);
          				 *(_t34 + 8) = E004029F6(1);
          				if( *((intOrPtr*)(_t34 - 0x14)) == __ebx) {
          					L3:
          					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
          					_t30 = _t18;
          					if(_t30 == _t27) {
          						_push(0xfffffff6);
          						goto L15;
          					}
          					L4:
          					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
          					if(_t33 == _t27) {
          						E00404D7B(0xfffffff7,  *(_t34 + 8));
          					} else {
          						 *(_t34 - 4) = _t27;
          						if( *((intOrPtr*)(_t34 - 0x1c)) == _t27) {
          							 *_t33( *((intOrPtr*)(_t34 - 0x34)), 0x400, "3846", "8Jt", 0x409000); // executed
          						} else {
          							E00401423( *((intOrPtr*)(_t34 - 0x1c)));
          							if( *_t33() != 0) {
          								 *(_t34 - 4) = 1;
          							}
          						}
          					}
          					if( *((intOrPtr*)(_t34 - 0x18)) == _t27 && E004034C6(_t30) != 0) {
          						FreeLibrary(_t30); // executed
          					}
          					goto L16;
          				}
          				_t26 = GetModuleHandleA(_t32); // executed
          				_t30 = _t26;
          				if(_t30 != __ebx) {
          					goto L4;
          				}
          				goto L3;
          			}










          APIs
          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C
            • Part of subcall function 00404D7B: lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
            • Part of subcall function 00404D7B: lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
            • Part of subcall function 00404D7B: lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
            • Part of subcall function 00404D7B: SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
            • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
            • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
            • Part of subcall function 00404D7B: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
          • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
          • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
          • String ID: 3846$8Jt
          • API String ID: 2987980305-481359540
          • Opcode ID: 71306b1134231061c89694e0e173e72c12ff72d2ee8c3f8387a1942ab3f7262f
          • Instruction ID: d4347cebb671b603d0a5d412fc90ce50d757f993dc699470b494ace3858b78d6
          • Opcode Fuzzy Hash: 71306b1134231061c89694e0e173e72c12ff72d2ee8c3f8387a1942ab3f7262f
          • Instruction Fuzzy Hash: 7221EE72D04216ABCF107FA4DE89A6E75B06B44359F204337F611B52E0D77C4941965E
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 90%
          			E10001505(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
          				void* _t15;
          				void* _t16;
          				long _t17;
          				void* _t20;
          				void* _t25;
          				intOrPtr _t26;
          				_Unknown_base(*)()* _t31;
          
          				_t31 =  *(GetPropA(_a4, "nsSkinDlg"));
          				_t15 = _a8 - 0x2b;
          				if(_t15 == 0) {
          					_t16 = E1000123F(_a16); // executed
          					if(_t16 == 0) {
          						L9:
          						_t17 = CallWindowProcA(_t31, _a4, _a8, _a12, _a16); // executed
          						return _t17;
          					}
          					return 1;
          				}
          				_t20 = _t15 - 0x57;
          				if(_t20 == 0) {
          					E100013AC(_a4, "nsSkinDlg");
          					goto L9;
          				}
          				if(_t20 != 0x8f || _a12 >> 0x10 != 0) {
          					goto L9;
          				} else {
          					_t25 = GetPropA(_a16, "nsSkinBtn");
          					if(_t25 == 0) {
          						goto L9;
          					}
          					_t26 =  *((intOrPtr*)(_t25 + 4));
          					if(_t26 == 0) {
          						goto L9;
          					}
          					_push(0);
          					_push(_t26 - 1);
          					if( *((intOrPtr*)( *0x10003008 + 4))() == 0) {
          						goto L9;
          					}
          					return 0;
          				}
          			}










          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Prop$CallProcWindow
          • String ID: nsSkinBtn$nsSkinDlg
          • API String ID: 1345539330-1428530612
          • Opcode ID: 262a27479858243417199ab25d5d238ec33e367e7b568fca7aa4f5762314bc74
          • Instruction ID: 4a896ec3b45322573b5eaf9bd3f335e136e3e061eb7b103ea6ea746b84f3b19b
          • Opcode Fuzzy Hash: 262a27479858243417199ab25d5d238ec33e367e7b568fca7aa4f5762314bc74
          • Instruction Fuzzy Hash: 8F113035604A4AEFFB10DF68DD85EEB3BA9EB842D1B004021F906DA069DA21DD11DB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 85%
          			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
          				struct _SECURITY_ATTRIBUTES** _t10;
          				int _t19;
          				struct _SECURITY_ATTRIBUTES* _t20;
          				signed char _t22;
          				struct _SECURITY_ATTRIBUTES* _t23;
          				CHAR* _t25;
          				struct _SECURITY_ATTRIBUTES** _t29;
          				void* _t30;
          
          				_t23 = __ebx;
          				_t25 = E004029F6(0xfffffff0);
          				_t10 = E00405564(_t25);
          				_t27 = _t10;
          				if(_t10 != __ebx) {
          					do {
          						_t29 = E004054FB(_t27, 0x5c);
          						 *_t29 = _t23;
          						 *((char*)(_t30 + 0xb)) =  *_t29;
          						_t19 = CreateDirectoryA(_t25, _t23); // executed
          						if(_t19 == 0) {
          							if(GetLastError() != 0xb7) {
          								L4:
          								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
          							} else {
          								_t22 = GetFileAttributesA(_t25); // executed
          								if((_t22 & 0x00000010) == 0) {
          									goto L4;
          								}
          							}
          						}
          						_t20 =  *((intOrPtr*)(_t30 + 0xb));
          						 *_t29 = _t20;
          						_t27 =  &(_t29[0]);
          					} while (_t20 != _t23);
          				}
          				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
          					_push(0xfffffff5);
          					E00401423();
          				} else {
          					E00401423(0xffffffe6);
          					E004059DD("C:\\Users\\hardz\\AppData\\Local\\Temp\\nsy6C45.tmp\\Slides", _t25);
          					SetCurrentDirectoryA(_t25); // executed
          				}
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t30 - 4));
          				return 0;
          			}











          APIs
            • Part of subcall function 00405564: CharNextA.USER32(00405316,?,00421880,00000000,004055C8,00421880,00421880,?,?,00000000,00405316,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000), ref: 00405572
            • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405577
            • Part of subcall function 00405564: CharNextA.USER32(00000000), ref: 00405586
          • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
          • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
          • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides,00000000,00000000,000000F0), ref: 00401622
          Strings
          • C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides, xrefs: 00401617
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
          • String ID: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides
          • API String ID: 3751793516-166301797
          • Opcode ID: eca45e4f265b5310bf3876cc38f450248989b20858a3f8b45370c7433c2b44d3
          • Instruction ID: ffaaac8e814952d4dd163c137c14166a37b00a477d69e33f5cc6849720afcf5a
          • Opcode Fuzzy Hash: eca45e4f265b5310bf3876cc38f450248989b20858a3f8b45370c7433c2b44d3
          • Instruction Fuzzy Hash: 86010831908180ABDB116F795D44D6F27B0DA52365728473BF491B22E2C23C4942962E
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E004056E3(char _a4, intOrPtr _a6, CHAR* _a8) {
          				signed int _t11;
          				int _t14;
          				signed int _t16;
          				void* _t19;
          				CHAR* _t20;
          
          				_t20 = _a4;
          				_t19 = 0x64;
          				while(1) {
          					_t19 = _t19 - 1;
          					_a4 = 0x61736e;
          					_t11 = GetTickCount();
          					_t16 = 0x1a;
          					_a6 = _a6 + _t11 % _t16;
          					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
          					if(_t14 != 0) {
          						break;
          					}
          					if(_t19 != 0) {
          						continue;
          					}
          					 *_t20 =  *_t20 & 0x00000000;
          					return _t14;
          				}
          				return _t20;
          			}








          APIs
          • GetTickCount.KERNEL32 ref: 004056F6
          • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 00405710
          Strings
          • nsa, xrefs: 004056EF
          • C:\Users\user\AppData\Local\Temp\, xrefs: 004056E3, 004056E6
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 004056EA
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CountFileNameTempTick
          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe$nsa
          • API String ID: 1716503409-3308429589
          • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
          • Instruction ID: 090c9869d25c952b380026dfe3028592f3e254e5657c021594612e0629f183dd
          • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
          • Instruction Fuzzy Hash: AFF0A736348204B7D7104F55EC04B9B7F5DDF91750F14C027F944DA1C0D6B1995597A5
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 94%
          			E0308198F(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
          				void _v36;
          				struct HINSTANCE__* _t34;
          				intOrPtr _t38;
          				void* _t44;
          				void* _t45;
          				void* _t46;
          				void* _t50;
          				intOrPtr _t53;
          				signed int _t57;
          				signed int _t61;
          				void* _t65;
          				void* _t66;
          				void* _t70;
          				void* _t74;
          
          				_t74 = __esi;
          				_t66 = __edi;
          				_t65 = __edx;
          				 *0x3084058 = _a8;
          				 *0x308405c = _a16;
          				 *0x3084060 = _a12;
          				 *((intOrPtr*)(_a20 + 0xc))( *0x3084038, E0308189E);
          				_push(1); // executed
          				_t34 = E03081D3B(); // executed
          				_t50 = _t34;
          				if(_t50 == 0) {
          					L28:
          					return _t34;
          				} else {
          					if( *((intOrPtr*)(_t50 + 4)) != 1) {
          						E030823F6(_t50);
          					}
          					E03082440(_t65, _t50);
          					_t53 =  *((intOrPtr*)(_t50 + 4));
          					if(_t53 == 0xffffffff) {
          						L14:
          						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
          							if( *((intOrPtr*)(_t50 + 4)) == 0) {
          								_t34 = E030825FE(_t65, _t50);
          							} else {
          								_push(_t74);
          								_push(_t66);
          								_t12 = _t50 + 0x818; // 0x818
          								_t57 = 8;
          								memcpy( &_v36, _t12, _t57 << 2);
          								_t38 = E030818A1(_t50);
          								_t15 = _t50 + 0x818; // 0x818
          								_t70 = _t15;
          								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
          								 *_t70 = 3;
          								E030825FE(_t65, _t50);
          								_t61 = 8;
          								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
          							}
          						} else {
          							E030825FE(_t65, _t50);
          							_t34 = GlobalFree(E0308159E(E030818A1(_t50)));
          						}
          						if( *((intOrPtr*)(_t50 + 4)) != 1) {
          							_t34 = E030825C4(_t50);
          							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
          								_t34 =  *(_t50 + 0x808);
          								if(_t34 != 0) {
          									_t34 = FreeLibrary(_t34);
          								}
          							}
          							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
          								_t34 = E03081825( *0x3084054);
          							}
          						}
          						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
          							goto L28;
          						} else {
          							return GlobalFree(_t50);
          						}
          					}
          					_t44 =  *_t50;
          					if(_t44 == 0) {
          						if(_t53 != 1) {
          							goto L14;
          						}
          						E030814C7(_t50); // executed
          						L12:
          						_t50 = _t44;
          						L13:
          						goto L14;
          					}
          					_t45 = _t44 - 1;
          					if(_t45 == 0) {
          						L8:
          						_t44 = E0308120C(_t53, _t50); // executed
          						goto L12;
          					}
          					_t46 = _t45 - 1;
          					if(_t46 == 0) {
          						E030827CC(_t50);
          						goto L13;
          					}
          					if(_t46 != 1) {
          						goto L14;
          					}
          					goto L8;
          				}
          			}

















          APIs
            • Part of subcall function 03081D3B: GlobalFree.KERNEL32 ref: 03081F80
            • Part of subcall function 03081D3B: GlobalFree.KERNEL32 ref: 03081F85
            • Part of subcall function 03081D3B: GlobalFree.KERNEL32 ref: 03081F8A
          • GlobalFree.KERNEL32 ref: 03081A3A
          • FreeLibrary.KERNEL32(?), ref: 03081AB1
          • GlobalFree.KERNEL32 ref: 03081AD6
            • Part of subcall function 030823F6: GlobalAlloc.KERNEL32(00000040,E8002080), ref: 03082428
            • Part of subcall function 030827CC: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,03081A0B,00000000), ref: 0308281C
            • Part of subcall function 030818A1: lstrcpyA.KERNEL32(00000000,03084018,00000000,03081967,00000000), ref: 030818BA
            • Part of subcall function 030825FE: wsprintfA.USER32 ref: 0308265F
            • Part of subcall function 030825FE: GlobalFree.KERNEL32 ref: 03082728
            • Part of subcall function 030825FE: GlobalFree.KERNEL32 ref: 03082751
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          • Associated: 0000001A.00000002.1465906253.0000000003080000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465954717.0000000003083000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465973703.0000000003085000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$Free$Alloc$Librarylstrcpywsprintf
          • String ID:
          • API String ID: 1767494692-3916222277
          • Opcode ID: 6218e33d33ad8f10b0d306603186f2f098244db630fe2076fa360536fdbd1d8a
          • Instruction ID: 45b90193ce6caf6fd8e052ee4ff3174f87cd5ea92bdadd428f515f4b123a63da
          • Opcode Fuzzy Hash: 6218e33d33ad8f10b0d306603186f2f098244db630fe2076fa360536fdbd1d8a
          • Instruction Fuzzy Hash: 013162795023059BCB5CFF64D894BDA7BECBF44214F088865E9C6AE186DF788047CBA0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 51%
          			E00401BAD() {
          				signed int _t28;
          				CHAR* _t31;
          				long _t32;
          				int _t37;
          				signed int _t38;
          				int _t42;
          				int _t48;
          				struct HWND__* _t52;
          				void* _t55;
          
          				 *(_t55 - 0x34) = E004029D9(3);
          				 *(_t55 + 8) = E004029D9(4);
          				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
          					 *((intOrPtr*)(__ebp - 0x34)) = E004029F6(0x33);
          				}
          				__eflags =  *(_t55 - 0x10) & 0x00000002;
          				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
          					 *(_t55 + 8) = E004029F6(0x44);
          				}
          				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
          				_push(1);
          				if(__eflags != 0) {
          					_t50 = E004029F6();
          					_t28 = E004029F6();
          					asm("sbb ecx, ecx");
          					asm("sbb eax, eax");
          					_t31 =  ~( *_t27) & _t50;
          					__eflags = _t31;
          					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28); // executed
          					goto L10;
          				} else {
          					_t52 = E004029D9();
          					_t37 = E004029D9();
          					_t48 =  *(_t55 - 0x10) >> 2;
          					if(__eflags == 0) {
          						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8)); // executed
          						L10:
          						 *(_t55 - 8) = _t32;
          					} else {
          						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
          						asm("sbb eax, eax");
          						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
          					}
          				}
          				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
          				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
          					_push( *(_t55 - 8));
          					E0040593B();
          				}
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t55 - 4));
          				return 0;
          			}













          APIs
          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$Timeout
          • String ID: !
          • API String ID: 1777923405-2657877971
          • Opcode ID: a21e9fedaf10b3d0faf8ff8eb7872d1ba6ab3a41dfe2fcd52b90142743086bd6
          • Instruction ID: 089b6e11c3ee5c2ceb15467343933f82bc3488a694e04e66c57418204d538f9a
          • Opcode Fuzzy Hash: a21e9fedaf10b3d0faf8ff8eb7872d1ba6ab3a41dfe2fcd52b90142743086bd6
          • Instruction Fuzzy Hash: B321C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E03B21480(void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
          				void* _t8;
          				long _t9;
          
          				_t8 = E03B213C6(_a4);
          				if(_t8 != 0) {
          					if(_a8 != 0x20) {
          						_t9 = CallWindowProcA( *(_t8 + 0x414), _a4, _a8, _a12, _a16); // executed
          						return _t9;
          					}
          					SetCursor(LoadCursorA(0, 0x7f89));
          					return 1;
          				}
          				return _t8;
          			}






          APIs
            • Part of subcall function 03B213C6: GetPropA.USER32 ref: 03B213CF
          • LoadCursorA.USER32 ref: 03B2149C
          • SetCursor.USER32(00000000,?,?,?), ref: 03B214A3
          • CallWindowProcA.USER32 ref: 03B214C0
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Cursor$CallLoadProcPropWindow
          • String ID:
          • API String ID: 1635134901-3916222277
          • Opcode ID: b1e14ec7971cf6b007e9e8c3b2e9adbf8f73bff7fa53a1209c7fa50ab36fd2d3
          • Instruction ID: aa5549ae033796f064b45e4160542a0a327cc16d9633703700985b9f5330bf1c
          • Opcode Fuzzy Hash: b1e14ec7971cf6b007e9e8c3b2e9adbf8f73bff7fa53a1209c7fa50ab36fd2d3
          • Instruction Fuzzy Hash: DEE03936504209BBCF21AFA4DD04AAA3FAAEF08359F048270FA5D89460C77580609FA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 59%
          			E00401B06(void* __ebx, void* __edx) {
          				intOrPtr _t7;
          				void* _t8;
          				void _t11;
          				void* _t13;
          				void* _t21;
          				void* _t24;
          				void* _t30;
          				void* _t33;
          				void* _t34;
          				void* _t37;
          
          				_t27 = __ebx;
          				_t7 =  *((intOrPtr*)(_t37 - 0x1c));
          				_t30 =  *0x40af50; // 0x744a38
          				if(_t7 == __ebx) {
          					if(__edx == __ebx) {
          						_t8 = GlobalAlloc(0x40, 0x404); // executed
          						_t34 = _t8;
          						_t4 = _t34 + 4; // 0x4
          						E004059FF(__ebx, _t30, _t34, _t4,  *((intOrPtr*)(_t37 - 0x24)));
          						_t11 =  *0x40af50; // 0x744a38
          						 *_t34 = _t11;
          						 *0x40af50 = _t34;
          					} else {
          						if(_t30 == __ebx) {
          							 *((intOrPtr*)(_t37 - 4)) = 1;
          						} else {
          							_t2 = _t30 + 4; // 0x744a3c
          							E004059DD(_t33, _t2);
          							_push(_t30);
          							 *0x40af50 =  *_t30;
          							GlobalFree();
          						}
          					}
          					goto L15;
          				} else {
          					while(1) {
          						_t7 = _t7 - 1;
          						if(_t30 == _t27) {
          							break;
          						}
          						_t30 =  *_t30;
          						if(_t7 != _t27) {
          							continue;
          						} else {
          							if(_t30 == _t27) {
          								break;
          							} else {
          								_t32 = _t30 + 4;
          								E004059DD(0x409b50, _t30 + 4);
          								_t21 =  *0x40af50; // 0x744a38
          								E004059DD(_t32, _t21 + 4);
          								_t24 =  *0x40af50; // 0x744a38
          								_push(0x409b50);
          								_push(_t24 + 4);
          								E004059DD();
          								L15:
          								 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t37 - 4));
          								_t13 = 0;
          							}
          						}
          						goto L17;
          					}
          					_push(0x200010);
          					_push(E004059FF(_t27, _t30, _t33, _t27, 0xffffffe8));
          					E0040529E();
          					_t13 = 0x7fffffff;
          				}
          				L17:
          				return _t13;
          			}














          APIs
          • GlobalFree.KERNEL32 ref: 00401B75
          • GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401B87
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$AllocFree
          • String ID: 8Jt$Call
          • API String ID: 3394109436-981148825
          • Opcode ID: 2786a859b8e849ebe1f9841ed566f1da068b002bab6d4096f16c2e16f142c763
          • Instruction ID: dedcc356a049729cc32aa0533657a7b943fc31f5ec42b7739970f76d43a2a4df
          • Opcode Fuzzy Hash: 2786a859b8e849ebe1f9841ed566f1da068b002bab6d4096f16c2e16f142c763
          • Instruction Fuzzy Hash: D221A8B2604202DBD710FBA4DE8595F73A4FB44328724453BF606F32D0EB78A8119B6E
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 53%
          			E1000118F(void* __edx, struct HWND__* _a4, struct HDC__* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
          				struct tagRECT _v20;
          				void* _v280;
          				long _t25;
          				void* _t45;
          
          				_t45 = __edx;
          				_t25 = SendMessageA(_a4, 0xd, 0x104,  &_v280); // executed
          				if(_v280 != 0) {
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd"); // executed
          					DrawTextA(_a8,  &_v280, 0xffffffff,  &_v20, 0x400); // executed
          					if(_a20 != 0) {
          						asm("cdq");
          						_v20.left =  *((intOrPtr*)(_a12 + 8)) - _v20.right - _t45 >> 1;
          					}
          					asm("cdq");
          					_v20.top =  *((intOrPtr*)(_a12 + 0xc)) - _v20.bottom - _t45 >> 1;
          					SetBkMode(_a8, 1);
          					return DrawStateA(_a8, 0, 0,  &_v280, 0, _v20, _v20.top, 0, 0, _a16 | 0x00000002);
          				}
          				return _t25;
          			}








          APIs
          • SendMessageA.USER32(00000001,0000000D,00000104,?), ref: 100011AA
          • DrawTextA.USER32(00000000,?,000000FF,?,00000400), ref: 100011DB
          • SetBkMode.GDI32(00000000,00000001), ref: 1000120F
          • DrawStateA.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?), ref: 10001231
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Draw$MessageModeSendStateText
          • String ID:
          • API String ID: 3519253648-0
          • Opcode ID: 7ea2cb0fcb7c691ddb96fcaa5c40e03beac6cef6a1c61056525391aad1f6e14d
          • Instruction ID: 69651a43a86d0b03a7080a28e3fa4d956e21140dced910b08523c25c94c7bba2
          • Opcode Fuzzy Hash: 7ea2cb0fcb7c691ddb96fcaa5c40e03beac6cef6a1c61056525391aad1f6e14d
          • Instruction Fuzzy Hash: 9921E4B190021DAFEB10CFA8CC85DEE7BBDFB04754F048555FA14AA1A5D370AA54CB60
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 84%
          			E00403097(void* __eflags) {
          				void* _t2;
          				void* _t5;
          				CHAR* _t6;
          
          				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
          				E00405C3F(_t6);
          				_t2 = E0040553D(_t6);
          				if(_t2 != 0) {
          					E004054D0(_t6);
          					CreateDirectoryA(_t6, 0); // executed
          					_t5 = E004056E3("1033", _t6); // executed
          					return _t5;
          				} else {
          					return _t2;
          				}
          			}







          APIs
            • Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
            • Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
            • Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
            • Part of subcall function 00405C3F: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
          • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004030B8
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Char$Next$CreateDirectoryPrev
          • String ID: 1033$C:\Users\user\AppData\Local\Temp\
          • API String ID: 4115351271-1075807775
          • Opcode ID: 6fc6148b77ece9d346d6d7cc43375dab10df03dac4f70bfb46dffa123947e942
          • Instruction ID: 14cf73edb083f9294524d0cb591bdba299ebaa8e37fda96f2dae1f3ab35ccfa6
          • Opcode Fuzzy Hash: 6fc6148b77ece9d346d6d7cc43375dab10df03dac4f70bfb46dffa123947e942
          • Instruction Fuzzy Hash: 95D0C92160BD3032D66136263D0AFDF155C8F5236EFA1447BF809B61CA5B6C6A8219FF
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 99%
          			E004063DD() {
          				signed int _t530;
          				void _t537;
          				signed int _t538;
          				signed int _t539;
          				unsigned short _t569;
          				signed int _t579;
          				signed int _t607;
          				void* _t627;
          				signed int _t628;
          				signed int _t635;
          				signed int* _t643;
          				void* _t644;
          
          				L0:
          				while(1) {
          					L0:
          					_t530 =  *(_t644 - 0x30);
          					if(_t530 >= 4) {
          					}
          					 *(_t644 - 0x40) = 6;
          					 *(_t644 - 0x7c) = 0x19;
          					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
          					while(1) {
          						L145:
          						 *(_t644 - 0x50) = 1;
          						 *(_t644 - 0x48) =  *(_t644 - 0x40);
          						while(1) {
          							L149:
          							if( *(_t644 - 0x48) <= 0) {
          								goto L155;
          							}
          							L150:
          							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
          							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
          							 *(_t644 - 0x54) = _t643;
          							_t569 =  *_t643;
          							_t635 = _t569 & 0x0000ffff;
          							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
          							if( *(_t644 - 0xc) >= _t607) {
          								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
          								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
          								_t628 = _t627 + 1;
          								 *_t643 = _t569 - (_t569 >> 5);
          								 *(_t644 - 0x50) = _t628;
          							} else {
          								 *(_t644 - 0x10) = _t607;
          								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
          								 *_t643 = (0x800 - _t635 >> 5) + _t569;
          							}
          							if( *(_t644 - 0x10) >= 0x1000000) {
          								L148:
          								_t487 = _t644 - 0x48;
          								 *_t487 =  *(_t644 - 0x48) - 1;
          								L149:
          								if( *(_t644 - 0x48) <= 0) {
          									goto L155;
          								}
          								goto L150;
          							} else {
          								L154:
          								L146:
          								if( *(_t644 - 0x6c) == 0) {
          									L169:
          									 *(_t644 - 0x88) = 0x18;
          									L170:
          									_t579 = 0x22;
          									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
          									_t539 = 0;
          									L172:
          									return _t539;
          								}
          								L147:
          								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
          								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
          								_t484 = _t644 - 0x70;
          								 *_t484 =  &(( *(_t644 - 0x70))[1]);
          								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
          								goto L148;
          							}
          							L155:
          							_t537 =  *(_t644 - 0x7c);
          							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
          							while(1) {
          								L140:
          								 *(_t644 - 0x88) = _t537;
          								while(1) {
          									L1:
          									_t538 =  *(_t644 - 0x88);
          									if(_t538 > 0x1c) {
          										break;
          									}
          									L2:
          									switch( *((intOrPtr*)(_t538 * 4 +  &M0040684B))) {
          										case 0:
          											L3:
          											if( *(_t644 - 0x6c) == 0) {
          												goto L170;
          											}
          											L4:
          											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
          											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
          											_t538 =  *( *(_t644 - 0x70));
          											if(_t538 > 0xe1) {
          												goto L171;
          											}
          											L5:
          											_t542 = _t538 & 0x000000ff;
          											_push(0x2d);
          											asm("cdq");
          											_pop(_t581);
          											_push(9);
          											_pop(_t582);
          											_t638 = _t542 / _t581;
          											_t544 = _t542 % _t581 & 0x000000ff;
          											asm("cdq");
          											_t633 = _t544 % _t582 & 0x000000ff;
          											 *(_t644 - 0x3c) = _t633;
          											 *(_t644 - 0x1c) = (1 << _t638) - 1;
          											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
          											_t641 = (0x300 << _t633 + _t638) + 0x736;
          											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
          												L10:
          												if(_t641 == 0) {
          													L12:
          													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
          													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
          													goto L15;
          												} else {
          													goto L11;
          												}
          												do {
          													L11:
          													_t641 = _t641 - 1;
          													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
          												} while (_t641 != 0);
          												goto L12;
          											}
          											L6:
          											if( *(_t644 - 4) != 0) {
          												GlobalFree( *(_t644 - 4)); // executed
          											}
          											_t538 = GlobalAlloc(0x40, 0x600); // executed
          											 *(_t644 - 4) = _t538;
          											if(_t538 == 0) {
          												goto L171;
          											} else {
          												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
          												goto L10;
          											}
          										case 1:
          											L13:
          											__eflags =  *(_t644 - 0x6c);
          											if( *(_t644 - 0x6c) == 0) {
          												L157:
          												 *(_t644 - 0x88) = 1;
          												goto L170;
          											}
          											L14:
          											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
          											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
          											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
          											_t45 = _t644 - 0x48;
          											 *_t45 =  *(_t644 - 0x48) + 1;
          											__eflags =  *_t45;
          											L15:
          											if( *(_t644 - 0x48) < 4) {
          												goto L13;
          											}
          											L16:
          											_t550 =  *(_t644 - 0x40);
          											if(_t550 ==  *(_t644 - 0x74)) {
          												L20:
          												 *(_t644 - 0x48) = 5;
          												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
          												goto L23;
          											}
          											L17:
          											 *(_t644 - 0x74) = _t550;
          											if( *(_t644 - 8) != 0) {
          												GlobalFree( *(_t644 - 8)); // executed
          											}
          											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
          											 *(_t644 - 8) = _t538;
          											if(_t538 == 0) {
          												goto L171;
          											} else {
          												goto L20;
          											}
          										case 2:
          											L24:
          											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
          											 *(_t644 - 0x84) = 6;
          											 *(_t644 - 0x4c) = _t557;
          											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
          											goto L132;
          										case 3:
          											L21:
          											__eflags =  *(_t644 - 0x6c);
          											if( *(_t644 - 0x6c) == 0) {
          												L158:
          												 *(_t644 - 0x88) = 3;
          												goto L170;
          											}
          											L22:
          											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
          											_t67 = _t644 - 0x70;
          											 *_t67 =  &(( *(_t644 - 0x70))[1]);
          											__eflags =  *_t67;
          											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
          											L23:
          											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
          											if( *(_t644 - 0x48) != 0) {
          												goto L21;
          											}
          											goto L24;
          										case 4:
          											L133:
          											_t559 =  *_t642;
          											_t626 = _t559 & 0x0000ffff;
          											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
          											if( *(_t644 - 0xc) >= _t596) {
          												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
          												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
          												 *(_t644 - 0x40) = 1;
          												_t560 = _t559 - (_t559 >> 5);
          												__eflags = _t560;
          												 *_t642 = _t560;
          											} else {
          												 *(_t644 - 0x10) = _t596;
          												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
          												 *_t642 = (0x800 - _t626 >> 5) + _t559;
          											}
          											if( *(_t644 - 0x10) >= 0x1000000) {
          												goto L139;
          											} else {
          												goto L137;
          											}
          										case 5:
          											L137:
          											if( *(_t644 - 0x6c) == 0) {
          												L168:
          												 *(_t644 - 0x88) = 5;
          												goto L170;
          											}
          											L138:
          											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
          											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
          											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
          											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
          											L139:
          											_t537 =  *(_t644 - 0x84);
          											L140:
          											 *(_t644 - 0x88) = _t537;
          											goto L1;
          										case 6:
          											L25:
          											__edx = 0;
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												L36:
          												__eax =  *(__ebp - 4);
          												__ecx =  *(__ebp - 0x38);
          												 *(__ebp - 0x34) = 1;
          												 *(__ebp - 0x84) = 7;
          												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
          												goto L132;
          											}
          											L26:
          											__eax =  *(__ebp - 0x5c) & 0x000000ff;
          											__esi =  *(__ebp - 0x60);
          											__cl = 8;
          											__cl = 8 -  *(__ebp - 0x3c);
          											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
          											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
          											__ecx =  *(__ebp - 0x3c);
          											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
          											__ecx =  *(__ebp - 4);
          											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
          											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
          											__eflags =  *(__ebp - 0x38) - 4;
          											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
          											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
          											if( *(__ebp - 0x38) >= 4) {
          												__eflags =  *(__ebp - 0x38) - 0xa;
          												if( *(__ebp - 0x38) >= 0xa) {
          													_t98 = __ebp - 0x38;
          													 *_t98 =  *(__ebp - 0x38) - 6;
          													__eflags =  *_t98;
          												} else {
          													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
          												}
          											} else {
          												 *(__ebp - 0x38) = 0;
          											}
          											__eflags =  *(__ebp - 0x34) - __edx;
          											if( *(__ebp - 0x34) == __edx) {
          												L35:
          												__ebx = 0;
          												__ebx = 1;
          												goto L61;
          											} else {
          												L32:
          												__eax =  *(__ebp - 0x14);
          												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
          												__eflags = __eax -  *(__ebp - 0x74);
          												if(__eax >=  *(__ebp - 0x74)) {
          													__eax = __eax +  *(__ebp - 0x74);
          													__eflags = __eax;
          												}
          												__ecx =  *(__ebp - 8);
          												__ebx = 0;
          												__ebx = 1;
          												__al =  *((intOrPtr*)(__eax + __ecx));
          												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
          												goto L41;
          											}
          										case 7:
          											L66:
          											__eflags =  *(__ebp - 0x40) - 1;
          											if( *(__ebp - 0x40) != 1) {
          												L68:
          												__eax =  *(__ebp - 0x24);
          												 *(__ebp - 0x80) = 0x16;
          												 *(__ebp - 0x20) =  *(__ebp - 0x24);
          												__eax =  *(__ebp - 0x28);
          												 *(__ebp - 0x24) =  *(__ebp - 0x28);
          												__eax =  *(__ebp - 0x2c);
          												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
          												__eax = 0;
          												__eflags =  *(__ebp - 0x38) - 7;
          												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
          												__al = __al & 0x000000fd;
          												__eax = (__eflags >= 0) - 1 + 0xa;
          												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
          												__eax =  *(__ebp - 4);
          												__eax =  *(__ebp - 4) + 0x664;
          												__eflags = __eax;
          												 *(__ebp - 0x58) = __eax;
          												goto L69;
          											}
          											L67:
          											__eax =  *(__ebp - 4);
          											__ecx =  *(__ebp - 0x38);
          											 *(__ebp - 0x84) = 8;
          											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
          											goto L132;
          										case 8:
          											L70:
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												__eax =  *(__ebp - 4);
          												__ecx =  *(__ebp - 0x38);
          												 *(__ebp - 0x84) = 0xa;
          												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
          											} else {
          												__eax =  *(__ebp - 0x38);
          												__ecx =  *(__ebp - 4);
          												__eax =  *(__ebp - 0x38) + 0xf;
          												 *(__ebp - 0x84) = 9;
          												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
          												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
          											}
          											goto L132;
          										case 9:
          											L73:
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												goto L90;
          											}
          											L74:
          											__eflags =  *(__ebp - 0x60);
          											if( *(__ebp - 0x60) == 0) {
          												goto L171;
          											}
          											L75:
          											__eax = 0;
          											__eflags =  *(__ebp - 0x38) - 7;
          											_t259 =  *(__ebp - 0x38) - 7 >= 0;
          											__eflags = _t259;
          											0 | _t259 = _t259 + _t259 + 9;
          											 *(__ebp - 0x38) = _t259 + _t259 + 9;
          											goto L76;
          										case 0xa:
          											L82:
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												L84:
          												__eax =  *(__ebp - 4);
          												__ecx =  *(__ebp - 0x38);
          												 *(__ebp - 0x84) = 0xb;
          												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
          												goto L132;
          											}
          											L83:
          											__eax =  *(__ebp - 0x28);
          											goto L89;
          										case 0xb:
          											L85:
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												__ecx =  *(__ebp - 0x24);
          												__eax =  *(__ebp - 0x20);
          												 *(__ebp - 0x20) =  *(__ebp - 0x24);
          											} else {
          												__eax =  *(__ebp - 0x24);
          											}
          											__ecx =  *(__ebp - 0x28);
          											 *(__ebp - 0x24) =  *(__ebp - 0x28);
          											L89:
          											__ecx =  *(__ebp - 0x2c);
          											 *(__ebp - 0x2c) = __eax;
          											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
          											L90:
          											__eax =  *(__ebp - 4);
          											 *(__ebp - 0x80) = 0x15;
          											__eax =  *(__ebp - 4) + 0xa68;
          											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
          											goto L69;
          										case 0xc:
          											L99:
          											__eflags =  *(__ebp - 0x6c);
          											if( *(__ebp - 0x6c) == 0) {
          												L164:
          												 *(__ebp - 0x88) = 0xc;
          												goto L170;
          											}
          											L100:
          											__ecx =  *(__ebp - 0x70);
          											__eax =  *(__ebp - 0xc);
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											_t334 = __ebp - 0x70;
          											 *_t334 =  *(__ebp - 0x70) + 1;
          											__eflags =  *_t334;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											__eax =  *(__ebp - 0x2c);
          											goto L101;
          										case 0xd:
          											L37:
          											__eflags =  *(__ebp - 0x6c);
          											if( *(__ebp - 0x6c) == 0) {
          												L159:
          												 *(__ebp - 0x88) = 0xd;
          												goto L170;
          											}
          											L38:
          											__ecx =  *(__ebp - 0x70);
          											__eax =  *(__ebp - 0xc);
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											_t122 = __ebp - 0x70;
          											 *_t122 =  *(__ebp - 0x70) + 1;
          											__eflags =  *_t122;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											L39:
          											__eax =  *(__ebp - 0x40);
          											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
          											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
          												goto L48;
          											}
          											L40:
          											__eflags = __ebx - 0x100;
          											if(__ebx >= 0x100) {
          												goto L54;
          											}
          											L41:
          											__eax =  *(__ebp - 0x5b) & 0x000000ff;
          											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
          											__ecx =  *(__ebp - 0x58);
          											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
          											 *(__ebp - 0x48) = __eax;
          											__eax = __eax + 1;
          											__eax = __eax << 8;
          											__eax = __eax + __ebx;
          											__esi =  *(__ebp - 0x58) + __eax * 2;
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
          											__ax =  *__esi;
          											 *(__ebp - 0x54) = __esi;
          											__edx = __ax & 0x0000ffff;
          											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
          											__eflags =  *(__ebp - 0xc) - __ecx;
          											if( *(__ebp - 0xc) >= __ecx) {
          												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          												__cx = __ax;
          												 *(__ebp - 0x40) = 1;
          												__cx = __ax >> 5;
          												__eflags = __eax;
          												__ebx = __ebx + __ebx + 1;
          												 *__esi = __ax;
          											} else {
          												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
          												 *(__ebp - 0x10) = __ecx;
          												0x800 = 0x800 - __edx;
          												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
          												__ebx = __ebx + __ebx;
          												 *__esi = __cx;
          											}
          											__eflags =  *(__ebp - 0x10) - 0x1000000;
          											 *(__ebp - 0x44) = __ebx;
          											if( *(__ebp - 0x10) >= 0x1000000) {
          												goto L39;
          											} else {
          												L45:
          												goto L37;
          											}
          										case 0xe:
          											L46:
          											__eflags =  *(__ebp - 0x6c);
          											if( *(__ebp - 0x6c) == 0) {
          												L160:
          												 *(__ebp - 0x88) = 0xe;
          												goto L170;
          											}
          											L47:
          											__ecx =  *(__ebp - 0x70);
          											__eax =  *(__ebp - 0xc);
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											_t156 = __ebp - 0x70;
          											 *_t156 =  *(__ebp - 0x70) + 1;
          											__eflags =  *_t156;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											while(1) {
          												L48:
          												__eflags = __ebx - 0x100;
          												if(__ebx >= 0x100) {
          													break;
          												}
          												L49:
          												__eax =  *(__ebp - 0x58);
          												__edx = __ebx + __ebx;
          												__ecx =  *(__ebp - 0x10);
          												__esi = __edx + __eax;
          												__ecx =  *(__ebp - 0x10) >> 0xb;
          												__ax =  *__esi;
          												 *(__ebp - 0x54) = __esi;
          												__edi = __ax & 0x0000ffff;
          												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
          												__eflags =  *(__ebp - 0xc) - __ecx;
          												if( *(__ebp - 0xc) >= __ecx) {
          													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          													__cx = __ax;
          													_t170 = __edx + 1; // 0x1
          													__ebx = _t170;
          													__cx = __ax >> 5;
          													__eflags = __eax;
          													 *__esi = __ax;
          												} else {
          													 *(__ebp - 0x10) = __ecx;
          													0x800 = 0x800 - __edi;
          													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
          													__ebx = __ebx + __ebx;
          													 *__esi = __cx;
          												}
          												__eflags =  *(__ebp - 0x10) - 0x1000000;
          												 *(__ebp - 0x44) = __ebx;
          												if( *(__ebp - 0x10) >= 0x1000000) {
          													continue;
          												} else {
          													L53:
          													goto L46;
          												}
          											}
          											L54:
          											_t173 = __ebp - 0x34;
          											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
          											__eflags =  *_t173;
          											goto L55;
          										case 0xf:
          											L58:
          											__eflags =  *(__ebp - 0x6c);
          											if( *(__ebp - 0x6c) == 0) {
          												L161:
          												 *(__ebp - 0x88) = 0xf;
          												goto L170;
          											}
          											L59:
          											__ecx =  *(__ebp - 0x70);
          											__eax =  *(__ebp - 0xc);
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											_t203 = __ebp - 0x70;
          											 *_t203 =  *(__ebp - 0x70) + 1;
          											__eflags =  *_t203;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											L60:
          											__eflags = __ebx - 0x100;
          											if(__ebx >= 0x100) {
          												L55:
          												__al =  *(__ebp - 0x44);
          												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
          												goto L56;
          											}
          											L61:
          											__eax =  *(__ebp - 0x58);
          											__edx = __ebx + __ebx;
          											__ecx =  *(__ebp - 0x10);
          											__esi = __edx + __eax;
          											__ecx =  *(__ebp - 0x10) >> 0xb;
          											__ax =  *__esi;
          											 *(__ebp - 0x54) = __esi;
          											__edi = __ax & 0x0000ffff;
          											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
          											__eflags =  *(__ebp - 0xc) - __ecx;
          											if( *(__ebp - 0xc) >= __ecx) {
          												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
          												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
          												__cx = __ax;
          												_t217 = __edx + 1; // 0x1
          												__ebx = _t217;
          												__cx = __ax >> 5;
          												__eflags = __eax;
          												 *__esi = __ax;
          											} else {
          												 *(__ebp - 0x10) = __ecx;
          												0x800 = 0x800 - __edi;
          												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
          												__ebx = __ebx + __ebx;
          												 *__esi = __cx;
          											}
          											__eflags =  *(__ebp - 0x10) - 0x1000000;
          											 *(__ebp - 0x44) = __ebx;
          											if( *(__ebp - 0x10) >= 0x1000000) {
          												goto L60;
          											} else {
          												L65:
          												goto L58;
          											}
          										case 0x10:
          											L109:
          											__eflags =  *(__ebp - 0x6c);
          											if( *(__ebp - 0x6c) == 0) {
          												L165:
          												 *(__ebp - 0x88) = 0x10;
          												goto L170;
          											}
          											L110:
          											__ecx =  *(__ebp - 0x70);
          											__eax =  *(__ebp - 0xc);
          											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
          											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
          											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
          											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											_t365 = __ebp - 0x70;
          											 *_t365 =  *(__ebp - 0x70) + 1;
          											__eflags =  *_t365;
          											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
          											goto L111;
          										case 0x11:
          											L69:
          											__esi =  *(__ebp - 0x58);
          											 *(__ebp - 0x84) = 0x12;
          											goto L132;
          										case 0x12:
          											L128:
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												L131:
          												__eax =  *(__ebp - 0x58);
          												 *(__ebp - 0x84) = 0x13;
          												__esi =  *(__ebp - 0x58) + 2;
          												L132:
          												 *(_t644 - 0x54) = _t642;
          												goto L133;
          											}
          											L129:
          											__eax =  *(__ebp - 0x4c);
          											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
          											__ecx =  *(__ebp - 0x58);
          											__eax =  *(__ebp - 0x4c) << 4;
          											__eflags = __eax;
          											__eax =  *(__ebp - 0x58) + __eax + 4;
          											goto L130;
          										case 0x13:
          											L141:
          											__eflags =  *(__ebp - 0x40);
          											if( *(__ebp - 0x40) != 0) {
          												L143:
          												_t469 = __ebp - 0x58;
          												 *_t469 =  *(__ebp - 0x58) + 0x204;
          												__eflags =  *_t469;
          												 *(__ebp - 0x30) = 0x10;
          												 *(__ebp - 0x40) = 8;
          												L144:
          												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
          												L145:
          												 *(_t644 - 0x50) = 1;
          												 *(_t644 - 0x48) =  *(_t644 - 0x40);
          												goto L149;
          											}
          											L142:
          											__eax =  *(__ebp - 0x4c);
          											__ecx =  *(__ebp - 0x58);
          											__eax =  *(__ebp - 0x4c) << 4;
          											 *(__ebp - 0x30) = 8;
          											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
          											L130:
          											 *(__ebp - 0x58) = __eax;
          											 *(__ebp - 0x40) = 3;
          											goto L144;
          										case 0x14:
          											L156:
          											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
          											__eax =  *(__ebp - 0x80);
          											while(1) {
          												L140:
          												 *(_t644 - 0x88) = _t537;
          												goto L1;
          											}
          										case 0x15:
          											L91:
          											__eax = 0;
          											__eflags =  *(__ebp - 0x38) - 7;
          											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
          											__al = __al & 0x000000fd;
          											__eax = (__eflags >= 0) - 1 + 0xb;
          											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
          											goto L120;
          										case 0x16:
          											goto L0;
          										case 0x17:
          											while(1) {
          												L145:
          												 *(_t644 - 0x50) = 1;
          												 *(_t644 - 0x48) =  *(_t644 - 0x40);
          												goto L149;
          											}
          										case 0x18:
          											goto L146;
          										case 0x19:
          											L94:
          											__eflags = __ebx - 4;
          											if(__ebx < 4) {
          												L98:
          												 *(__ebp - 0x2c) = __ebx;
          												L119:
          												_t393 = __ebp - 0x2c;
          												 *_t393 =  *(__ebp - 0x2c) + 1;
          												__eflags =  *_t393;
          												L120:
          												__eax =  *(__ebp - 0x2c);
          												__eflags = __eax;
          												if(__eax == 0) {
          													L166:
          													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
          													goto L170;
          												}
          												L121:
          												__eflags = __eax -  *(__ebp - 0x60);
          												if(__eax >  *(__ebp - 0x60)) {
          													goto L171;
          												}
          												L122:
          												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
          												__eax =  *(__ebp - 0x30);
          												_t400 = __ebp - 0x60;
          												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
          												__eflags =  *_t400;
          												goto L123;
          											}
          											L95:
          											__ecx = __ebx;
          											__eax = __ebx;
          											__ecx = __ebx >> 1;
          											__eax = __ebx & 0x00000001;
          											__ecx = (__ebx >> 1) - 1;
          											__al = __al | 0x00000002;
          											__eax = (__ebx & 0x00000001) << __cl;
          											__eflags = __ebx - 0xe;
          											 *(__ebp - 0x2c) = __eax;
          											if(__ebx >= 0xe) {
          												L97:
          												__ebx = 0;
          												 *(__ebp - 0x48) = __ecx;
          												L102:
          												__eflags =  *(__ebp - 0x48);
          												if( *(__ebp - 0x48) <= 0) {
          													L107:
          													__eax = __eax + __ebx;
          													 *(__ebp - 0x40) = 4;
          													 *(__ebp - 0x2c) = __eax;
          													__eax =  *(__ebp - 4);
          													__eax =  *(__ebp - 4) + 0x644;
          													__eflags = __eax;
          													L108:
          													__ebx = 0;
          													 *(__ebp - 0x58) = __eax;
          													 *(__ebp - 0x50) = 1;
          													 *(__ebp - 0x44) = 0;
          													 *(__ebp - 0x48) = 0;
          													L112:
          													__eax =  *(__ebp - 0x40);
          													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
          													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
          														L118:
          														_t391 = __ebp - 0x2c;
          														 *_t391 =  *(__ebp - 0x2c) + __ebx;
          														__eflags =  *_t391;
          														goto L119;
          													}
          													L113:
          													__eax =  *(__ebp - 0x50);
          													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
          													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
          													__eax =  *(__ebp - 0x58);
          													__esi = __edi + __eax;
          													 *(__ebp - 0x54) = __esi;
          													__ax =  *__esi;
          													__ecx = __ax & 0x0000ffff;
          													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
          													__eflags =  *(__ebp - 0xc) - __edx;
          													if( *(__ebp - 0xc) >= __edx) {
          														__ecx = 0;
          														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
          														__ecx = 1;
          														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
          														__ebx = 1;
          														__ecx =  *(__ebp - 0x48);
          														__ebx = 1 << __cl;
          														__ecx = 1 << __cl;
          														__ebx =  *(__ebp - 0x44);
          														__ebx =  *(__ebp - 0x44) | __ecx;
          														__cx = __ax;
          														__cx = __ax >> 5;
          														__eax = __eax - __ecx;
          														__edi = __edi + 1;
          														__eflags = __edi;
          														 *(__ebp - 0x44) = __ebx;
          														 *__esi = __ax;
          														 *(__ebp - 0x50) = __edi;
          													} else {
          														 *(__ebp - 0x10) = __edx;
          														0x800 = 0x800 - __ecx;
          														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
          														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
          														 *__esi = __dx;
          													}
          													__eflags =  *(__ebp - 0x10) - 0x1000000;
          													if( *(__ebp - 0x10) >= 0x1000000) {
          														L111:
          														_t368 = __ebp - 0x48;
          														 *_t368 =  *(__ebp - 0x48) + 1;
          														__eflags =  *_t368;
          														goto L112;
          													} else {
          														L117:
          														goto L109;
          													}
          												}
          												L103:
          												__ecx =  *(__ebp - 0xc);
          												__ebx = __ebx + __ebx;
          												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
          												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
          												 *(__ebp - 0x44) = __ebx;
          												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
          													__ecx =  *(__ebp - 0x10);
          													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
          													__ebx = __ebx | 0x00000001;
          													__eflags = __ebx;
          													 *(__ebp - 0x44) = __ebx;
          												}
          												__eflags =  *(__ebp - 0x10) - 0x1000000;
          												if( *(__ebp - 0x10) >= 0x1000000) {
          													L101:
          													_t338 = __ebp - 0x48;
          													 *_t338 =  *(__ebp - 0x48) - 1;
          													__eflags =  *_t338;
          													goto L102;
          												} else {
          													L106:
          													goto L99;
          												}
          											}
          											L96:
          											__edx =  *(__ebp - 4);
          											__eax = __eax - __ebx;
          											 *(__ebp - 0x40) = __ecx;
          											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
          											goto L108;
          										case 0x1a:
          											L56:
          											__eflags =  *(__ebp - 0x64);
          											if( *(__ebp - 0x64) == 0) {
          												L162:
          												 *(__ebp - 0x88) = 0x1a;
          												goto L170;
          											}
          											L57:
          											__ecx =  *(__ebp - 0x68);
          											__al =  *(__ebp - 0x5c);
          											__edx =  *(__ebp - 8);
          											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
          											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
          											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
          											 *( *(__ebp - 0x68)) = __al;
          											__ecx =  *(__ebp - 0x14);
          											 *(__ecx +  *(__ebp - 8)) = __al;
          											__eax = __ecx + 1;
          											__edx = 0;
          											_t192 = __eax %  *(__ebp - 0x74);
          											__eax = __eax /  *(__ebp - 0x74);
          											__edx = _t192;
          											goto L80;
          										case 0x1b:
          											L76:
          											__eflags =  *(__ebp - 0x64);
          											if( *(__ebp - 0x64) == 0) {
          												L163:
          												 *(__ebp - 0x88) = 0x1b;
          												goto L170;
          											}
          											L77:
          											__eax =  *(__ebp - 0x14);
          											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
          											__eflags = __eax -  *(__ebp - 0x74);
          											if(__eax >=  *(__ebp - 0x74)) {
          												__eax = __eax +  *(__ebp - 0x74);
          												__eflags = __eax;
          											}
          											__edx =  *(__ebp - 8);
          											__cl =  *(__eax + __edx);
          											__eax =  *(__ebp - 0x14);
          											 *(__ebp - 0x5c) = __cl;
          											 *(__eax + __edx) = __cl;
          											__eax = __eax + 1;
          											__edx = 0;
          											_t275 = __eax %  *(__ebp - 0x74);
          											__eax = __eax /  *(__ebp - 0x74);
          											__edx = _t275;
          											__eax =  *(__ebp - 0x68);
          											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
          											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
          											_t284 = __ebp - 0x64;
          											 *_t284 =  *(__ebp - 0x64) - 1;
          											__eflags =  *_t284;
          											 *( *(__ebp - 0x68)) = __cl;
          											L80:
          											 *(__ebp - 0x14) = __edx;
          											goto L81;
          										case 0x1c:
          											while(1) {
          												L123:
          												__eflags =  *(__ebp - 0x64);
          												if( *(__ebp - 0x64) == 0) {
          													break;
          												}
          												L124:
          												__eax =  *(__ebp - 0x14);
          												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
          												__eflags = __eax -  *(__ebp - 0x74);
          												if(__eax >=  *(__ebp - 0x74)) {
          													__eax = __eax +  *(__ebp - 0x74);
          													__eflags = __eax;
          												}
          												__edx =  *(__ebp - 8);
          												__cl =  *(__eax + __edx);
          												__eax =  *(__ebp - 0x14);
          												 *(__ebp - 0x5c) = __cl;
          												 *(__eax + __edx) = __cl;
          												__eax = __eax + 1;
          												__edx = 0;
          												_t414 = __eax %  *(__ebp - 0x74);
          												__eax = __eax /  *(__ebp - 0x74);
          												__edx = _t414;
          												__eax =  *(__ebp - 0x68);
          												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
          												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
          												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
          												__eflags =  *(__ebp - 0x30);
          												 *( *(__ebp - 0x68)) = __cl;
          												 *(__ebp - 0x14) = _t414;
          												if( *(__ebp - 0x30) > 0) {
          													continue;
          												} else {
          													L127:
          													L81:
          													 *(__ebp - 0x88) = 2;
          													goto L1;
          												}
          											}
          											L167:
          											 *(__ebp - 0x88) = 0x1c;
          											goto L170;
          									}
          								}
          								L171:
          								_t539 = _t538 | 0xffffffff;
          								goto L172;
          							}
          						}
          					}
          				}
          			}
















          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 8ad8b3a7fce677aa33c13c02e3180aa90519ee056083dbfcd0f6a1ae91265e6c
          • Instruction ID: 95af8839098f806f541805b71f16133a603fad5641f47eebb8f014e75b9041d1
          • Opcode Fuzzy Hash: 8ad8b3a7fce677aa33c13c02e3180aa90519ee056083dbfcd0f6a1ae91265e6c
          • Instruction Fuzzy Hash: 58A13371D00229CBDF28CFA8C8447ADBBB1FF44305F25856AD856BB281D7789A86DF44
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b486484d64dd4cde6c37fee08c13c94b86683911648eeb5affe32ba80e56590e
          • Instruction ID: 736e54d1ea8bc2ffbcc58a3ee687e8f06aed80bce92bf0dad63538ea203c4f31
          • Opcode Fuzzy Hash: b486484d64dd4cde6c37fee08c13c94b86683911648eeb5affe32ba80e56590e
          • Instruction Fuzzy Hash: 77913271D00229CBDF28CF98C844BADBBB1FF44305F15816AD856BB281D7789A86DF54
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
          • Instruction ID: c975835c63a62796fcb7e955cfffcd5e326eaa1512836fcadbce1623bdfadb04
          • Opcode Fuzzy Hash: a5c1a6d88fbf3736e083e35a306841f5f7567a3339756a66f66144e6d7487cc4
          • Instruction Fuzzy Hash: AF816671D00229CFDF24CFA8C8447AEBBB1FB44305F25816AD856BB281C7789A86DF54
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
          • Instruction ID: 0ba87498709856dc17a0c5f751d6ecfe3ae25d7b1153355424f504aba8ac83cf
          • Opcode Fuzzy Hash: 797fef13bb3e8e171cff3cae9b41bd7abdeca14a353df9249488f574514014e3
          • Instruction Fuzzy Hash: B4817772D04229CBDF24CFA8C8447AEBBB0FB44305F25816AD856BB2C0D7785A86DF44
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
          • Instruction ID: 47c5cb8fc101d284839cddc633a7ca9263ac2e2456f843b1234a04abf02d33d1
          • Opcode Fuzzy Hash: ab0e96aa9de7783a5fbfa8537471c17f47562fab6ccc56c1d015952012775d3a
          • Instruction Fuzzy Hash: 0C713371D00229CBDF28CFA8C844BADBBF1FB44305F15806AD816BB281D7785A86DF54
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
          • Instruction ID: aa40489b15165fca9e2d73c9723ecf3d5b4a768092768a0400057c9dc9ec6b69
          • Opcode Fuzzy Hash: 204a14aa4723f8bacec733d7555320540fe203445ac57d520a52ca53e11fdb0c
          • Instruction Fuzzy Hash: F6714471D04229CFDF28CF98C844BAEBBB1FB44305F25816AD816BB281D7785A86DF54
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegOpenKeyExA.KERNEL32(80000002,00405B00,00000000,00000002,?,00000002,00292341,?,00405B00,80000002,Software\Microsoft\Windows\CurrentVersion,00292341,0x0201,006B61F9), ref: 004058ED
          • RegQueryValueExA.KERNEL32(00292341,?,00000000,00405B00,00292341,00405B00), ref: 0040590E
          • RegCloseKey.KERNEL32(?), ref: 0040592F
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CloseOpenQueryValue
          • String ID:
          • API String ID: 3677997916-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetPrivateProfileStringA.KERNEL32(00000000,?,!N~,?,000003FF,00000000), ref: 00402297
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: PrivateProfileString
          • String ID: !N~
          • API String ID: 1096422788-529124213
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ErrorImageLastLoad
          • String ID:
          • API String ID: 2189606529-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 00402B00: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
          • RegQueryValueExA.ADVAPI32(00000000,00000000,?,000003FF,?,?,?,?,00000033), ref: 004023DF
          • RegCloseKey.ADVAPI32(?,?,?,0040A350,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CloseOpenQueryValue
          • String ID:
          • API String ID: 3677997916-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend
          • String ID:
          • API String ID: 3850602802-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
          • KiUserCallbackDispatcher.NTDLL(00000000,00000000), ref: 00401DB6
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CallbackDispatcherShowUserWindow
          • String ID:
          • API String ID: 82835404-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E10001161(CHAR* _a4) {
          				void* _t6;
          
          				_t4 = _a4;
          				_t6 = LoadImageA(GetModuleHandleA(0), _a4, 0, 0, 0, ((0 |  *_t4 != 0x00000023) - 0x00000001 & 0x00007ff0) + 0x10); // executed
          				return _t6;
          			}





          APIs
          • GetModuleHandleA.KERNEL32(00000000,00000104,00000000,00000000,00000000,-00000011,10001396,?,?,00000104), ref: 1000117F
          • LoadImageA.USER32 ref: 10001186
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: HandleImageLoadModule
          • String ID:
          • API String ID: 2603579926-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,80000000,00000003), ref: 004056B8
          • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004056DA
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: File$AttributesCreate
          • String ID:
          • API String ID: 415043291-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetFileAttributesA.KERNEL32(?,004054A0,?,?,?), ref: 00405699
          • SetFileAttributesA.KERNEL32(?,00000000), ref: 004056AB
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: AttributesFile
          • String ID:
          • API String ID: 3188754299-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00402EA7,000000FF,00000004,00000000,00000000,00000000), ref: 00403065
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FileRead
          • String ID:
          • API String ID: 2738559852-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RegOpenKeyExA.KERNEL32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B28
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Open
          • String ID:
          • API String ID: 71445658-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			_entry_(intOrPtr _a4, intOrPtr _a8) {
          
          				 *0x3084038 = _a4;
          				if(_a8 == 1) {
          					VirtualProtect(0x308404c, 4, 0x40, 0x308403c); // executed
          					 *0x308404c = 0xc2;
          					 *0x308403c = 0;
          					 *0x3084044 = 0;
          					 *0x3084054 = 0;
          					 *0x3084048 = 0;
          					 *0x3084040 = 0;
          					 *0x308404e = 0;
          				}
          				return 1;
          			}




          APIs
          • VirtualProtect.KERNELBASE(0308404C,00000004,00000040,0308403C), ref: 0308294E
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ProtectVirtual
          • String ID:
          • API String ID: 544645111-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ItemText
          • String ID:
          • API String ID: 3367045223-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DE9,000395E4), ref: 0040308E
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FilePointer
          • String ID:
          • API String ID: 973152223-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0308276E(intOrPtr _a4) {
          				void* _t10;
          				intOrPtr* _t11;
          				char* _t12;
          				intOrPtr _t17;
          
          				_t17 = _a4;
          				if( *(_t17 + 0x80c) == 0) {
          					 *0x3084040 =  *0x3084040 + 1;
          					 *(_t17 + 0x810) =  *(_t17 + 0x810) | 0x00000002;
          					 *((intOrPtr*)(_t17 + 0x1498)) =  *0x3084040;
          					_t10 = VirtualAlloc(0, 0xa, 0x1000, 0x40); // executed
          					 *(_t17 + 0x80c) = _t10;
          					 *_t10 = 0xb8;
          					_t11 = _t10 + 1;
          					 *_t11 = _t17;
          					_t12 = _t11 + 4;
          					 *_t12 = 0xe9;
          					 *((intOrPtr*)(_t12 + 1)) = E030813E7 - _t12 + 1 - 4;
          				}
          				return  *(_t17 + 0x80c);
          			}








          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000000A,00001000,00000040,00000818,0308250F,00000000,?), ref: 0308279F
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E03081541() {
          				void* _t1;
          
          				_t1 = GlobalAlloc(0x40,  *0x3084058); // executed
          				return _t1;
          			}





          APIs
          • GlobalAlloc.KERNELBASE(00000040,03081577,?,?,03081804,?,03081017), ref: 03081549
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: AllocGlobal
          • String ID:
          • API String ID: 3761449716-0
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          C-Code - Quality: 98%
          			E004046CA(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
          				struct HWND__* _v8;
          				struct HWND__* _v12;
          				signed int _v16;
          				intOrPtr _v20;
          				void* _v24;
          				long _v28;
          				int _v32;
          				signed int _v40;
          				int _v44;
          				signed int* _v56;
          				intOrPtr _v60;
          				signed int _v64;
          				long _v68;
          				void* _v72;
          				intOrPtr _v76;
          				intOrPtr _v80;
          				void* _v84;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				struct HWND__* _t182;
          				intOrPtr _t183;
          				int _t189;
          				int _t196;
          				intOrPtr _t198;
          				long _t202;
          				signed int _t206;
          				signed int _t217;
          				void* _t220;
          				void* _t221;
          				int _t227;
          				intOrPtr _t231;
          				signed int _t232;
          				signed int _t233;
          				signed int _t240;
          				signed int _t242;
          				signed int _t245;
          				signed int _t247;
          				struct HBITMAP__* _t250;
          				void* _t252;
          				char* _t268;
          				signed char _t269;
          				long _t274;
          				int _t280;
          				signed int* _t281;
          				int _t282;
          				long _t283;
          				signed int* _t284;
          				int _t285;
          				long _t286;
          				signed int _t287;
          				long _t288;
          				signed int _t291;
          				int _t294;
          				signed int _t298;
          				signed int _t300;
          				signed int _t302;
          				intOrPtr _t309;
          				int* _t310;
          				void* _t311;
          				int _t315;
          				int _t316;
          				int _t317;
          				signed int _t318;
          				void* _t320;
          				void* _t328;
          				void* _t331;
          
          				_v12 = GetDlgItem(_a4, 0x3f9);
          				_t182 = GetDlgItem(_a4, 0x408);
          				_t280 =  *0x423ea8; // 0x687734
          				_t320 = SendMessageA;
          				_v8 = _t182;
          				_t183 =  *0x423e90; // 0x687488
          				_t315 = 0;
          				_v32 = _t280;
          				_v20 = _t183 + 0x94;
          				if(_a8 != 0x110) {
          					L23:
          					__eflags = _a8 - 0x405;
          					if(_a8 != 0x405) {
          						_t289 = _a16;
          					} else {
          						_a12 = _t315;
          						_t289 = 1;
          						_a8 = 0x40f;
          						_a16 = 1;
          					}
          					__eflags = _a8 - 0x4e;
          					if(_a8 == 0x4e) {
          						L28:
          						__eflags = _a8 - 0x413;
          						_v16 = _t289;
          						if(_a8 == 0x413) {
          							L30:
          							__eflags =  *0x423e99 & 0x00000002;
          							if(( *0x423e99 & 0x00000002) != 0) {
          								L41:
          								__eflags = _v16 - _t315;
          								if(_v16 != _t315) {
          									_t232 = _v16;
          									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
          									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
          										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
          									}
          									_t233 = _v16;
          									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
          									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
          										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
          										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
          											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
          											 *_t284 =  *_t284 & 0xffffffdf;
          											__eflags =  *_t284;
          										} else {
          											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
          										}
          									}
          								}
          								goto L48;
          							}
          							__eflags = _a8 - 0x413;
          							if(_a8 == 0x413) {
          								L33:
          								__eflags = _a8 - 0x413;
          								_t289 = 0 | _a8 != 0x00000413;
          								_t240 = E0040464A(_v8, _a8 != 0x413);
          								__eflags = _t240 - _t315;
          								if(_t240 >= _t315) {
          									_t93 = _t280 + 8; // 0x8
          									_t310 = _t240 * 0x418 + _t93;
          									_t289 =  *_t310;
          									__eflags = _t289 & 0x00000010;
          									if((_t289 & 0x00000010) == 0) {
          										__eflags = _t289 & 0x00000040;
          										if((_t289 & 0x00000040) == 0) {
          											_t298 = _t289 ^ 0x00000001;
          											__eflags = _t298;
          										} else {
          											_t300 = _t289 ^ 0x00000080;
          											__eflags = _t300;
          											if(_t300 >= 0) {
          												_t298 = _t300 & 0xfffffffe;
          											} else {
          												_t298 = _t300 | 0x00000001;
          											}
          										}
          										 *_t310 = _t298;
          										E0040117D(_t240);
          										_t242 =  *0x423e98; // 0x81
          										_t289 = 1;
          										_a8 = 0x40f;
          										_t245 =  !_t242 >> 0x00000008 & 1;
          										__eflags = _t245;
          										_a12 = 1;
          										_a16 = _t245;
          									}
          								}
          								goto L41;
          							}
          							_t289 = _a16;
          							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
          							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
          								goto L41;
          							}
          							goto L33;
          						}
          						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
          						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
          							goto L48;
          						}
          						goto L30;
          					} else {
          						__eflags = _a8 - 0x413;
          						if(_a8 != 0x413) {
          							L48:
          							__eflags = _a8 - 0x111;
          							if(_a8 != 0x111) {
          								L56:
          								__eflags = _a8 - 0x200;
          								if(_a8 == 0x200) {
          									SendMessageA(_v8, 0x200, _t315, _t315);
          								}
          								__eflags = _a8 - 0x40b;
          								if(_a8 == 0x40b) {
          									_t220 =  *0x420454;
          									__eflags = _t220 - _t315;
          									if(_t220 != _t315) {
          										ImageList_Destroy(_t220);
          									}
          									_t221 =  *0x42046c;
          									__eflags = _t221 - _t315;
          									if(_t221 != _t315) {
          										GlobalFree(_t221);
          									}
          									 *0x420454 = _t315;
          									 *0x42046c = _t315;
          									 *0x423ee0 = _t315;
          								}
          								__eflags = _a8 - 0x40f;
          								if(_a8 != 0x40f) {
          									L86:
          									__eflags = _a8 - 0x420;
          									if(_a8 == 0x420) {
          										__eflags =  *0x423e99 & 0x00000001;
          										if(( *0x423e99 & 0x00000001) != 0) {
          											__eflags = _a16 - 0x20;
          											_t189 = (0 | _a16 == 0x00000020) << 3;
          											__eflags = _t189;
          											_t316 = _t189;
          											ShowWindow(_v8, _t316);
          											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
          										}
          									}
          									goto L89;
          								} else {
          									E004011EF(_t289, _t315, _t315);
          									__eflags = _a12 - _t315;
          									if(_a12 != _t315) {
          										E0040140B(8);
          									}
          									__eflags = _a16 - _t315;
          									if(_a16 == _t315) {
          										L73:
          										E004011EF(_t289, _t315, _t315);
          										__eflags =  *0x423eac - _t315; // 0x6
          										_v32 =  *0x42046c;
          										_t196 =  *0x423ea8; // 0x687734
          										_v60 = 0xf030;
          										_v16 = _t315;
          										if(__eflags <= 0) {
          											L84:
          											InvalidateRect(_v8, _t315, 1);
          											_t198 =  *0x42365c; // 0x6c43be
          											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
          											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
          												E00404568(0x3ff, 0xfffffffb, E0040461D(5));
          											}
          											goto L86;
          										} else {
          											_t142 = _t196 + 8; // 0x68773c
          											_t281 = _t142;
          											do {
          												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
          												__eflags = _t202 - _t315;
          												if(_t202 != _t315) {
          													_t291 =  *_t281;
          													_v68 = _t202;
          													__eflags = _t291 & 0x00000001;
          													_v72 = 8;
          													if((_t291 & 0x00000001) != 0) {
          														_t151 =  &(_t281[4]); // 0x68774c
          														_v72 = 9;
          														_v56 = _t151;
          														_t154 =  &(_t281[0]);
          														 *_t154 = _t281[0] & 0x000000fe;
          														__eflags =  *_t154;
          													}
          													__eflags = _t291 & 0x00000040;
          													if((_t291 & 0x00000040) == 0) {
          														_t206 = (_t291 & 0x00000001) + 1;
          														__eflags = _t291 & 0x00000010;
          														if((_t291 & 0x00000010) != 0) {
          															_t206 = _t206 + 3;
          															__eflags = _t206;
          														}
          													} else {
          														_t206 = 3;
          													}
          													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
          													__eflags = _t294;
          													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
          													SendMessageA(_v8, 0x1102, _t294, _v68);
          													SendMessageA(_v8, 0x110d, _t315,  &_v72);
          												}
          												_v16 = _v16 + 1;
          												_t281 =  &(_t281[0x106]);
          												__eflags = _v16 -  *0x423eac; // 0x6
          											} while (__eflags < 0);
          											goto L84;
          										}
          									} else {
          										_t282 = E004012E2( *0x42046c);
          										E00401299(_t282);
          										_t217 = 0;
          										_t289 = 0;
          										__eflags = _t282 - _t315;
          										if(_t282 <= _t315) {
          											L72:
          											SendMessageA(_v12, 0x14e, _t289, _t315);
          											_a16 = _t282;
          											_a8 = 0x420;
          											goto L73;
          										} else {
          											goto L69;
          										}
          										do {
          											L69:
          											_t309 = _v20;
          											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
          											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
          												_t289 = _t289 + 1;
          												__eflags = _t289;
          											}
          											_t217 = _t217 + 1;
          											__eflags = _t217 - _t282;
          										} while (_t217 < _t282);
          										goto L72;
          									}
          								}
          							}
          							__eflags = _a12 - 0x3f9;
          							if(_a12 != 0x3f9) {
          								goto L89;
          							}
          							__eflags = _a12 >> 0x10 - 1;
          							if(_a12 >> 0x10 != 1) {
          								goto L89;
          							}
          							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
          							__eflags = _t227 - 0xffffffff;
          							if(_t227 == 0xffffffff) {
          								goto L89;
          							}
          							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
          							__eflags = _t283 - 0xffffffff;
          							if(_t283 == 0xffffffff) {
          								L54:
          								_t283 = 0x20;
          								L55:
          								E00401299(_t283);
          								SendMessageA(_a4, 0x420, _t315, _t283);
          								_a12 = 1;
          								_a16 = _t315;
          								_a8 = 0x40f;
          								goto L56;
          							}
          							_t231 = _v20;
          							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
          							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
          								goto L55;
          							}
          							goto L54;
          						}
          						goto L28;
          					}
          				} else {
          					 *0x423ee0 = _a4;
          					_t247 =  *0x423eac; // 0x6
          					_t285 = 2;
          					_v28 = 0;
          					_v16 = _t285;
          					 *0x42046c = GlobalAlloc(0x40, _t247 << 2);
          					_t250 = LoadBitmapA( *0x423e80, 0x6e);
          					 *0x420460 =  *0x420460 | 0xffffffff;
          					_v24 = _t250;
          					 *0x420468 = SetWindowLongA(_v8, 0xfffffffc, E00404CCB);
          					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
          					 *0x420454 = _t252;
          					ImageList_AddMasked(_t252, _v24, 0xff00ff);
          					SendMessageA(_v8, 0x1109, _t285,  *0x420454);
          					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
          						SendMessageA(_v8, 0x111b, 0x10, 0);
          					}
          					DeleteObject(_v24);
          					_t286 = 0;
          					do {
          						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
          						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
          							if(_t286 != 0x20) {
          								_v16 = _t315;
          							}
          							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059FF(_t286, _t315, _t320, _t315, _t258)), _t286);
          						}
          						_t286 = _t286 + 1;
          					} while (_t286 < 0x21);
          					_t317 = _a16;
          					_t287 = _v16;
          					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
          					_push(0x15);
          					E00403D8F(_a4);
          					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
          					_push(0x16);
          					E00403D8F(_a4);
          					_t318 = 0;
          					_t288 = 0;
          					_t328 =  *0x423eac - _t318; // 0x6
          					if(_t328 <= 0) {
          						L19:
          						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
          						goto L20;
          					} else {
          						_t311 = _v32 + 8;
          						_v24 = _t311;
          						do {
          							_t268 = _t311 + 0x10;
          							if( *_t268 != 0) {
          								_v60 = _t268;
          								_t269 =  *_t311;
          								_t302 = 0x20;
          								_v84 = _t288;
          								_v80 = 0xffff0002;
          								_v76 = 0xd;
          								_v64 = _t302;
          								_v40 = _t318;
          								_v68 = _t269 & _t302;
          								if((_t269 & 0x00000002) == 0) {
          									__eflags = _t269 & 0x00000004;
          									if((_t269 & 0x00000004) == 0) {
          										 *( *0x42046c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
          									} else {
          										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
          									}
          								} else {
          									_v76 = 0x4d;
          									_v44 = 1;
          									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
          									_v28 = 1;
          									 *( *0x42046c + _t318 * 4) = _t274;
          									_t288 =  *( *0x42046c + _t318 * 4);
          								}
          							}
          							_t318 = _t318 + 1;
          							_t311 = _v24 + 0x418;
          							_t331 = _t318 -  *0x423eac; // 0x6
          							_v24 = _t311;
          						} while (_t331 < 0);
          						if(_v28 != 0) {
          							L20:
          							if(_v16 != 0) {
          								E00403DC4(_v8);
          								_t280 = _v32;
          								_t315 = 0;
          								__eflags = 0;
          								goto L23;
          							} else {
          								ShowWindow(_v12, 5);
          								E00403DC4(_v12);
          								L89:
          								return E00403DF6(_a8, _a12, _a16);
          							}
          						}
          						goto L19;
          					}
          				}
          			}

          APIs
          • GetDlgItem.USER32 ref: 004046E1
          • GetDlgItem.USER32 ref: 004046EE
          • GlobalAlloc.KERNEL32(00000040,00000006), ref: 0040473A
          • LoadBitmapA.USER32 ref: 0040474D
          • SetWindowLongA.USER32 ref: 00404767
          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040477B
          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 0040478F
          • SendMessageA.USER32(?,00001109,00000002), ref: 004047A4
          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047B0
          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047C2
          • DeleteObject.GDI32(?), ref: 004047C7
          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047F2
          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047FE
          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404893
          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048BE
          • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048D2
          • GetWindowLongA.USER32 ref: 00404901
          • SetWindowLongA.USER32 ref: 0040490F
          • ShowWindow.USER32(?,00000005), ref: 00404920
          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A23
          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A88
          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A9D
          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AC1
          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AE7
          • ImageList_Destroy.COMCTL32(?), ref: 00404AFC
          • GlobalFree.KERNEL32 ref: 00404B0C
          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B7C
          • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C25
          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C34
          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C54
          • ShowWindow.USER32(?,00000000), ref: 00404CA2
          • GetDlgItem.USER32 ref: 00404CAD
          • ShowWindow.USER32(00000000), ref: 00404CB4
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
          • String ID: $4wh$M$N
          • API String ID: 1638840714-3440628190
          • Opcode ID: 290dd55b7ddd8d79f284e979b99eede8a94e8f4a12f58f36ef6b28206c7d1244
          • Instruction ID: 1ebc4e1f5dd1db854d7f91ec63dfd1d34711f9484ded547680f267f962745bc2
          • Opcode Fuzzy Hash: 290dd55b7ddd8d79f284e979b99eede8a94e8f4a12f58f36ef6b28206c7d1244
          • Instruction Fuzzy Hash: 0802ADB0A00208EFDB20DF65DC45AAE7BB5FB84315F10817AF610BA2E1D7799A41CF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 96%
          			E00404EB9(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
          				struct HWND__* _v8;
          				long _v12;
          				struct tagRECT _v28;
          				void* _v36;
          				signed int _v40;
          				int _v44;
          				int _v48;
          				signed int _v52;
          				int _v56;
          				void* _v60;
          				void* _v68;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				long _t87;
          				unsigned int _t92;
          				unsigned int _t93;
          				int _t94;
          				int _t95;
          				long _t98;
          				void* _t101;
          				intOrPtr _t123;
          				struct HWND__* _t127;
          				int _t149;
          				int _t150;
          				struct HWND__* _t154;
          				struct HWND__* _t158;
          				struct HMENU__* _t160;
          				long _t162;
          				void* _t163;
          				short* _t164;
          
          				_t154 =  *0x423664; // 0x0
          				_t149 = 0;
          				_v8 = _t154;
          				if(_a8 != 0x110) {
          					__eflags = _a8 - 0x405;
          					if(_a8 == 0x405) {
          						CloseHandle(CreateThread(0, 0, E00404E4D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
          					}
          					__eflags = _a8 - 0x111;
          					if(_a8 != 0x111) {
          						L17:
          						__eflags = _a8 - 0x404;
          						if(_a8 != 0x404) {
          							L25:
          							__eflags = _a8 - 0x7b;
          							if(_a8 != 0x7b) {
          								goto L20;
          							}
          							__eflags = _a12 - _t154;
          							if(_a12 != _t154) {
          								goto L20;
          							}
          							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
          							__eflags = _t87 - _t149;
          							_a8 = _t87;
          							if(_t87 <= _t149) {
          								L37:
          								return 0;
          							}
          							_t160 = CreatePopupMenu();
          							AppendMenuA(_t160, _t149, 1, E004059FF(_t149, _t154, _t160, _t149, 0xffffffe1));
          							_t92 = _a16;
          							__eflags = _t92 - 0xffffffff;
          							if(_t92 != 0xffffffff) {
          								_t150 = _t92;
          								_t93 = _t92 >> 0x10;
          								__eflags = _t93;
          								_t94 = _t93;
          							} else {
          								GetWindowRect(_t154,  &_v28);
          								_t150 = _v28.left;
          								_t94 = _v28.top;
          							}
          							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
          							_t162 = 1;
          							__eflags = _t95 - 1;
          							if(_t95 == 1) {
          								_v60 = _t149;
          								_v48 = 0x420478;
          								_v44 = 0xfff;
          								_a4 = _a8;
          								do {
          									_a4 = _a4 - 1;
          									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
          									__eflags = _a4 - _t149;
          									_t162 = _t162 + _t98 + 2;
          								} while (_a4 != _t149);
          								OpenClipboard(_t149);
          								EmptyClipboard();
          								_t101 = GlobalAlloc(0x42, _t162);
          								_a4 = _t101;
          								_t163 = GlobalLock(_t101);
          								do {
          									_v48 = _t163;
          									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
          									 *_t164 = 0xa0d;
          									_t163 = _t164 + 2;
          									_t149 = _t149 + 1;
          									__eflags = _t149 - _a8;
          								} while (_t149 < _a8);
          								GlobalUnlock(_a4);
          								SetClipboardData(1, _a4);
          								CloseClipboard();
          							}
          							goto L37;
          						}
          						__eflags =  *0x42364c - _t149; // 0x0
          						if(__eflags == 0) {
          							ShowWindow( *0x423e88, 8);
          							__eflags =  *0x423f0c - _t149; // 0x0
          							if(__eflags == 0) {
          								E00404D7B( *((intOrPtr*)( *0x41fc48 + 0x34)), _t149);
          							}
          							E00403D68(1);
          							goto L25;
          						}
          						 *0x41f840 = 2;
          						E00403D68(0x78);
          						goto L20;
          					} else {
          						__eflags = _a12 - 0x403;
          						if(_a12 != 0x403) {
          							L20:
          							return E00403DF6(_a8, _a12, _a16);
          						}
          						ShowWindow( *0x423650, _t149);
          						ShowWindow(_t154, 8);
          						E00403DC4(_t154);
          						goto L17;
          					}
          				}
          				_v52 = _v52 | 0xffffffff;
          				_v40 = _v40 | 0xffffffff;
          				_v60 = 2;
          				_v56 = 0;
          				_v48 = 0;
          				_v44 = 0;
          				asm("stosd");
          				asm("stosd");
          				_t123 =  *0x423e90; // 0x687488
          				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
          				_a12 =  *((intOrPtr*)(_t123 + 0x60));
          				 *0x423650 = GetDlgItem(_a4, 0x403);
          				 *0x423648 = GetDlgItem(_a4, 0x3ee);
          				_t127 = GetDlgItem(_a4, 0x3f8);
          				 *0x423664 = _t127;
          				_v8 = _t127;
          				E00403DC4( *0x423650);
          				 *0x423654 = E0040461D(4);
          				 *0x42366c = 0;
          				GetClientRect(_v8,  &_v28);
          				_v52 = _v28.right - GetSystemMetrics(0x15);
          				SendMessageA(_v8, 0x101b, 0,  &_v60);
          				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
          				if(_a8 >= 0) {
          					SendMessageA(_v8, 0x1001, 0, _a8);
          					SendMessageA(_v8, 0x1026, 0, _a8);
          				}
          				if(_a12 >= _t149) {
          					SendMessageA(_v8, 0x1024, _t149, _a12);
          				}
          				_push( *((intOrPtr*)(_a16 + 0x30)));
          				_push(0x1b);
          				E00403D8F(_a4);
          				if(( *0x423e98 & 0x00000003) != 0) {
          					ShowWindow( *0x423650, _t149);
          					if(( *0x423e98 & 0x00000002) != 0) {
          						 *0x423650 = _t149;
          					} else {
          						ShowWindow(_v8, 8);
          					}
          					E00403DC4( *0x423648);
          				}
          				_t158 = GetDlgItem(_a4, 0x3ec);
          				SendMessageA(_t158, 0x401, _t149, 0x75300000);
          				if(( *0x423e98 & 0x00000004) != 0) {
          					SendMessageA(_t158, 0x409, _t149, _a12);
          					SendMessageA(_t158, 0x2001, _t149, _a8);
          				}
          				goto L37;
          			}

          APIs
          • GetDlgItem.USER32 ref: 00404F18
          • GetDlgItem.USER32 ref: 00404F27
          • GetClientRect.USER32 ref: 00404F64
          • GetSystemMetrics.USER32 ref: 00404F6C
          • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F8D
          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F9E
          • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FB1
          • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FBF
          • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FD2
          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404FF4
          • ShowWindow.USER32(?,00000008), ref: 00405008
          • GetDlgItem.USER32 ref: 00405029
          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405039
          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405052
          • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040505E
          • GetDlgItem.USER32 ref: 00404F36
            • Part of subcall function 00403DC4: SendMessageA.USER32(00000028,?,00000001,00403BF5), ref: 00403DD2
          • GetDlgItem.USER32 ref: 0040507B
          • CreateThread.KERNEL32 ref: 00405089
          • CloseHandle.KERNEL32(00000000), ref: 00405090
          • ShowWindow.USER32(00000000), ref: 004050B4
          • ShowWindow.USER32(00000000,00000008), ref: 004050B9
          • ShowWindow.USER32(00000008), ref: 00405100
          • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405132
          • CreatePopupMenu.USER32 ref: 00405143
          • AppendMenuA.USER32 ref: 00405158
          • GetWindowRect.USER32 ref: 0040516B
          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040518F
          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051CA
          • OpenClipboard.USER32(00000000), ref: 004051DA
          • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051E0
          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051E9
          • GlobalLock.KERNEL32 ref: 004051F3
          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405207
          • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040521F
          • SetClipboardData.USER32 ref: 0040522A
          • CloseClipboard.USER32 ref: 00405230
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
          • String ID: {
          • API String ID: 590372296-366298937
          • Opcode ID: a09508a77e82e9f2372ac60f1a12d9b87672f590a2102234efdf98f8fd5affeb
          • Instruction ID: d8c2bf4a41f8d47596d7e212a196e63f96e24a60825c263716f9721a4c55cacb
          • Opcode Fuzzy Hash: a09508a77e82e9f2372ac60f1a12d9b87672f590a2102234efdf98f8fd5affeb
          • Instruction Fuzzy Hash: 99A13A71900208BFDB219F60DD89EAE7F79FB04355F00817AFA04BA2A0C7799A51DF59
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 78%
          			E004041CD(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
          				signed int _v8;
          				struct HWND__* _v12;
          				long _v16;
          				long _v20;
          				char _v24;
          				long _v28;
          				char _v32;
          				intOrPtr _v36;
          				long _v40;
          				signed int _v44;
          				CHAR* _v52;
          				intOrPtr _v56;
          				intOrPtr _v60;
          				intOrPtr _v64;
          				CHAR* _v68;
          				void _v72;
          				char _v76;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				intOrPtr _t81;
          				long _t86;
          				signed char* _t88;
          				void* _t94;
          				signed int _t95;
          				signed short _t113;
          				signed int _t117;
          				char* _t122;
          				intOrPtr _t124;
          				intOrPtr* _t138;
          				signed int* _t145;
          				intOrPtr _t147;
          				signed int _t148;
          				signed int _t153;
          				struct HWND__* _t159;
          				CHAR* _t162;
          				int _t163;
          
          				_t81 =  *0x41fc48;
          				_v36 = _t81;
          				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
          				_v8 =  *((intOrPtr*)(_t81 + 0x38));
          				if(_a8 == 0x40b) {
          					E00405282(0x3fb, _t162);
          					E00405C3F(_t162);
          				}
          				if(_a8 != 0x110) {
          					L8:
          					if(_a8 != 0x111) {
          						L20:
          						if(_a8 == 0x40f) {
          							L22:
          							_v8 = _v8 & 0x00000000;
          							_v12 = _v12 & 0x00000000;
          							E00405282(0x3fb, _t162);
          							if(E004055B1(_t180, _t162) == 0) {
          								_v8 = 1;
          							}
          							E004059DD(0x41f440, _t162);
          							_t145 = 0;
          							_t86 = E00405CFF(0);
          							_v16 = _t86;
          							if(_t86 == 0) {
          								L31:
          								E004059DD(0x41f440, _t162);
          								_t88 = E00405564(0x41f440);
          								if(_t88 != _t145) {
          									 *_t88 =  *_t88 & 0x00000000;
          								}
          								if(GetDiskFreeSpaceA(0x41f440,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
          									_t153 = _a8;
          									goto L37;
          								} else {
          									_t163 = 0x400;
          									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
          									_v12 = 1;
          									goto L38;
          								}
          							} else {
          								if(0 == 0x41f440) {
          									L30:
          									_t145 = 0;
          									goto L31;
          								} else {
          									goto L26;
          								}
          								while(1) {
          									L26:
          									_t113 = _v16(0x41f440,  &_v44,  &_v24,  &_v32);
          									if(_t113 != 0) {
          										break;
          									}
          									if(_t145 != 0) {
          										 *_t145 =  *_t145 & _t113;
          									}
          									_t145 = E00405517(0x41f440) - 1;
          									 *_t145 = 0x5c;
          									if(_t145 != 0x41f440) {
          										continue;
          									} else {
          										goto L30;
          									}
          								}
          								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
          								_v12 = 1;
          								_t145 = 0;
          								L37:
          								_t163 = 0x400;
          								L38:
          								_t94 = E0040461D(5);
          								if(_v12 != _t145 && _t153 < _t94) {
          									_v8 = 2;
          								}
          								_t147 =  *0x42365c; // 0x6c43be
          								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
          									E00404568(0x3ff, 0xfffffffb, _t94);
          									if(_v12 == _t145) {
          										SetDlgItemTextA(_a4, _t163, 0x41f430);
          									} else {
          										E00404568(_t163, 0xfffffffc, _t153);
          									}
          								}
          								_t95 = _v8;
          								 *0x423f24 = _t95;
          								if(_t95 == _t145) {
          									_v8 = E0040140B(7);
          								}
          								if(( *(_v36 + 0x14) & _t163) != 0) {
          									_v8 = _t145;
          								}
          								E00403DB1(0 | _v8 == _t145);
          								if(_v8 == _t145 &&  *0x420464 == _t145) {
          									E00404162();
          								}
          								 *0x420464 = _t145;
          								goto L53;
          							}
          						}
          						_t180 = _a8 - 0x405;
          						if(_a8 != 0x405) {
          							goto L53;
          						}
          						goto L22;
          					}
          					_t117 = _a12 & 0x0000ffff;
          					if(_t117 != 0x3fb) {
          						L12:
          						if(_t117 == 0x3e9) {
          							_t148 = 7;
          							memset( &_v72, 0, _t148 << 2);
          							_v76 = _a4;
          							_v68 = 0x420478;
          							_v56 = E00404502;
          							_v52 = _t162;
          							_v64 = E004059FF(0x3fb, 0x420478, _t162, 0x41f848, _v8);
          							_t122 =  &_v76;
          							_v60 = 0x41;
          							__imp__SHBrowseForFolderA(_t122);
          							if(_t122 == 0) {
          								_a8 = 0x40f;
          							} else {
          								__imp__CoTaskMemFree(_t122);
          								E004054D0(_t162);
          								_t124 =  *0x423e90; // 0x687488
          								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
          								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Program Files (x86)\\Smart Professional Surveillance System") {
          									E004059FF(0x3fb, 0x420478, _t162, 0, _t125);
          									if(lstrcmpiA(0x422e20, 0x420478) != 0) {
          										lstrcatA(_t162, 0x422e20);
          									}
          								}
          								 *0x420464 =  &(( *0x420464)[0]);
          								SetDlgItemTextA(_a4, 0x3fb, _t162);
          							}
          						}
          						goto L20;
          					}
          					if(_a12 >> 0x10 != 0x300) {
          						goto L53;
          					}
          					_a8 = 0x40f;
          					goto L12;
          				} else {
          					_t159 = _a4;
          					_v12 = GetDlgItem(_t159, 0x3fb);
          					if(E0040553D(_t162) != 0 && E00405564(_t162) == 0) {
          						E004054D0(_t162);
          					}
          					 *0x423658 = _t159;
          					SetWindowTextA(_v12, _t162);
          					_push( *((intOrPtr*)(_a16 + 0x34)));
          					_push(1);
          					E00403D8F(_t159);
          					_push( *((intOrPtr*)(_a16 + 0x30)));
          					_push(0x14);
          					E00403D8F(_t159);
          					E00403DC4(_v12);
          					_t138 = E00405CFF(7);
          					if(_t138 == 0) {
          						L53:
          						return E00403DF6(_a8, _a12, _a16);
          					}
          					 *_t138(_v12, 1);
          					goto L8;
          				}
          			}

          APIs
          • GetDlgItem.USER32 ref: 00404219
          • SetWindowTextA.USER32(?,?), ref: 00404246
          • SHBrowseForFolderA.SHELL32(?,0041F848,?), ref: 004042FB
          • CoTaskMemFree.OLE32(00000000), ref: 00404306
          • lstrcmpiA.KERNEL32(0x0201,00420478,00000000,?,?), ref: 00404338
          • lstrcatA.KERNEL32(?,0x0201), ref: 00404344
          • SetDlgItemTextA.USER32 ref: 00404354
            • Part of subcall function 00405282: GetDlgItemTextA.USER32 ref: 00405295
            • Part of subcall function 00405C3F: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
            • Part of subcall function 00405C3F: CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
            • Part of subcall function 00405C3F: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
            • Part of subcall function 00405C3F: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
          • GetDiskFreeSpaceA.KERNEL32(0041F440,?,?,0000040F,?,0041F440,0041F440,?,00000000,0041F440,?,?,000003FB,?), ref: 0040440D
          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404428
          • SetDlgItemTextA.USER32 ref: 004044A1
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
          • String ID: 0x0201$3846$A$C:\Program Files (x86)\Smart Professional Surveillance System
          • API String ID: 2246997448-3049006804
          • Opcode ID: a142e54af386520f9d2602635ab12a68e63039edce206af8eee2d1a9afcc8c6d
          • Instruction ID: b374e158efdd7287bf49babe660ec8015a33fdd664c905072b33ae798ddb7db4
          • Opcode Fuzzy Hash: a142e54af386520f9d2602635ab12a68e63039edce206af8eee2d1a9afcc8c6d
          • Instruction Fuzzy Hash: 4C9175B1A00219ABDF11AFA1CC84AAF7AB8EF44354F10407BFA04B62D1D77C9A41DB59
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 74%
          			E00402020() {
          				void* _t44;
          				intOrPtr* _t48;
          				intOrPtr* _t50;
          				intOrPtr* _t52;
          				intOrPtr* _t54;
          				signed int _t58;
          				intOrPtr* _t59;
          				intOrPtr* _t62;
          				intOrPtr* _t64;
          				intOrPtr* _t66;
          				intOrPtr* _t69;
          				intOrPtr* _t71;
          				int _t75;
          				signed int _t81;
          				intOrPtr* _t88;
          				void* _t95;
          				void* _t96;
          				void* _t100;
          
          				 *(_t100 - 0x30) = E004029F6(0xfffffff0);
          				_t96 = E004029F6(0xffffffdf);
          				 *((intOrPtr*)(_t100 - 0x2c)) = E004029F6(2);
          				 *((intOrPtr*)(_t100 - 8)) = E004029F6(0xffffffcd);
          				 *((intOrPtr*)(_t100 - 0x44)) = E004029F6(0x45);
          				if(E0040553D(_t96) == 0) {
          					E004029F6(0x21);
          				}
          				_t44 = _t100 + 8;
          				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
          				if(_t44 < _t75) {
          					L13:
          					 *((intOrPtr*)(_t100 - 4)) = 1;
          					_push(0xfffffff0);
          				} else {
          					_t48 =  *((intOrPtr*)(_t100 + 8));
          					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
          					if(_t95 >= _t75) {
          						_t52 =  *((intOrPtr*)(_t100 + 8));
          						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
          						_t54 =  *((intOrPtr*)(_t100 + 8));
          						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nsy6C45.tmp\\Slides");
          						_t81 =  *(_t100 - 0x14);
          						_t58 = _t81 >> 0x00000008 & 0x000000ff;
          						if(_t58 != 0) {
          							_t88 =  *((intOrPtr*)(_t100 + 8));
          							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
          							_t81 =  *(_t100 - 0x14);
          						}
          						_t59 =  *((intOrPtr*)(_t100 + 8));
          						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
          						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
          							_t71 =  *((intOrPtr*)(_t100 + 8));
          							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
          						}
          						_t62 =  *((intOrPtr*)(_t100 + 8));
          						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
          						_t64 =  *((intOrPtr*)(_t100 + 8));
          						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
          						if(_t95 >= _t75) {
          							_t95 = 0x80004005;
          							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409348, 0x400) != 0) {
          								_t69 =  *((intOrPtr*)(_t100 - 0x34));
          								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409348, 1);
          							}
          						}
          						_t66 =  *((intOrPtr*)(_t100 - 0x34));
          						 *((intOrPtr*)( *_t66 + 8))(_t66);
          					}
          					_t50 =  *((intOrPtr*)(_t100 + 8));
          					 *((intOrPtr*)( *_t50 + 8))(_t50);
          					if(_t95 >= _t75) {
          						_push(0xfffffff4);
          					} else {
          						goto L13;
          					}
          				}
          				E00401423();
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t100 - 4));
          				return 0;
          			}

          APIs
          • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409348,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D
          Strings
          • C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides, xrefs: 004020AB
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ByteCharCreateInstanceMultiWide
          • String ID: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\Slides
          • API String ID: 123533781-166301797
          • Opcode ID: 71453fb45c89770e4f5e9780d50359adef83bdbe6145f3bfd3e7a5e9e412efc0
          • Instruction ID: ce0b4858a9f81ea3ddc308d80d774a06bef6b406c5dcff46aa6a4b0d76e862c7
          • Opcode Fuzzy Hash: 71453fb45c89770e4f5e9780d50359adef83bdbe6145f3bfd3e7a5e9e412efc0
          • Instruction Fuzzy Hash: AE418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FileFindFirst
          • String ID:
          • API String ID: 1974802433-0
          • Opcode ID: 7ce125ca612887df162c36b751337e4c26a37c050d4ffda7300b23609ce4967c
          • Instruction ID: 14dcf34609860af9969e045d3f077fc7a18bb2554c958aa599433bfc977b1d94
          • Opcode Fuzzy Hash: 7ce125ca612887df162c36b751337e4c26a37c050d4ffda7300b23609ce4967c
          • Instruction Fuzzy Hash: 86F0E572A04101DFD700EBB49E49AEEB778DF51328FA0067BF101F20C1D2B84A45DB2A
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E00403ED7(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
          				char* _v8;
          				signed int _v12;
          				void* _v16;
          				struct HWND__* _t52;
          				intOrPtr _t71;
          				intOrPtr _t85;
          				long _t86;
          				int _t98;
          				struct HWND__* _t99;
          				signed int _t100;
          				intOrPtr _t107;
          				intOrPtr _t109;
          				int _t110;
          				signed int* _t112;
          				signed int _t113;
          				char* _t114;
          				CHAR* _t115;
          
          				if(_a8 != 0x110) {
          					if(_a8 != 0x111) {
          						L11:
          						if(_a8 != 0x4e) {
          							if(_a8 == 0x40b) {
          								 *0x420458 =  *0x420458 + 1;
          							}
          							L25:
          							_t110 = _a16;
          							L26:
          							return E00403DF6(_a8, _a12, _t110);
          						}
          						_t52 = GetDlgItem(_a4, 0x3e8);
          						_t110 = _a16;
          						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
          							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
          							_t109 =  *((intOrPtr*)(_t110 + 0x18));
          							_v12 = _t100;
          							_v16 = _t109;
          							_v8 = 0x422e20;
          							if(_t100 - _t109 < 0x800) {
          								SendMessageA(_t52, 0x44b, 0,  &_v16);
          								SetCursor(LoadCursorA(0, 0x7f02));
          								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
          								SetCursor(LoadCursorA(0, 0x7f00));
          								_t110 = _a16;
          							}
          						}
          						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
          							goto L26;
          						} else {
          							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
          								SendMessageA( *0x423e88, 0x111, 1, 0);
          							}
          							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
          								SendMessageA( *0x423e88, 0x10, 0, 0);
          							}
          							return 1;
          						}
          					}
          					if(_a12 >> 0x10 != 0 ||  *0x420458 != 0) {
          						goto L25;
          					} else {
          						_t112 =  *0x41fc48 + 0x14;
          						if(( *_t112 & 0x00000020) == 0) {
          							goto L25;
          						}
          						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
          						E00403DB1(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
          						E00404162();
          						goto L11;
          					}
          				}
          				_t98 = _a16;
          				_t113 =  *(_t98 + 0x30);
          				if(_t113 < 0) {
          					_t107 =  *0x42365c; // 0x6c43be
          					_t113 =  *(_t107 - 4 + _t113 * 4);
          				}
          				_t71 =  *0x423eb8; // 0x6b61f8
          				_push( *((intOrPtr*)(_t98 + 0x34)));
          				_t114 = _t113 + _t71;
          				_push(0x22);
          				_a16 =  *_t114;
          				_v12 = _v12 & 0x00000000;
          				_t115 = _t114 + 1;
          				_v16 = _t115;
          				_v8 = E00403EA3;
          				E00403D8F(_a4);
          				_push( *((intOrPtr*)(_t98 + 0x38)));
          				_push(0x23);
          				E00403D8F(_a4);
          				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
          				E00403DB1( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
          				_t99 = GetDlgItem(_a4, 0x3e8);
          				E00403DC4(_t99);
          				SendMessageA(_t99, 0x45b, 1, 0);
          				_t85 =  *0x423e90; // 0x687488
          				_t86 =  *(_t85 + 0x68);
          				if(_t86 < 0) {
          					_t86 = GetSysColor( ~_t86);
          				}
          				SendMessageA(_t99, 0x443, 0, _t86);
          				SendMessageA(_t99, 0x445, 0, 0x4010000);
          				 *0x41f43c =  *0x41f43c & 0x00000000;
          				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
          				SendMessageA(_t99, 0x449, _a16,  &_v16);
          				 *0x420458 =  *0x420458 & 0x00000000;
          				return 0;
          			}





















          APIs
          • CheckDlgButton.USER32 ref: 00403F62
          • GetDlgItem.USER32 ref: 00403F76
          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403F94
          • GetSysColor.USER32(?), ref: 00403FA5
          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FB4
          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FC3
          • lstrlenA.KERNEL32(?), ref: 00403FCD
          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FDB
          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403FEA
          • GetDlgItem.USER32 ref: 0040404D
          • SendMessageA.USER32(00000000), ref: 00404050
          • GetDlgItem.USER32 ref: 0040407B
          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040BB
          • LoadCursorA.USER32 ref: 004040CA
          • SetCursor.USER32(00000000), ref: 004040D3
          • ShellExecuteA.SHELL32(0000070B,open, .B,00000000,00000000,00000001), ref: 004040E6
          • LoadCursorA.USER32 ref: 004040F3
          • SetCursor.USER32(00000000), ref: 004040F6
          • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404122
          • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404136
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
          • String ID: .B$0x0201$N$open
          • API String ID: 3615053054-3751034972
          • Opcode ID: da112c14776137c7bd89e7c73a234b8b17dddee6ca60b81d448b510bce2e22e9
          • Instruction ID: 4310844e4bc5412d85e0e67e924f78a0a7df87fdbfd2fc52009ff806257c2229
          • Opcode Fuzzy Hash: da112c14776137c7bd89e7c73a234b8b17dddee6ca60b81d448b510bce2e22e9
          • Instruction Fuzzy Hash: 3161A1B1A40209BFEB109F60DC45F6A7B69EB54715F108036FB05BA2D1C7B8E951CF98
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 90%
          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
          				struct tagLOGBRUSH _v16;
          				struct tagRECT _v32;
          				struct tagPAINTSTRUCT _v96;
          				struct HDC__* _t70;
          				struct HBRUSH__* _t87;
          				struct HFONT__* _t94;
          				long _t102;
          				intOrPtr _t115;
          				signed int _t126;
          				struct HDC__* _t128;
          				intOrPtr _t130;
          
          				if(_a8 == 0xf) {
          					_t130 =  *0x423e90; // 0x687488
          					_t70 = BeginPaint(_a4,  &_v96);
          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
          					_a8 = _t70;
          					GetClientRect(_a4,  &_v32);
          					_t126 = _v32.bottom;
          					_v32.bottom = _v32.bottom & 0x00000000;
          					while(_v32.top < _t126) {
          						_a12 = _t126 - _v32.top;
          						asm("cdq");
          						asm("cdq");
          						asm("cdq");
          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
          						_t87 = CreateBrushIndirect( &_v16);
          						_v32.bottom = _v32.bottom + 4;
          						_a16 = _t87;
          						FillRect(_a8,  &_v32, _t87);
          						DeleteObject(_a16);
          						_v32.top = _v32.top + 4;
          					}
          					if( *(_t130 + 0x58) != 0xffffffff) {
          						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
          						_a16 = _t94;
          						if(_t94 != 0) {
          							_t128 = _a8;
          							_v32.left = 0x10;
          							_v32.top = 8;
          							SetBkMode(_t128, 1);
          							SetTextColor(_t128,  *(_t130 + 0x58));
          							_a8 = SelectObject(_t128, _a16);
          							DrawTextA(_t128, "SmartPSS 2.002.0000007.0 Setup", 0xffffffff,  &_v32, 0x820);
          							SelectObject(_t128, _a8);
          							DeleteObject(_a16);
          						}
          					}
          					EndPaint(_a4,  &_v96);
          					return 0;
          				}
          				_t102 = _a16;
          				if(_a8 == 0x46) {
          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
          					_t115 =  *0x423e88; // 0x170228
          					 *((intOrPtr*)(_t102 + 4)) = _t115;
          				}
          				return DefWindowProcA(_a4, _a8, _a12, _t102);
          			}















          APIs
          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
          • BeginPaint.USER32(?,?), ref: 00401047
          • GetClientRect.USER32 ref: 0040105B
          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
          • FillRect.USER32 ref: 004010E4
          • DeleteObject.GDI32(?), ref: 004010ED
          • CreateFontIndirectA.GDI32(?), ref: 00401105
          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
          • SetTextColor.GDI32(00000000,?), ref: 00401130
          • SelectObject.GDI32(00000000,?), ref: 00401140
          • DrawTextA.USER32(00000000,SmartPSS 2.002.0000007.0 Setup,000000FF,00000010,00000820), ref: 00401156
          • SelectObject.GDI32(00000000,00000000), ref: 00401160
          • DeleteObject.GDI32(?), ref: 00401165
          • EndPaint.USER32(?,?), ref: 0040116E
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
          • String ID: F$SmartPSS 2.002.0000007.0 Setup
          • API String ID: 941294808-2735277122
          • Opcode ID: a16a50f16efb259b1f94ca86ef79a5d51e0f349a280e4e705ab109419a7a434d
          • Instruction ID: 87972a138d556bacb88ba9c7fcdf6f47da3ec758f00315b8b39b68d2b09e4b9a
          • Opcode Fuzzy Hash: a16a50f16efb259b1f94ca86ef79a5d51e0f349a280e4e705ab109419a7a434d
          • Instruction Fuzzy Hash: 6441BC71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C378EA54DFA5
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E03B210EF(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
          				char _v12;
          				intOrPtr _v36;
          				CHAR* _v44;
          				long _v56;
          				CHAR* _v60;
          				CHAR* _v76;
          				void _v84;
          				char _v88;
          				signed int _t33;
          				signed char _t34;
          				CHAR* _t35;
          				int _t38;
          				int _t43;
          				signed int _t48;
          				void* _t55;
          
          				_t48 = 0x12;
          				memset( &_v84, 0, _t48 << 2);
          				 *0x3b250dc = _a8;
          				 *0x3b250e0 = _a16;
          				 *0x3b250e4 = _a12;
          				_v84 = _a4;
          				_v88 = 0x4c;
          				_v76 = 0x3b244a0;
          				_v60 = 0x3b248a0;
          				_v56 = 0x400;
          				_v36 = 0x82000;
          				E03B21DD9( &_v12, 5);
          				E03B21DD9(0x3b248a0, 0x400);
          				E03B21DD9(0x3b244a0, 0x400);
          				_t33 = lstrcmpiA( &_v12, "save");
          				asm("sbb edi, edi");
          				_t55 =  ~_t33 + 1;
          				_t34 = GetFileAttributesA(0x3b248a0);
          				if(_t34 != 0xffffffff && (_t34 & 0x00000010) != 0) {
          					lstrcpyA(0x3b24ca0, 0x3b248a0);
          					 *0x3b248a0 =  *0x3b248a0 & 0x00000000;
          					_v44 = 0x3b24ca0;
          				}
          				if( *0x3b244a0 == 0) {
          					lstrcpyA(0x3b244a0, "All Files|*.*");
          				}
          				_t35 = 0x3b244a0;
          				if( *0x3b244a0 != 0) {
          					do {
          						if( *_t35 != 0x7c) {
          							_t35 = CharNextA(_t35);
          						} else {
          							 *_t35 =  *_t35 & 0x00000000;
          							_t35 =  &(_t35[1]);
          						}
          					} while ( *_t35 != 0);
          				}
          				_t35[1] = _t35[1] & 0x00000000;
          				GetCurrentDirectoryA(0x400, 0x3b240a0);
          				_push( &_v88);
          				if(_t55 == 0) {
          					_t38 = GetOpenFileNameA();
          				} else {
          					_t38 = GetSaveFileNameA();
          				}
          				if(_t38 != 0) {
          					L19:
          					_push(0x3b248a0);
          				} else {
          					if(CommDlgExtendedError() != 0x3002) {
          						L20:
          						_push(0x3b24098);
          					} else {
          						 *0x3b248a0 =  *0x3b248a0 & 0x00000000;
          						_push( &_v88);
          						if(_t55 == 0) {
          							_t43 = GetOpenFileNameA();
          						} else {
          							_t43 = GetSaveFileNameA();
          						}
          						if(_t43 == 0) {
          							goto L20;
          						} else {
          							goto L19;
          						}
          					}
          				}
          				E03B21E27();
          				return SetCurrentDirectoryA(??);
          			}



















          APIs
            • Part of subcall function 03B21DD9: lstrcpynA.KERNEL32(03B21054,?,?,?,03B21054,?), ref: 03B21E06
            • Part of subcall function 03B21DD9: GlobalFree.KERNEL32 ref: 03B21E16
          • lstrcmpiA.KERNEL32(?,save,03B244A0,00000400,03B248A0,00000400,?,00000005), ref: 03B21168
          • GetFileAttributesA.KERNEL32(03B248A0), ref: 03B2117A
          • lstrcpyA.KERNEL32(03B24CA0,03B248A0), ref: 03B21193
          • lstrcpyA.KERNEL32(03B244A0,All Files|*.*), ref: 03B211B6
          • CharNextA.USER32(03B244A0), ref: 03B211D3
          • GetCurrentDirectoryA.KERNEL32(00000400,03B240A0), ref: 03B211E9
          • GetSaveFileNameA.COMDLG32(0000004C), ref: 03B211FD
          • GetOpenFileNameA.COMDLG32(0000004C), ref: 03B21205
          • CommDlgExtendedError.COMDLG32 ref: 03B2120B
          • GetSaveFileNameA.COMDLG32(0000004C), ref: 03B21227
          • GetOpenFileNameA.COMDLG32(0000004C), ref: 03B2122F
          • SetCurrentDirectoryA.KERNEL32(03B240A0,03B248A0), ref: 03B21247
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: File$Name$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedFreeGlobalNextlstrcmpilstrcpyn
          • String ID: All Files|*.*$L$save
          • API String ID: 3853173656-601108453
          • Opcode ID: d484f7867bbc96e77d0d08cf1716925d5ae8f9062af637abab3719080cf15ccb
          • Instruction ID: ad8f2a7d2c5bc4e0a9569cbcc31fc923c515147eb749777d0a78e9d0deea2518
          • Opcode Fuzzy Hash: d484f7867bbc96e77d0d08cf1716925d5ae8f9062af637abab3719080cf15ccb
          • Instruction Fuzzy Hash: 8141D379A00278AFD720EF69D948B9F7FE8EB1A21CF0403A5E45DE7545C77484488B71
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 93%
          			E0040572B() {
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				intOrPtr* _t15;
          				long _t16;
          				intOrPtr _t18;
          				int _t20;
          				void* _t28;
          				long _t29;
          				intOrPtr* _t37;
          				int _t43;
          				void* _t44;
          				long _t47;
          				CHAR* _t49;
          				void* _t51;
          				void* _t53;
          				intOrPtr* _t54;
          				void* _t55;
          				void* _t56;
          
          				_t15 = E00405CFF(1);
          				_t49 =  *(_t55 + 0x18);
          				if(_t15 != 0) {
          					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
          					if(_t20 != 0) {
          						L16:
          						 *0x423f10 =  *0x423f10 + 1;
          						return _t20;
          					}
          				}
          				 *0x422608 = 0x4c554e;
          				if(_t49 == 0) {
          					L5:
          					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422080, 0x400);
          					if(_t16 != 0 && _t16 <= 0x400) {
          						_t43 = wsprintfA(0x421c80, "%s=%s\r\n", 0x422608, 0x422080);
          						_t18 =  *0x423e90; // 0x687488
          						_t56 = _t55 + 0x10;
          						E004059FF(_t43, 0x400, 0x422080, 0x422080,  *((intOrPtr*)(_t18 + 0x128)));
          						_t20 = E004056B4(0x422080, 0xc0000000, 4);
          						_t53 = _t20;
          						 *(_t56 + 0x14) = _t53;
          						if(_t53 == 0xffffffff) {
          							goto L16;
          						}
          						_t47 = GetFileSize(_t53, 0);
          						_t7 = _t43 + 0xa; // 0xa
          						_t51 = GlobalAlloc(0x40, _t47 + _t7);
          						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
          							L15:
          							_t20 = CloseHandle(_t53);
          							goto L16;
          						} else {
          							if(E00405629(_t51, "[Rename]\r\n") != 0) {
          								_t28 = E00405629(_t26 + 0xa, 0x409330);
          								if(_t28 == 0) {
          									L13:
          									_t29 = _t47;
          									L14:
          									E00405675(_t51 + _t29, 0x421c80, _t43);
          									SetFilePointer(_t53, 0, 0, 0);
          									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
          									GlobalFree(_t51);
          									goto L15;
          								}
          								_t37 = _t28 + 1;
          								_t44 = _t51 + _t47;
          								_t54 = _t37;
          								if(_t37 >= _t44) {
          									L21:
          									_t53 =  *(_t56 + 0x14);
          									_t29 = _t37 - _t51;
          									goto L14;
          								} else {
          									goto L20;
          								}
          								do {
          									L20:
          									 *((char*)(_t43 + _t54)) =  *_t54;
          									_t54 = _t54 + 1;
          								} while (_t54 < _t44);
          								goto L21;
          							}
          							E004059DD(_t51 + _t47, "[Rename]\r\n");
          							_t47 = _t47 + 0xa;
          							goto L13;
          						}
          					}
          				} else {
          					CloseHandle(E004056B4(_t49, 0, 1));
          					_t16 = GetShortPathNameA(_t49, 0x422608, 0x400);
          					if(_t16 != 0 && _t16 <= 0x400) {
          						goto L5;
          					}
          				}
          				return _t16;
          			}























          APIs
            • Part of subcall function 00405CFF: GetModuleHandleA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D11
            • Part of subcall function 00405CFF: LoadLibraryA.KERNEL32(?,?,00000000,0040310E,00000008), ref: 00405D1C
            • Part of subcall function 00405CFF: GetProcAddress.KERNEL32(00000000,?), ref: 00405D2D
          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054C0,?,00000000,000000F1,?), ref: 00405778
          • GetShortPathNameA.KERNEL32 ref: 00405781
          • GetShortPathNameA.KERNEL32 ref: 0040579E
          • wsprintfA.USER32 ref: 004057BC
          • GetFileSize.KERNEL32(00000000,00000000,00422080,C0000000,00000004,00422080,?,?,?,00000000,000000F1,?), ref: 004057F7
          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405806
          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040581C
          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421C80,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405862
          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405874
          • GlobalFree.KERNEL32 ref: 0040587B
          • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405882
            • Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
            • Part of subcall function 00405629: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
          • String ID: %s=%s$[Rename]
          • API String ID: 3772915668-1727408572
          • Opcode ID: 5a5e54597e8e4c1194cc3c8b39739dcd5cca4c9654e6abf036cfede1500a64bd
          • Instruction ID: 243778ea09c2d6121d89995a0746b628a30f71b2b4e684d8516dd3187c24d480
          • Opcode Fuzzy Hash: 5a5e54597e8e4c1194cc3c8b39739dcd5cca4c9654e6abf036cfede1500a64bd
          • Instruction Fuzzy Hash: 0E412032A05B067BE3207B619C48F6B3A5CEB40754F004436FD05F62D2EA38A8018ABE
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 87%
          			E030825FE(void* __edx, intOrPtr* _a4) {
          				intOrPtr _v4;
          				intOrPtr* _t18;
          				intOrPtr _t21;
          				void* _t23;
          				short* _t24;
          				void* _t25;
          				void* _t30;
          				void* _t32;
          				void* _t34;
          				int _t36;
          				void* _t39;
          				void* _t42;
          				intOrPtr _t52;
          				short** _t55;
          				void* _t60;
          				int _t61;
          				int _t62;
          				void* _t63;
          				short** _t64;
          				void* _t65;
          				void* _t66;
          
          				_t60 = __edx;
          				_t18 = _a4;
          				_t52 =  *((intOrPtr*)(_t18 + 0x814));
          				_v4 = _t52;
          				_t55 = (_t52 + 0x41 << 5) + _t18;
          				do {
          					if( *((intOrPtr*)(_t55 - 4)) != 0xffffffff) {
          						_t64 = _t55;
          					} else {
          						_t64 =  *_t55;
          					}
          					_t65 = E03081541();
          					_t61 = 0;
          					_t21 =  *((intOrPtr*)(_t55 - 8));
          					if(_t21 == 0) {
          						lstrcpyA(_t65, 0x3084034);
          					} else {
          						_t30 = _t21 - 1;
          						if(_t30 == 0) {
          							_push( *_t64);
          							goto L12;
          						} else {
          							_t32 = _t30 - 1;
          							if(_t32 == 0) {
          								E0308176C(_t60,  *_t64, _t64[1], _t65);
          								goto L13;
          							} else {
          								_t34 = _t32 - 1;
          								if(_t34 == 0) {
          									_t62 = lstrlenA( *_t64);
          									_t36 =  *0x3084058;
          									if(_t62 >= _t36) {
          										_t62 = _t36 - 1;
          									}
          									_t7 = _t62 + 1; // 0x1
          									lstrcpynA(_t65,  *_t64, _t7);
          									 *(_t62 + _t65) =  *(_t62 + _t65) & 0x00000000;
          									goto L15;
          								} else {
          									_t39 = _t34 - 1;
          									if(_t39 == 0) {
          										WideCharToMultiByte(0, 0,  *_t64,  *0x3084058, _t65,  *0x3084058, 0, 0);
          									} else {
          										_t42 = _t39 - 1;
          										if(_t42 == 0) {
          											_t63 = GlobalAlloc(0x40,  *0x3084058 +  *0x3084058);
          											__imp__StringFromGUID2( *_t64, _t63,  *0x3084058 +  *0x3084058);
          											WideCharToMultiByte(0, 0, _t63,  *0x3084058, _t65,  *0x3084058, 0, 0);
          											GlobalFree(_t63);
          											L15:
          											_t61 = 0;
          										} else {
          											if(_t42 == 1) {
          												_push( *_t55);
          												L12:
          												wsprintfA(_t65, 0x3084008);
          												L13:
          												_t66 = _t66 + 0xc;
          											}
          										}
          									}
          								}
          							}
          						}
          					}
          					_t23 = _t55[5];
          					if(_t23 != _t61 && ( *_a4 != 2 ||  *((intOrPtr*)(_t55 - 4)) > _t61)) {
          						GlobalFree(_t23);
          					}
          					_t24 = _t55[4];
          					if(_t24 != _t61) {
          						if(_t24 != 0xffffffff) {
          							if(_t24 > _t61) {
          								E0308160E(_t24 - 1, _t65);
          								goto L32;
          							}
          						} else {
          							E0308159E(_t65);
          							L32:
          						}
          					}
          					_t25 = GlobalFree(_t65);
          					_v4 = _v4 - 1;
          					_t55 = _t55 - 0x20;
          				} while (_v4 >= _t61);
          				return _t25;
          			}

























          APIs
          • wsprintfA.USER32 ref: 0308265F
          • GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,03081A8A,00000000), ref: 03082677
          • StringFromGUID2.OLE32(?,00000000,?,?,?,?,00000000,00000001,03081A8A,00000000), ref: 0308268A
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,03081A8A,00000000), ref: 0308269F
          • GlobalFree.KERNEL32 ref: 030826A6
            • Part of subcall function 0308160E: lstrcpyA.KERNEL32(-03084047,00000000,?,0308118F,?,00000000), ref: 03081636
          • GlobalFree.KERNEL32 ref: 03082728
          • GlobalFree.KERNEL32 ref: 03082751
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          • Associated: 0000001A.00000002.1465906253.0000000003080000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465954717.0000000003083000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465973703.0000000003085000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
          • String ID: {t@ut
          • API String ID: 2278267121-3262140062
          • Opcode ID: 399039b2034f190e2e9bf3b759d94ea2af328f4b3729f42ce9de98c5115c8f27
          • Instruction ID: 57e9939fd31309b48e653cd9fc746648dff4d4ac04fe5a7517aa2b0cb2f750fd
          • Opcode Fuzzy Hash: 399039b2034f190e2e9bf3b759d94ea2af328f4b3729f42ce9de98c5115c8f27
          • Instruction Fuzzy Hash: 8841AC39202605EFDB20FF25DD88D2BBBFDFB847807190959F9D2CA144DB35A8209E21
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 91%
          			E03082440(void* __edx, intOrPtr _a4) {
          				signed int _v4;
          				CHAR* _t32;
          				intOrPtr _t33;
          				void* _t34;
          				void* _t36;
          				void* _t43;
          				void** _t49;
          				CHAR* _t58;
          				void* _t59;
          				signed int* _t60;
          				void* _t61;
          				intOrPtr* _t62;
          				CHAR* _t63;
          				void* _t73;
          
          				_t59 = __edx;
          				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
          				while(1) {
          					_t9 = _a4 + 0x818; // 0x818
          					_t62 = (_v4 << 5) + _t9;
          					_t32 =  *(_t62 + 0x14);
          					if(_t32 == 0) {
          						goto L9;
          					}
          					_t58 = 0x1a;
          					if(_t32 == _t58) {
          						goto L9;
          					}
          					if(_t32 != 0xffffffff) {
          						if(_t32 <= 0 || _t32 > 0x19) {
          							 *(_t62 + 0x14) = _t58;
          						} else {
          							_t32 = E030815E5(_t32 - 1);
          							L10:
          						}
          						goto L11;
          					} else {
          						_t32 = E03081561();
          						L11:
          						_t63 = _t32;
          						_t13 = _t62 + 8; // 0x820
          						_t60 = _t13;
          						if( *((intOrPtr*)(_t62 + 4)) != 0xffffffff) {
          							_t49 = _t60;
          						} else {
          							_t49 =  *_t60;
          						}
          						_t33 =  *_t62;
          						 *(_t62 + 0x1c) =  *(_t62 + 0x1c) & 0x00000000;
          						if(_t33 == 0) {
          							 *_t60 =  *_t60 & 0x00000000;
          						} else {
          							if(_t33 == 1) {
          								_t36 = E03081641(_t63);
          								L27:
          								 *_t49 = _t36;
          								L31:
          								_t34 = GlobalFree(_t63);
          								if(_v4 == 0) {
          									return _t34;
          								}
          								if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
          									_v4 = _v4 + 1;
          								} else {
          									_v4 = _v4 & 0x00000000;
          								}
          								continue;
          							}
          							if(_t33 == 2) {
          								 *_t49 = E03081641(_t63);
          								_t49[1] = _t59;
          								goto L31;
          							}
          							_t73 = _t33 - 3;
          							if(_t73 == 0) {
          								_t36 = E03081550(_t63);
          								 *(_t62 + 0x1c) = _t36;
          								goto L27;
          							}
          							if(_t73 > 0) {
          								if(_t33 <= 5) {
          									_t61 = GlobalAlloc(0x40,  *0x3084058 +  *0x3084058);
          									 *(_t62 + 0x1c) = _t61;
          									MultiByteToWideChar(0, 0, _t63,  *0x3084058, _t61,  *0x3084058);
          									if( *_t62 != 5) {
          										 *_t49 = _t61;
          									} else {
          										_t43 = GlobalAlloc(0x40, 0x10);
          										 *(_t62 + 0x1c) = _t43;
          										 *_t49 = _t43;
          										__imp__CLSIDFromString(_t61, _t43);
          										GlobalFree(_t61);
          									}
          								} else {
          									if(_t33 == 6 && lstrlenA(_t63) > 0) {
          										 *_t60 = E0308276E(E03081641(_t63));
          									}
          								}
          							}
          						}
          						goto L31;
          					}
          					L9:
          					_t32 = E03081550(0x3084034);
          					goto L10;
          				}
          			}


















          APIs
          • lstrlenA.KERNEL32(?), ref: 030824F5
          • GlobalAlloc.KERNEL32(00000040,?), ref: 0308251F
          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 03082537
          • GlobalAlloc.KERNEL32(00000040,00000010), ref: 03082546
          • CLSIDFromString.OLE32(00000000,00000000), ref: 03082553
          • GlobalFree.KERNEL32 ref: 0308255A
          • GlobalFree.KERNEL32 ref: 0308258E
            • Part of subcall function 03081550: lstrcpyA.KERNEL32(00000000,?,03081607,?,030811A1,-000000A0), ref: 0308155A
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          • Associated: 0000001A.00000002.1465906253.0000000003080000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465954717.0000000003083000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465973703.0000000003085000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpylstrlen
          • String ID: @ut
          • API String ID: 520554397-3384101347
          • Opcode ID: 2f692dae7416c5c898f6b99c1a197b8d3319dcdd503a274b01718ec7097d5406
          • Instruction ID: 939b41d2ad3ff5be309b8203470204149658adb8cdd95d046fbf74418cbac551
          • Opcode Fuzzy Hash: 2f692dae7416c5c898f6b99c1a197b8d3319dcdd503a274b01718ec7097d5406
          • Instruction Fuzzy Hash: 1841A7751473029FD764FF688894B6AB7ECFF84320F280D69E4D6CA684DB74A4808B61
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E042F12B0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
          				intOrPtr _v0;
          				char _v13;
          				intOrPtr _v14;
          				char _v15;
          				char _v16;
          				char _v20;
          				char _v24;
          				void _t23;
          				void* _t24;
          				void* _t32;
          				struct HWND__* _t41;
          				void* _t42;
          				intOrPtr _t43;
          				signed int _t44;
          				signed int _t45;
          
          				_t45 = _t44 | 0xffffffff;
          				if( *0x42f3004 == 0) {
          					_t43 = _a20;
          					 *((intOrPtr*)(_t43 + 0xc))( *0x42f3000, E042F1110);
          					 *0x42f3004 = _t43;
          					 *0x42f300c = _v0;
          					 *0x42f3008 = _a8;
          					 *0x42f3010 = _a4;
          				}
          				if(E042F1000( &_v16) == 0) {
          					while(_v16 == 0x2f && _v15 == 0x72 && _v14 == 0x3d) {
          						_t45 = E042F1040( &_v13);
          						if(E042F1000( &_v20) == 0) {
          							continue;
          						}
          						goto L8;
          					}
          				}
          				L8:
          				_t41 = E042F1040( &_v16);
          				E042F1000( &_v20);
          				_t32 = E042F1040( &_v24);
          				_t23 = GetPropA(_t41, "WP:nsWnd");
          				_t42 = _t23;
          				if(_t42 != 0) {
          					L11:
          					 *((intOrPtr*)(_t42 + 8)) = _t32 - 1;
          					 *(_t42 + 4) = _t45;
          					return _t23;
          				}
          				_t24 = GlobalAlloc(0x40, 0xc);
          				_t42 = _t24;
          				if(_t42 != 0) {
          					SetPropA(_t41, "WP:nsWnd", _t42);
          					_t23 = SetWindowLongA(_t41, 0xfffffffc, E042F1120);
          					 *_t42 = _t23;
          					goto L11;
          				}
          				return _t24;
          			}



















          APIs
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1467866291.00000000042F1000.00000020.00020000.sdmp, Offset: 042F0000, based on PE: true
          • Associated: 0000001A.00000002.1467802165.00000000042F0000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1467915407.00000000042F2000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1467962244.00000000042F4000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_42f0000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Prop$AllocGlobalLongWindow
          • String ID: /$WP:nsWnd$r
          • API String ID: 4275602437-493528119
          • Opcode ID: 368d4f18d87ce92316f68250534fd1dabacb0523e3beb2273349a850478ccb5c
          • Instruction ID: c717e63c92020072dc805ba3ff5bc458b920f085c63aa6b2724ccd27ac2ed57a
          • Opcode Fuzzy Hash: 368d4f18d87ce92316f68250534fd1dabacb0523e3beb2273349a850478ccb5c
          • Instruction Fuzzy Hash: 45217E71715351EBE320EF689C48A7AFBA4EB85660FC00A3DFE9493240D739E9148B65
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00405C3F(CHAR* _a4) {
          				char _t5;
          				char _t7;
          				char* _t15;
          				char* _t16;
          				CHAR* _t17;
          
          				_t17 = _a4;
          				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
          					_t17 =  &(_t17[4]);
          				}
          				if( *_t17 != 0 && E0040553D(_t17) != 0) {
          					_t17 =  &(_t17[2]);
          				}
          				_t5 =  *_t17;
          				_t15 = _t17;
          				_t16 = _t17;
          				if(_t5 != 0) {
          					do {
          						if(_t5 > 0x1f &&  *((char*)(E004054FB("*?|<>/\":", _t5))) == 0) {
          							E00405675(_t16, _t17, CharNextA(_t17) - _t17);
          							_t16 = CharNextA(_t16);
          						}
          						_t17 = CharNextA(_t17);
          						_t5 =  *_t17;
          					} while (_t5 != 0);
          				}
          				 *_t16 =  *_t16 & 0x00000000;
          				while(1) {
          					_t16 = CharPrevA(_t15, _t16);
          					_t7 =  *_t16;
          					if(_t7 != 0x20 && _t7 != 0x5c) {
          						break;
          					}
          					 *_t16 =  *_t16 & 0x00000000;
          					if(_t15 < _t16) {
          						continue;
          					}
          					break;
          				}
          				return _t7;
          			}









          APIs
          • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405C97
          • CharNextA.USER32(?,?,?,00000000), ref: 00405CA4
          • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CA9
          • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\,00000000,004030A3,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 00405CB9
          Strings
          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C40, 00405C7B
          • *?|<>/":, xrefs: 00405C87
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 00405C45
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Char$Next$Prev
          • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
          • API String ID: 589700163-2660906343
          • Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
          • Instruction ID: 6e21827f4117d195ccc2fee92ee9dbca2865e9be55a4e6ca6148cbd3e4a13511
          • Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
          • Instruction Fuzzy Hash: F011905580CB942AFB3206384C48B776F99CB67764F58407BE8C4723C2D67C5C429B6D
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00403DF6(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
          				struct tagLOGBRUSH _v16;
          				long _t35;
          				long _t37;
          				void* _t40;
          				long* _t49;
          
          				if(_a4 + 0xfffffecd > 5) {
          					L15:
          					return 0;
          				}
          				_t49 = GetWindowLongA(_a12, 0xffffffeb);
          				if(_t49 == 0) {
          					goto L15;
          				}
          				_t35 =  *_t49;
          				if((_t49[5] & 0x00000002) != 0) {
          					_t35 = GetSysColor(_t35);
          				}
          				if((_t49[5] & 0x00000001) != 0) {
          					SetTextColor(_a8, _t35);
          				}
          				SetBkMode(_a8, _t49[4]);
          				_t37 = _t49[1];
          				_v16.lbColor = _t37;
          				if((_t49[5] & 0x00000008) != 0) {
          					_t37 = GetSysColor(_t37);
          					_v16.lbColor = _t37;
          				}
          				if((_t49[5] & 0x00000004) != 0) {
          					SetBkColor(_a8, _t37);
          				}
          				if((_t49[5] & 0x00000010) != 0) {
          					_v16.lbStyle = _t49[2];
          					_t40 = _t49[3];
          					if(_t40 != 0) {
          						DeleteObject(_t40);
          					}
          					_t49[3] = CreateBrushIndirect( &_v16);
          				}
          				return _t49[3];
          			}









          APIs
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
          • String ID:
          • API String ID: 2320649405-0
          • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
          • Instruction ID: 6c7fdd900eb09a88ca35fb2207b5deae9db7ec429e3ae93f4f07cdddb38981b8
          • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
          • Instruction Fuzzy Hash: 1F219671904744ABCB219F78DD08B4B7FF8AF00715F048A2AF856E22E1C338EA04CB95
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 86%
          			E0040267C(struct _OVERLAPPED* __ebx) {
          				void* _t27;
          				long _t32;
          				struct _OVERLAPPED* _t47;
          				void* _t51;
          				void* _t53;
          				void* _t56;
          				void* _t57;
          				void* _t58;
          
          				_t47 = __ebx;
          				 *(_t58 - 8) = 0xfffffd66;
          				_t52 = E004029F6(0xfffffff0);
          				 *(_t58 - 0x44) = _t24;
          				if(E0040553D(_t52) == 0) {
          					E004029F6(0xffffffed);
          				}
          				E00405695(_t52);
          				_t27 = E004056B4(_t52, 0x40000000, 2);
          				 *(_t58 + 8) = _t27;
          				if(_t27 != 0xffffffff) {
          					_t32 =  *0x423e94; // 0x39600
          					 *(_t58 - 0x2c) = _t32;
          					_t51 = GlobalAlloc(0x40, _t32);
          					if(_t51 != _t47) {
          						E00403080(_t47);
          						E0040304E(_t51,  *(_t58 - 0x2c));
          						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
          						 *(_t58 - 0x30) = _t56;
          						if(_t56 != _t47) {
          							E00402E5B( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
          							while( *_t56 != _t47) {
          								_t49 =  *_t56;
          								_t57 = _t56 + 8;
          								 *(_t58 - 0x38) =  *_t56;
          								E00405675( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
          								_t56 = _t57 +  *(_t58 - 0x38);
          							}
          							GlobalFree( *(_t58 - 0x30));
          						}
          						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
          						GlobalFree(_t51);
          						 *(_t58 - 8) = E00402E5B(0xffffffff,  *(_t58 + 8), _t47, _t47);
          					}
          					CloseHandle( *(_t58 + 8));
          				}
          				_t53 = 0xfffffff3;
          				if( *(_t58 - 8) < _t47) {
          					_t53 = 0xffffffef;
          					DeleteFileA( *(_t58 - 0x44));
          					 *((intOrPtr*)(_t58 - 4)) = 1;
          				}
          				_push(_t53);
          				E00401423();
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t58 - 4));
          				return 0;
          			}












          APIs
          • GlobalAlloc.KERNEL32(00000040,00039600,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
          • GlobalFree.KERNEL32 ref: 00402725
          • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
          • GlobalFree.KERNEL32 ref: 0040273E
          • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
          • String ID:
          • API String ID: 3294113728-0
          • Opcode ID: 6c70dd5e24678078cb6415e9c6392547dd21b53fc970282deceed51b45fe2952
          • Instruction ID: 12be5ee7c0a04460072f4a22dab7179149aa53ae67e7a866020ad89d1ba75591
          • Opcode Fuzzy Hash: 6c70dd5e24678078cb6415e9c6392547dd21b53fc970282deceed51b45fe2952
          • Instruction Fuzzy Hash: 5831C071C00128BBDF216FA5CD88EAE7E79EF04368F10423AF524762E0C7795D419BA8
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00404D7B(CHAR* _a4, CHAR* _a8) {
          				struct HWND__* _v8;
          				signed int _v12;
          				CHAR* _v32;
          				long _v44;
          				int _v48;
          				void* _v52;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				CHAR* _t26;
          				signed int _t27;
          				CHAR* _t28;
          				long _t29;
          				signed int _t39;
          
          				_t26 =  *0x423664; // 0x0
          				_v8 = _t26;
          				if(_t26 != 0) {
          					_t27 =  *0x423f34; // 0x6
          					_v12 = _t27;
          					_t39 = _t27 & 0x00000001;
          					if(_t39 == 0) {
          						E004059FF(0, _t39, 0x41fc50, 0x41fc50, _a4);
          					}
          					_t26 = lstrlenA(0x41fc50);
          					_a4 = _t26;
          					if(_a8 == 0) {
          						L6:
          						if((_v12 & 0x00000004) == 0) {
          							_t26 = SetWindowTextA( *0x423648, 0x41fc50);
          						}
          						if((_v12 & 0x00000002) == 0) {
          							_v32 = 0x41fc50;
          							_v52 = 1;
          							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
          							_v44 = 0;
          							_v48 = _t29 - _t39;
          							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
          							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
          						}
          						if(_t39 != 0) {
          							_t28 = _a4;
          							 *((char*)(_t28 + 0x41fc50)) = 0;
          							return _t28;
          						}
          					} else {
          						_t26 =  &(_a4[lstrlenA(_a8)]);
          						if(_t26 < 0x800) {
          							_t26 = lstrcatA(0x41fc50, _a8);
          							goto L6;
          						}
          					}
          				}
          				return _t26;
          			}


















          APIs
          • lstrlenA.KERNEL32(0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000,?), ref: 00404DB4
          • lstrlenA.KERNEL32(00402F8B,0041FC50,00000000,0040F020,00000000,?,?,?,?,?,?,?,?,?,00402F8B,00000000), ref: 00404DC4
          • lstrcatA.KERNEL32(0041FC50,00402F8B,00402F8B,0041FC50,00000000,0040F020,00000000), ref: 00404DD7
          • SetWindowTextA.USER32(0041FC50,0041FC50), ref: 00404DE9
          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E0F
          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E29
          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E37
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: MessageSend$lstrlen$TextWindowlstrcat
          • String ID:
          • API String ID: 2531174081-0
          • Opcode ID: 755fb27deed15ad51f0b6ca6a52287fab41ae346cf4f9cd6d71061e4e4cf4bc9
          • Instruction ID: 7f48be0438031ac4014e4461c76190d89e96d247d5b12388d0b77bfdc4e74ae1
          • Opcode Fuzzy Hash: 755fb27deed15ad51f0b6ca6a52287fab41ae346cf4f9cd6d71061e4e4cf4bc9
          • Instruction Fuzzy Hash: 09216DB1E00158BBDB119FA5CD84ADEBFB9FF45354F14807AFA04B6290C7398A419B98
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0040464A(struct HWND__* _a4, intOrPtr _a8) {
          				long _v8;
          				signed char _v12;
          				unsigned int _v16;
          				void* _v20;
          				intOrPtr _v24;
          				long _v56;
          				void* _v60;
          				long _t15;
          				unsigned int _t19;
          				signed int _t25;
          				struct HWND__* _t28;
          
          				_t28 = _a4;
          				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
          				if(_a8 == 0) {
          					L4:
          					_v56 = _t15;
          					_v60 = 4;
          					SendMessageA(_t28, 0x110c, 0,  &_v60);
          					return _v24;
          				}
          				_t19 = GetMessagePos();
          				_v16 = _t19 >> 0x10;
          				_v20 = _t19;
          				ScreenToClient(_t28,  &_v20);
          				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
          				if((_v12 & 0x00000066) != 0) {
          					_t15 = _v8;
          					goto L4;
          				}
          				return _t25 | 0xffffffff;
          			}















          APIs
          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404665
          • GetMessagePos.USER32 ref: 0040466D
          • ScreenToClient.USER32 ref: 00404687
          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404699
          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046BF
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Message$Send$ClientScreen
          • String ID: f
          • API String ID: 41195575-1993550816
          • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
          • Instruction ID: 811e074b116e6ce6d11e192741490be2760717d42b69e64a674173994bb84636
          • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
          • Instruction Fuzzy Hash: 4E014C71D00219BADB00DBA4DC85FFEBBB8AB59711F10052ABA00B61D0D7B8A9058BA5
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
          				char _v68;
          				int _t11;
          				int _t20;
          
          				if(_a8 == 0x110) {
          					SetTimer(_a4, 1, 0xfa, 0);
          					_a8 = 0x113;
          				}
          				if(_a8 == 0x113) {
          					_t20 =  *0x40b018; // 0x7eeceb1
          					_t11 =  *0x41f028;
          					if(_t20 >= _t11) {
          						_t20 = _t11;
          					}
          					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
          					SetWindowTextA(_a4,  &_v68);
          					SetDlgItemTextA(_a4, 0x406,  &_v68);
          				}
          				return 0;
          			}







          APIs
          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
          • MulDiv.KERNEL32(07EECEB1,00000064,?), ref: 00402B81
          • wsprintfA.USER32 ref: 00402B91
          • SetWindowTextA.USER32(?,?), ref: 00402BA1
          • SetDlgItemTextA.USER32 ref: 00402BB3
          Strings
          • verifying installer: %d%%, xrefs: 00402B8B
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Text$ItemTimerWindowwsprintf
          • String ID: verifying installer: %d%%
          • API String ID: 1451636040-82062127
          • Opcode ID: f3f1fcc7189eae98cea7663936127ed749e31ae2b99ea46faa16fbfdb8aa3c1d
          • Instruction ID: e41715c37a5330c5740685503c003044c4943c79b663b03d39d41db920bc543d
          • Opcode Fuzzy Hash: f3f1fcc7189eae98cea7663936127ed749e31ae2b99ea46faa16fbfdb8aa3c1d
          • Instruction Fuzzy Hash: 34014470A00209ABDB249F60DD09EAE3779AB04345F008039FA16B92D1D7B49A559F99
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E004037EF(void* __ecx, void* __eflags) {
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				signed short _t6;
          				intOrPtr _t11;
          				signed int _t13;
          				intOrPtr _t15;
          				signed int _t16;
          				signed short* _t18;
          				signed int _t20;
          				signed short* _t23;
          				intOrPtr _t25;
          				signed int _t26;
          				intOrPtr* _t27;
          
          				_t24 = "1033";
          				_t13 = 0xffff;
          				_t6 = E00405954(__ecx, "1033");
          				while(1) {
          					_t26 =  *0x423ec4; // 0x15
          					if(_t26 == 0) {
          						goto L7;
          					}
          					_t15 =  *0x423e90; // 0x687488
          					_t16 =  *(_t15 + 0x64);
          					_t20 =  ~_t16;
          					_t18 = _t16 * _t26 +  *0x423ec0;
          					while(1) {
          						_t18 = _t18 + _t20;
          						_t26 = _t26 - 1;
          						if((( *_t18 ^ _t6) & _t13) == 0) {
          							break;
          						}
          						if(_t26 != 0) {
          							continue;
          						}
          						goto L7;
          					}
          					 *0x423660 = _t18[1];
          					 *0x423f28 = _t18[3];
          					_t23 =  &(_t18[5]);
          					if(_t23 != 0) {
          						 *0x42365c = _t23;
          						E0040593B(_t24,  *_t18 & 0x0000ffff);
          						SetWindowTextA( *0x420450, E004059FF(_t13, _t24, _t26, "SmartPSS 2.002.0000007.0 Setup", 0xfffffffe));
          						_t11 =  *0x423eac; // 0x6
          						_t27 =  *0x423ea8; // 0x687734
          						if(_t11 == 0) {
          							L15:
          							return _t11;
          						}
          						_t25 = _t11;
          						do {
          							_t11 =  *_t27;
          							if(_t11 != 0) {
          								_t5 = _t27 + 0x18; // 0x68774c
          								_t11 = E004059FF(_t13, _t25, _t27, _t5, _t11);
          							}
          							_t27 = _t27 + 0x418;
          							_t25 = _t25 - 1;
          						} while (_t25 != 0);
          						goto L15;
          					}
          					L7:
          					if(_t13 != 0xffff) {
          						_t13 = 0;
          					} else {
          						_t13 = 0x3ff;
          					}
          				}
          			}


















          APIs
          • SetWindowTextA.USER32(00000000,SmartPSS 2.002.0000007.0 Setup), ref: 00403887
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: TextWindow
          • String ID: 1033$4wh$C:\Users\user\AppData\Local\Temp\$SmartPSS 2.002.0000007.0 Setup
          • API String ID: 530164218-2688042695
          • Opcode ID: 523a056db067f321579ff8859740d6accc16062196884a2215354ca4328a0a17
          • Instruction ID: 1abde7c3b4d11e9a2e55591403c44a3397e590d434b7b54f33d2a439c9831bdd
          • Opcode Fuzzy Hash: 523a056db067f321579ff8859740d6accc16062196884a2215354ca4328a0a17
          • Instruction Fuzzy Hash: 0711C276B002119BC730AF55D8809377BADEF4471631981BFE80167390C73D9E028B98
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E100015E7(void* __ecx, void* __eflags) {
          				char _v264;
          				char _v524;
          				void* _t14;
          				void* _t17;
          				void* _t24;
          				struct HWND__* _t26;
          				void* _t29;
          
          				_t24 = __ecx;
          				do {
          				} while (E10001000( &_v264, 0x104) == 0 && E1000111A(_t24,  &_v524,  &_v264) != 0);
          				_t26 = E1000104E( &_v264);
          				_t14 = E100013C2(_t26, E1000141C, "nsSkinBtn", 0x10);
          				_t29 = _t14;
          				if(_t29 != 0) {
          					if(_v524 != 0) {
          						_t17 =  *(_t29 + 8);
          						if(_t17 != 0) {
          							DeleteObject(_t17);
          						}
          						 *(_t29 + 8) = E10001161( &_v524);
          					}
          					 *((short*)(_t29 + 0xe)) = 5;
          					SendMessageA(_t26, 0xf4, 0xb, 0);
          					_t14 = E100013C2(GetParent(_t26), E10001505, "nsSkinDlg", 4);
          				}
          				return _t14;
          			}











          APIs
            • Part of subcall function 10001000: lstrcpynA.KERNEL32(?,?,10001386,?,10001386), ref: 1000102D
            • Part of subcall function 10001000: GlobalFree.KERNEL32 ref: 1000103D
          • DeleteObject.GDI32(?), ref: 10001658
          • SendMessageA.USER32(00000000,000000F4,0000000B,00000000), ref: 1000167D
          • GetParent.USER32(00000000), ref: 10001690
            • Part of subcall function 1000111A: lstrcpynA.KERNEL32(?,?,00000008,?,?,?,?,?,10001618,?,?,?,00000104), ref: 10001131
            • Part of subcall function 1000111A: lstrcmpiA.KERNEL32(?,/IMGID=,?,?,?,?,?,10001618,?,?,?,00000104), ref: 1000113C
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: lstrcpyn$DeleteFreeGlobalMessageObjectParentSendlstrcmpi
          • String ID: nsSkinBtn$nsSkinDlg
          • API String ID: 1728617356-1428530612
          • Opcode ID: 143bd2cb1e632e68345dd82bb0d7e65b977f6a5bc66b94674c1af3d5b08db17a
          • Instruction ID: 110404f70df917d93a718c7755ba2ef9529745cfc1c7cf7b8c184a31c642e5ea
          • Opcode Fuzzy Hash: 143bd2cb1e632e68345dd82bb0d7e65b977f6a5bc66b94674c1af3d5b08db17a
          • Instruction Fuzzy Hash: DE1152B5A4031576F720E7A08C89FDB76ECDB407C0F040555FB95E609AFAB5EAC48B50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 16%
          			E03B21021(void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
          				signed int _v8;
          				char* _v12;
          				intOrPtr _v16;
          				intOrPtr _v20;
          				char* _v24;
          				char* _v28;
          				signed int _v32;
          				char _v36;
          				char _v296;
          				char _v556;
          				char _v1580;
          				char* _t35;
          				char* _t36;
          				void* _t37;
          				char* _t39;
          
          				 *0x3b250dc = _a8;
          				 *0x3b250e0 = _a16;
          				 *0x3b250e4 = _a12;
          				if(E03B21DD9( &_v1580, 0x104) != 0 || E03B21DD9( &_v556, 0x400) != 0) {
          					L3:
          					return E03B21E27("error");
          				} else {
          					_v32 = _v32 & 0x00000000;
          					_v36 = _a4;
          					_v28 =  &_v296;
          					_v8 = _v8 & 0x00000000;
          					_v24 =  &_v1580;
          					_v20 = 0x45;
          					_v12 =  &_v556;
          					_t35 =  &_v36;
          					_v16 = E03B21000;
          					__imp__SHBrowseForFolderA(_t35);
          					_t39 = _t35;
          					if(_t39 != 0) {
          						_t36 =  &_v296;
          						__imp__SHGetPathFromIDListA(_t39, _t36);
          						if(_t36 == 0) {
          							_push("error");
          						} else {
          							_push( &_v296);
          						}
          						_t37 = E03B21E27();
          						__imp__CoTaskMemFree();
          						return _t37;
          					}
          					goto L3;
          				}
          			}



















          APIs
            • Part of subcall function 03B21DD9: lstrcpynA.KERNEL32(03B21054,?,?,?,03B21054,?), ref: 03B21E06
            • Part of subcall function 03B21DD9: GlobalFree.KERNEL32 ref: 03B21E16
          • SHBrowseForFolderA.SHELL32(?,?,00000400,?,00000104), ref: 03B210A8
          • SHGetPathFromIDListA.SHELL32(00000000,?), ref: 03B210C8
          • CoTaskMemFree.OLE32(00000000,error), ref: 03B210E6
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Free$BrowseFolderFromGlobalListPathTasklstrcpyn
          • String ID: E$error
          • API String ID: 1728609016-2359134700
          • Opcode ID: 751b500882220676b4b27c50aa47a2f0f723dee2a8880bcd82e76cabcf9b4deb
          • Instruction ID: c9f4a3db3fe717267e43ca6a52644dd7f7851f0a88a42104a15a975ef7d5c1e8
          • Opcode Fuzzy Hash: 751b500882220676b4b27c50aa47a2f0f723dee2a8880bcd82e76cabcf9b4deb
          • Instruction Fuzzy Hash: 3C214DB59012299FCB61EF99DD44BDFBBF8EB08349F0042A2E909E7104E734D6448FA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 97%
          			E03081ADF(signed int __edx, void* __eflags, void* _a8, void* _a16) {
          				signed int _v8;
          				signed int _v16;
          				signed int _v20;
          				char _v148;
          				void _t46;
          				void _t47;
          				signed int _t48;
          				signed int _t49;
          				signed int _t58;
          				signed int _t59;
          				signed int _t61;
          				signed int _t62;
          				void* _t68;
          				void* _t69;
          				void* _t70;
          				void* _t71;
          				void* _t72;
          				signed int _t78;
          				void* _t82;
          				signed int _t86;
          				signed int _t88;
          				signed int _t91;
          				void* _t102;
          
          				_t86 = __edx;
          				 *0x3084058 = _a8;
          				_t78 = 0;
          				 *0x308405c = _a16;
          				_v8 = 0;
          				_a16 = E03081561();
          				_a8 = E03081561();
          				_t91 = E03081641(_a16);
          				_t82 = _a8;
          				_t88 = _t86;
          				_t46 =  *_t82;
          				if(_t46 != 0x7e && _t46 != 0x21) {
          					_v16 = E03081561();
          					_t78 = E03081641(_t75);
          					_v8 = _t86;
          					GlobalFree(_v16);
          					_t82 = _a8;
          				}
          				_t47 =  *_t82;
          				_t102 = _t47 - 0x2f;
          				if(_t102 > 0) {
          					_t48 = _t47 - 0x3c;
          					__eflags = _t48;
          					if(_t48 == 0) {
          						__eflags =  *((char*)(_t82 + 1)) - 0x3c;
          						if( *((char*)(_t82 + 1)) != 0x3c) {
          							__eflags = _t88 - _v8;
          							if(__eflags > 0) {
          								L54:
          								_t49 = 0;
          								__eflags = 0;
          								L55:
          								asm("cdq");
          								L56:
          								_t91 = _t49;
          								_t88 = _t86;
          								L57:
          								E0308176C(_t86, _t91, _t88,  &_v148);
          								E0308159E( &_v148);
          								GlobalFree(_a16);
          								return GlobalFree(_a8);
          							}
          							if(__eflags < 0) {
          								L47:
          								__eflags = 0;
          								L48:
          								_t49 = 1;
          								goto L55;
          							}
          							__eflags = _t91 - _t78;
          							if(_t91 < _t78) {
          								goto L47;
          							}
          							goto L54;
          						}
          						_t86 = _t88;
          						_t49 = E03082BF0(_t91, _t78, _t86);
          						goto L56;
          					}
          					_t58 = _t48 - 1;
          					__eflags = _t58;
          					if(_t58 == 0) {
          						__eflags = _t91 - _t78;
          						if(_t91 != _t78) {
          							goto L54;
          						}
          						__eflags = _t88 - _v8;
          						if(_t88 != _v8) {
          							goto L54;
          						}
          						goto L47;
          					}
          					_t59 = _t58 - 1;
          					__eflags = _t59;
          					if(_t59 == 0) {
          						__eflags =  *((char*)(_t82 + 1)) - 0x3e;
          						if( *((char*)(_t82 + 1)) != 0x3e) {
          							__eflags = _t88 - _v8;
          							if(__eflags < 0) {
          								goto L54;
          							}
          							if(__eflags > 0) {
          								goto L47;
          							}
          							__eflags = _t91 - _t78;
          							if(_t91 <= _t78) {
          								goto L54;
          							}
          							goto L47;
          						}
          						_t86 = _t88;
          						_t49 = E03082C10(_t91, _t78, _t86);
          						goto L56;
          					}
          					_t61 = _t59 - 0x20;
          					__eflags = _t61;
          					if(_t61 == 0) {
          						_t91 = _t91 ^ _t78;
          						_t88 = _t88 ^ _v8;
          						goto L57;
          					}
          					_t62 = _t61 - 0x1e;
          					__eflags = _t62;
          					if(_t62 == 0) {
          						__eflags =  *((char*)(_t82 + 1)) - 0x7c;
          						if( *((char*)(_t82 + 1)) != 0x7c) {
          							_t91 = _t91 | _t78;
          							_t88 = _t88 | _v8;
          							goto L57;
          						}
          						__eflags = _t91 | _t88;
          						if((_t91 | _t88) != 0) {
          							goto L47;
          						}
          						__eflags = _t78 | _v8;
          						if((_t78 | _v8) != 0) {
          							goto L47;
          						}
          						goto L54;
          					}
          					__eflags = _t62 == 0;
          					if(_t62 == 0) {
          						_t91 =  !_t91;
          						_t88 =  !_t88;
          					}
          					goto L57;
          				}
          				if(_t102 == 0) {
          					L21:
          					__eflags = _t78 | _v8;
          					if((_t78 | _v8) != 0) {
          						_v20 = E03082A80(_t91, _t88, _t78, _v8);
          						_v16 = _t86;
          						_t49 = E03082B30(_t91, _t88, _t78, _v8);
          						_t82 = _a8;
          					} else {
          						_v20 = _v20 & 0x00000000;
          						_v16 = _v16 & 0x00000000;
          						_t49 = _t91;
          						_t86 = _t88;
          					}
          					__eflags =  *_t82 - 0x2f;
          					if( *_t82 != 0x2f) {
          						goto L56;
          					} else {
          						_t91 = _v20;
          						_t88 = _v16;
          						goto L57;
          					}
          				}
          				_t68 = _t47 - 0x21;
          				if(_t68 == 0) {
          					_t49 = 0;
          					__eflags = _t91 | _t88;
          					if((_t91 | _t88) != 0) {
          						goto L55;
          					}
          					goto L48;
          				}
          				_t69 = _t68 - 4;
          				if(_t69 == 0) {
          					goto L21;
          				}
          				_t70 = _t69 - 1;
          				if(_t70 == 0) {
          					__eflags =  *((char*)(_t82 + 1)) - 0x26;
          					if( *((char*)(_t82 + 1)) != 0x26) {
          						_t91 = _t91 & _t78;
          						_t88 = _t88 & _v8;
          						goto L57;
          					}
          					__eflags = _t91 | _t88;
          					if((_t91 | _t88) == 0) {
          						goto L54;
          					}
          					__eflags = _t78 | _v8;
          					if((_t78 | _v8) == 0) {
          						goto L54;
          					}
          					goto L47;
          				}
          				_t71 = _t70 - 4;
          				if(_t71 == 0) {
          					_t49 = E03082A40(_t91, _t88, _t78, _v8);
          					goto L56;
          				} else {
          					_t72 = _t71 - 1;
          					if(_t72 == 0) {
          						_t91 = _t91 + _t78;
          						asm("adc edi, [ebp-0x4]");
          					} else {
          						if(_t72 == 0) {
          							_t91 = _t91 - _t78;
          							asm("sbb edi, [ebp-0x4]");
          						}
          					}
          					goto L57;
          				}
          			}



























          APIs
            • Part of subcall function 03081561: lstrcpyA.KERNEL32(00000000,?,?,?,03081804,?,03081017), ref: 0308157E
            • Part of subcall function 03081561: GlobalFree.KERNEL32 ref: 0308158F
          • GlobalFree.KERNEL32 ref: 03081B41
          • GlobalFree.KERNEL32 ref: 03081CCD
          • GlobalFree.KERNEL32 ref: 03081CD2
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          • Associated: 0000001A.00000002.1465906253.0000000003080000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465954717.0000000003083000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1465973703.0000000003085000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FreeGlobal$lstrcpy
          • String ID:
          • API String ID: 176019282-0
          • Opcode ID: 1b59c6f1663f3bc8ec34af46d379dbe9730ea4bcea68bfa62569cf25dc95b3ad
          • Instruction ID: 07d395114ef0ffd500661985c39c753b80d989df2bc75da4d4cd8fff3aed1baa
          • Opcode Fuzzy Hash: 1b59c6f1663f3bc8ec34af46d379dbe9730ea4bcea68bfa62569cf25dc95b3ad
          • Instruction Fuzzy Hash: AB5106B2D0322CEACB6EFFA884855BDBBE9EF81250F194999D4C1E7100D6719E038B50
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 84%
          			E00402A36(void* _a4, char* _a8, long _a12) {
          				void* _v8;
          				char _v272;
          				signed char _t16;
          				long _t18;
          				long _t25;
          				intOrPtr* _t27;
          				long _t28;
          
          				_t16 =  *0x423f30; // 0x0
          				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
          				if(_t18 == 0) {
          					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
          						__eflags = _a12;
          						if(_a12 != 0) {
          							RegCloseKey(_v8);
          							L8:
          							__eflags = 1;
          							return 1;
          						}
          						_t25 = E00402A36(_v8,  &_v272, 0);
          						__eflags = _t25;
          						if(_t25 != 0) {
          							break;
          						}
          					}
          					RegCloseKey(_v8);
          					_t27 = E00405CFF(2);
          					if(_t27 == 0) {
          						__eflags =  *0x423f30; // 0x0
          						if(__eflags != 0) {
          							goto L8;
          						}
          						_t28 = RegDeleteKeyA(_a4, _a8);
          						__eflags = _t28;
          						if(_t28 != 0) {
          							goto L8;
          						}
          						return _t28;
          					}
          					return  *_t27(_a4, _a8,  *0x423f30, 0);
          				}
          				return _t18;
          			}











          APIs
          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
          • RegCloseKey.ADVAPI32(?), ref: 00402A9C
          • RegCloseKey.ADVAPI32(?), ref: 00402AC1
          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Close$DeleteEnumOpen
          • String ID:
          • API String ID: 1912718029-0
          • Opcode ID: 32cdae671697de7973d8bb2633bc31189b6b536a9ce7c2939538a07c10ae524a
          • Instruction ID: 582bceb6e4b24316922a1ee6e85d565da044e62c79b522cd3b8563d0d5e38007
          • Opcode Fuzzy Hash: 32cdae671697de7973d8bb2633bc31189b6b536a9ce7c2939538a07c10ae524a
          • Instruction Fuzzy Hash: E7111771A10049BEEF31AF90DE49DAF7B7DEB44345B104036F906A10A0DBB49E51AF69
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00401CC1(int __edx) {
          				void* _t17;
          				struct HINSTANCE__* _t21;
          				struct HWND__* _t25;
          				void* _t27;
          
          				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
          				GetClientRect(_t25, _t27 - 0x40);
          				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029F6(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
          				if(_t17 != _t21) {
          					DeleteObject(_t17);
          				}
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t27 - 4));
          				return 0;
          			}








          APIs
          • GetDlgItem.USER32 ref: 00401CC5
          • GetClientRect.USER32 ref: 00401CD2
          • LoadImageA.USER32 ref: 00401CF3
          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
          • DeleteObject.GDI32(00000000), ref: 00401D10
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
          • String ID:
          • API String ID: 1849352358-0
          • Opcode ID: aab1ff915591a61a6dff0f8bf18086dee3b735981cb00012526b248d1bc18b45
          • Instruction ID: c9eade559dcb8dabe12f7fb8fefc2ecb3bb817c4e851fb83d30c8e131ed4808d
          • Opcode Fuzzy Hash: aab1ff915591a61a6dff0f8bf18086dee3b735981cb00012526b248d1bc18b45
          • Instruction Fuzzy Hash: B5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E100013C2(struct HWND__* _a4, long _a8, CHAR* _a12, long _a16) {
          				struct HWND__* _t13;
          				void* _t14;
          
          				_t13 = _a4;
          				_t14 = GetWindowLongA(_t13, 0xfffffffc);
          				if(_t14 != 0) {
          					if(_t14 != _a8) {
          						_t14 = GlobalAlloc(0x40, _a16);
          						if(_t14 != 0) {
          							SetPropA(_t13, _a12, _t14);
          							 *_t14 = SetWindowLongA(_t13, 0xfffffffc, _a8);
          						}
          					} else {
          						_t14 = GetPropA(_t13, _a12);
          					}
          				}
          				return _t14;
          			}






          APIs
          • GetWindowLongA.USER32 ref: 100013CD
          • GetPropA.USER32 ref: 100013E2
          • GlobalAlloc.KERNEL32(00000040,?,?,100015BE,00000000,1000141C,nsSkinBtn,00000010), ref: 100013F1
          • SetPropA.USER32 ref: 10001402
          • SetWindowLongA.USER32 ref: 1000140E
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: LongPropWindow$AllocGlobal
          • String ID:
          • API String ID: 2298845349-0
          • Opcode ID: a260bab2740f07852d0ad284552d2d0d419460bf3542c2ff94a134c2b854dfe3
          • Instruction ID: d50c3d1f733f9e0a5039521a9e14a216fbf92ef5b0f6e2491d98cb917773b5b1
          • Opcode Fuzzy Hash: a260bab2740f07852d0ad284552d2d0d419460bf3542c2ff94a134c2b854dfe3
          • Instruction Fuzzy Hash: 50F09636404235BBEB126F949C488AF7FA8EF457F17014215FE14A2265C730D851DBA1
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 51%
          			E00404568(int _a4, intOrPtr _a8, unsigned int _a12) {
          				char _v36;
          				char _v68;
          				void* __ebx;
          				void* __edi;
          				void* __esi;
          				void* _t26;
          				void* _t34;
          				signed int _t36;
          				signed int _t39;
          				unsigned int _t46;
          
          				_t46 = _a12;
          				_push(0x14);
          				_pop(0);
          				_t34 = 0xffffffdc;
          				if(_t46 < 0x100000) {
          					_push(0xa);
          					_pop(0);
          					_t34 = 0xffffffdd;
          				}
          				if(_t46 < 0x400) {
          					_t34 = 0xffffffde;
          				}
          				if(_t46 < 0xffff3333) {
          					_t39 = 0x14;
          					asm("cdq");
          					_t46 = _t46 + 1 / _t39;
          				}
          				_push(E004059FF(_t34, 0, _t46,  &_v36, 0xffffffdf));
          				_push(E004059FF(_t34, 0, _t46,  &_v68, _t34));
          				_t21 = _t46 & 0x00ffffff;
          				_t36 = 0xa;
          				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
          				_push(_t46 >> 0);
          				_t26 = E004059FF(_t34, 0, 0x420478, 0x420478, _a8);
          				wsprintfA(_t26 + lstrlenA(0x420478), "%u.%u%s%s");
          				return SetDlgItemTextA( *0x423658, _a4, 0x420478);
          			}














          APIs
          • lstrlenA.KERNEL32(00420478,00420478,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404488,000000DF,0000040F,00000400,00000000), ref: 004045F6
          • wsprintfA.USER32 ref: 004045FE
          • SetDlgItemTextA.USER32 ref: 00404611
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: ItemTextlstrlenwsprintf
          • String ID: %u.%u%s%s
          • API String ID: 3540041739-3551169577
          • Opcode ID: ff17ff2e20dbc87fffdb656abccf3ccec7411b7eaa0d2d1e1c912f438738e91b
          • Instruction ID: de100ae33fd703a766e80fabf1c0ef7e237f6bef08e04a4196497c65211e5d03
          • Opcode Fuzzy Hash: ff17ff2e20dbc87fffdb656abccf3ccec7411b7eaa0d2d1e1c912f438738e91b
          • Instruction Fuzzy Hash: 331104B370012477DB10666D9C05EAF329DDBC6334F14023BFA2AF61D1E9388C1186E8
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00404CCB(struct HWND__* _a4, int _a8, int _a12, long _a16) {
          				long _t22;
          
          				if(_a8 != 0x102) {
          					if(_a8 != 0x200) {
          						_t22 = _a16;
          						L7:
          						if(_a8 == 0x419 &&  *0x420460 != _t22) {
          							 *0x420460 = _t22;
          							E004059DD(0x420478, 0x424000);
          							E0040593B(0x424000, _t22);
          							E0040140B(6);
          							E004059DD(0x424000, 0x420478);
          						}
          						L11:
          						return CallWindowProcA( *0x420468, _a4, _a8, _a12, _t22);
          					}
          					if(IsWindowVisible(_a4) == 0) {
          						L10:
          						_t22 = _a16;
          						goto L11;
          					}
          					_t22 = E0040464A(_a4, 1);
          					_a8 = 0x419;
          					goto L7;
          				}
          				if(_a12 != 0x20) {
          					goto L10;
          				}
          				E00403DDB(0x413);
          				return 0;
          			}





          APIs
          • IsWindowVisible.USER32(?), ref: 00404D01
          • CallWindowProcA.USER32 ref: 00404D6F
            • Part of subcall function 00403DDB: SendMessageA.USER32(00020198,00000000,00000000,00000000), ref: 00403DED
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Window$CallMessageProcSendVisible
          • String ID: $3846
          • API String ID: 3748168415-1046063192
          • Opcode ID: 7ef91977e0255b1fc34b6530065b048aeb6426da5fc65d298478046c2303bded
          • Instruction ID: 2250b5ae86c5db7695da18b81197a994f129f58ca555af08ca8730d1192fac1c
          • Opcode Fuzzy Hash: 7ef91977e0255b1fc34b6530065b048aeb6426da5fc65d298478046c2303bded
          • Instruction Fuzzy Hash: 5A118CB1600208BBDF217F629C4099B3B69EF84765F00813BFB14392A2C77C8951CFA9
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E0040523D(CHAR* _a4) {
          				struct _PROCESS_INFORMATION _v20;
          				int _t7;
          
          				0x422480->cb = 0x44;
          				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422480,  &_v20);
          				if(_t7 != 0) {
          					CloseHandle(_v20.hThread);
          					return _v20.hProcess;
          				}
          				return _t7;
          			}






          APIs
          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422480,Error launching installer), ref: 00405262
          • CloseHandle.KERNEL32(?), ref: 0040526F
          Strings
          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040523D
          • Error launching installer, xrefs: 00405250
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CloseCreateHandleProcess
          • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
          • API String ID: 3712363035-2984075973
          • Opcode ID: 1f2f9ff3088062fdf2c67fe66ccdb0f341c5896b9e6aafa6ba1adbb34377fffc
          • Instruction ID: 0a3d69d2a3401d9d63374a1600280413a6fd3692a6ba6d2da32d4f839eaa01ec
          • Opcode Fuzzy Hash: 1f2f9ff3088062fdf2c67fe66ccdb0f341c5896b9e6aafa6ba1adbb34377fffc
          • Instruction Fuzzy Hash: BEE0E674A1010ABBDB00EF64DD09D6B7B7CFB00304B408621E911E2150D774E4108A79
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E004054D0(CHAR* _a4) {
          				CHAR* _t7;
          
          				_t7 = _a4;
          				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
          					lstrcatA(_t7, 0x409010);
          				}
          				return _t7;
          			}





          APIs
          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054D6
          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030B5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403215), ref: 004054DF
          • lstrcatA.KERNEL32(?,00409010), ref: 004054F0
          Strings
          • C:\Users\user\AppData\Local\Temp\, xrefs: 004054D0
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CharPrevlstrcatlstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\
          • API String ID: 2659869361-3916508600
          • Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
          • Instruction ID: 18d73bba3a4f2c077241afd2b81ba446c35da1b9bd2d8ef2eba9fb39a34af30a
          • Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
          • Instruction Fuzzy Hash: 09D0A7B2505970AED20126195C05FCF2A08CF023117044423F640B21D2C63C5C819BFD
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 85%
          			E00402303(void* __eax) {
          				void* _t15;
          				char* _t18;
          				int _t19;
          				char _t24;
          				int _t27;
          				signed int _t30;
          				intOrPtr _t35;
          				void* _t37;
          
          				_t15 = E00402AEB(__eax);
          				_t35 =  *((intOrPtr*)(_t37 - 0x14));
          				 *(_t37 - 0x30) =  *(_t37 - 0x10);
          				 *(_t37 - 0x44) = E004029F6(2);
          				_t18 = E004029F6(0x11);
          				_t30 =  *0x423f30; // 0x0
          				 *(_t37 - 4) = 1;
          				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
          				if(_t19 == 0) {
          					if(_t35 == 1) {
          						E004029F6(0x23);
          						_t19 = lstrlenA(0x40a350) + 1;
          					}
          					if(_t35 == 4) {
          						_t24 = E004029D9(3);
          						 *0x40a350 = _t24;
          						_t19 = _t35;
          					}
          					if(_t35 == 3) {
          						_t19 = E00402E5B( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a350, 0xc00);
          					}
          					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a350, _t19) == 0) {
          						 *(_t37 - 4) = _t27;
          					}
          					_push( *(_t37 + 8));
          					RegCloseKey();
          				}
          				 *0x423f08 =  *0x423f08 +  *(_t37 - 4);
          				return 0;
          			}











          APIs
          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
          • lstrlenA.KERNEL32(0040A350,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
          • RegSetValueExA.ADVAPI32(?,?,?,?,0040A350,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
          • RegCloseKey.ADVAPI32(?,?,?,0040A350,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CloseCreateValuelstrlen
          • String ID:
          • API String ID: 1356686001-0
          • Opcode ID: 5d8f40909aefca36891dd1c1015adc756f6311e5ef501875a8ddbdac0a25d658
          • Instruction ID: 0c84a363429982d99d3a5a271a87b4b8d308e401ccf86a25fc22d5166c0076e5
          • Opcode Fuzzy Hash: 5d8f40909aefca36891dd1c1015adc756f6311e5ef501875a8ddbdac0a25d658
          • Instruction Fuzzy Hash: 781163B1E00209BFEB10AFA4DE49EAF767CFB40358F10413AF901B61D0D6B85D019669
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 81%
          			E03B21329(CHAR* _a4, int _a8, intOrPtr _a12) {
          				struct tagRECT _v20;
          				char _t31;
          				long _t32;
          				CHAR* _t33;
          				int _t34;
          
          				_t33 = _a4;
          				_t31 =  *(CharPrevA(_t33,  &(_t33[lstrlenA(_t33)])));
          				_t34 = E03B21E6C(_t33);
          				if(_t31 != 0x25) {
          					if(_t31 != 0x75) {
          						if(_t34 >= 0) {
          							return _t34;
          						}
          						return _a8 + _t34;
          					}
          					_v20.bottom = _v20.bottom & 0x00000000;
          					_v20.right = _v20.right & 0x00000000;
          					_v20.top = _t34;
          					_v20.left = _t34;
          					MapDialogRect( *0x3b250c4,  &_v20);
          					if(_a12 == 0) {
          						if(_t34 < 0) {
          							_t32 = _v20.left;
          							L12:
          							return _a8 + _t32;
          						}
          						return _v20.left;
          					}
          					if(_t34 < 0) {
          						_t32 = _v20.top;
          						goto L12;
          					}
          					return _v20.top;
          				}
          				_push(0x64);
          				if(_t34 < 0) {
          					_t34 = _t34 + 0x64;
          				}
          				return MulDiv(_a8, _t34, ??);
          			}








          APIs
          • lstrlenA.KERNEL32(74B04F20,00000400,?,00000400,?,74B04F20,00000000), ref: 03B21335
          • CharPrevA.USER32(74B04F20,00000000,?,74B04F20,00000000), ref: 03B2133F
          • MulDiv.KERNEL32(?,00000000,00000064), ref: 03B21361
          • MapDialogRect.USER32(74B04F20,74B04F20), ref: 03B21386
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          • Associated: 0000001A.00000002.1466777534.0000000003B20000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466819410.0000000003B23000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1466836423.0000000003B24000.00000008.00020000.sdmp
          • Associated: 0000001A.00000002.1466863759.0000000003B27000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CharDialogPrevRectlstrlen
          • String ID:
          • API String ID: 3411278111-0
          • Opcode ID: 5e33265fb87cb4520be2769c5b2c64219bb853cd9d8d15d2172fe3f7ee408676
          • Instruction ID: 3a07b059152a1ede775d14998b63d1df9a81272361e83cb503a006629a59110f
          • Opcode Fuzzy Hash: 5e33265fb87cb4520be2769c5b2c64219bb853cd9d8d15d2172fe3f7ee408676
          • Instruction Fuzzy Hash: DA113D39D01638BBCB20DB48C904FAFBFBAAB15759F0447A1E81997645C3349B008BE4
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 85%
          			E00401EC5(char __ebx, char* __edi, char* __esi) {
          				char* _t18;
          				int _t19;
          				void* _t30;
          
          				_t18 = E004029F6(0xffffffee);
          				 *(_t30 - 0x2c) = _t18;
          				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
          				 *__esi = __ebx;
          				 *(_t30 - 8) = _t19;
          				 *__edi = __ebx;
          				 *((intOrPtr*)(_t30 - 4)) = 1;
          				if(_t19 != __ebx) {
          					__eax = GlobalAlloc(0x40, __eax);
          					 *(__ebp + 8) = __eax;
          					if(__eax != __ebx) {
          						if(__eax != 0) {
          							__ebp - 0x44 = __ebp - 0x34;
          							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 0x34, __ebp - 0x44) != 0) {
          								 *(__ebp - 0x34) = E0040593B(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
          								 *(__ebp - 0x34) = E0040593B(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
          								 *((intOrPtr*)(__ebp - 4)) = __ebx;
          							}
          						}
          						_push( *(__ebp + 8));
          						GlobalFree();
          					}
          				}
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t30 - 4));
          				return 0;
          			}






          APIs
          • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
          • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
          • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24
            • Part of subcall function 0040593B: wsprintfA.USER32 ref: 00405948
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
          • String ID:
          • API String ID: 1404258612-0
          • Opcode ID: f9744f7992f8663f166aa538b3da0bee02a0a5d08582e8cd95fa90b08a46e0f1
          • Instruction ID: 4f4abe4324f754641e01f0e672b51484e064b7e428c6eed24e296c4d37409401
          • Opcode Fuzzy Hash: f9744f7992f8663f166aa538b3da0bee02a0a5d08582e8cd95fa90b08a46e0f1
          • Instruction Fuzzy Hash: 5F114CB2901109BFDB01EFA5D981DAEBBB9EF04354B20803AF501F61E1D7389A55DB28
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 82%
          			E03B213FB(struct HWND__* _a4, int _a8, int _a12, long _a16) {
          				long _t20;
          
          				if(_a8 != 0x408 || _a12 != 0xffffffff) {
          					L4:
          					_t20 = CallWindowProcA( *0x3b250c8, _a4, _a8, _a12, _a16);
          					if(_a8 == 0x408 && _t20 == 0) {
          						DestroyWindow( *0x3b250c0);
          						HeapFree(GetProcessHeap(), _t20,  *0x3b250d8);
          						 *0x3b250c0 =  *0x3b250c0 & _t20;
          						 *0x3b250d8 =  *0x3b250d8 & _t20;
          					}
          					return _t20;
          				} else {
          					_push(0);
          					_push( *0x3b250d0 - 1);
          					if( *((intOrPtr*)( *0x3b250a0 + 4))() == 0) {
          						goto L4;
          					}
          					return 0;
          				}
          			}




          APIs
          • CallWindowProcA.USER32 ref: 03B2143B
          • DestroyWindow.USER32 ref: 03B21452
          • GetProcessHeap.KERNEL32(00000000), ref: 03B2145F
          • HeapFree.KERNEL32(00000000), ref: 03B21466
          Memory Dump Source
          • Source File: 0000001A.00000002.1466805189.0000000003B21000.00000020.00020000.sdmp, Offset: 03B20000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3b20000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: HeapWindow$CallDestroyFreeProcProcess
          • String ID:
          • API String ID: 1278960361-0
          • Opcode ID: 07f9ee68814b074ec3109e428375c13bdbd17c746dea3c19fd4e00642b92d094
          • Instruction ID: b182aabf3849d64d02e9bec46acd600b3494fa90915ffcf9f89e6bcc141d185c
          • Opcode Fuzzy Hash: 07f9ee68814b074ec3109e428375c13bdbd17c746dea3c19fd4e00642b92d094
          • Instruction Fuzzy Hash: 12019232100215ABCB31AF58ED04AAB7BA9FB9532AB044376F65CC3414C3348450DFB0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 67%
          			E00401D1B() {
          				void* __esi;
          				int _t6;
          				signed char _t11;
          				struct HFONT__* _t14;
          				void* _t18;
          				void* _t24;
          				void* _t26;
          				void* _t28;
          
          				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
          				0x40af54->lfHeight =  ~(MulDiv(E004029D9(2), _t6, 0x48));
          				 *0x40af64 = E004029D9(3);
          				_t11 =  *((intOrPtr*)(_t28 - 0x14));
          				 *0x40af6b = 1;
          				 *0x40af68 = _t11 & 0x00000001;
          				 *0x40af69 = _t11 & 0x00000002;
          				 *0x40af6a = _t11 & 0x00000004;
          				E004059FF(_t18, _t24, _t26, 0x40af70,  *((intOrPtr*)(_t28 - 0x20)));
          				_t14 = CreateFontIndirectA(0x40af54);
          				_push(_t14);
          				_push(_t26);
          				E0040593B();
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t28 - 4));
          				return 0;
          			}











          APIs
          • GetDC.USER32(?), ref: 00401D22
          • GetDeviceCaps.GDI32(00000000), ref: 00401D29
          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
          • CreateFontIndirectA.GDI32(0040AF54), ref: 00401D8A
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CapsCreateDeviceFontIndirect
          • String ID:
          • API String ID: 3272661963-0
          • Opcode ID: cf8446ef92b1be0f58e825a976e275d767ec16343de6a6b1501f97fcc28f78c0
          • Instruction ID: 822a585a95499be2ccb46a886614a983d19f7779af01092212c1c8a44adbdb5d
          • Opcode Fuzzy Hash: cf8446ef92b1be0f58e825a976e275d767ec16343de6a6b1501f97fcc28f78c0
          • Instruction Fuzzy Hash: 80F04FF1A49742AEE70167B0AE0AB9A3B659719306F14043AF242BA1E2C5BC0454DB7F
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00402BBE(intOrPtr _a4) {
          				long _t2;
          				struct HWND__* _t3;
          				struct HWND__* _t6;
          
          				if(_a4 == 0) {
          					__eflags =  *0x417020; // 0x0
          					if(__eflags == 0) {
          						_t2 = GetTickCount();
          						__eflags = _t2 -  *0x423e8c;
          						if(_t2 >  *0x423e8c) {
          							_t3 = CreateDialogParamA( *0x423e80, 0x6f, 0, E00402B3B, 0);
          							 *0x417020 = _t3;
          							return ShowWindow(_t3, 5);
          						}
          						return _t2;
          					} else {
          						return E00405D38(0);
          					}
          				} else {
          					_t6 =  *0x417020; // 0x0
          					if(_t6 != 0) {
          						_t6 = DestroyWindow(_t6);
          					}
          					 *0x417020 = 0;
          					return _t6;
          				}
          			}






          APIs
          • DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
          • GetTickCount.KERNEL32 ref: 00402BEF
          • CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
          • ShowWindow.USER32(00000000,00000005), ref: 00402C1A
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Window$CountCreateDestroyDialogParamShowTick
          • String ID:
          • API String ID: 2102729457-0
          • Opcode ID: bf07767b331bb76d3b5a2f8e5622a218379b171e4cdb58aec93dcc8b8375aee9
          • Instruction ID: f2d052a30a3472248e345e5832336eca953f0b1533712f6c56216133e551431f
          • Opcode Fuzzy Hash: bf07767b331bb76d3b5a2f8e5622a218379b171e4cdb58aec93dcc8b8375aee9
          • Instruction Fuzzy Hash: 2AF0DA31D09320ABC661AF14FD4CADB7B75BB09B127014936F101B52E8D77868818BAD
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E1000111A(void* __ecx, CHAR* _a4, CHAR* _a8) {
          				char _v12;
          				void* _t11;
          				CHAR* _t14;
          
          				_t14 = _a8;
          				lstrcpynA( &_v12, _t14, 8);
          				if(lstrcmpiA( &_v12, "/IMGID=") == 0) {
          					lstrcpynA(_a4,  &(_t14[7]), 0x104);
          					_t11 = 1;
          				} else {
          					_t11 = 0;
          				}
          				return _t11;
          			}






          APIs
          • lstrcpynA.KERNEL32(?,?,00000008,?,?,?,?,?,10001618,?,?,?,00000104), ref: 10001131
          • lstrcmpiA.KERNEL32(?,/IMGID=,?,?,?,?,?,10001618,?,?,?,00000104), ref: 1000113C
          • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,10001618,?,?,?,00000104), ref: 10001156
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: lstrcpyn$lstrcmpi
          • String ID: /IMGID=
          • API String ID: 1729797886-2572697996
          • Opcode ID: e33c73f9f5b807de3ca5e4ced31ce9fb315d45f671b6be582b0301dd7df71185
          • Instruction ID: 78aa487b4afc356038d1e6299d25cf225c0d1adc81016d5de3e90bcc4e15a3de
          • Opcode Fuzzy Hash: e33c73f9f5b807de3ca5e4ced31ce9fb315d45f671b6be582b0301dd7df71185
          • Instruction Fuzzy Hash: 6FE06DB3E10218BBEB109BA5CC09DCF7BACEB89690F014426F701E3044E6B0E504CBB0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E004024BE(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
          				int _t5;
          				long _t7;
          				struct _OVERLAPPED* _t11;
          				intOrPtr* _t15;
          				void* _t17;
          				int _t21;
          
          				_t15 = __esi;
          				_t11 = __ebx;
          				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
          					_t7 = lstrlenA(E004029F6(0x11));
          				} else {
          					E004029D9(1);
          					 *0x409f50 = __al;
          				}
          				if( *_t15 == _t11) {
          					L8:
          					 *((intOrPtr*)(_t17 - 4)) = 1;
          				} else {
          					_t5 = WriteFile(E00405954(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsy6C45.tmp\System.dll", _t7, _t17 + 8, _t11);
          					_t21 = _t5;
          					if(_t21 == 0) {
          						goto L8;
          					}
          				}
          				 *0x423f08 =  *0x423f08 +  *((intOrPtr*)(_t17 - 4));
          				return 0;
          			}









          APIs
          • lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 004024FB
          Strings
          • C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\System.dll, xrefs: 004024CA, 004024EF
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: FileWritelstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\nsy6C45.tmp\System.dll
          • API String ID: 427699356-395492613
          • Opcode ID: df474f2c717a3cfcee664a55503633412dfe168159680f8467c13f76ba73a4c8
          • Instruction ID: 28baf68bc3b2ef7cd727d17ca875bc327529d04ff6cae4c8aacaeccaaba980a4
          • Opcode Fuzzy Hash: df474f2c717a3cfcee664a55503633412dfe168159680f8467c13f76ba73a4c8
          • Instruction Fuzzy Hash: 5AF0B4B2A04241FBDB40BBA09E49AAE37689B00348F10443BA206F51C2D6BC4982A76D
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 44%
          			E00404E4D(signed int __eax) {
          				intOrPtr _v0;
          				intOrPtr _t8;
          				intOrPtr _t10;
          				intOrPtr _t11;
          				intOrPtr* _t12;
          
          				_t11 =  *0x423ea8; // 0x687734
          				_t10 =  *0x423eac; // 0x6
          				__imp__OleInitialize(0);
          				 *0x423f38 =  *0x423f38 | __eax;
          				E00403DDB(0);
          				if(_t10 != 0) {
          					_t12 = _t11 + 0xc;
          					do {
          						_t10 = _t10 - 1;
          						if(( *(_t12 - 4) & 0x00000001) == 0) {
          							goto L4;
          						} else {
          							_push(_v0);
          							if(E00401389( *_t12) != 0) {
          								 *0x423f0c =  *0x423f0c + 1;
          							} else {
          								goto L4;
          							}
          						}
          						goto L7;
          						L4:
          						_t12 = _t12 + 0x418;
          					} while (_t10 != 0);
          				}
          				L7:
          				E00403DDB(0x404);
          				__imp__OleUninitialize();
          				_t8 =  *0x423f0c; // 0x0
          				return _t8;
          			}








          APIs
          • OleInitialize.OLE32(00000000), ref: 00404E5D
            • Part of subcall function 00403DDB: SendMessageA.USER32(00020198,00000000,00000000,00000000), ref: 00403DED
          • OleUninitialize.OLE32(00000404,00000000), ref: 00404EA9
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: InitializeMessageSendUninitialize
          • String ID: 4wh
          • API String ID: 2896919175-4281635333
          • Opcode ID: a71bf3315524e495bb63ac7db680478635d871b9932b013c5ee158b9648a44a1
          • Instruction ID: dd00d1d9fa511fdb2abfd92f861b37bc179417f7df103cd37a6f8771cbc5aef0
          • Opcode Fuzzy Hash: a71bf3315524e495bb63ac7db680478635d871b9932b013c5ee158b9648a44a1
          • Instruction Fuzzy Hash: D3F0F0B2A00200AAD7201F64ED00B167BB4ABC0316F06003BFF04B62E0D3795802869D
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E1000159C(void* __eflags) {
          				void* _t4;
          				intOrPtr _t7;
          				struct HWND__* _t8;
          
          				_t8 = E100010F0(__eflags);
          				_t7 = E100010F0(__eflags);
          				_t4 = E100013C2(_t8, E1000141C, "nsSkinBtn", 0x10);
          				if(_t4 != 0) {
          					 *((intOrPtr*)(_t4 + 4)) = _t7;
          					return E100013C2(GetParent(_t8), E10001505, "nsSkinDlg", 4);
          				}
          				return _t4;
          			}






          APIs
            • Part of subcall function 100013C2: GetWindowLongA.USER32 ref: 100013CD
            • Part of subcall function 100013C2: GetPropA.USER32 ref: 100013E2
          • GetParent.USER32(00000000), ref: 100015D5
            • Part of subcall function 100013C2: GlobalAlloc.KERNEL32(00000040,?,?,100015BE,00000000,1000141C,nsSkinBtn,00000010), ref: 100013F1
            • Part of subcall function 100013C2: SetPropA.USER32 ref: 10001402
            • Part of subcall function 100013C2: SetWindowLongA.USER32 ref: 1000140E
          Strings
          Memory Dump Source
          • Source File: 0000001A.00000002.1477975469.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
          • Associated: 0000001A.00000002.1477962903.0000000010000000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1477985458.0000000010002000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1477995969.0000000010004000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_10000000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: LongPropWindow$AllocGlobalParent
          • String ID: nsSkinBtn$nsSkinDlg
          • API String ID: 1270831560-1428530612
          • Opcode ID: b4c58039e09862a60e5d82bd21f882664fb64d6ff1b919ec724f996830850fee
          • Instruction ID: f144d539a5eea70ebdd4bd7472f86fca9a0e907a2324ff8e06b8b9f3a2b41a24
          • Opcode Fuzzy Hash: b4c58039e09862a60e5d82bd21f882664fb64d6ff1b919ec724f996830850fee
          • Instruction Fuzzy Hash: 9EE08C76A0021072F620B7781C0AFEB18C8CB942D1F054862F744BB14FFEA8E68282A4
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00403491() {
          				void* _t2;
          				void* _t3;
          				void* _t6;
          				void* _t8;
          
          				_t8 =  *0x41f434;
          				_t3 = E00403476(_t2, 0);
          				if(_t8 != 0) {
          					do {
          						_t6 = _t8;
          						_t8 =  *_t8;
          						FreeLibrary( *(_t6 + 8));
          						_t3 = GlobalFree(_t6);
          					} while (_t8 != 0);
          				}
          				 *0x41f434 =  *0x41f434 & 0x00000000;
          				return _t3;
          			}








          APIs
          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,00000000,00000000,00403469,004032BC,00000000), ref: 004034AB
          • GlobalFree.KERNEL32 ref: 004034B2
          Strings
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe, xrefs: 004034A3
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Free$GlobalLibrary
          • String ID: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe
          • API String ID: 1100898210-1654298821
          • Opcode ID: 3e2f1a94e1730b0e2f77525ddf4d06804517b8e77a23c02aa7cd98468957b701
          • Instruction ID: 7bfc0464e02b508f879d35a29cae48101a6ab00b4f5f00e512934bdeb57274a8
          • Opcode Fuzzy Hash: 3e2f1a94e1730b0e2f77525ddf4d06804517b8e77a23c02aa7cd98468957b701
          • Instruction Fuzzy Hash: FBE08C3280653097C7221F05AE04B9AB66C6F94B22F068076E8407B3A1C3782C428AD8
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00405517(char* _a4) {
          				char* _t3;
          				char* _t5;
          
          				_t5 = _a4;
          				_t3 =  &(_t5[lstrlenA(_t5)]);
          				while( *_t3 != 0x5c) {
          					_t3 = CharPrevA(_t5, _t3);
          					if(_t3 > _t5) {
          						continue;
          					}
          					break;
          				}
          				 *_t3 =  *_t3 & 0x00000000;
          				return  &(_t3[1]);
          			}






          APIs
          • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,00402C8E,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,80000000,00000003), ref: 0040551D
          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,00402C8E,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023\SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023-General.exe,80000000,00000003), ref: 0040552B
          Strings
          • C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023, xrefs: 00405517
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: CharPrevlstrlen
          • String ID: C:\Users\user\AppData\Local\Temp\j3sovef2.qui\General_SMARTPSS-Win32_ChnEng_IS_V2.002.0000007.0.R.181023
          • API String ID: 2709904686-642687800
          • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
          • Instruction ID: 1341b21386aa9ee456471dc2eb10899dbff8c866770b3e7d35d8712ddbbc4649
          • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
          • Instruction Fuzzy Hash: D9D0C7B2509DB06EE7035614DC04B9F7B89DF17710F1944A2E540A61D5D27C5D418BFD
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E030810D6(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
          				char* _t17;
          				char _t19;
          				void* _t20;
          				void* _t24;
          				void* _t27;
          				void* _t31;
          				void* _t37;
          				void* _t39;
          				void* _t40;
          				signed int _t43;
          				void* _t52;
          				char* _t53;
          				char* _t55;
          				void* _t56;
          				void* _t58;
          
          				 *0x3084058 = _a8;
          				 *0x308405c = _a16;
          				 *0x3084060 = _a12;
          				 *((intOrPtr*)(_a20 + 0xc))( *0x3084038, E0308189E, _t52);
          				_t43 =  *0x3084058 +  *0x3084058 * 4 << 2;
          				_t17 = E03081561();
          				_a8 = _t17;
          				_t53 = _t17;
          				if( *_t17 == 0) {
          					L16:
          					return GlobalFree(_a8);
          				} else {
          					do {
          						_t19 =  *_t53;
          						_t55 = _t53 + 1;
          						_t58 = _t19 - 0x6c;
          						if(_t58 > 0) {
          							_t20 = _t19 - 0x70;
          							if(_t20 == 0) {
          								L12:
          								_t53 = _t55 + 1;
          								_t24 = E0308159E(E030815E5( *_t55 - 0x30));
          								L13:
          								GlobalFree(_t24);
          								goto L14;
          							}
          							_t27 = _t20;
          							if(_t27 == 0) {
          								L10:
          								_t53 = _t55 + 1;
          								_t24 = E0308160E( *_t55 - 0x30, E03081561());
          								goto L13;
          							}
          							L7:
          							if(_t27 == 1) {
          								_t31 = GlobalAlloc(0x40, _t43 + 4);
          								 *_t31 =  *0x3084030;
          								 *0x3084030 = _t31;
          								E03081854(_t31 + 4,  *0x3084060, _t43);
          								_t56 = _t56 + 0xc;
          							}
          							goto L14;
          						}
          						if(_t58 == 0) {
          							L17:
          							_t34 =  *0x3084030;
          							if( *0x3084030 != 0) {
          								E03081854( *0x3084060, _t34 + 4, _t43);
          								_t37 =  *0x3084030;
          								_t56 = _t56 + 0xc;
          								GlobalFree(_t37);
          								 *0x3084030 =  *_t37;
          							}
          							goto L14;
          						}
          						_t39 = _t19 - 0x4c;
          						if(_t39 == 0) {
          							goto L17;
          						}
          						_t40 = _t39 - 4;
          						if(_t40 == 0) {
          							 *_t55 =  *_t55 + 0xa;
          							goto L12;
          						}
          						_t27 = _t40;
          						if(_t27 == 0) {
          							 *_t55 =  *_t55 + 0xa;
          							goto L10;
          						}
          						goto L7;
          						L14:
          					} while ( *_t53 != 0);
          					goto L16;
          				}
          			}



















          APIs
            • Part of subcall function 03081561: lstrcpyA.KERNEL32(00000000,?,?,?,03081804,?,03081017), ref: 0308157E
            • Part of subcall function 03081561: GlobalFree.KERNEL32 ref: 0308158F
          • GlobalAlloc.KERNEL32(00000040,?), ref: 03081151
          • GlobalFree.KERNEL32 ref: 030811AA
          • GlobalFree.KERNEL32 ref: 030811BD
          • GlobalFree.KERNEL32 ref: 030811EB
          Memory Dump Source
          • Source File: 0000001A.00000002.1465933337.0000000003081000.00000020.00020000.sdmp, Offset: 03080000, based on PE: true
          • Associated: 0000001A.00000002.1465906253.0000000003080000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1465954717.0000000003083000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1465973703.0000000003085000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_3080000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: Global$Free$Alloclstrcpy
          • String ID:
          • API String ID: 852173138-0
          • Opcode ID: 79354fbee28069066586fe98907f3b0eaa65cfa9e828f230e295b40e6b942bdc
          • Instruction ID: bec559a667d5f8c8c6b2d06a58a5c881a578065395acdf019fcf04f3c7e4eb73
          • Opcode Fuzzy Hash: 79354fbee28069066586fe98907f3b0eaa65cfa9e828f230e295b40e6b942bdc
          • Instruction Fuzzy Hash: 9E31C1B94072469FDB19FFADE888B6ABFF8FF45350B180455E8C5C6218E63894028F50
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405630
          • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405649
          • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405657
          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405837,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
          Memory Dump Source
          • Source File: 0000001A.00000002.1461877492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 0000001A.00000002.1461847801.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461924765.0000000000407000.00000002.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1461963819.0000000000409000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462009527.0000000000416000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462041986.0000000000422000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462060714.0000000000429000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462071392.000000000043F000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462094289.0000000000443000.00000004.00020000.sdmp Download File
          • Associated: 0000001A.00000002.1462110786.0000000000468000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_26_2_400000_SMARTPSS-Win32_ChnEng_IS_V2.jbxd
          Similarity
          • API ID: lstrlen$CharNextlstrcmpi
          • String ID:
          • API String ID: 190613189-0
          • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
          • Instruction ID: 25fbcb832c33ec4964fd827efed06e6d871dcd69bbe6b28132c6debe6a032c6a
          • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
          • Instruction Fuzzy Hash: 02F0A736249D51DBC2025B355C04E6FAA94EF92354B54097AF444F2251D33A98129BBF
          Uniqueness

          Uniqueness Score: -1.00%