Windows Analysis Report niPie.exe

Overview

General Information

Sample Name: niPie.exe
Analysis ID: 502665
MD5: 601fda01efb1a22e18a19793158b51fe
SHA1: 925f30c4a425c133915ee92dd4c0900f31536c04
SHA256: 5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Found evasive API chain (may stop execution after accessing registry keys)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs

Analysis Advice

Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").
Sample crashes during execution; try analysing it on another analysis machine.

Process Tree

  • System is w10x64
  • niPie.exe (PID: 4528 cmdline: 'C:\Users\user\Desktop\niPie.exe' -install MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • niPie.exe (PID: 5808 cmdline: 'C:\Users\user\Desktop\niPie.exe' /install MD5: 601FDA01EFB1A22E18A19793158B51FE)
    • WerFault.exe (PID: 5344 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • niPie.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\niPie.exe' /load MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures; the full list of matched signature evidence follows.

Source: niPie.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: niPie.exe | Static PE information: certificate valid
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb. source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.290136004.00000000006E2000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.292559485.0000000000AB1000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.289723117.00000000006EE000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.292590966.0000000000AB0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.289718140.00000000006E8000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.292548116.0000000004AE1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb( source: WerFault.exe, 0000000B.00000003.292600941.0000000000AB7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.292596079.0000000000AB4000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00401460
Source: WerFault.exe, 0000000B.00000002.302967214.0000000004C80000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: niPie.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: niPie.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: niPie.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: niPie.exe | String found in binary or memory: http://s.symcd.com06
Source: niPie.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: niPie.exe | String found in binary or memory: http://s2.symcb.com0
Source: niPie.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: niPie.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: niPie.exe | String found in binary or memory: http://sf.symcd.com0&
Source: niPie.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: niPie.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: niPie.exe | String found in binary or memory: http://sv.symcd.com0&
Source: niPie.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: niPie.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: niPie.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: niPie.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: niPie.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: niPie.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: niPie.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: niPie.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: niPie.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: niPie.exe, 00000000.00000002.276768438.00000000007AA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: niPie.exe, 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe, 00000004.00000000.285248528.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe, 0000000C.00000000.287069798.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: C:\Users\user\Desktop\niPie.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402100
Source: niPie.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\niPie.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' -install
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /install
Source: unknown | Process created: C:\Users\user\Desktop\niPie.exe 'C:\Users\user\Desktop\niPie.exe' /load
Source: C:\Users\user\Desktop\niPie.exe | Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5808
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B1.tmp
Source: niPie.exe | String found in binary or memory: /install
Source: niPie.exe | String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
Source: classification engine | Classification label: clean5.winEXE@4/6@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402930 push eax; ret 0_2_0040295E
Source: C:\Users\user\Desktop\niPie.exe | Code function: 4_2_0019CE94 push esp; retf 4_2_0019CE95
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00407AB8
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\niPie.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-3716
Source: C:\Users\user\Desktop\niPie.exe | API coverage: 6.3 %
Source: C:\Users\user\Desktop\niPie.exe | API call chain: ExitProcess graph end node graph_0-3939
Source: Amcache.hve.11.dr | Binary or memory string: VMware
Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.
Source: WerFault.exe, 0000000B.00000002.302919023.00000000047E1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWPs}
Source: WerFault.exe, 0000000B.00000003.300055039.00000000047FA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000B.00000002.302910267.00000000047D1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.11.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\niPie.exe | Process queried: DebugPort
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: niPie.exe, 00000004.00000000.285424370.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00405644 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA,0_2_00405644
Source: Amcache.hve.11.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr | Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 2 | Virtualization/Sandbox Evasion 1 | Input Capture 1 | Security Software Discovery 21 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 2 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features

Behavior Graph

Behavior Graph ID: 502665, Sample: niPie.exe, Start date: 14/10/2021, Architecture: WINDOWS, Score: 5
Graph summary: three niPie.exe processes were started; one of them started WerFault.exe, which contacted 192.168.2.1 (unknown).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
niPie.exe | 0% | Metadefender |
niPie.exe | 0% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ocsp.thawte.com0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.11.dr | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | niPie.exe | false | | high
http://www.symauth.com/cps0( | niPie.exe | false | | high
http://www.symauth.com/rpa00 | niPie.exe | false | | high
http://ocsp.thawte.com0 | niPie.exe | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502665
Start date: 14.10.2021
Start time: 08:40:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: niPie.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Cmdline fuzzy
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winEXE@4/6@0/1
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 97.2%)
  • Quality average: 87.1%
  • Quality standard deviation: 22.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 20.190.160.67, 20.190.160.129, 20.190.160.8, 20.190.160.4, 20.190.160.134, 20.190.160.132, 20.190.160.73, 20.190.160.75, 20.42.73.29, 20.82.210.154, 52.251.79.25, 20.54.110.249, 93.184.221.240, 8.253.95.121, 8.248.133.254, 67.26.83.254, 8.248.143.254, 8.248.145.254, 40.112.88.60, 20.199.120.182, 2.20.178.24, 2.20.178.33
  • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, www.tm.lg.prod.aadmsa.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, onedsblobprdeus15.eastus.cloudapp.azure.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
  • Execution Graph export aborted for target niPie.exe, PID 5808 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/502665/sample/niPie.exe

Simulations

          Behavior and APIs

          Time | Type | Description
          08:41:26 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASN

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_niPie.exe_e6cde1c574634daa1e46756134802be990d9bced_e1e15161_140105c6\Report.wer
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.8703585320712506
          Encrypted:false
          SSDEEP:192:wIBNLyipHkgdbcDhRjgIh/u7sYS274ItU:wcNeiZk0c7jj/u7sYX4ItU
          MD5:C0D7310843F8F4325C1610FDDA4668E4
          SHA1:D4DFA0568167234554D7F1BADF51561DD2D2BA72
          SHA-256:6C26895BCFD43A4A1D61A701F664F5B6264B96335A8A71670F83D33B38405E6A
          SHA-512:D7E4F3F7EE44964FDB97D4B087FAA2401277EAD1529E4873D9F7F4498DEC637A6FC5B1D14C34B54C22532316AC767405110377D0D16BA4FE4CE23CD81868C957
          Malicious:false
          Reputation:low
          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.6.9.9.6.8.1.5.1.9.2.6.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.6.9.9.6.8.5.4.0.9.9.1.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.2.b.7.d.d.8.8.-.d.6.b.8.-.4.b.8.b.-.a.e.d.d.-.b.e.c.e.d.d.4.7.e.3.2.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.3.0.0.b.5.b.-.c.b.f.7.-.4.7.c.4.-.b.e.8.5.-.0.9.5.3.4.d.0.5.e.b.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.n.i.P.i.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.b.0.-.0.0.0.1.-.0.0.1.c.-.d.e.7.b.-.5.6.e.d.1.1.c.1.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.d.5.0.2.0.4.0.b.e.0.4.5.9.b.0.a.9.a.6.5.f.2.d.2.f.5.0.6.c.5.f.0.0.0.0.f.f.f.f.!.0.0.0.0.9.2.5.f.3.0.c.4.a.4.2.5.c.1.3.3.9.1.5.e.e.9.2.d.d.4.c.0.9.0.0.f.3.1.5.3.6.c.0.4.!.n.i.P.i.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.3././.
          C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1B1.tmp.dmp
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 14 streams, Thu Oct 14 15:41:22 2021, 0x1205a4 type
          Category:dropped
          Size (bytes):54596
          Entropy (8bit):2.059817025510805
          Encrypted:false
          SSDEEP:192:1+4fNhNi0OC4OV6e6bzyN3SzEkMg96CQIhu2YlXalyCBKb:Bl+CfBX1bIhLyC8
          MD5:B9D0C19927DC3FC2628C9ACBCD0EA583
          SHA1:B056DEEF8A7A09F2BAB02DCD212D78466AE6579F
          SHA-256:D9BCDBA6ACD224A38C1DAF72FDA6590EFE7E013313452D72538E3FF3C0572653
          SHA-512:97F22935AC3882A0E500B0DB213BB7E4D6264D7D87446BE551E3194002EA323C6E62E5B0948AE48313D1A546CC8DDF0CE00C9BB4CCA441CD2EE816B936BDFD01
          Malicious:false
          Reputation:low
          Preview: MDMP....... ........Oha....................................d....0..........T.......8...........T...............D............................................................................................U...........B......d.......GenuineIntelW...........T............Oha.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
          C:\ProgramData\Microsoft\Windows\WER\Temp\WERF656.tmp.WERInternalMetadata.xml
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
          Category:dropped
          Size (bytes):8284
          Entropy (8bit):3.6902502451531936
          Encrypted:false
          SSDEEP:192:Rrl7r3GLNif66rY6YFPSUyogmfRSqXh7CprRc89b2vsfINjym:RrlsNiy606YtSUyogmfRSXJ2UfINH
          MD5:C197E246B6EBB950F52D55C6D5B459F4
          SHA1:BBBFDC67A29B9F7967EB16DF1BC7F4B984FDA502
          SHA-256:E9670D33B9E2A1F9B58E786B18C8932CF7541A02DD4F150C8803315151AA37EF
          SHA-512:ADC44F6500E8C3E4BEDD947688DDEA258B139652749F7F9D4B4507BB722F969E329E81DB8EFF4EEFF965FD81C538222A433467870216B1F3AFFDD41D3459115F
          Malicious:false
          Reputation:low
          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.0.8.<./.P.i.d.>.......
          C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA10.tmp.xml
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4544
          Entropy (8bit):4.440570598188364
          Encrypted:false
          SSDEEP:48:cvIwSD8zsvJgtWI9iMWSC8BWM8fm8M4J46qE+L/bFbX+q8qsS7R/nhws60Xi8d:uITfR5lSNUxJ6Fws60Xi8d
          MD5:665AACD7328A47617D15C599E633FA94
          SHA1:1D6A3AE0B676DFB321924FF0E5CA24789ABB7336
          SHA-256:FA858B206ECE5CE3843078D4C1E489E086549140118E61652D1C9BBDA1C6A6AB
          SHA-512:89EE7E52E7157FB87E885A80DD40DD93DBE3BDA0DF9A12EA3125ED5E0D13BF3F8F40CAB187DC553285F4A95E637378C925E54246F5F31DE8DC5433B405E50A94
          Malicious:false
          Reputation:low
          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1209652" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
          C:\Windows\appcompat\Programs\Amcache.hve
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):1572864
          Entropy (8bit):4.275087550666143
          Encrypted:false
          SSDEEP:12288:FipMLJvchtjAw8z7nZ38GMARuhauEhP16N6xcqUEbGt4pVs1E9dZZd:UpMLJvchtjAw8zXN
          MD5:2C419893782E19E68C6EA20E61ADE4FD
          SHA1:684AF6925498E41E88494D73E2D447DB019EEA73
          SHA-256:4CEC7CBC5FF3A479E46BC0004A2DE16AD1CC45B998E527DE792CC85C0C57D7B0
          SHA-512:84A1721FBFD55B3E8147F0126A5E0577D12C8DA31C0356E144F7B48BEA86951BBC58E7EC121591C5DE46156AA4A037C9CC636A324B857E4A292AB718B3C12D87
          Malicious:false
          Reputation:low
          Preview: regfZ...Z...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR.K...................................................................................................................................................................................................................................................................................................................................................O.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
          C:\Windows\appcompat\Programs\Amcache.hve.LOG1
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):4.183354901830507
          Encrypted:false
          SSDEEP:768:nnUdC0MwqhBrOFftx1xJ4X7fFK7bBqXIeq5QMVyi6a74LXHuzEsFqb+v:VfB2xA/CReOhqC
          MD5:23FFAE33C71AB2637BA27D8CF7225580
          SHA1:1A345D8BBE40B02FB15DFBD9CF3EF167A3D695F1
          SHA-256:DB922318220427C790ED4E8F88672BD213D8AD2FF1D2C67C79A1B3F58F19D68E
          SHA-512:AA414C8B6D0646FB4A58D45108EEC1F1CD08F37275C534987B6B135424D0B249F48E7F54DC51E209B0205DFE3D329C97BEE2136DB3CCC8D57C56BA54D108F79F
          Malicious:false
          Reputation:low
          Preview: regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR.K...................................................................................................................................................................................................................................................................................................................................................O.HvLE.~......Y.............`....)................ ....... .......0................... ..hbin................p.\..,..........nk,..2N..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..2N......... ........................... .......Z.......................Root........lf......Root....nk ..2N......................}.............. ...............*...............DeviceCensus.......................vk..................WritePer

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):5.892836892157124
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:niPie.exe
          File size:73664
          MD5:601fda01efb1a22e18a19793158b51fe
          SHA1:925f30c4a425c133915ee92dd4c0900f31536c04
          SHA256:5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3
          SHA512:0db9ac45dfa3e4530fa4a945e3cac301e1ee8b26fc2690739741d72e1b7712e205f4bf83463e51c70df141af663ffa54c4e281d93f3bc386487a42eb1778a03c
          SSDEEP:768:gjan8GnhwDHcnrkqAAO8IEwm8iNWTGzvtKsDsoxm3whvI:gjanoDGrkbAO80mhN/ZKsDnmghw
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..)k..zk..zk..z...zh..z...zx..z...zW..z...zc..z2..zl..zk..z,..zm..zo..z...zj..z...zj..zRichk..z................PE..L...j.I>...

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x402d93
          Entrypoint Section:.text
          Digitally signed:true
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          DLL Characteristics:
          Time Stamp:0x3E49816A [Tue Feb 11 23:04:10 2003 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:8fcbb82d712dc622f705d3815ebb3266

          Authenticode Signature

          Signature Valid:true
          Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
          Signature Validation Error:The operation completed successfully
          Error Number:0
          Not Before, Not After
          • 4/11/2016 5:00:00 PM 7/12/2019 4:59:59 PM
          Subject Chain
          • CN=National Instruments Corporation, O=National Instruments Corporation, L=Austin, S=Texas, C=US
          Version:3
          Thumbprint MD5:1C8D1A5469552A41DE716974A986D673
          Thumbprint SHA-1:70B8BA3A50BCDBAD1DC2C86C6DEB1D78215EA111
          Thumbprint SHA-256:4750C8643DF6099EA03EB3ADA1157EEFC149A3BAC6DBB31760A4DC0AFC41C007
          Serial:61C3329855F6476CFCB4FCF359E55909

          Entrypoint Preview

          Instruction
          push ebp
          mov ebp, esp
          push FFFFFFFFh
          push 00409140h
          push 004058E4h
          mov eax, dword ptr fs:[00000000h]
          push eax
          mov dword ptr fs:[00000000h], esp
          sub esp, 58h
          push ebx
          push esi
          push edi
          mov dword ptr [ebp-18h], esp
          call dword ptr [00409094h]
          xor edx, edx
          mov dl, ah
          mov dword ptr [0040CBE0h], edx
          mov ecx, eax
          and ecx, 000000FFh
          mov dword ptr [0040CBDCh], ecx
          shl ecx, 08h
          add ecx, edx
          mov dword ptr [0040CBD8h], ecx
          shr eax, 10h
          mov dword ptr [0040CBD4h], eax
          xor esi, esi
          push esi
          call 00007FA6DC9FFF2Fh
          pop ecx
          test eax, eax
          jne 00007FA6DC9FD59Ah
          push 0000001Ch
          call 00007FA6DC9FD645h
          pop ecx
          mov dword ptr [ebp-04h], esi
          call 00007FA6DC9FFBFAh
          call dword ptr [00409090h]
          mov dword ptr [0040E108h], eax
          call 00007FA6DC9FFAB8h
          mov dword ptr [0040CBB4h], eax
          call 00007FA6DC9FF861h
          call 00007FA6DC9FF7A3h
          call 00007FA6DC9FF4C0h
          mov dword ptr [ebp-30h], esi
          lea eax, dword ptr [ebp-5Ch]
          push eax
          call dword ptr [0040908Ch]
          call 00007FA6DC9FF734h
          mov dword ptr [ebp-64h], eax
          test byte ptr [ebp-30h], 00000001h
          je 00007FA6DC9FD598h
          movzx eax, word ptr [ebp-2Ch]
          jmp 00007FA6DC9FD595h
          push 0000000Ah
          pop eax
          push eax
          push dword ptr [ebp-64h]
          push esi
          push esi
          call dword ptr [00409088h]

          Rich Headers

          Programming Language:
          • [EXP] VC++ 6.0 SP5 build 8804
          • [LNK] VC++ 6.0 SP5 build 8804

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x9bc0 | 0x72 | .rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9548 | 0x64 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0xa20 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe000 | 0x3fc0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x140 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x7722 | 0x8000 | False | 0.566650390625 | COM executable for DOS | 6.39486324672 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rdata | 0x9000 | 0xc32 | 0x1000 | False | 0.376708984375 | data | 4.52160108025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xa000 | 0x410c | 0x3000 | False | 0.0714518229167 | data | 0.996089583315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
          .rsrc | 0xf000 | 0xa20 | 0x1000 | False | 0.26318359375 | data | 4.15843705735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_DIALOG | 0xf130 | 0xa0 | data | English | United States
          RT_STRING | 0xf1d0 | 0x144 | data | German | Germany
          RT_STRING | 0xf314 | 0x132 | data | English | United States
          RT_STRING | 0xf448 | 0x150 | data | French | France
          RT_STRING | 0xf598 | 0xd8 | data | Japanese | Japan
          RT_VERSION | 0xf670 | 0x3b0 | data | English | United States

          Imports

          DLL | Import
          KERNEL32.dll | ReleaseMutex, WaitForSingleObjectEx, CreateThread, Sleep, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, RemoveDirectoryA, CreateMutexA, ExitProcess, GetCurrentProcess, UnhandledExceptionFilter, FlushFileBuffers, ReadFile, CloseHandle, LoadLibraryA, GetProcAddress, SetStdHandle, HeapReAlloc, VirtualAlloc, GetStringTypeW, GetStringTypeA, SetFilePointer, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, DeleteFileA, GetCPInfo, GetACP, GetOEMCP, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, HeapAlloc, HeapFree, TerminateProcess, GetLastError, GetFileType, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, WriteFile
          USER32.dll | SendMessageA, SetDlgItemTextA, MessageBoxA, EndDialog, LoadStringA, DialogBoxParamA
          ADVAPI32.dll | RegOpenKeyExA, RegEnumKeyExA, RegEnumValueA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA
          Msi.dll |

          Exports

          Name | Ordinal | Address
          RFL_RegSetBinary | 2 | 0x401aa0
          _RFL_RegGetBinary@20 | 1 | 0x401a70

          Version Infos

          Description | Data
          LegalCopyright | Copyright 2002-2017. All Rights Reserved.
          InternalName | WinNestInst
          FileVersion | 17.5.0.170
          CompanyName | National Instruments
          PrivateBuild |
          LegalTrademarks |
          Comments |
          ProductName | National Instruments UM Satellite
          SpecialBuild |
          ProductVersion | 17.5.0
          FileDescription | WinNestInst
          OriginalFilename | WinNestInst.exe

          Possible Origin

          Language of compilation system | Country where language is spoken | Map
          English | United States |
          German | Germany |
          French | France |
          Japanese | Japan |

          Network Behavior

          No network behavior found

          Code Manipulations

          Statistics

          CPU Usage


          Memory Usage


          High Level Behavior Distribution


          Behavior


          System Behavior

          General

          Start time:08:41:14
          Start date:14/10/2021
          Path:C:\Users\user\Desktop\niPie.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\niPie.exe' -install
          Imagebase:0x400000
          File size:73664 bytes
          MD5 hash:601FDA01EFB1A22E18A19793158B51FE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          General

          Start time:08:41:17
          Start date:14/10/2021
          Path:C:\Users\user\Desktop\niPie.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\niPie.exe' /install
          Imagebase:0x400000
          File size:73664 bytes
          MD5 hash:601FDA01EFB1A22E18A19793158B51FE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          General

          Start time:08:41:19
          Start date:14/10/2021
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5808 -s 528
          Imagebase:0xd00000
          File size:434592 bytes
          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:08:41:19
          Start date:14/10/2021
          Path:C:\Users\user\Desktop\niPie.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\niPie.exe' /load
          Imagebase:0x400000
          File size:73664 bytes
          MD5 hash:601FDA01EFB1A22E18A19793158B51FE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          Disassembly

          Code Analysis


            Execution Graph

            Execution Coverage:2.7%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:6.3%
            Total number of Nodes:617
            Total number of Limit Nodes:17

            Graph

            execution_graph: node and edge listing of the interactive execution graph viewer (node id, function address and the API calls resolved at each node), not reproduced here.
3721->3724 3723 402885 RegEnumKeyExA 3723->3724 3724->3720 3724->3723 3839 401950 3724->3839 3842 401b10 RegOpenKeyExA 3724->3842 3727 402930 3726->3727 3728 40130a #141 RegOpenKeyExA 3727->3728 3729 401364 RegEnumValueA 3728->3729 3730 401437 3728->3730 3729->3730 3735 401395 3729->3735 3731 401b50 5 API calls 3730->3731 3733 401449 3731->3733 3732 401950 3 API calls 3732->3735 3738 401590 3733->3738 3734 401409 RegEnumValueA 3734->3730 3734->3735 3735->3732 3735->3734 3736 4013f1 DeleteFileA 3735->3736 3850 401460 3736->3850 3739 402930 3738->3739 3740 40159a #141 RegOpenKeyExA 3739->3740 3741 40174e RegOpenKeyExA 3740->3741 3742 40163f RegEnumKeyExA 3740->3742 3743 401771 RegEnumKeyExA 3741->3743 3744 4018cb 3741->3744 3742->3741 3749 40166a 3742->3749 3743->3744 3750 40179c 3743->3750 3746 401b50 5 API calls 3744->3746 3745 401950 RegOpenKeyExA RegQueryValueExA RegCloseKey 3745->3749 3747 4018dd 3746->3747 3747->3347 3748 401950 RegOpenKeyExA RegQueryValueExA RegCloseKey 3748->3750 3749->3745 3751 401b10 2 API calls 3749->3751 3752 401b50 5 API calls 3749->3752 3754 401720 RegEnumKeyExA 3749->3754 3750->3748 3756 40189d RegEnumKeyExA 3750->3756 3899 402a3c 3750->3899 3902 401a00 RegCreateKeyExA 3750->3902 3907 401980 RegCreateKeyExA 3750->3907 3751->3749 3752->3749 3754->3741 3754->3749 3756->3744 3756->3750 3759 402930 3758->3759 3760 40210a RegOpenKeyExA 3759->3760 3761 402548 3760->3761 3762 40215e RegEnumKeyExA 3760->3762 3922 402560 3761->3922 3762->3761 3763 402192 RegOpenKeyExA 3762->3763 3765 402271 RegEnumKeyExA 3763->3765 3766 402512 RegEnumKeyExA 3763->3766 3765->3766 3774 40229c 3765->3774 3766->3761 3766->3763 3767 401f09 3776 401000 3767->3776 3768 401950 3 API calls 3768->3774 3769 4024df RegEnumKeyExA 3769->3766 3769->3774 3770 401b10 2 API calls 3771 4023a4 RegOpenKeyExA 3770->3771 3771->3769 3772 4023fb RegEnumKeyExA 3771->3772 3773 402441 RegEnumKeyExA 3772->3773 3772->3774 3773->3773 3773->3774 3774->3768 3774->3769 3774->3770 3918 402000 
3774->3918 3777 402930 3776->3777 3778 40100a #141 RegOpenKeyExA 3777->3778 3779 401060 RegEnumKeyExA 3778->3779 3780 4012d7 3778->3780 3779->3780 3785 401093 3779->3785 3781 401b50 5 API calls 3780->3781 3782 4012ea 3781->3782 3782->3474 3783 401950 3 API calls 3783->3785 3784 4012a1 RegEnumKeyExA 3784->3780 3784->3785 3785->3783 3785->3784 3786 40118e #93 RegOpenKeyExA 3785->3786 3787 4011c7 RegEnumValueA 3786->3787 3788 401288 #33 #8 3786->3788 3787->3788 3791 4011eb 3787->3791 3788->3784 3789 401950 3 API calls 3789->3791 3790 401261 RegEnumValueA 3790->3788 3790->3791 3791->3789 3791->3790 3792 40124a #144 3791->3792 3792->3790 3794 401cb2 3793->3794 3796 404131 3793->3796 3794->3705 3795 404b99 24 API calls 3795->3796 3796->3794 3796->3795 3798 404afb 3796->3798 3799 406348 6 API calls 3796->3799 3803 404ae2 3796->3803 3804 4037f1 6 API calls 3796->3804 3805 404b31 6 API calls 3796->3805 3806 404b82 12 API calls 3796->3806 3807 404b68 18 API calls 3796->3807 3809 406219 3796->3809 3800 404b82 12 API calls 3798->3800 3799->3796 3801 404b05 3800->3801 3802 404b82 12 API calls 3801->3802 3802->3794 3815 404b82 3803->3815 3804->3796 3805->3796 3806->3796 3807->3796 3810 406227 3809->3810 3811 406232 3809->3811 3810->3811 3812 4062ba MultiByteToWideChar 3810->3812 3813 40626d 3810->3813 3811->3796 3812->3811 3813->3811 3814 40627c MultiByteToWideChar 3813->3814 3814->3811 3816 404b96 3815->3816 3817 404b89 3815->3817 3816->3794 3819 406468 3817->3819 3820 406473 3819->3820 3822 406492 3819->3822 3820->3822 3823 405d8f 3820->3823 3822->3816 3824 404c3b 12 API calls 3823->3824 3825 405d9f 3824->3825 3825->3822 3828 4040d3 3826->3828 3829 404098 3826->3829 3827 40614e 15 API calls 3827->3828 3828->3827 3828->3829 3829->3710 3831 401b8d lstrlenA 3830->3831 3838 401b5f 3830->3838 3832 401b9c RegOpenKeyExA 3831->3832 3831->3838 3836 401bbe 3832->3836 3832->3838 3833 401bc5 RegEnumKeyExA 3834 401c19 RegDeleteKeyA 3833->3834 3833->3836 3835 401c17 RegCloseKey 3834->3835 
3835->3838 3836->3833 3836->3835 3838->3714 3845 4018f0 RegOpenKeyExA 3839->3845 3841 401977 3841->3724 3843 401b33 RegDeleteValueA 3842->3843 3844 401b2d 3842->3844 3843->3724 3844->3724 3846 401910 3845->3846 3847 401916 RegQueryValueExA 3845->3847 3846->3841 3848 401941 RegCloseKey 3847->3848 3849 40193b 3847->3849 3848->3841 3849->3841 3860 40295f 3850->3860 3853 401573 RemoveDirectoryA 3853->3735 3854 40295f 19 API calls 3855 4014a3 3854->3855 3855->3854 3856 40154c DeleteFileA 3855->3856 3857 40155a FindNextFileA 3855->3857 3859 401460 19 API calls 3855->3859 3856->3857 3857->3855 3858 40156a FindClose 3857->3858 3858->3853 3859->3855 3865 402fe7 3860->3865 3863 401482 FindFirstFileA 3863->3853 3863->3855 3866 40298d 3865->3866 3868 40300c __aulldiv __aullrem 3865->3868 3866->3863 3872 402ed2 3866->3872 3867 403728 18 API calls 3867->3868 3868->3866 3868->3867 3869 40378e 18 API calls 3868->3869 3870 40375d 18 API calls 3868->3870 3871 405eb2 WideCharToMultiByte 3868->3871 3869->3868 3870->3868 3871->3868 3874 402ee8 3872->3874 3881 402f6c 3872->3881 3873 402f43 3875 402fb1 3873->3875 3876 402f4d 3873->3876 3874->3873 3880 405d8f 12 API calls 3874->3880 3874->3881 3877 405be2 6 API calls 3875->3877 3878 402f64 3876->3878 3882 402f74 3876->3882 3877->3881 3884 405be2 3878->3884 3880->3873 3881->3863 3882->3881 3894 405b48 3882->3894 3885 405bfd 3884->3885 3893 405c2c 3884->3893 3886 405b48 2 API calls 3885->3886 3888 405c40 3885->3888 3885->3893 3886->3888 3887 405d12 WriteFile 3889 405d34 GetLastError 3887->3889 3887->3893 3888->3887 3892 405c51 3888->3892 3889->3893 3890 405c9d WriteFile 3891 405d07 GetLastError 3890->3891 3890->3892 3891->3893 3892->3890 3892->3893 3893->3881 3895 405b57 3894->3895 3898 405b80 3894->3898 3896 405b8c SetFilePointer 3895->3896 3895->3898 3897 405ba4 GetLastError 3896->3897 3896->3898 3897->3898 3898->3881 3912 4029b1 3899->3912 3903 401a34 RegSetValueExA 3902->3903 3904 401a2e 3902->3904 3905 401a53 3903->3905 3906 401a59 
RegCloseKey 3903->3906 3904->3750 3905->3750 3906->3750 3908 4019b4 RegSetValueExA 3907->3908 3909 4019ae 3907->3909 3910 4019e5 RegCloseKey 3908->3910 3911 4019df 3908->3911 3909->3750 3910->3750 3911->3750 3914 4029b9 3912->3914 3913 4037f1 6 API calls 3913->3914 3914->3913 3916 4029e7 3914->3916 3915 4037f1 6 API calls 3915->3916 3916->3915 3917 402a2e 3916->3917 3917->3750 3919 402012 3918->3919 3921 402068 3919->3921 3928 402d7a 3919->3928 3921->3774 3923 4025e6 3922->3923 3924 40256a 3922->3924 3923->3767 3925 40256b #95 #144 #144 #33 #8 3924->3925 3927 4025e1 3924->3927 3931 402d88 3925->3931 3927->3767 3929 404c4d 12 API calls 3928->3929 3930 402d85 3929->3930 3930->3921 3932 404ced 7 API calls 3931->3932 3933 402d91 3932->3933 3933->3924 3936 404db1 GetCurrentProcess TerminateProcess 3935->3936 3937 404dc2 3935->3937 3936->3937 3938 402e6a 3937->3938 3939 404e2c ExitProcess 3937->3939 3938->3498 4034 403ff4 4035 404002 4034->4035 4036 404006 LCMapStringW 4035->4036 4037 403fba 4035->4037 4036->4037 4038 40401e WideCharToMultiByte 4036->4038 4038->4037 4040 405df9 4041 405e06 4040->4041 4048 407d6c 4041->4048 4043 405e20 4044 407d6c 12 API calls 4043->4044 4046 405e4b 4043->4046 4045 405e39 4044->4045 4045->4046 4047 402e89 7 API calls 4045->4047 4047->4046 4052 407d80 4048->4052 4049 407dd7 HeapAlloc 4049->4052 4053 407e02 4049->4053 4050 40688d 5 API calls 4050->4052 4051 40703a 6 API calls 4051->4052 4052->4049 4052->4050 4052->4051 4052->4053 4053->4043 3969 4058dc 3971 4058e4 3969->3971 3970 405976 3971->3970 3973 4057ec RtlUnwind 3971->3973 3974 405804 3973->3974 3974->3971 3975 405e9e 3981 407f0c 3975->3981 3977 405eb1 3978 405ea3 3978->3977 3980 404ced 7 API calls 3978->3980 3984 408591 3978->3984 3980->3978 3994 407f15 3981->3994 3985 4085a1 3984->3985 3986 4085a6 3984->3986 3985->3978 3986->3985 3998 407eb0 3986->3998 3992 4085c0 3992->3985 3993 404ced 7 API calls 3992->3993 3993->3985 3995 407f13 3994->3995 3996 407f26 3994->3996 3995->3978 
3996->3995 3997 407e75 8 API calls 3996->3997 3997->3996 3999 407ec6 3998->3999 4001 407ee1 3998->4001 4000 405be2 6 API calls 3999->4000 3999->4001 4000->4001 4002 4086f1 4001->4002 4003 4086fd 4002->4003 4005 4085b8 4002->4005 4004 404ced 7 API calls 4003->4004 4003->4005 4004->4005 4006 40863e 4005->4006 4009 4086bf 4006->4009 4010 408652 4006->4010 4007 4086b7 4013 407cb5 4007->4013 4009->3992 4010->4007 4010->4009 4011 4086a1 CloseHandle 4010->4011 4011->4007 4012 4086ad GetLastError 4011->4012 4012->4007 4014 407d0e 4013->4014 4015 407cc3 4013->4015 4014->4009 4015->4014 4016 407d08 SetStdHandle 4015->4016 4016->4014 4054 402e7e 4061 404d94 4054->4061 4056 402e89 4057 402e97 4056->4057 4058 4059bc 7 API calls 4056->4058 4059 4059f5 7 API calls 4057->4059 4058->4057 4060 402ea0 4059->4060 4062 404da5 3 API calls 4061->4062 4063 404da1 4062->4063 4063->4056

            Executed Functions

            Control-flow Graph

            C-Code - Quality: 34%
            			E00401C60(void* __esi, intOrPtr _a4, intOrPtr _a12) {
            				void _v259;
            				char _v260;
            				char _v268;
            				void _v519;
            				char _v520;
            				long _v524;
            				struct _SECURITY_ATTRIBUTES _v536;
            				char _v548;
            				char* _v556;
            				intOrPtr _v564;
            				intOrPtr _v568;
            				intOrPtr _v576;
            				void* _t43;
            				void* _t44;
            				void* _t46;
            				void* _t47;
            				void* _t48;
            				void* _t49;
            				void* _t51;
            				void* _t52;
            				void* _t57;
            				void* _t60;
            				struct HWND__* _t61;
            				void* _t64;
            				void* _t66;
            				void* _t68;
            				void* _t70;
            				void* _t71;
            				void* _t73;
            				long _t75;
            				void* _t90;
            				char _t92;
            				void* _t107;
            				void* _t108;
            				void* _t110;
            				void* _t113;
            				void* _t114;
            				void* _t115;
            				void* _t116;
            				void* _t117;
            				void* _t118;
            				void* _t119;
            				void* _t122;
            
            				_t107 = __esi;
            				_t92 =  *0x40cba0; // 0x0
            				_v520 = _t92;
            				memset( &_v519, 0, 0x40 << 2);
            				asm("stosw");
            				asm("stosb");
            				_v260 = _t92;
            				memset( &_v259, 0, 0x40 << 2);
            				asm("stosw");
            				asm("stosb");
            				_t106 = _a12;
            				E00402D46(_a12, "%s ",  &_v520);
            				_t87 =  &_v520;
            				_t43 = E00402BD8( &_v520,  &_v520, "/undo");
            				_t113 = _t110 + 0x2c;
            				_t124 = _t43;
            				if(_t43 != 0) {
            					_t44 = E00402BD8( &_v520,  &_v520, "/qnm");
            					_t114 = _t113 + 8;
            					__eflags = _t44;
            					if(__eflags != 0) {
            						_t88 =  &_v536;
            						 *0x40cba8 = _a4;
            						_v536.nLength = 0xc;
            						_v536.lpSecurityDescriptor = 0;
            						_v536.bInheritHandle = 1;
            						_t46 = CreateMutexA( &_v536, 0, "_MSIExecute"); // executed
            						__eflags = _t46;
            						 *0x40cba4 = _t46;
            						if(_t46 != 0) {
            							_t75 = WaitForSingleObjectEx(_t46, 0xffffffff, 0);
            							__eflags = _t75;
            							if(_t75 != 0) {
            								MessageBoxA(0, "Mutex Failed", "Nested Install", 0);
            							}
            						}
            						_t47 = E00402BD8(_t88,  &_v520, "/q");
            						_t115 = _t114 + 8;
            						__eflags = _t47;
            						if(_t47 != 0) {
            							_t73 = E00402BD8(_t88,  &_v520, "/qnm");
            							_t115 = _t115 + 8;
            							__eflags = _t73;
            							if(_t73 != 0) {
            								_t88 =  &_v524;
            								CreateThread(0, 0, E004020E0, 0, 0,  &_v524); // executed
            							}
            						}
            						_t48 = E00402BD8(_t88,  &_v520, "/test");
            						_t116 = _t115 + 8;
            						__eflags = _t48;
            						if(_t48 != 0) {
            							_push(0);
            							_push(2);
            							L00402918();
            							_t49 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/install");
            							_t117 = _t116 + 8;
            							__eflags = _t49;
            							if(_t49 == 0) {
            								_t68 = E00402B65(_t106, 0x22);
            								_t122 = _t117 + 8;
            								__eflags = _t68;
            								if(_t68 == 0) {
            									_t68 = E00402B65(_t106, 0x20);
            									_t122 = _t122 + 8;
            								}
            								_push(_t107);
            								_t108 = E00402B4E(_t68);
            								_t70 = E00402ACE(_t88, _t108, "\"");
            								_t117 = _t122 + 0xc;
            								__eflags = _t70;
            								if(_t70 != 0) {
            									 *((char*)(_t70 + _t108)) = 0;
            								}
            								_t71 =  &_v548;
            								_push(_t71);
            								_push(_t108);
            								L00402912();
            								__eflags = _t71;
            								if(_t71 == 0) {
            									_t88 = _v556;
            									_push("INSTALL");
            									_push(_v556);
            									L00402906();
            									_push(_v564);
            									L00402900();
            								}
            							}
            							_t51 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/remove");
            							_t118 = _t117 + 8;
            							__eflags = _t51;
            							if(_t51 == 0) {
            								_push( &_v268);
            								E00402D46(_t106, "%s %s",  &(_v536.bInheritHandle));
            								_t118 = _t118 + 0x10;
            								_t66 =  &_v548;
            								_t88 =  &_v268;
            								_push(_t66);
            								_push( &_v268);
            								L0040291E();
            								__eflags = _t66;
            								if(_t66 == 0) {
            									_push("ALL");
            									_push("REMOVE");
            									_push(_v556);
            									L0040290C();
            									_push("INSTALL");
            									_push(_v568);
            									L00402906();
            									_t88 = _v576;
            									_push(_v576);
            									L00402900();
            								}
            							}
            							_t52 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/s");
            							_t119 = _t118 + 8;
            							__eflags = _t52;
            							if(__eflags == 0) {
            								L24:
            								E00402100(_t88, __eflags);
            								E00401000(_t88, __eflags);
            								E00401300(_t88, __eflags);
            								E00401590(_t88, __eflags);
            							} else {
            								_t64 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/q");
            								_t119 = _t119 + 8;
            								__eflags = _t64;
            								if(__eflags == 0) {
            									goto L24;
            								}
            							}
            							_t57 = E00402BD8( &(_v536.bInheritHandle),  &(_v536.bInheritHandle), "/q");
            							__eflags = _t57;
            							if(_t57 != 0) {
            								_t60 = E00402BD8( &(_v536.bInheritHandle),  &(_v536.bInheritHandle), "/qnm");
            								__eflags = _t60;
            								if(_t60 != 0) {
            									goto L27;
            								}
            							}
            						} else {
            							Sleep(0x7d0);
            							L27:
            							_t61 =  *0x40cbac; // 0x0
            							SendMessageA(_t61, 0x12, 0, 0);
            						}
            						_t90 =  *0x40cba4; // 0x21c
            						ReleaseMutex(_t90);
            						__eflags = 0;
            						return 0;
            					} else {
            						E00401300( &_v520, __eflags);
            						E00401590(_t87, __eflags);
            						__eflags = 0;
            						return 0;
            					}
            				} else {
            					E00401B50(0x80000002, "Software\\National Instruments\\Common\\Installer\\Pending");
            					E004025F0( &_v520, _t124);
            					return 0;
            				}
            			}


            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: EnumOpen
            • String ID: %s $%s %s$/install$/qnm$/remove$/test$/undo$ALL$INSTALL$Mutex Failed$Nested Install$REMOVE$Software\National Instruments\Common\Installer\Pending$_MSIExecute
            • API String ID: 3231578192-2645672969
            • Opcode ID: 5e8f4f860a25c24fe8fdd9723dcc3fe331090434a8b75d4b5ad922a940880f65
            • Instruction ID: 416d46b3562254dcf8fdf28cb97b855d8bd1d6bfebd8f94a9c40c6f65952fc5b
            • Opcode Fuzzy Hash: 5e8f4f860a25c24fe8fdd9723dcc3fe331090434a8b75d4b5ad922a940880f65
            • Instruction Fuzzy Hash: 117127B12443017AE610EB719E47F9F36A85F94749F00083EF944B52D2FABCE51886AF
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 78 404da5-404daf 79 404db1-404dbc GetCurrentProcess TerminateProcess 78->79 80 404dc2-404dd8 78->80 79->80 81 404e16-404e2a call 404e3e 80->81 82 404dda-404de1 80->82 93 404e3c-404e3d 81->93 94 404e2c-404e36 ExitProcess 81->94 83 404de3-404def 82->83 84 404e05-404e15 call 404e3e 82->84 86 404df1-404df5 83->86 87 404e04 83->87 84->81 90 404df7 86->90 91 404df9-404e02 86->91 87->84 90->91 91->86 91->87
            C-Code - Quality: 74%
            			E00404DA5(void* __esi, int _a4, intOrPtr _a8, char _a12) {
            				void* _t6;
            				intOrPtr _t7;
            				intOrPtr* _t9;
            				char _t14;
            				intOrPtr _t20;
            				intOrPtr _t21;
            				void* _t22;
            				intOrPtr* _t23;
            				void* _t25;
            				void* _t30;
            
            				_t22 = __esi;
            				_t21 = 1;
            				_t25 =  *0x40cc10 - _t21; // 0x1
            				if(_t25 == 0) {
            					TerminateProcess(GetCurrentProcess(), _a4);
            				}
            				_t14 = _a12;
            				 *0x40cc0c = _t21;
            				 *0x40cc08 = _t14;
            				if(_a8 == 0) {
            					_t7 =  *0x40ded0; // 0x0
            					if(_t7 != 0) {
            						_t20 =  *0x40decc; // 0x0
            						_push(_t22);
            						_t4 = _t20 - 4; // -4
            						_t23 = _t4;
            						if(_t23 >= _t7) {
            							do {
            								_t9 =  *_t23;
            								if(_t9 != 0) {
            									 *_t9();
            								}
            								_t23 = _t23 - 4;
            								_t30 = _t23 -  *0x40ded0; // 0x0
            							} while (_t30 >= 0);
            						}
            					}
            					E00404E3E(0x40a018, 0x40a020);
            				}
            				_t6 = E00404E3E(0x40a024, 0x40a028);
            				if(_t14 == 0) {
            					 *0x40cc10 = _t21; // executed
            					ExitProcess(_a4); // executed
            				}
            				return _t6;
            			}


            APIs
            • GetCurrentProcess.KERNEL32(?,?,00404D90,?,00000000,00000000,00402E6A,00000000,00000000), ref: 00404DB5
            • TerminateProcess.KERNEL32(00000000,?,00404D90,?,00000000,00000000,00402E6A,00000000,00000000), ref: 00404DBC
            • ExitProcess.KERNEL32 ref: 00404E36
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: 1ce9184cf31c89b0503ddc8e1fc7d02da94ccca4b73070f3db8ca45870c343ee
            • Instruction ID: d067ad56b7422b1f12ee169717fbc2c8c9a16e46116dcc55f471bcf15b00e788
            • Opcode Fuzzy Hash: 1ce9184cf31c89b0503ddc8e1fc7d02da94ccca4b73070f3db8ca45870c343ee
            • Instruction Fuzzy Hash: 560180B1604301DBDA219F59EE8861A7BA5FBD1350B20413BF645771E0CB799C84CBAD
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 95 40578c-4057aa HeapCreate 96 4057e2-4057e4 95->96 97 4057ac-4057b9 call 405644 95->97 100 4057c8-4057cb 97->100 101 4057bb-4057c6 call 4064f1 97->101 103 4057e5-4057e8 100->103 104 4057cd call 406d42 100->104 107 4057d2-4057d4 101->107 104->107 107->103 108 4057d6-4057dc HeapDestroy 107->108 108->96
            C-Code - Quality: 100%
            			E0040578C(void* __ecx, intOrPtr _a4) {
            				void* _t6;
            				intOrPtr _t8;
            				void* _t9;
            				void* _t10;
            				void* _t12;
            
            				_t12 = __ecx;
            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
            				_t15 = _t6;
            				 *0x40dda4 = _t6;
            				if(_t6 == 0) {
            					L7:
            					return 0;
            				} else {
            					_t8 = E00405644(_t12, _t15);
            					 *0x40dda8 = _t8;
            					if(_t8 != 3) {
            						__eflags = _t8 - 2;
            						if(_t8 != 2) {
            							goto L8;
            						} else {
            							_t10 = E00406D42();
            							goto L5;
            						}
            					} else {
            						_t10 = E004064F1(0x3f8);
            						L5:
            						if(_t10 != 0) {
            							L8:
            							_t9 = 1;
            							return _t9;
            						} else {
            							HeapDestroy( *0x40dda4);
            							goto L7;
            						}
            					}
            				}
            			}

            APIs
            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DF2,00000000), ref: 0040579D
              • Part of subcall function 00405644: GetVersionExA.KERNEL32 ref: 00405663
            • HeapDestroy.KERNEL32 ref: 004057DC
              • Part of subcall function 004064F1: HeapAlloc.KERNEL32(00000000,00000140,004057C5,000003F8), ref: 004064FE
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Heap$AllocCreateDestroyVersion
            • String ID:
            • API String ID: 2507506473-0
            • Opcode ID: 474817950941fb9feb30d70d4ccabb38241e53c2714eeb091da0a179b8fcc6ee
            • Instruction ID: b80333c318d8f42bacaf1e3d2714f2e368b36af800cabc9f556d8da5a3cfb0b9
            • Opcode Fuzzy Hash: 474817950941fb9feb30d70d4ccabb38241e53c2714eeb091da0a179b8fcc6ee
            • Instruction Fuzzy Hash: DDF06530A50701DADB602B759E8672B3698DF84746F20843BF905F91E1FA788980BD1D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 109 404c79-404c86 110 404c88-404c8e 109->110 111 404c9d-404ca0 109->111 112 404c90-404c99 call 40688d 110->112 113 404ccf-404cd1 110->113 111->113 114 404ca2-404ca8 111->114 112->113 124 404c9b-404c9c 112->124 118 404cd3-404cd5 113->118 119 404cd6-404cd9 113->119 116 404cb2-404cb4 114->116 117 404caa-404cb0 114->117 122 404cb5-404cbb 116->122 117->122 118->119 120 404cdc-404ce5 RtlAllocateHeap 119->120 123 404ceb-404cec 120->123 122->120 125 404cbd-404ccb call 40703a 122->125 125->123 128 404ccd 125->128 128->120
            C-Code - Quality: 60%
            			E00404C79(long _a4) {
            				intOrPtr _t4;
            				void* _t5;
            				long _t6;
            				long _t9;
            				void* _t10;
            				void* _t11;
            				long _t14;
            				long _t16;
            				void* _t19;
            
            				_t4 =  *0x40dda8; // 0x1
            				_t14 = _a4;
            				if(_t4 != 3) {
            					__eflags = _t4 - 2;
            					if(_t4 != 2) {
            						goto L11;
            					}
            					_t6 = _a4;
            					__eflags = _t6;
            					if(_t6 == 0) {
            						_t16 = 0x10;
            					} else {
            						_t16 = _t6 + 0x0000000f & 0xfffffff0;
            					}
            					__eflags = _t16 -  *0x40ca24; // 0x1e0
            					if(__eflags > 0) {
            						goto L14;
            					}
            					_t9 = E0040703A(_t11, _t16 >> 4);
            					__eflags = _t9;
            					if(_t9 == 0) {
            						goto L14;
            					}
            					return _t9;
            				} else {
            					_t19 = _t14 -  *0x40cd7c; // 0x0
            					if(_t19 > 0) {
            						L11:
            						__eflags = _t14;
            						if(_t14 == 0) {
            							_t14 = 1;
            						}
            						_t16 = _t14 + 0x0000000f & 0xfffffff0;
            						__eflags = _t16;
            						L14:
            						_t5 = RtlAllocateHeap( *0x40dda4, 0, _t16); // executed
            						return _t5;
            					}
            					_push(_t14);
            					_t10 = E0040688D();
            					if(_t10 == 0) {
            						goto L11;
            					}
            					return _t10;
            				}
            			}

            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00000000,00404C5D,000000E0,00404C4A,?,0040547D,00000100,?,00000000), ref: 00404CE5
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 1bf8a30c976d370f554eb6e1815b7f352285f2be32f38b688eca5fd3c3194367
            • Instruction ID: b260cdd2eb4f7a27a84718a31416a646ca1a28bc6ef55e16d09debb9a966a00f
            • Opcode Fuzzy Hash: 1bf8a30c976d370f554eb6e1815b7f352285f2be32f38b688eca5fd3c3194367
            • Instruction Fuzzy Hash: C6F0D672A1B1205AFA20A758AD407D73344AF80764F170637FE44BB2D0D338AC91958D
            Uniqueness

            Uniqueness Score: -1.00%

            Non-executed Functions

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 129 402100-402158 call 402930 RegOpenKeyExA 132 402548-402559 call 402560 129->132 133 40215e-40218c RegEnumKeyExA 129->133 133->132 134 402192-40226b RegOpenKeyExA 133->134 136 402271-402296 RegEnumKeyExA 134->136 137 402512-402542 RegEnumKeyExA 134->137 136->137 139 40229c-40234a call 401950 136->139 137->132 137->134 142 402350-402355 139->142 143 4024df-40250c RegEnumKeyExA 139->143 144 40235c-402362 142->144 143->137 143->139 145 402380-402382 144->145 146 402364-402366 144->146 147 402385-402387 145->147 148 402368-402370 146->148 149 40237c-40237e 146->149 147->143 150 40238d-40239a 147->150 148->145 151 402372-40237a 148->151 149->147 152 40239f call 401b10 150->152 151->144 151->149 153 4023a4-4023f5 RegOpenKeyExA 152->153 153->143 154 4023fb-40243b RegEnumKeyExA 153->154 155 402441-4024c1 RegEnumKeyExA 154->155 156 4024c7-4024dc call 402000 154->156 155->155 155->156 156->143
            C-Code - Quality: 76%
            			E00402100(void* __ecx, void* __eflags, int _a4, void* _a8, int _a12, void* _a16, void* _a20, char _a24, char _a64, void _a65, char _a324, char _a584, char _a2632, char _a4680, char _a6728, void _a6775, char _a8776) {
            				int _v0;
            				int _t80;
            				int* _t83;
            				int* _t100;
            				int _t102;
            				void* _t117;
            				int _t119;
            				intOrPtr* _t121;
            				long _t130;
            				char _t131;
            				int* _t137;
            				char* _t138;
            				int* _t139;
            				int _t144;
            				int* _t152;
            				unsigned int _t154;
            				signed int _t155;
            				char* _t188;
            				unsigned int _t190;
            				signed int _t191;
            				signed int _t215;
            				signed int _t217;
            				signed int _t220;
            				char* _t228;
            				signed int _t231;
            				signed int _t234;
            				signed int _t265;
            				signed int _t267;
            				signed int _t271;
            				signed int _t275;
            				void* _t362;
            				void* _t363;
            				void* _t364;
            				void* _t365;
            				void* _t366;
            				void* _t367;
            				void* _t368;
            				intOrPtr* _t369;
            				void* _t370;
            				void* _t371;
            				void* _t372;
            				void* _t374;
            				void* _t376;
            				void* _t393;
            
            				E00402930(0x2a48, __ecx);
            				_t80 = memcpy( &_a6728, "Software\\National Instruments\\Common\\Installer", 0xb << 2);
            				asm("movsw");
            				asm("movsb");
            				memset( &_a6775, _t80, 0x1f4 << 2);
            				_t376 = _t374 + 0x18;
            				asm("stosb");
            				_t83 = RegOpenKeyExA(0x80000002,  &_a6728, 0, 0x10008,  &_a20);
            				if(_t83 == 0) {
            					_t152 = _a20;
            					_a12 = _t83;
            					_v0 = 0x800;
            					if(RegEnumKeyExA(_t152, 0,  &_a324,  &_v0, _t83, _t83, _t83, _t83) == 0) {
            						do {
            							asm("repne scasb");
            							_t154 =  !(_t152 | 0xffffffff);
            							_t362 =  &_a6728 - _t154;
            							_t155 = _t154 >> 2;
            							memcpy(_t362 + _t155 + _t155, _t362, memcpy( &_a2632, _t362, _t155 << 2) & 0x00000003);
            							asm("repne scasb");
            							_t363 = "\\";
            							asm("repne scasb");
            							memcpy( &_a2632 - 1, _t363, 0 << 2);
            							memcpy(_t363 + 0x175b75a, _t363, 0);
            							asm("repne scasb");
            							_t364 =  &_a324;
            							asm("repne scasb");
            							memcpy( &_a2632 - 1, _t364, 0 << 2);
            							memcpy(_t364 + 0x175b75a, _t364, 0);
            							asm("repne scasb");
            							_t365 = "\\Products";
            							asm("repne scasb");
            							memcpy( &_a2632 - 1, _t365, 0 << 2);
            							memcpy(_t365 + 0x175b75a, _t365, 0);
            							_t376 = _t376 + 0x60;
            							_t100 = RegOpenKeyExA(0x80000002,  &_a2632, 0, 0x10008,  &_a8);
            							if(_t100 == 0) {
            								_t188 = _a8;
            								_a4 = _t100;
            								_v0 = 0x800;
            								if(RegEnumKeyExA(_t188, 0,  &_a24,  &_v0, _t100, _t100, _t100, _t100) == 0) {
            									do {
            										asm("repne scasb");
            										_t190 =  !(_t188 | 0xffffffff);
            										_t366 =  &_a2632 - _t190;
            										_t191 = _t190 >> 2;
            										memcpy(_t366 + _t191 + _t191, _t366, memcpy( &_a584, _t366, _t191 << 2) & 0x00000003);
            										asm("repne scasb");
            										_t367 = "\\";
            										asm("repne scasb");
            										memcpy( &_a584 - 1, _t367, 0 << 2);
            										memcpy(_t367 + 0x175b75a, _t367, 0);
            										asm("repne scasb");
            										_t368 =  &_a24;
            										asm("repne scasb");
            										memcpy( &_a584 - 1, _t368, 0 << 2);
            										memcpy(_t368 + 0x175b75a, _t368, 0);
            										_t117 = E00401950( &_a584, 0x80000002,  &_a584, "LaunchedByUpgrade",  &_a8776);
            										_t376 = _t376 + 0x58;
            										if(_t117 == 0) {
            											_t369 = "True";
            											_t121 =  &_a8776;
            											while(1) {
            												_t265 =  *_t121;
            												_t215 = _t265;
            												if(_t265 !=  *_t369) {
            													break;
            												}
            												if(_t215 == 0) {
            													L10:
            													_t121 = 0;
            												} else {
            													_t275 =  *((intOrPtr*)(_t121 + 1));
            													_t215 = _t275;
            													if(_t275 !=  *((intOrPtr*)(_t369 + 1))) {
            														break;
            													} else {
            														_t121 = _t121 + 2;
            														_t369 = _t369 + 2;
            														if(_t215 != 0) {
            															continue;
            														} else {
            															goto L10;
            														}
            													}
            												}
            												L12:
            												if(_t121 == 0) {
            													E00401B10(0x80000002,  &_a584, "LaunchedByUpgrade");
            													asm("repne scasb");
            													_t217 =  !(_t215 | 0xffffffff);
            													_t370 = "\\Features" - _t217;
            													_t267 = _t217;
            													asm("repne scasb");
            													_t220 = _t267 >> 2;
            													memcpy( &_a584 - 1, _t370, _t220 << 2);
            													memcpy(_t370 + _t220 + _t220, _t370, _t267 & 0x00000003);
            													_t376 = _t376 + 0x24;
            													if(RegOpenKeyExA(0x80000002,  &_a584, 0, 0x10008,  &_a16) == 0) {
            														_t144 = 0;
            														_v0 = 0x800;
            														_t130 = RegEnumKeyExA(_a16, 0,  &_a4680,  &_v0, 0, 0, 0, 0);
            														_t131 =  *0x40cba0; // 0x0
            														_a64 = _t131;
            														memset( &_a65, 0, 0x40 << 2);
            														_t393 = _t376 + 0xc;
            														_t228 = 0;
            														asm("stosw");
            														asm("stosb");
            														if(_t130 == 0) {
            															do {
            																asm("repne scasb");
            																_t231 =  !(_t228 | 0xffffffff);
            																_t371 =  &_a4680 - _t231;
            																_t271 = _t231;
            																asm("repne scasb");
            																_t234 = _t271 >> 2;
            																_t137 = memcpy( &_a64 - 1, _t371, _t234 << 2);
            																_t138 = memcpy(_t371 + _t234 + _t234, _t371, _t271 & 0x00000003);
            																asm("repne scasb");
            																_t372 = ",";
            																asm("repne scasb");
            																_t139 = memcpy( &_a64 - 1, _t372, 0 << 2);
            																memcpy(_t372 + 0x175b75a, _t372, 0);
            																_t393 = _t393 + 0x30;
            																_t228 =  &_a4680;
            																_t144 = _t144 + 1;
            																_v0 = 0x800;
            															} while (RegEnumKeyExA(_a16, _t144, _t228,  &_v0, _t139, _t138, _t137, 0) == 0);
            														}
            														E00402000( &_a24,  &_a24,  &_a64);
            														_t376 = _t393 + 8;
            													}
            												}
            												goto L17;
            											}
            											asm("sbb eax, eax");
            											asm("sbb eax, 0xffffffff");
            											goto L12;
            										}
            										L17:
            										_t188 =  &_a24;
            										_t119 = _a4 + 1;
            										_v0 = 0x800;
            										_a4 = _t119;
            									} while (RegEnumKeyExA(_a8, _t119, _t188,  &_v0, 0, 0, 0, 0) == 0);
            								}
            							}
            							_t152 =  &_v0;
            							_t102 = _a12 + 1;
            							_a12 = _t102;
            							_v0 = 0x800;
            						} while (RegEnumKeyExA(_a20, _t102,  &_a324, _t152, 0, 0, 0, 0) == 0);
            					}
            				}
            				E00402560();
            				return 0;
            			}

            APIs
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,00000000,?,?,00401F09,?,?,?,?,00000002,00000000), ref: 00402154
            • RegEnumKeyExA.ADVAPI32 ref: 00402188
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,00000000), ref: 00402267
            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402292
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,?,?,00000000,?,?,00401F09), ref: 004023F1
            • RegEnumKeyExA.ADVAPI32 ref: 0040241C
            • RegEnumKeyExA.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000), ref: 004024BD
            • RegEnumKeyExA.ADVAPI32 ref: 00402508
            • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0040253E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Enum$Open
            • String ID: LaunchedByUpgrade$Software\National Instruments\Common\Installer$True$\Features$\Products
            • API String ID: 2886760741-2479498176
            • Opcode ID: 7dd44f7b7fb6cc3bb412674e3fca0227e08ebc00af2dfe5d1af8e540607f88c2
            • Instruction ID: e06a848dff5b1de540653e02ba3b4738d837672f7e5830e33102932e8d24d52f
            • Opcode Fuzzy Hash: 7dd44f7b7fb6cc3bb412674e3fca0227e08ebc00af2dfe5d1af8e540607f88c2
            • Instruction Fuzzy Hash: C1C102712047042BD728CA388C51BABB7DAFBC4360F144B2DF99AE72D0EEB49D088355
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 504 407ab8-407ac3 505 407ac5-407ad4 LoadLibraryA 504->505 506 407b07-407b0e 504->506 507 407ad6-407aeb GetProcAddress 505->507 508 407b3d-407b3f 505->508 509 407b10-407b16 506->509 510 407b26-407b32 506->510 507->508 511 407aed-407b02 GetProcAddress * 2 507->511 512 407b39-407b3c 508->512 509->510 514 407b18-407b1f 509->514 510->512 511->506 514->510 515 407b21-407b24 514->515 515->510
            C-Code - Quality: 46%
            			E00407AB8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				intOrPtr* _t4;
            				intOrPtr* _t7;
            				_Unknown_base(*)()* _t11;
            				void* _t14;
            				struct HINSTANCE__* _t15;
            				void* _t17;
            
            				_t14 = 0;
            				_t17 =  *0x40cd58 - _t14; // 0x0
            				if(_t17 != 0) {
            					L4:
            					_t4 =  *0x40cd5c; // 0x0
            					if(_t4 != 0) {
            						_t14 =  *_t4();
            						if(_t14 != 0) {
            							_t7 =  *0x40cd60; // 0x0
            							if(_t7 != 0) {
            								_t14 =  *_t7(_t14);
            							}
            						}
            					}
            					return  *0x40cd58(_t14, _a4, _a8, _a12);
            				}
            				_t15 = LoadLibraryA("user32.dll");
            				if(_t15 == 0) {
            					L10:
            					return 0;
            				}
            				_t11 = GetProcAddress(_t15, "MessageBoxA");
            				 *0x40cd58 = _t11;
            				if(_t11 == 0) {
            					goto L10;
            				} else {
            					 *0x40cd5c = GetProcAddress(_t15, "GetActiveWindow");
            					 *0x40cd60 = GetProcAddress(_t15, "GetLastActivePopup");
            					goto L4;
            				}
            			}

            APIs
            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00405B19,?,Microsoft Visual C++ Runtime Library,00012010,?,00409474,?,004094C4,?,?,?,Runtime Error!Program: ), ref: 00407ACA
            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00407AE2
            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00407AF3
            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00407B00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: AddressProc$LibraryLoad
            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
            • API String ID: 2238633743-4044615076
            • Opcode ID: 26a4fcb85a41a32f21b6f054b90c880790b3519dd8e4857dbe18605639630098
            • Instruction ID: d07be468ec585ada6f77aa96810e5dc4b75004f387cc811d2131858bc41c197e
            • Opcode Fuzzy Hash: 26a4fcb85a41a32f21b6f054b90c880790b3519dd8e4857dbe18605639630098
            • Instruction Fuzzy Hash: 60012172B04311EBCB119FB59DC0E5B7FB8AF88654710053BA540F22A1D778B841DBAE
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 554 401460-40149d call 40295f FindFirstFileA 557 401573-401584 RemoveDirectoryA 554->557 558 4014a3-4014aa 554->558 559 4014ab-4014cc call 40295f 558->559 562 40154c-401554 DeleteFileA 559->562 563 4014ce-4014d3 559->563 564 40155a-401564 FindNextFileA 562->564 565 4014d7-4014dd 563->565 564->559 566 40156a-401572 FindClose 564->566 567 4014fb-4014fd 565->567 568 4014df-4014e1 565->568 566->557 569 401500-401502 567->569 570 4014e3-4014eb 568->570 571 4014f7-4014f9 568->571 569->564 573 401504-401509 569->573 570->567 572 4014ed-4014f5 570->572 571->569 572->565 572->571 574 40150d-401513 573->574 575 401531-401533 574->575 576 401515-401517 574->576 579 401536-401538 575->579 577 401519-401521 576->577 578 40152d-40152f 576->578 577->575 580 401523-40152b 577->580 578->579 579->564 581 40153a-40154a call 401460 579->581 580->574 580->578 581->564
            C-Code - Quality: 91%
            			E00401460(void* __ecx, CHAR* _a4) {
            				char _v260;
            				char _v520;
            				struct _WIN32_FIND_DATAA _v840;
            				intOrPtr* _t30;
            				intOrPtr* _t31;
            				intOrPtr _t41;
            				intOrPtr _t42;
            				intOrPtr _t43;
            				intOrPtr _t46;
            				intOrPtr _t47;
            				intOrPtr _t48;
            				intOrPtr _t49;
            				void* _t50;
            				char* _t52;
            				intOrPtr* _t54;
            				CHAR* _t55;
            				FILETIME* _t57;
            
            				_t55 = _a4;
            				E0040295F(__ecx,  &_v260, "%s\\*.*", _t55);
            				_t57 =  &( &_v840->ftLastAccessTime);
            				_t50 = FindFirstFileA( &_v260,  &_v840);
            				if(_t50 == 0xffffffff) {
            					L23:
            					RemoveDirectoryA(_t55);
            					return 0;
            				}
            				do {
            					_push( &(_v840.cFileName));
            					E0040295F( &_v520,  &_v520, "%s\\%s", _t55);
            					_t57 = _t57 + 0x10;
            					if((_v840.dwFileAttributes & 0x00000010) == 0) {
            						DeleteFileA( &_v520);
            						goto L21;
            					}
            					_t52 = ".";
            					_t30 =  &(_v840.cFileName);
            					while(1) {
            						_t46 =  *_t30;
            						_t41 = _t46;
            						if(_t46 !=  *_t52) {
            							break;
            						}
            						if(_t41 == 0) {
            							L8:
            							_t30 = 0;
            							L10:
            							if(_t30 == 0) {
            								goto L21;
            							}
            							_t54 = "..";
            							_t31 =  &(_v840.cFileName);
            							while(1) {
            								_t47 =  *_t31;
            								_t42 = _t47;
            								if(_t47 !=  *_t54) {
            									break;
            								}
            								if(_t42 == 0) {
            									L16:
            									_t31 = 0;
            									L18:
            									if(_t31 != 0) {
            										E00401460(_t42,  &_v520);
            										_t57 =  &(_t57->dwHighDateTime);
            									}
            									goto L21;
            								}
            								_t48 =  *((intOrPtr*)(_t31 + 1));
            								_t42 = _t48;
            								_t15 = _t54 + 1; // 0x2e00002e
            								if(_t48 !=  *_t15) {
            									break;
            								}
            								_t31 = _t31 + 2;
            								_t54 = _t54 + 2;
            								if(_t42 != 0) {
            									continue;
            								}
            								goto L16;
            							}
            							asm("sbb eax, eax");
            							asm("sbb eax, 0xffffffff");
            							goto L18;
            						}
            						_t49 =  *((intOrPtr*)(_t30 + 1));
            						_t43 = _t49;
            						_t12 =  &(_t52[1]); // 0x25000000
            						if(_t49 !=  *_t12) {
            							break;
            						}
            						_t30 = _t30 + 2;
            						_t52 =  &(_t52[2]);
            						if(_t43 != 0) {
            							continue;
            						}
            						goto L8;
            					}
            					asm("sbb eax, eax");
            					asm("sbb eax, 0xffffffff");
            					goto L10;
            					L21:
            				} while (FindNextFileA(_t50,  &_v840) != 0);
            				FindClose(_t50);
            				goto L23;
            			}

            APIs
            • FindFirstFileA.KERNEL32(?,?,?,00000000,74B61C40), ref: 00401492
            • DeleteFileA.KERNEL32(?,?,?,0040CBA0,?,?,00000000,74B61C40), ref: 00401554
            • FindNextFileA.KERNEL32(00000000,?,?,?,0040CBA0,?,?,00000000,74B61C40), ref: 00401560
            • FindClose.KERNEL32(00000000,?,?,0040CBA0,?,?,00000000,74B61C40), ref: 0040156B
            • RemoveDirectoryA.KERNEL32(?,?,00000000,74B61C40), ref: 00401574
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: FileFind$CloseDeleteDirectoryFirstNextRemove
            • String ID: %s\%s$%s\*.*
            • API String ID: 196174304-1665845743
            • Opcode ID: 3678cd04db3b0f74ed4aa8336a0d5142d6ab49a620a3df1d3ae3a5551c7a0dae
            • Instruction ID: a4b4e18218f9134548ffb1cb0adcfa4e2250a669a534c6367b0391c9d43ce764
            • Opcode Fuzzy Hash: 3678cd04db3b0f74ed4aa8336a0d5142d6ab49a620a3df1d3ae3a5551c7a0dae
            • Instruction Fuzzy Hash: 4D3106714042456BC3209F749CA49BB7BED9B96314F48493AEC9AA73F1E23E99088319
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 91%
            			E00405644(void* __ecx, void* __eflags) {
            				char _v8;
            				struct _OSVERSIONINFOA _v156;
            				char _v416;
            				char _v4656;
            				void* _t24;
            				CHAR* _t32;
            				void* _t33;
            				intOrPtr* _t34;
            				void* _t35;
            				char _t36;
            				char _t38;
            				void* _t40;
            				char* _t44;
            				char* _t45;
            				char* _t50;
            
            				E00402930(0x122c, __ecx);
            				_v156.dwOSVersionInfoSize = 0x94;
            				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
            					_t40 = 1;
            					return _t40;
            				}
            				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
            					L28:
            					_t24 = E00405617( &_v8);
            					asm("sbb eax, eax");
            					return _t24 + 3;
            				}
            				_t44 =  &_v4656;
            				if(_v4656 != 0) {
            					do {
            						_t38 =  *_t44;
            						if(_t38 >= 0x61 && _t38 <= 0x7a) {
            							 *_t44 = _t38 - 0x20;
            						}
            						_t44 = _t44 + 1;
            					} while ( *_t44 != 0);
            				}
            				if(E00407A80("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
            					GetModuleFileNameA(0,  &_v416, 0x104);
            					_t45 =  &_v416;
            					if(_v416 != 0) {
            						do {
            							_t36 =  *_t45;
            							if(_t36 >= 0x61 && _t36 <= 0x7a) {
            								 *_t45 = _t36 - 0x20;
            							}
            							_t45 = _t45 + 1;
            						} while ( *_t45 != 0);
            					}
            					_t32 = E00407A00( &_v4656,  &_v416);
            				} else {
            					_t32 =  &_v4656;
            				}
            				if(_t32 == 0) {
            					goto L28;
            				}
            				_t33 = E00403D70(_t32, 0x2c);
            				if(_t33 == 0) {
            					goto L28;
            				}
            				_t34 = _t33 + 1;
            				_t50 = _t34;
            				if( *_t34 != 0) {
            					do {
            						if( *_t50 != 0x3b) {
            							_t50 = _t50 + 1;
            						} else {
            							 *_t50 = 0;
            						}
            					} while ( *_t50 != 0);
            				}
            				_t35 = E004077D5(_t34, 0, 0xa);
            				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
            					goto L28;
            				}
            				return _t35;
            			}

            APIs
            • GetVersionExA.KERNEL32 ref: 00405663
            • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00405698
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004056F8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: EnvironmentFileModuleNameVariableVersion
            • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
            • API String ID: 1385375860-4131005785
            • Opcode ID: d0bcb2e6f905d7873b2a5bc6778909478e401390e0628133efd947fe4d913409
            • Instruction ID: 3d048bbab899a3f2371943c2aff4e6104f34cc90a0bd094529bdcc32f6265c7a
            • Opcode Fuzzy Hash: d0bcb2e6f905d7873b2a5bc6778909478e401390e0628133efd947fe4d913409
            • Instruction Fuzzy Hash: 44312371901688ADEB3196705C45BEF3768CB02304F6404FBD189F72C2E63A8E899F29
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 71%
            			E00401590(void* __ecx, void* __eflags, void _a1, char _a2048, void _a2049, char _a4096, char _a6144, void _a6145, char _a8192, void _a8263, char _a10240, void _a10308, void _a12288, void _a12352) {
            				char _v0;
            				int _v4;
            				void* _v8;
            				int _t82;
            				void* _t122;
            				char _t169;
            				char _t177;
            				int _t211;
            				int _t212;
            				void* _t214;
            				void* _t220;
            				void* _t226;
            				void* _t229;
            
            				E00402930(0x3808, __ecx);
            				_push(0);
            				_push(2);
            				L00402918();
            				memset( &_a12352, memcpy( &_a12288, "Software\\National Instruments\\Common\\Installer\\Pending\\Registry", 0x10 << 2), 0x1f0 << 2);
            				memset( &_a10308, memcpy( &_a10240, "Software\\National Instruments\\Common\\Installer\\Pending\\Registry\\Add", 0x11 << 2), 0x1ef << 2);
            				_t82 = memcpy( &_a8192, "Software\\National Instruments\\Common\\Installer\\Pending\\Registry\\Delete", 0x11 << 2);
            				asm("movsw");
            				asm("movsb");
            				memset( &_a8263, _t82, 0x1ee << 2);
            				_t220 = _t214 + 0x48;
            				asm("stosb");
            				if(RegOpenKeyExA(0x80000002,  &_a8192, 0, 0x30019,  &_v8) == 0) {
            					_t212 = 0;
            					_v4 = 0x800;
            					if(RegEnumKeyExA(_v8, 0,  &_a4096,  &_v4, 0, 0, 0, 0) == 0) {
            						do {
            							_t177 =  *0x40cba0; // 0x0
            							_a2048 = _t177;
            							_v0 = _t177;
            							memset( &_a2049, 0, 0x1ff << 2);
            							asm("stosw");
            							asm("stosb");
            							memset( &_a1, 0, 0x1ff << 2);
            							asm("stosw");
            							asm("stosb");
            							E00401950(_v8, _v8,  &_a4096, "Key",  &_a2048);
            							E00401950(_v8, _v8,  &_a4096, "ValueName",  &_v0);
            							_t122 = E00402A47( &_v0, "-");
            							_t229 = _t220 + 0x40;
            							if(_t122 == 0) {
            								E00401B50(0x80000002,  &_a2048);
            								_t220 = _t229 + 8;
            							} else {
            								E00401B10(0x80000002,  &_a2048,  &_v0);
            								_t220 = _t229 + 0xc;
            							}
            							_t212 = _t212 + 1;
            							_v4 = 0x800;
            						} while (RegEnumKeyExA(_v8, _t212,  &_a4096,  &_v4, 0, 0, 0, 0) == 0);
            					}
            				}
            				if(RegOpenKeyExA(0x80000002,  &_a10240, 0, 0x30019,  &_v8) == 0) {
            					_t211 = 0;
            					_v4 = 0x800;
            					if(RegEnumKeyExA(_v8, 0,  &_a4096,  &_v4, 0, 0, 0, 0) == 0) {
            						do {
            							_t169 =  *0x40cba0; // 0x0
            							_a6144 = _t169;
            							_a2048 = _t169;
            							memset( &_a6145, 0, 0x1ff << 2);
            							asm("stosw");
            							asm("stosb");
            							_v0 = _t169;
            							memset( &_a2049, 0, 0x1ff << 2);
            							asm("stosw");
            							asm("stosb");
            							memset( &_a1, 0, 0x1ff << 2);
            							asm("stosw");
            							asm("stosb");
            							E00401950(_v8, _v8,  &_a4096, "Key",  &_a6144);
            							E00401950(_v8, _v8,  &_a4096, "ValueName",  &_a2048);
            							_t154 = _v8;
            							E00401950(_v8, _v8,  &_a4096, "Value",  &_v0);
            							_t226 = _t220 + 0x54;
            							if(_v0 != 0x23) {
            								E00401980(0x80000002,  &_a6144,  &_a2048,  &_v0);
            								_t220 = _t226 + 0x10;
            							} else {
            								E00401A00(0x80000002,  &_a6144,  &_a2048, E00402A3C(_t154,  &_a1));
            								_t220 = _t226 + 0x14;
            							}
            							_t211 = _t211 + 1;
            							_v4 = 0x800;
            						} while (RegEnumKeyExA(_v8, _t211,  &_a4096,  &_v4, 0, 0, 0, 0) == 0);
            					}
            				}
            				E00401B50(0x80000002,  &_a12288);
            				return 0;
            			}

            APIs
            • #141.MSI(00000002,00000000,?,00000000,?,?,00401F18,?,?,?,?,00000002,00000000,?,?,00000000), ref: 004015A2
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,00000000,00000002,00000000,?,00000000,?,?,00401F18), ref: 0040162F
            • RegEnumKeyExA.ADVAPI32 ref: 00401660
            • RegEnumKeyExA.ADVAPI32 ref: 00401744
              • Part of subcall function 00401B10: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?,004023A4,80000002,?,LaunchedByUpgrade,00000000,?,?,00401F09), ref: 00401B23
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,?,?,?,00401F18,?,?,?,?,00000002,00000000), ref: 00401767
            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401792
            • RegEnumKeyExA.ADVAPI32 ref: 004018C1
            Strings
            • Software\National Instruments\Common\Installer\Pending\Registry\Add, xrefs: 004015CF
            • Key, xrefs: 004016B1, 004017FF
            • Software\National Instruments\Common\Installer\Pending\Registry\Delete, xrefs: 004015F6
            • Software\National Instruments\Common\Installer\Pending\Registry, xrefs: 004015AC
            • ValueName, xrefs: 004016CD, 0040181E
            • Value, xrefs: 0040183A
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Enum$Open$#141
            • String ID: Key$Software\National Instruments\Common\Installer\Pending\Registry$Software\National Instruments\Common\Installer\Pending\Registry\Add$Software\National Instruments\Common\Installer\Pending\Registry\Delete$Value$ValueName
            • API String ID: 2386238868-3649169837
            • Opcode ID: 0bc07cfdd67613d4aaf23d445e10788670e591f35f0d290892056c8f2a16d896
            • Instruction ID: de9825dd147b1e2ceb3ec80a2ef9a2be02f9c89fdebecb7e69e6a4943e4f0716
            • Opcode Fuzzy Hash: 0bc07cfdd67613d4aaf23d445e10788670e591f35f0d290892056c8f2a16d896
            • Instruction Fuzzy Hash: CE816271104385AAE320DA50CC55FEBB7EDEFC8344F00883DF68967191EAB5A609C7A6
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 79%
            			E00401000(void* __ecx, void* __eflags, void* _a4, char _a8, int _a12, char _a268, char _a536, char _a796, char _a1048, void _a1056, char _a3104, void _a3168) {
            				void* _v0;
            				char _v8;
            				int _v12;
            				intOrPtr _v16;
            				intOrPtr _v24;
            				int* _t61;
            				void* _t77;
            				int _t79;
            				intOrPtr* _t81;
            				void* _t89;
            				intOrPtr* _t92;
            				char* _t101;
            				unsigned int _t103;
            				signed int _t104;
            				intOrPtr _t128;
            				intOrPtr _t134;
            				intOrPtr _t136;
            				intOrPtr _t137;
            				intOrPtr _t146;
            				intOrPtr _t151;
            				intOrPtr _t153;
            				intOrPtr _t154;
            				int _t183;
            				void* _t185;
            				void* _t186;
            				void* _t187;
            				intOrPtr* _t188;
            				intOrPtr* _t189;
            				void* _t193;
            				void* _t195;
            
            				E00402930(0x1428, __ecx);
            				_push(0);
            				_push(2);
            				L00402918();
            				memset( &_a3168, memcpy( &_a3104, "Software\\National Instruments\\Common\\Installer\\Pending\\Packages", 0x10 << 2), 0x1f0 << 2);
            				_t195 = _t193 + 0x18;
            				_t61 = RegOpenKeyExA(0x80000002,  &_a3104, 0, 0x10008,  &_a4);
            				if(_t61 != 0) {
            					L28:
            					E00401B50(0x80000002,  &_a3104);
            					return 0;
            				}
            				_t101 = _a4;
            				_a12 = _t61;
            				_v0 = 0x800;
            				if(RegEnumKeyExA(_t101, 0,  &_a536,  &_v0, _t61, _t61, _t61, _t61) != 0) {
            					goto L28;
            				}
            				do {
            					asm("repne scasb");
            					_t103 =  !(_t101 | 0xffffffff);
            					_t185 =  &_a3104 - _t103;
            					_t104 = _t103 >> 2;
            					memcpy(_t185 + _t104 + _t104, _t185, memcpy( &_a1056, _t185, _t104 << 2) & 0x00000003);
            					asm("repne scasb");
            					_t186 = "\\";
            					asm("repne scasb");
            					memcpy( &_a1056 - 1, _t186, 0 << 2);
            					memcpy(_t186 + 0x175b75a, _t186, 0);
            					asm("repne scasb");
            					_t187 =  &_a536;
            					asm("repne scasb");
            					memcpy( &_a1056 - 1, _t187, 0 << 2);
            					memcpy(_t187 + 0x175b75a, _t187, 0);
            					_t77 = E00401950( &_a1056, 0x80000002,  &_a1056, 0x40cba0,  &_a796);
            					_t195 = _t195 + 0x58;
            					if(_t77 != 0) {
            						goto L26;
            					}
            					_t188 = 0x40cba0;
            					_t81 =  &_a3104;
            					while(1) {
            						_t146 =  *_t81;
            						_t128 = _t146;
            						if(_t146 !=  *_t188) {
            							break;
            						}
            						if(_t128 == 0) {
            							L9:
            							_t81 = 0;
            							L11:
            							if(_t81 == 0) {
            								goto L26;
            							}
            							_push( &_v8);
            							_push( &_a796);
            							L00402912();
            							if(RegOpenKeyExA(0x80000002,  &_a1048, 0, 0x30019,  &_v0) != 0) {
            								L25:
            								_push("INSTALL");
            								_push(_v16);
            								L00402906();
            								_push(_v24);
            								L00402900();
            								goto L26;
            							}
            							_t183 = 0;
            							_v12 = 0x800;
            							if(RegEnumValueA(_v0, 0,  &_a8,  &_v12, 0, 0, 0, 0) != 0) {
            								goto L25;
            							} else {
            								goto L14;
            							}
            							do {
            								L14:
            								_t89 = E00401950( &_a268, 0x80000002,  &_a1048,  &_a8,  &_a268);
            								_t195 = _t195 + 0x10;
            								if(_t89 != 0) {
            									goto L24;
            								}
            								_t189 = 0x40cba0;
            								_t92 =  &_a268;
            								while(1) {
            									_t151 =  *_t92;
            									_t134 = _t151;
            									if(_t151 !=  *_t189) {
            										break;
            									}
            									if(_t134 == 0) {
            										L20:
            										_t92 = 0;
            										L22:
            										if(_t92 != 0) {
            											_push( &_a268);
            											_push( &_a8);
            											_push(_v16);
            											L0040290C();
            										}
            										goto L24;
            									}
            									_t153 =  *((intOrPtr*)(_t92 + 1));
            									_t136 = _t153;
            									_t38 = _t189 + 1; // 0x1c000000
            									if(_t153 !=  *_t38) {
            										break;
            									}
            									_t92 = _t92 + 2;
            									_t189 = _t189 + 2;
            									if(_t136 != 0) {
            										continue;
            									}
            									goto L20;
            								}
            								asm("sbb eax, eax");
            								asm("sbb eax, 0xffffffff");
            								goto L22;
            								L24:
            								_t183 = _t183 + 1;
            								_v12 = 0x800;
            							} while (RegEnumValueA(_v0, _t183,  &_a8,  &_v12, 0, 0, 0, 0) == 0);
            							goto L25;
            						}
            						_t154 =  *((intOrPtr*)(_t81 + 1));
            						_t137 = _t154;
            						_t24 = _t188 + 1; // 0x1c000000
            						if(_t154 !=  *_t24) {
            							break;
            						}
            						_t81 = _t81 + 2;
            						_t188 = _t188 + 2;
            						if(_t137 != 0) {
            							continue;
            						}
            						goto L9;
            					}
            					asm("sbb eax, eax");
            					asm("sbb eax, 0xffffffff");
            					goto L11;
            					L26:
            					_t101 =  &_a536;
            					_t79 = _a12 + 1;
            					_v0 = 0x800;
            					_a12 = _t79;
            				} while (RegEnumKeyExA(_a4, _t79, _t101,  &_v0, 0, 0, 0, 0) == 0);
            				goto L28;
            			}

            APIs
            • #141.MSI(00000002,00000000,?,00000000,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 00401011
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,00000002,00000002,00000000,?,00000000,?,00401F0E,?,?,?,?,00000002), ref: 00401052
            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00401F0E,?,?,?,?,00000002,00000000), ref: 00401085
            • #93.MSI(?,?,?,?,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 0040119B
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,?,?,?,?,?,?,00401F0E,?,?,?,?,00000002), ref: 004011B9
            • RegEnumValueA.ADVAPI32 ref: 004011E1
            • #144.MSI(?,?,?,?,?,?,?,?,?,?,00401F0E,?,?,?,?,00000002), ref: 0040125C
            • RegEnumValueA.ADVAPI32 ref: 0040127E
            • #33.MSI(?,INSTALL,?,?,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 00401292
            • #8.MSI(?,?,INSTALL,?,?,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000), ref: 0040129C
            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,00401F0E), ref: 004012C9
            Strings
            • INSTALL, xrefs: 0040128C
            • Software\National Instruments\Common\Installer\Pending\Packages, xrefs: 0040101B
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Enum$OpenValue$#141#144
            • String ID: INSTALL$Software\National Instruments\Common\Installer\Pending\Packages
            • API String ID: 1673989077-4187696605
            • Opcode ID: 508e0019067645cabf854cedd48ae2c5c99ffa88a9228ada605aeab4d9a9d5a4
            • Instruction ID: 49950ebe7a4143e8449bb4f34a74d1fba4a62074bb019eec2100c2f3fe430e4f
            • Opcode Fuzzy Hash: 508e0019067645cabf854cedd48ae2c5c99ffa88a9228ada605aeab4d9a9d5a4
            • Instruction Fuzzy Hash: 7881D4716043446BD324DB208C91FBBB7E9EBD4314F444A2DFA9AF72D0EA74AA08C755
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 473 4025f0-402646 call 402930 RegOpenKeyExA 476 4028e4-4028f0 473->476 477 40264c-402678 RegEnumKeyExA 473->477 477->476 478 40267e-402758 RegOpenKeyExA 477->478 479 4028b5-4028de RegEnumKeyExA 478->479 480 40275e-40277c RegEnumKeyExA 478->480 479->476 479->478 481 4028b0 480->481 482 402782-402830 call 401950 480->482 481->479 485 402832-402837 482->485 486 402885-4028aa RegEnumKeyExA 482->486 487 40283e-402844 485->487 486->481 486->482 488 402862-402864 487->488 489 402846-402848 487->489 492 402867-402869 488->492 490 40284a-402852 489->490 491 40285e-402860 489->491 490->488 493 402854-40285c 490->493 491->492 492->486 494 40286b-402878 492->494 493->487 493->491 495 40287d call 401b10 494->495 496 402882 495->496 496->486
            C-Code - Quality: 80%
            			E004025F0(void* __ecx, void* __eflags) {
            				int _t55;
            				int* _t58;
            				int _t76;
            				void* _t91;
            				intOrPtr* _t94;
            				int* _t104;
            				unsigned int _t106;
            				signed int _t107;
            				int* _t140;
            				unsigned int _t142;
            				signed int _t143;
            				intOrPtr _t167;
            				intOrPtr _t168;
            				intOrPtr _t185;
            				intOrPtr _t186;
            				void* _t247;
            				void* _t248;
            				void* _t249;
            				void* _t250;
            				void* _t251;
            				void* _t252;
            				void* _t253;
            				intOrPtr* _t254;
            				char _t255;
            				int _t256;
            				void* _t257;
            				void* _t258;
            				void* _t259;
            				void* _t263;
            				void* _t264;
            				void* _t265;
            				void* _t267;
            				void* _t270;
            				void* _t271;
            				void* _t273;
            
            				E00402930(0x213c, __ecx);
            				_t55 = memcpy(_t257 + 0x114c, "Software\\National Instruments\\Common\\Installer", 0xb << 2);
            				_t258 = _t257 + 0xc;
            				asm("movsw");
            				asm("movsb");
            				memset(_t258 + 0x117b, _t55, 0x1f4 << 2);
            				_t259 = _t258 + 0xc;
            				asm("stosb");
            				_t58 = RegOpenKeyExA(0x80000002, _t259 + 0x114c, 0, 0x10008, _t259 + 0x1c);
            				if(_t58 != 0) {
            					L17:
            					return 0;
            				}
            				_t104 =  *(_t259 + 0x1c);
            				 *(_t259 + 0x24) = _t58;
            				_t255 = 0x800;
            				 *(_t259 + 0x30) = 0x800;
            				if(RegEnumKeyExA(_t104, 0, _t259 + 0x58, _t259 + 0x20, _t58, _t58, _t58, _t58) != 0) {
            					goto L17;
            				} else {
            					goto L2;
            				}
            				do {
            					L2:
            					asm("repne scasb");
            					_t106 =  !(_t104 | 0xffffffff);
            					_t247 = _t259 + 0x114c - _t106;
            					_t107 = _t106 >> 2;
            					memcpy(_t247 + _t107 + _t107, _t247, memcpy(_t259 + 0x94c, _t247, _t107 << 2) & 0x00000003);
            					asm("repne scasb");
            					_t248 = "\\";
            					asm("repne scasb");
            					memcpy(_t259 + 0x94c - 1, _t248, 0 << 2);
            					_t263 = _t259 + 0x24;
            					memcpy(_t248 + 0x175b75a, _t248, 0);
            					_t264 = _t263 + 0xc;
            					asm("repne scasb");
            					_t249 = _t264 + 0x48;
            					asm("repne scasb");
            					memcpy(_t263 + 0x94c - 1, _t249, 0 << 2);
            					_t265 = _t264 + 0xc;
            					memcpy(_t249 + 0x175b75a, _t249, 0);
            					asm("repne scasb");
            					_t250 = "\\Products";
            					asm("repne scasb");
            					memcpy(_t265 + 0x94c - 1, _t250, 0 << 2);
            					_t267 = _t265 + 0x18;
            					memcpy(_t250 + 0x175b75a, _t250, 0);
            					_t259 = _t267 + 0xc;
            					if(RegOpenKeyExA(0x80000002, _t259 + 0x954, 0, 0x10008, _t267 + 0x14) != 0) {
            						goto L16;
            					}
            					 *(_t259 + 0x10) = _t255;
            					_t140 =  *(_t259 + 0x14);
            					_t256 = 0;
            					if(RegEnumKeyExA(_t140, 0, _t259 + 0x30, _t259 + 0x10, 0, 0, 0, 0) != 0) {
            						L15:
            						_t255 = 0x800;
            						goto L16;
            					} else {
            						goto L4;
            					}
            					do {
            						L4:
            						asm("repne scasb");
            						_t142 =  !(_t140 | 0xffffffff);
            						_t251 = _t259 + 0x94c - _t142;
            						_t143 = _t142 >> 2;
            						memcpy(_t251 + _t143 + _t143, _t251, memcpy(_t259 + 0x14c, _t251, _t143 << 2) & 0x00000003);
            						asm("repne scasb");
            						_t252 = "\\";
            						asm("repne scasb");
            						memcpy(_t259 + 0x14c - 1, _t252, 0 << 2);
            						_t270 = _t259 + 0x24;
            						memcpy(_t252 + 0x175b75a, _t252, 0);
            						_t271 = _t270 + 0xc;
            						asm("repne scasb");
            						_t253 = _t271 + 0x20;
            						asm("repne scasb");
            						memcpy(_t270 + 0x14c - 1, _t253, 0 << 2);
            						memcpy(_t253 + 0x175b75a, _t253, 0);
            						_t273 = _t271 + 0x18;
            						_t91 = E00401950(_t273 + 0x150, 0x80000002, _t273 + 0x150, "LaunchedByUpgrade", _t271 + 0x1958);
            						_t259 = _t273 + 0x10;
            						if(_t91 != 0) {
            							goto L14;
            						}
            						_t254 = "True";
            						_t94 = _t259 + 0x194c;
            						while(1) {
            							_t185 =  *_t94;
            							_t167 = _t185;
            							if(_t185 !=  *_t254) {
            								break;
            							}
            							if(_t167 == 0) {
            								L10:
            								_t94 = 0;
            								L12:
            								if(_t94 == 0) {
            									E00401B10(0x80000002, _t259 + 0x14c, "LaunchedByUpgrade");
            									_t259 = _t259 + 0xc;
            								}
            								goto L14;
            							}
            							_t186 =  *((intOrPtr*)(_t94 + 1));
            							_t168 = _t186;
            							if(_t186 !=  *((intOrPtr*)(_t254 + 1))) {
            								break;
            							}
            							_t94 = _t94 + 2;
            							_t254 = _t254 + 2;
            							if(_t168 != 0) {
            								continue;
            							}
            							goto L10;
            						}
            						asm("sbb eax, eax");
            						asm("sbb eax, 0xffffffff");
            						goto L12;
            						L14:
            						_t140 = _t259 + 0x1c;
            						_t256 = _t256 + 1;
            						 *(_t259 + 0x30) = 0x800;
            					} while (RegEnumKeyExA( *(_t259 + 0x14), _t256, _t259 + 0x30, _t140, 0, 0, 0, 0) == 0);
            					goto L15;
            					L16:
            					_t104 = _t259 + 0x1c;
            					_t76 =  *((intOrPtr*)(_t259 + 0x18)) + 1;
            					 *(_t259 + 0x30) = _t76;
            					 *(_t259 + 0x2c) = _t255;
            				} while (RegEnumKeyExA( *(_t259 + 0x38), _t76, _t259 + 0x58, _t104, 0, 0, 0, 0) == 0);
            				goto L17;
            			}

            APIs
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,00000000,?,?,00401CDF), ref: 0040263E
            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00401CDF), ref: 00402674
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,?,00401CDF), ref: 00402750
            • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00401CDF), ref: 00402778
            • RegEnumKeyExA.ADVAPI32 ref: 004028A6
            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,00401CDF), ref: 004028DA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Enum$Open
            • String ID: LaunchedByUpgrade$Software\National Instruments\Common\Installer$True$\Products
            • API String ID: 2886760741-1382438492
            • Opcode ID: 0b87adefa8f7891526eb2dd9f598246a54f3ecd23cfcbf4dcb29304336524394
            • Instruction ID: ce648c286ffc9d302242233de15ff693b37da1de6674104268b0460e64f32da7
            • Opcode Fuzzy Hash: 0b87adefa8f7891526eb2dd9f598246a54f3ecd23cfcbf4dcb29304336524394
            • Instruction Fuzzy Hash: C58115326047045BD728CA348C11BBBB6DAFBC4360F558B2EF96AD72C0EEB49D09C245
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 497 402560-402568 498 4025e6-4025eb 497->498 499 40256a 497->499 500 40256b-4025df #95 #144 * 2 #33 #8 call 402d88 499->500 503 4025e1-4025e5 500->503
            C-Code - Quality: 52%
            			E00402560() {
            				char _v4;
            				intOrPtr _v12;
            				intOrPtr _v24;
            				intOrPtr _v36;
            				intOrPtr _v44;
            				void* __ecx;
            				intOrPtr _t7;
            				intOrPtr _t9;
            				intOrPtr _t11;
            				intOrPtr _t17;
            				intOrPtr _t21;
            				void* _t23;
            
            				_t7 =  *0x40cbb0; // 0x0
            				if(_t7 == 0) {
            					return _v4;
            				} else {
            					do {
            						_push( &_v4);
            						_push(_t7);
            						L0040291E();
            						_t17 =  *0x40cbb0; // 0x0
            						_t9 = _v12;
            						_push(_t17 + 0x28);
            						_push("REMOVE");
            						_push(_t9);
            						L0040290C();
            						_push("true");
            						_push("NIUPDMGR");
            						_push(_v24);
            						L0040290C();
            						_push("INSTALL");
            						_push(_v36);
            						L00402906();
            						_t21 = _t9;
            						_push(_v44);
            						L00402900();
            						_t11 =  *0x40cbb0; // 0x0
            						 *0x40cbb0 =  *((intOrPtr*)(_t11 + 0x12c));
            						E00402D88( *((intOrPtr*)(_t11 + 0x12c)), _t11);
            						_t7 =  *0x40cbb0; // 0x0
            						_t23 = _t23 + 4;
            					} while (_t7 != 0);
            					return _t21;
            				}
            			}

            APIs
            • #95.MSI(00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09,?,?,?,?,00000002,00000000), ref: 00402571
            • #144.MSI(00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09,?,?,?,?,00000002), ref: 0040258A
            • #144.MSI(00401F09,NIUPDMGR,true,00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09), ref: 0040259E
            • #33.MSI(00401F09,INSTALL,00401F09,NIUPDMGR,true,00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09), ref: 004025AD
            • #8.MSI(00401F09,00401F09,INSTALL,00401F09,NIUPDMGR,true,00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D), ref: 004025B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: #144
            • String ID: INSTALL$NIUPDMGR$REMOVE$Software\National Instruments\Common\Installer$true
            • API String ID: 754210601-1166942411
            • Opcode ID: cd85fedb005425671ccf931c4fce29cd49bdcc985c8d352f6bf11b9a998eca0e
            • Instruction ID: dfc41c33e4421ac4dad408e2e39661ee159591aadb481dedaf0fe2846f03e2d0
            • Opcode Fuzzy Hash: cd85fedb005425671ccf931c4fce29cd49bdcc985c8d352f6bf11b9a998eca0e
            • Instruction Fuzzy Hash: 0B011AF5304204ABC204EB65EE96E2B73A8AB88744B14467FF445B72C1C6B8E910975D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 517 403e2c-403e5a 518 403ea2-403ea5 517->518 519 403e5c-403e76 LCMapStringW 517->519 520 403eb7-403ebf 518->520 521 403ea7-403eb4 call 404050 518->521 522 403e80-403e92 LCMapStringA 519->522 523 403e78-403e7e 519->523 525 403ec1-403ed9 LCMapStringA 520->525 526 403ede-403ee1 520->526 521->520 527 403e98 522->527 528 403fba 522->528 523->518 530 403fbc-403fcd 525->530 526->528 531 403ee7-403eea 526->531 527->518 528->530 532 403ef4-403f18 MultiByteToWideChar 531->532 533 403eec-403ef1 531->533 532->528 534 403f1e-403f52 call 402930 532->534 533->532 534->528 538 403f54-403f6b MultiByteToWideChar 534->538 538->528 539 403f6d-403f86 LCMapStringW 538->539 539->528 540 403f88-403f8c 539->540 541 403fce-404004 call 402930 540->541 542 403f8e-403f91 540->542 541->528 549 404006-40401c LCMapStringW 541->549 543 403f97-403f9a 542->543 544 404049-40404b 542->544 543->528 546 403f9c-403fb4 LCMapStringW 543->546 544->530 546->528 546->544 549->528 550 40401e-404023 549->550 551 404025-404027 550->551 552 404029-40402c 550->552 553 40402f-404043 WideCharToMultiByte 551->553 552->553 553->528 553->544
            C-Code - Quality: 61%
            			E00403E2C(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
            				signed int _v8;
            				intOrPtr _v20;
            				short* _v28;
            				int _v32;
            				short* _v36;
            				short* _v40;
            				int _v44;
            				void* _v60;
            				int _t61;
            				int _t62;
            				int _t82;
            				int _t83;
            				int _t88;
            				short* _t89;
            				int _t90;
            				void* _t91;
            				int _t99;
            				intOrPtr _t101;
            				short* _t102;
            				int _t104;
            
            				_push(0xffffffff);
            				_push(0x4091c8);
            				_push(E004058E4);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t101;
            				_t102 = _t101 - 0x1c;
            				_v28 = _t102;
            				_t104 =  *0x40cbc4; // 0x1
            				if(_t104 != 0) {
            					L5:
            					if(_a16 > 0) {
            						_t83 = E00404050(_a12, _a16);
            						_pop(_t91);
            						_a16 = _t83;
            					}
            					_t61 =  *0x40cbc4; // 0x1
            					if(_t61 != 2) {
            						if(_t61 != 1) {
            							goto L21;
            						} else {
            							if(_a28 == 0) {
            								_t82 =  *0x40cd44; // 0x0
            								_a28 = _t82;
            							}
            							asm("sbb eax, eax");
            							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
            							_v32 = _t88;
            							if(_t88 == 0) {
            								goto L21;
            							} else {
            								_v8 = 0;
            								E00402930(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
            								_v28 = _t102;
            								_v40 = _t102;
            								_v8 = _v8 | 0xffffffff;
            								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
            									goto L21;
            								} else {
            									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
            									_v44 = _t99;
            									if(_t99 == 0) {
            										goto L21;
            									} else {
            										if((_a9 & 0x00000004) == 0) {
            											_v8 = 1;
            											E00402930(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
            											_v28 = _t102;
            											_t89 = _t102;
            											_v36 = _t89;
            											_v8 = _v8 | 0xffffffff;
            											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
            												goto L21;
            											} else {
            												_push(0);
            												_push(0);
            												if(_a24 != 0) {
            													_push(_a24);
            													_push(_a20);
            												} else {
            													_push(0);
            													_push(0);
            												}
            												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
            												if(_t99 == 0) {
            													goto L21;
            												} else {
            													goto L30;
            												}
            											}
            										} else {
            											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
            												L30:
            												_t62 = _t99;
            											} else {
            												goto L21;
            											}
            										}
            									}
            								}
            							}
            						}
            					} else {
            						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
            					}
            				} else {
            					_push(0);
            					_push(0);
            					_t90 = 1;
            					if(LCMapStringW(0, 0x100, 0x4091c4, _t90, ??, ??) == 0) {
            						if(LCMapStringA(0, 0x100, 0x4091c0, _t90, 0, 0) == 0) {
            							L21:
            							_t62 = 0;
            						} else {
            							 *0x40cbc4 = 2;
            							goto L5;
            						}
            					} else {
            						 *0x40cbc4 = _t90;
            						goto L5;
            					}
            				}
            				 *[fs:0x0] = _v20;
            				return _t62;
            			}

            APIs
            • LCMapStringW.KERNEL32(00000000,00000100,004091C4,00000001,00000000,00000000,00000103,00000001,00000000,?,0040791C,00200020,00000000,?,00000000,00000000), ref: 00403E6E
            • LCMapStringA.KERNEL32(00000000,00000100,004091C0,00000001,00000000,00000000,?,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 00403E8A
            • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,0040791C,?,00000103,00000001,00000000,?,0040791C,00200020,00000000,?,00000000,00000000), ref: 00403ED3
            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,0040791C,00200020,00000000,?,00000000,00000000), ref: 00403F0B
            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040791C,00200020,00000000,?,00000000), ref: 00403F63
            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040791C,00200020,00000000,?,00000000), ref: 00403F79
            • LCMapStringW.KERNEL32(00000000,?,0040791C,00000000,0040791C,?,?,0040791C,00200020,00000000,?,00000000), ref: 00403FAC
            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040791C,00200020,00000000,?,00000000), ref: 00404014
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: String$ByteCharMultiWide
            • String ID:
            • API String ID: 352835431-0
            • Opcode ID: 0c596748202a3eddf1d5a0b06d3c10d613593d99b733e4a5b267f4a1943aee9a
            • Instruction ID: 7dd35e4937cfe867b94b6630c1cb782b3b6b1bc1d16b24702c671f263f72be81
            • Opcode Fuzzy Hash: 0c596748202a3eddf1d5a0b06d3c10d613593d99b733e4a5b267f4a1943aee9a
            • Instruction Fuzzy Hash: BE516DB190020AEFCF218F55DD45AAF7FB9FB48751F10416AF914B12A0C3398E11DBA9
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 584 4059f5-405a03 585 405a08-405a0a 584->585 586 405a17-405a23 585->586 587 405a0c-405a15 585->587 588 405b45-405b47 586->588 589 405a29-405a31 586->589 587->585 587->586 590 405a37-405a39 589->590 591 405b1f-405b3f call 404bc0 GetStdHandle WriteFile 589->591 592 405a48-405a4e 590->592 593 405a3b-405a42 590->593 591->588 592->588 595 405a54-405a6a GetModuleFileNameA 592->595 593->591 593->592 597 405a6c-405a7e call 4073b0 595->597 598 405a7f-405a97 call 404bc0 595->598 597->598 603 405ac2-405b1d call 4073b0 call 4073c0 * 3 call 407ab8 598->603 604 405a99-405abf call 404bc0 call 407b50 598->604 603->588 604->603
            C-Code - Quality: 96%
            			E004059F5(void* __edi, long _a4) {
            				char _v164;
            				char _v424;
            				int _t17;
            				long _t19;
            				signed int _t42;
            				long _t47;
            				void* _t48;
            				signed int _t54;
            				void** _t56;
            				void* _t57;
            
            				_t48 = __edi;
            				_t47 = _a4;
            				_t42 = 0;
            				_t17 = 0x40a6d8;
            				while(_t47 !=  *_t17) {
            					_t17 = _t17 + 8;
            					_t42 = _t42 + 1;
            					if(_t17 < 0x40a768) {
            						continue;
            					}
            					break;
            				}
            				_t54 = _t42 << 3;
            				_t2 = _t54 + 0x40a6d8; // 0x74000000
            				if(_t47 ==  *_t2) {
            					_t17 =  *0x40cbbc; // 0x0
            					if(_t17 == 1 || _t17 == 0 &&  *0x40a2f4 == 1) {
            						_t16 = _t54 + 0x40a6dc; // 0x409474
            						_t56 = _t16;
            						_t19 = E00404BC0( *_t56);
            						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
            					} else {
            						if(_t47 != 0xfc) {
            							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
            								E004073B0( &_v424, "<program name unknown>");
            							}
            							_push(_t48);
            							_t49 =  &_v424;
            							if(E00404BC0( &_v424) + 1 > 0x3c) {
            								_t49 = E00404BC0( &_v424) +  &_v424 - 0x3b;
            								E00407B50(E00404BC0( &_v424) +  &_v424 - 0x3b, "...", 3);
            								_t57 = _t57 + 0x10;
            							}
            							E004073B0( &_v164, "Runtime Error!\n\nProgram: ");
            							E004073C0( &_v164, _t49);
            							E004073C0( &_v164, "\n\n");
            							_t12 = _t54 + 0x40a6dc; // 0x409474
            							E004073C0( &_v164,  *_t12);
            							_t17 = E00407AB8( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
            						}
            					}
            				}
            				return _t17;
            			}

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00405A62
            • GetStdHandle.KERNEL32(000000F4,00409474,00000000,?,00000000,00000000), ref: 00405B38
            • WriteFile.KERNEL32(00000000), ref: 00405B3F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: File$HandleModuleNameWrite
            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
            • API String ID: 3784150691-4022980321
            • Opcode ID: 02692b244cd9942594826770e8fc2afffe04d85090e4ef8d3ba242c7dcf24cde
            • Instruction ID: 23e955dc117f7f4d732d766e8e7b040844b507a3c5c2886e212b5708fc255f4f
            • Opcode Fuzzy Hash: 02692b244cd9942594826770e8fc2afffe04d85090e4ef8d3ba242c7dcf24cde
            • Instruction Fuzzy Hash: E331C072A00208AFEF20A6609D85F9B777CEB85304F14057BF944B61C1E678BA41CF2A
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 619 40533a-405353 620 405355-40535b GetEnvironmentStringsW 619->620 621 405388-40538b 619->621 622 405369-405373 GetEnvironmentStrings 620->622 623 40535d-405367 620->623 624 405391-405393 621->624 625 405412-405415 621->625 626 405463 622->626 627 405379-405383 622->627 623->624 629 4053a1-4053a6 624->629 630 405395-40539b GetEnvironmentStringsW 624->630 625->626 628 405417-405419 625->628 631 405465-40546b 626->631 627->628 632 405427-40542b 628->632 633 40541b-405425 GetEnvironmentStrings 628->633 634 4053b6-4053d3 WideCharToMultiByte 629->634 635 4053a8-4053ad 629->635 630->626 630->629 636 405437-405447 call 404c3b 632->636 637 40542d-405430 632->637 633->626 633->632 639 4053d5-4053e2 call 404c3b 634->639 640 405407-405410 FreeEnvironmentStringsW 634->640 635->635 638 4053af-4053b4 635->638 646 405449-40544b 636->646 647 40544d-405455 call 4074a0 636->647 637->637 642 405432-405435 637->642 638->634 638->635 639->640 648 4053e4-4053f3 WideCharToMultiByte 639->648 640->631 642->636 642->637 649 405458-405461 FreeEnvironmentStringsA 646->649 647->649 651 405403 648->651 652 4053f5-4053ff call 404ced 648->652 649->631 651->640 652->651
            C-Code - Quality: 98%
            			E0040533A() {
            				int _v4;
            				int _v8;
            				void* __ecx;
            				intOrPtr _t7;
            				CHAR* _t9;
            				WCHAR* _t17;
            				int _t20;
            				char* _t24;
            				int _t32;
            				void* _t34;
            				CHAR* _t36;
            				WCHAR* _t38;
            				void* _t39;
            				int _t42;
            
            				_t7 =  *0x40cd1c; // 0x1
            				_t32 = 0;
            				_t38 = 0;
            				_t36 = 0;
            				if(_t7 != 0) {
            					if(_t7 != 1) {
            						if(_t7 != 2) {
            							L27:
            							return 0;
            						}
            						L18:
            						if(_t36 != _t32) {
            							L20:
            							_t9 = _t36;
            							if( *_t36 == _t32) {
            								L23:
            								_t41 = _t9 - _t36 + 1;
            								_t39 = E00404C3B(_t9 - _t36 + 1);
            								if(_t39 != _t32) {
            									E004074A0(_t39, _t36, _t41);
            								} else {
            									_t39 = 0;
            								}
            								FreeEnvironmentStringsA(_t36);
            								return _t39;
            							} else {
            								goto L21;
            							}
            							do {
            								do {
            									L21:
            									_t9 =  &(_t9[1]);
            								} while ( *_t9 != _t32);
            								_t9 =  &(_t9[1]);
            							} while ( *_t9 != _t32);
            							goto L23;
            						}
            						_t36 = GetEnvironmentStrings();
            						if(_t36 == _t32) {
            							goto L27;
            						}
            						goto L20;
            					}
            					L6:
            					if(_t38 != _t32) {
            						L8:
            						_t17 = _t38;
            						if( *_t38 == _t32) {
            							L11:
            							_t20 = (_t17 - _t38 >> 1) + 1;
            							_v4 = _t20;
            							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
            							if(_t42 != _t32) {
            								_t24 = E00404C3B(_t42);
            								_pop(_t34);
            								_v8 = _t24;
            								if(_t24 != _t32) {
            									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
            										E00404CED(_t34, _v8);
            										_v8 = _t32;
            									}
            									_t32 = _v8;
            								}
            							}
            							FreeEnvironmentStringsW(_t38);
            							return _t32;
            						} else {
            							goto L9;
            						}
            						do {
            							do {
            								L9:
            								_t17 =  &(_t17[1]);
            							} while ( *_t17 != _t32);
            							_t17 =  &(_t17[1]);
            						} while ( *_t17 != _t32);
            						goto L11;
            					}
            					_t38 = GetEnvironmentStringsW();
            					if(_t38 == _t32) {
            						goto L27;
            					}
            					goto L8;
            				}
            				_t38 = GetEnvironmentStringsW();
            				if(_t38 == 0) {
            					_t36 = GetEnvironmentStrings();
            					if(_t36 == 0) {
            						goto L27;
            					}
            					 *0x40cd1c = 2;
            					goto L18;
            				}
            				 *0x40cd1c = 1;
            				goto L6;
            			}

            APIs
            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 00405355
            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 00405369
            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 00405395
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402E17), ref: 004053CD
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402E17), ref: 004053EF
            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402E17), ref: 00405408
            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 0040541B
            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00405459
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
            • String ID:
            • API String ID: 1823725401-0
            • Opcode ID: f19a99ff4713c6d544640b14826f8a800b419b294664069da8b919beace3420c
            • Instruction ID: f5d1fb30065e4e99422916f370ee633051d001f7a377a72650744cc46438cf83
            • Opcode Fuzzy Hash: f19a99ff4713c6d544640b14826f8a800b419b294664069da8b919beace3420c
            • Instruction Fuzzy Hash: DF315CB24046616FD7203F759CC467B769CE684355719043BF941F3281E6784C828FAE
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 656 401300-40135e call 402930 #141 RegOpenKeyExA 659 401364-40138f RegEnumValueA 656->659 660 401437-401457 call 401b50 656->660 659->660 661 401395-4013b9 call 401950 659->661 666 401409-401431 RegEnumValueA 661->666 667 4013bb-4013c0 661->667 666->660 666->661 668 4013c4-4013ca 667->668 669 4013e8-4013ea 668->669 670 4013cc-4013ce 668->670 671 4013ed-4013ef 669->671 672 4013d0-4013d8 670->672 673 4013e4-4013e6 670->673 671->666 675 4013f1-401406 DeleteFileA call 401460 671->675 672->669 674 4013da-4013e2 672->674 673->671 674->668 674->673 675->666
            C-Code - Quality: 81%
            			E00401300(void* __ecx, void* __eflags, char _a260, void _a323, char _a2308) {
            				char _v0;
            				void* _v4;
            				int _v8;
            				int _t27;
            				void* _t36;
            				intOrPtr* _t39;
            				intOrPtr _t52;
            				intOrPtr _t54;
            				intOrPtr _t59;
            				intOrPtr _t60;
            				int _t66;
            				intOrPtr* _t68;
            				void* _t70;
            				void* _t72;
            
            				E00402930(0x110c, __ecx);
            				_push(0);
            				_push(2);
            				L00402918();
            				_t27 = memcpy( &_a260, "Software\\National Instruments\\Common\\Installer\\Pending\\Deletes", 0xf << 2);
            				asm("movsw");
            				asm("movsb");
            				memset( &_a323, _t27, 0x1f0 << 2);
            				_t72 = _t70 + 0x18;
            				asm("stosb");
            				if(RegOpenKeyExA(0x80000002,  &_a260, 0, 0x30019,  &_v4) != 0) {
            					L13:
            					E00401B50(0x80000002,  &_a260);
            					return 0;
            				}
            				_t66 = 0;
            				_v8 = 0x800;
            				if(RegEnumValueA(_v4, 0,  &_a2308,  &_v8, 0, 0, 0, 0) != 0) {
            					goto L13;
            				} else {
            					goto L2;
            				}
            				do {
            					L2:
            					_t36 = E00401950( &_a260, 0x80000002,  &_a260,  &_a2308,  &_v0);
            					_t72 = _t72 + 0x10;
            					if(_t36 != 0) {
            						goto L12;
            					}
            					_t68 = 0x40cba0;
            					_t39 =  &_v0;
            					while(1) {
            						_t59 =  *_t39;
            						_t52 = _t59;
            						if(_t59 !=  *_t68) {
            							break;
            						}
            						if(_t52 == 0) {
            							L8:
            							_t39 = 0;
            							L10:
            							if(_t39 != 0) {
            								DeleteFileA( &_v0);
            								E00401460( &_v0,  &_v0);
            								_t72 = _t72 + 4;
            							}
            							goto L12;
            						}
            						_t60 =  *((intOrPtr*)(_t39 + 1));
            						_t54 = _t60;
            						_t16 = _t68 + 1; // 0x1c000000
            						if(_t60 !=  *_t16) {
            							break;
            						}
            						_t39 = _t39 + 2;
            						_t68 = _t68 + 2;
            						if(_t54 != 0) {
            							continue;
            						}
            						goto L8;
            					}
            					asm("sbb eax, eax");
            					asm("sbb eax, 0xffffffff");
            					goto L10;
            					L12:
            					_t66 = _t66 + 1;
            					_v8 = 0x800;
            				} while (RegEnumValueA(_v4, _t66,  &_a2308,  &_v8, 0, 0, 0, 0) == 0);
            				goto L13;
            			}

            APIs
            • #141.MSI(00000002,00000000,?,00000000,?,00401F13,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 00401311
            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,?,00000002,00000000,?,00000000,?,00401F13,?,?,?,?,00000002), ref: 00401356
            • RegEnumValueA.ADVAPI32 ref: 0040138B
            • DeleteFileA.KERNEL32(?,00000000,00000000,?,00401F13,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 004013F6
            • RegEnumValueA.ADVAPI32 ref: 0040142D
            Strings
            • Software\National Instruments\Common\Installer\Pending\Deletes, xrefs: 0040131B
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: EnumValue$#141DeleteFileOpen
            • String ID: Software\National Instruments\Common\Installer\Pending\Deletes
            • API String ID: 1860468242-3474610832
            • Opcode ID: 49200111c47614191c1c913c117ed154e51594bd0dcc61e412c8cec2aa7c494d
            • Instruction ID: 4cee3991e40c4eecdb6b5eef90a7c1883e2643512e231d1e6629c6e2b075dda9
            • Opcode Fuzzy Hash: 49200111c47614191c1c913c117ed154e51594bd0dcc61e412c8cec2aa7c494d
            • Instruction Fuzzy Hash: 7731F4715043456AE320DB61DC56FE777ECEBC9704F00483DFA85A72D1E674A908C7A6
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00401B70(void* _a4, char* _a8) {
            				char _v256;
            				int _v260;
            				void* _v264;
            				int _v268;
            				long _t21;
            				int _t36;
            				char* _t37;
            				void* _t38;
            
            				_t38 =  &_v268;
            				_t37 = _a8;
            				_t36 = 0;
            				_v268 = 0;
            				if(_t37 == 0 || lstrlenA(_t37) == 0 || RegOpenKeyExA(_a4, _t37, 0, 0x10008,  &_v264) != 0) {
            					L15:
            					return _v268;
            				} else {
            					while(1) {
            						_v260 = 0x100;
            						_t21 = RegEnumKeyExA(_v264, 0,  &_v256,  &_v260, 0, 0, 0, 0);
            						if(_t21 == 0x103) {
            							break;
            						}
            						if(_t21 != 0) {
            							L8:
            							if(_t36 == 0) {
            								continue;
            							} else {
            							}
            						} else {
            							_t36 = E00401B70(_v264,  &_v256);
            							_t38 = _t38 + 8;
            							if(_t36 == 0) {
            								continue;
            							} else {
            								_v268 = 0xb;
            								goto L8;
            							}
            						}
            						L13:
            						RegCloseKey(_v264);
            						if(_t36 != 0) {
            							goto L15;
            						} else {
            							return 0;
            						}
            						goto L16;
            					}
            					if(RegDeleteKeyA(_a4, _t37) != 0) {
            						_v268 = 0xb;
            					} else {
            						_t36 = 0;
            					}
            					goto L13;
            				}
            				L16:
            			}

            APIs
            • lstrlenA.KERNEL32(?,Software\National Instruments\Common\Installer\Pending\Packages), ref: 00401B8E
            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00010008,?), ref: 00401BB0
            • RegEnumKeyExA.ADVAPI32 ref: 00401BE6
            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00401C22
            • RegCloseKey.ADVAPI32(00000000), ref: 00401C3D
            Strings
            • Software\National Instruments\Common\Installer\Pending\Packages, xrefs: 00401B7E
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: CloseDeleteEnumOpenlstrlen
            • String ID: Software\National Instruments\Common\Installer\Pending\Packages
            • API String ID: 160701936-3519911799
            • Opcode ID: 08ed81a6e89716a66f9e10773704c3c1ee419a6b8b4fbe0481c92490c3ca3641
            • Instruction ID: 26463612cd68223f97519849fa56928548d6ad9440911f79b871d1bae7eaac7c
            • Opcode Fuzzy Hash: 08ed81a6e89716a66f9e10773704c3c1ee419a6b8b4fbe0481c92490c3ca3641
            • Instruction Fuzzy Hash: 1421A4316483146BE320DB50DC40FEBB7A8BB84B44F04892DFA44A6290D378E9448BD6
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E00406005(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
            				int _v8;
            				intOrPtr _v20;
            				short* _v28;
            				short _v32;
            				int _v36;
            				short* _v40;
            				void* _v56;
            				int _t31;
            				int _t32;
            				int _t37;
            				int _t43;
            				int _t44;
            				int _t45;
            				void* _t53;
            				short* _t60;
            				int _t61;
            				intOrPtr _t62;
            				short* _t63;
            
            				_push(0xffffffff);
            				_push(0x409500);
            				_push(E004058E4);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t62;
            				_t63 = _t62 - 0x18;
            				_v28 = _t63;
            				_t31 =  *0x40cd28; // 0x1
            				if(_t31 != 0) {
            					L6:
            					if(_t31 != 2) {
            						if(_t31 != 1) {
            							goto L18;
            						} else {
            							if(_a20 == 0) {
            								_t44 =  *0x40cd44; // 0x0
            								_a20 = _t44;
            							}
            							asm("sbb eax, eax");
            							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
            							_v36 = _t37;
            							if(_t37 == 0) {
            								goto L18;
            							} else {
            								_v8 = 0;
            								E00402930(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
            								_v28 = _t63;
            								_t60 = _t63;
            								_v40 = _t60;
            								E004062F0(_t60, 0, _t37 + _t37);
            								_v8 = _v8 | 0xffffffff;
            								if(_t60 == 0) {
            									goto L18;
            								} else {
            									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
            									if(_t43 == 0) {
            										goto L18;
            									} else {
            										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
            									}
            								}
            							}
            						}
            					} else {
            						_t45 = _a24;
            						if(_t45 == 0) {
            							_t45 =  *0x40cd34; // 0x0
            						}
            						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
            					}
            				} else {
            					_push( &_v32);
            					_t61 = 1;
            					if(GetStringTypeW(_t61, 0x4091c4, _t61, ??) == 0) {
            						if(GetStringTypeA(0, _t61, 0x4091c0, _t61,  &_v32) == 0) {
            							L18:
            							_t32 = 0;
            						} else {
            							_t31 = 2;
            							goto L5;
            						}
            					} else {
            						_t31 = _t61;
            						L5:
            						 *0x40cd28 = _t31;
            						goto L6;
            					}
            				}
            				 *[fs:0x0] = _v20;
            				return _t32;
            			}

            APIs
            • GetStringTypeW.KERNEL32(00000001,004091C4,00000001,00000000,00000103,00000001,00000000,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 00406044
            • GetStringTypeA.KERNEL32(00000000,00000001,004091C0,00000001,?,?,00000000,00000000,00000001), ref: 0040605E
            • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 00406092
            • MultiByteToWideChar.KERNEL32(0040791C,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 004060CA
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406120
            • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406132
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: StringType$ByteCharMultiWide
            • String ID:
            • API String ID: 3852931651-0
            • Opcode ID: 6df0727473b5a51b53047544994c7303b82f0cb6f11507240f823e59cf71d536
            • Instruction ID: e796571bc55046769d5a8142dbfd278b0b201e9dfb0b5f4ab069ec6108e6418f
            • Opcode Fuzzy Hash: 6df0727473b5a51b53047544994c7303b82f0cb6f11507240f823e59cf71d536
            • Instruction Fuzzy Hash: 43416B72A00219EFDF119F54CD85EAB7B79FF08314F114536F952B6291C2398960DBA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E0040546C() {
            				signed int* _t35;
            				signed int* _t37;
            				long _t42;
            				signed int _t44;
            				signed int _t45;
            				int _t46;
            				void* _t48;
            				void** _t52;
            				int _t53;
            				int _t54;
            				signed int* _t55;
            				int _t57;
            				void** _t58;
            				signed char _t60;
            				signed int _t62;
            				void* _t66;
            				void* _t69;
            				signed int _t70;
            				int* _t71;
            				signed int* _t72;
            				void** _t73;
            				int _t74;
            				intOrPtr* _t75;
            				void* _t76;
            
            				_t72 = E00404C3B(0x100);
            				if(_t72 == 0) {
            					E00402E89(0x1b);
            				}
            				 *0x40ddc0 = _t72;
            				 *0x40dec0 = 0x20;
            				_t1 =  &(_t72[0x40]); // 0x100
            				_t35 = _t1;
            				while(_t72 < _t35) {
            					_t72[1] = _t72[1] & 0x00000000;
            					 *_t72 =  *_t72 | 0xffffffff;
            					_t72[1] = 0xa;
            					_t55 =  *0x40ddc0; // 0x790488
            					_t72 =  &(_t72[2]);
            					_t35 =  &(_t55[0x40]);
            				}
            				GetStartupInfoA(_t76 + 0x10);
            				__eflags =  *((short*)(_t76 + 0x42));
            				if( *((short*)(_t76 + 0x42)) == 0) {
            					L25:
            					_t57 = 0;
            					__eflags = 0;
            					do {
            						_t37 =  *0x40ddc0; // 0x790488
            						__eflags =  *(_t37 + _t57 * 8) - 0xffffffff;
            						_t73 = _t37 + _t57 * 8;
            						if( *(_t37 + _t57 * 8) != 0xffffffff) {
            							_t32 =  &(_t73[1]);
            							 *_t32 = _t73[1] | 0x00000080;
            							__eflags =  *_t32;
            							goto L37;
            						}
            						__eflags = _t57;
            						_t73[1] = 0x81;
            						if(_t57 != 0) {
            							asm("sbb eax, eax");
            							_t42 =  ~(_t57 - 1) + 0xfffffff5;
            							__eflags = _t42;
            						} else {
            							_t42 = 0xfffffff6;
            						}
            						_t69 = GetStdHandle(_t42);
            						__eflags = _t69 - 0xffffffff;
            						if(_t69 == 0xffffffff) {
            							L33:
            							_t73[1] = _t73[1] | 0x00000040;
            						} else {
            							_t44 = GetFileType(_t69);
            							__eflags = _t44;
            							if(_t44 == 0) {
            								goto L33;
            							}
            							_t45 = _t44 & 0x000000ff;
            							 *_t73 = _t69;
            							__eflags = _t45 - 2;
            							if(_t45 != 2) {
            								__eflags = _t45 - 3;
            								if(_t45 == 3) {
            									_t73[1] = _t73[1] | 0x00000008;
            								}
            								goto L37;
            							}
            							goto L33;
            						}
            						L37:
            						_t57 = _t57 + 1;
            						__eflags = _t57 - 3;
            					} while (_t57 < 3);
            					return SetHandleCount( *0x40dec0);
            				}
            				_t46 =  *(_t76 + 0x44);
            				__eflags = _t46;
            				if(_t46 == 0) {
            					goto L25;
            				}
            				_t74 =  *_t46;
            				_t75 = _t46 + 4;
            				__eflags = _t74 - 0x800;
            				_t58 = _t74 + _t75;
            				if(_t74 >= 0x800) {
            					_t74 = 0x800;
            				}
            				__eflags =  *0x40dec0 - _t74; // 0x20
            				if(__eflags >= 0) {
            					L18:
            					_t70 = 0;
            					__eflags = _t74;
            					if(_t74 <= 0) {
            						goto L25;
            					} else {
            						goto L19;
            					}
            					do {
            						L19:
            						_t48 =  *_t58;
            						__eflags = _t48 - 0xffffffff;
            						if(_t48 == 0xffffffff) {
            							goto L24;
            						}
            						_t60 =  *_t75;
            						__eflags = _t60 & 0x00000001;
            						if((_t60 & 0x00000001) == 0) {
            							goto L24;
            						}
            						__eflags = _t60 & 0x00000008;
            						if((_t60 & 0x00000008) != 0) {
            							L23:
            							_t62 = _t70 & 0x0000001f;
            							__eflags = _t62;
            							_t52 = 0x40ddc0[_t70 >> 5] + _t62 * 8;
            							 *_t52 =  *_t58;
            							_t52[1] =  *_t75;
            							goto L24;
            						}
            						_t53 = GetFileType(_t48);
            						__eflags = _t53;
            						if(_t53 == 0) {
            							goto L24;
            						}
            						goto L23;
            						L24:
            						_t70 = _t70 + 1;
            						_t75 = _t75 + 1;
            						_t58 =  &(_t58[1]);
            						__eflags = _t70 - _t74;
            					} while (_t70 < _t74);
            					goto L25;
            				} else {
            					_t71 = 0x40ddc4;
            					while(1) {
            						_t54 = E00404C3B(0x100);
            						__eflags = _t54;
            						if(_t54 == 0) {
            							break;
            						}
            						 *0x40dec0 =  *0x40dec0 + 0x20;
            						__eflags =  *0x40dec0;
            						 *_t71 = _t54;
            						_t10 = _t54 + 0x100; // 0x100
            						_t66 = _t10;
            						while(1) {
            							__eflags = _t54 - _t66;
            							if(_t54 >= _t66) {
            								break;
            							}
            							 *(_t54 + 4) =  *(_t54 + 4) & 0x00000000;
            							 *_t54 =  *_t54 | 0xffffffff;
            							 *((char*)(_t54 + 5)) = 0xa;
            							_t54 = _t54 + 8;
            							_t66 =  *_t71 + 0x100;
            						}
            						_t71 =  &(_t71[1]);
            						__eflags =  *0x40dec0 - _t74; // 0x20
            						if(__eflags < 0) {
            							continue;
            						}
            						goto L18;
            					}
            					_t74 =  *0x40dec0; // 0x20
            					goto L18;
            				}
            			}

            APIs
            • GetStartupInfoA.KERNEL32(?), ref: 004054C5
            • GetFileType.KERNEL32(00000800), ref: 0040556B
            • GetStdHandle.KERNEL32(-000000F6), ref: 004055C4
            • GetFileType.KERNEL32(00000000), ref: 004055D2
            • SetHandleCount.KERNEL32 ref: 00405609
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: FileHandleType$CountInfoStartup
            • String ID:
            • API String ID: 1710529072-0
            • Opcode ID: 4d0a87635a71bc100e93ef1a3503b7406ac1b6dd741926a9af404e56fddfbd9c
            • Instruction ID: be1d450bb453904f90e15e56e6295578546755ba505af13f1bdcd1710e757b59
            • Opcode Fuzzy Hash: 4d0a87635a71bc100e93ef1a3503b7406ac1b6dd741926a9af404e56fddfbd9c
            • Instruction Fuzzy Hash: 18514471A04A019BD7208B28CD487673BA2EB11321F19463AE4A6FB2E1D378DC49CF59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00406D42() {
            				void* _t25;
            				intOrPtr* _t28;
            				void* _t42;
            				void* _t43;
            				void* _t45;
            				void* _t55;
            
            				if( *0x40aa10 != 0xffffffff) {
            					_t43 = HeapAlloc( *0x40dda4, 0, 0x2020);
            					if(_t43 == 0) {
            						goto L20;
            					}
            					goto L3;
            				} else {
            					_t43 = 0x40aa00;
            					L3:
            					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
            					if(_t42 == 0) {
            						L18:
            						if(_t43 != 0x40aa00) {
            							HeapFree( *0x40dda4, 0, _t43);
            						}
            						L20:
            						return 0;
            					}
            					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
            						VirtualFree(_t42, 0, 0x8000);
            						goto L18;
            					}
            					if(_t43 != 0x40aa00) {
            						 *_t43 = 0x40aa00;
            						_t25 =  *0x40aa04; // 0x40aa00
            						 *(_t43 + 4) = _t25;
            						 *0x40aa04 = _t43;
            						 *( *(_t43 + 4)) = _t43;
            					} else {
            						if( *0x40aa00 == 0) {
            							 *0x40aa00 = 0x40aa00;
            						}
            						if( *0x40aa04 == 0) {
            							 *0x40aa04 = 0x40aa00;
            						}
            					}
            					_t3 = _t42 + 0x400000; // 0x400000
            					_t4 = _t43 + 0x98; // 0x98
            					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
            					_t6 = _t43 + 0x18; // 0x18
            					_t28 = _t6;
            					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
            					 *(_t43 + 0x10) = _t42;
            					 *((intOrPtr*)(_t43 + 8)) = _t28;
            					_t45 = 0;
            					do {
            						_t55 = _t45 - 0x10;
            						_t45 = _t45 + 1;
            						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
            						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
            						_t28 = _t28 + 8;
            					} while (_t45 < 0x400);
            					E004062F0(_t42, 0, 0x10000);
            					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
            						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
            						_t16 = _t42 + 8; // -4088
            						 *_t42 = _t16;
            						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
            						_t42 = _t42 + 0x1000;
            					}
            					return _t43;
            				}
            			}

            APIs
            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004057D2), ref: 00406D63
            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004057D2), ref: 00406D87
            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004057D2), ref: 00406DA1
            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004057D2), ref: 00406E62
            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004057D2), ref: 00406E79
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: AllocVirtual$FreeHeap
            • String ID:
            • API String ID: 714016831-0
            • Opcode ID: 6d35afcb99616ca62a44109434c7cc2ecaff5e90a0b812881487d6a1f7da1a31
            • Instruction ID: 0d9470b2a50c3aec7e09f4b155c7d6950836918d4a78a481512e9248562b7c91
            • Opcode Fuzzy Hash: 6d35afcb99616ca62a44109434c7cc2ecaff5e90a0b812881487d6a1f7da1a31
            • Instruction Fuzzy Hash: AE31DE716407019FD3209F28DE44B62B7A0EB44754F12823AE16BB76E0E778A864CB8D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00407F8B(signed int _a4, void* _a8, long _a12) {
            				void _v5;
            				signed int _v12;
            				long _v16;
            				long _t74;
            				signed int _t77;
            				intOrPtr _t83;
            				signed char _t84;
            				signed char _t86;
            				long _t87;
            				void _t89;
            				signed char _t91;
            				char _t99;
            				long _t102;
            				void _t103;
            				intOrPtr* _t105;
            				void* _t106;
            				signed char* _t107;
            				long _t109;
            				signed int _t112;
            				signed char _t114;
            				long _t115;
            				void* _t116;
            				signed int _t118;
            				signed int _t120;
            				signed char* _t121;
            				void* _t122;
            				void* _t123;
            
            				_t118 = _a4;
            				_t123 = _t118 -  *0x40dec0; // 0x20
            				if(_t123 >= 0) {
            					L44:
            					 *0x40cbcc =  *0x40cbcc & 0x00000000;
            					 *0x40cbc8 = 9;
            					L45:
            					return _t74 | 0xffffffff;
            				}
            				_t77 = _t118 >> 5;
            				_t120 = (_t118 & 0x0000001f) << 3;
            				_t105 = 0x40ddc0 + _t77 * 4;
            				_t74 =  *((intOrPtr*)(0x40ddc0 + _t77 * 4)) + _t120;
            				_t114 =  *((intOrPtr*)(_t74 + 4));
            				if((_t114 & 0x00000001) == 0) {
            					goto L44;
            				}
            				_v12 = _v12 & 0x00000000;
            				_t116 = _a8;
            				_t106 = _t116;
            				if(_a12 == 0 || (_t114 & 0x00000002) != 0) {
            					L11:
            					return 0;
            				} else {
            					if((_t114 & 0x00000048) != 0) {
            						_t103 =  *((intOrPtr*)(_t74 + 5));
            						if(_t103 != 0xa) {
            							_a12 = _a12 - 1;
            							 *_t116 = _t103;
            							_t106 = _t116 + 1;
            							_v12 = 1;
            							 *((char*)( *_t105 + _t120 + 5)) = 0xa;
            						}
            					}
            					if(ReadFile( *( *_t105 + _t120), _t106, _a12,  &_v16, 0) != 0) {
            						_t83 =  *_t105;
            						_t115 = _v16;
            						_v12 = _v12 + _t115;
            						_t31 = _t120 + 4; // 0x4
            						_t107 = _t83 + _t31;
            						_t84 =  *((intOrPtr*)(_t83 + _t120 + 4));
            						if((_t84 & 0x00000080) == 0) {
            							L43:
            							return _v12;
            						}
            						if(_t115 == 0 ||  *_t116 != 0xa) {
            							_t86 = _t84 & 0x000000fb;
            						} else {
            							_t86 = _t84 | 0x00000004;
            						}
            						 *_t107 = _t86;
            						_t87 = _a8;
            						_a12 = _t87;
            						_t109 = _v12 + _t87;
            						_v12 = _t109;
            						if(_t87 >= _t109) {
            							L42:
            							_v12 = _t116 - _a8;
            							goto L43;
            						} else {
            							while(1) {
            								_t89 =  *_a12;
            								if(_t89 == 0x1a) {
            									break;
            								}
            								if(_t89 == 0xd) {
            									if(_a12 >= _t109 - 1) {
            										_a12 = _a12 + 1;
            										if(ReadFile( *( *_t105 + _t120),  &_v5, 1,  &_v16, 0) != 0 || GetLastError() == 0) {
            											if(_v16 == 0) {
            												goto L36;
            											}
            											if(( *( *_t105 + _t120 + 4) & 0x00000048) == 0) {
            												if(_t116 != _a8 || _v5 != 0xa) {
            													E00405B48(_a4, 0xffffffff, 1);
            													_t122 = _t122 + 0xc;
            													if(_v5 == 0xa) {
            														goto L38;
            													}
            													goto L36;
            												} else {
            													L34:
            													 *_t116 = 0xa;
            													goto L37;
            												}
            											}
            											_t99 = _v5;
            											if(_t99 == 0xa) {
            												goto L34;
            											}
            											 *_t116 = 0xd;
            											_t116 = _t116 + 1;
            											 *((char*)( *_t105 + _t120 + 5)) = _t99;
            											goto L38;
            										} else {
            											L36:
            											 *_t116 = 0xd;
            											L37:
            											_t116 = _t116 + 1;
            											L38:
            											_t109 = _v12;
            											if(_a12 < _t109) {
            												continue;
            											}
            											goto L42;
            										}
            									}
            									_t102 = _a12 + 1;
            									if( *_t102 != 0xa) {
            										 *_t116 = 0xd;
            										_t116 = _t116 + 1;
            										_a12 = _t102;
            										goto L38;
            									}
            									_a12 = _a12 + 2;
            									goto L34;
            								}
            								 *_t116 = _t89;
            								_t116 = _t116 + 1;
            								_a12 = _a12 + 1;
            								goto L38;
            							}
            							_t121 =  *_t105 + _t120 + 4;
            							_t91 =  *_t121;
            							if((_t91 & 0x00000040) == 0) {
            								 *_t121 = _t91 | 0x00000002;
            							}
            							goto L42;
            						}
            					}
            					_t74 = GetLastError();
            					_t112 = 5;
            					if(_t74 != _t112) {
            						if(_t74 != 0x6d) {
            							_t74 = E00407C4E(_t74);
            							goto L45;
            						}
            						goto L11;
            					}
            					 *0x40cbc8 = 9;
            					 *0x40cbcc = _t112;
            					goto L45;
            				}
            			}

            APIs
            • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,00000000), ref: 0040800F
            • GetLastError.KERNEL32 ref: 00408019
            • ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 004080E0
            • GetLastError.KERNEL32 ref: 004080EA
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: ErrorFileLastRead
            • String ID:
            • API String ID: 1948546556-0
            • Opcode ID: bcf1fc3162e821494b40b79ecc53eb5289275d8b310e8188a77bafa3dcefda27
            • Instruction ID: 814d9c423af25b8fe7558b6c9e014a0a86926036ed26ad7d6aacf5dd9dc40a04
            • Opcode Fuzzy Hash: bcf1fc3162e821494b40b79ecc53eb5289275d8b310e8188a77bafa3dcefda27
            • Instruction Fuzzy Hash: 1D619030A04285DFDB118F58DA84BAA7BB0AF12344F1540BFD4D1BB3D2DB79994ACB09
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00405BE2(long _a4, void* _a8, long _a12) {
            				intOrPtr* _v8;
            				long _v12;
            				long _v16;
            				intOrPtr _v20;
            				void _v1048;
            				signed char _t58;
            				void** _t64;
            				intOrPtr _t67;
            				char* _t72;
            				long _t79;
            				signed char* _t83;
            				signed int _t84;
            				char _t90;
            				struct _OVERLAPPED* _t94;
            				long _t96;
            				signed int _t99;
            				void* _t102;
            
            				_t84 = _a4;
            				_t102 = _t84 -  *0x40dec0; // 0x20
            				if(_t102 >= 0) {
            					L30:
            					 *0x40cbcc =  *0x40cbcc & 0x00000000;
            					 *0x40cbc8 = 9;
            					L31:
            					return _t58 | 0xffffffff;
            				}
            				_t83 = 0x40ddc0 + (_t84 >> 5) * 4;
            				_t99 = (_t84 & 0x0000001f) << 3;
            				_t5 = _t99 + 4; // 0x21c
            				_t58 =  *((intOrPtr*)( *_t83 + _t5));
            				if((_t58 & 0x00000001) == 0) {
            					goto L30;
            				}
            				_t94 = 0;
            				_v12 = 0;
            				_v20 = 0;
            				if(_a12 != 0) {
            					if((_t58 & 0x00000020) != 0) {
            						E00405B48(_t84, 0, 2);
            					}
            					_t64 =  *_t83 + _t99;
            					if((_t64[1] & 0x00000080) == 0) {
            						if(WriteFile( *_t64, _a8, _a12,  &_v16, _t94) == 0) {
            							_a4 = GetLastError();
            						} else {
            							_a4 = _t94;
            							_v12 = _v16;
            						}
            						L17:
            						_t67 = _v12;
            						if(_t67 != _t94) {
            							return _t67 - _v20;
            						}
            						if(_a4 == _t94) {
            							L26:
            							_t58 =  *_t83;
            							if(( *(_t58 + _t99 + 4) & 0x00000040) == 0) {
            								L28:
            								 *0x40cbc8 = 0x1c;
            								 *0x40cbcc = _t94;
            								goto L31;
            							}
            							_t58 = _a8;
            							if( *_t58 == 0x1a) {
            								goto L3;
            							}
            							goto L28;
            						}
            						_t58 = 5;
            						if(_a4 != _t58) {
            							_t58 = E00407C4E(_a4);
            						} else {
            							 *0x40cbc8 = 9;
            							 *0x40cbcc = _t58;
            						}
            						goto L31;
            					}
            					_v8 = _a8;
            					_a4 = _t94;
            					if(_a12 <= _t94) {
            						goto L26;
            					} else {
            						goto L8;
            					}
            					do {
            						L8:
            						_t72 =  &_v1048;
            						while(_v8 - _a8 < _a12) {
            							_v8 = _v8 + 1;
            							_t90 =  *_v8;
            							if(_t90 == 0xa) {
            								_v20 = _v20 + 1;
            								 *_t72 = 0xd;
            								_t72 = _t72 + 1;
            							}
            							 *_t72 = _t90;
            							_t72 = _t72 + 1;
            							if(_t72 -  &_v1048 < 0x400) {
            								continue;
            							} else {
            								break;
            							}
            						}
            						_t96 = _t72 -  &_v1048;
            						if(WriteFile( *( *_t83 + _t99),  &_v1048, _t96,  &_v16, 0) == 0) {
            							_a4 = GetLastError();
            							break;
            						}
            						_t79 = _v16;
            						_v12 = _v12 + _t79;
            					} while (_t79 >= _t96 && _v8 - _a8 < _a12);
            					_t94 = 0;
            					goto L17;
            				}
            				L3:
            				return 0;
            			}
            APIs
            • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000000,?), ref: 00405CBA
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: FileWrite
            • String ID:
            • API String ID: 3934441357-0
            • Opcode ID: 3126eda6c66cf7021a399f3889b83985f5a3297c5181f391af0d08c149974852
            • Instruction ID: afddacc0e3fb58388a404dd5e623b8fc1900d40c0f82758334153a2d0457c854
            • Opcode Fuzzy Hash: 3126eda6c66cf7021a399f3889b83985f5a3297c5181f391af0d08c149974852
            • Instruction Fuzzy Hash: 3151A071904A08EFDB15CF68D988AAA7BB0FF41340F20857BE816BB2D1D7349A40CF58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			_entry_(void* __ebx, void* __edi, void* __esi) {
            				CHAR* _v8;
            				intOrPtr* _v24;
            				intOrPtr _v28;
            				struct _STARTUPINFOA _v96;
            				intOrPtr _v100;
            				intOrPtr _v104;
            				intOrPtr _v108;
            				unsigned int _t15;
            				signed int _t26;
            				signed int _t34;
            				intOrPtr _t50;
            
            				_push(0xffffffff);
            				_push(0x409140);
            				_push(E004058E4);
            				_push( *[fs:0x0]);
            				 *[fs:0x0] = _t50;
            				_push(__esi);
            				_v28 = _t50 - 0x58;
            				_t15 = GetVersion();
            				 *0x40cbe0 = 0;
            				_t34 = _t15 & 0x000000ff;
            				 *0x40cbdc = _t34;
            				 *0x40cbd8 = _t34 << 8;
            				 *0x40cbd4 = _t15 >> 0x10;
            				if(E0040578C(_t34 << 8, 0) == 0) {
            					E00402EAE(0x1c);
            				}
            				_v8 = 0;
            				E0040546C();
            				 *0x40e108 = GetCommandLineA();
            				 *0x40cbb4 = E0040533A();
            				E004050ED();
            				E00405034();
            				E00404D56();
            				_v96.dwFlags = 0;
            				GetStartupInfoA( &_v96);
            				_v104 = E00404FDC();
            				_t53 = _v96.dwFlags & 0x00000001;
            				if((_v96.dwFlags & 0x00000001) == 0) {
            					_t26 = 0xa;
            				} else {
            					_t26 = _v96.wShowWindow & 0x0000ffff;
            				}
            				_v100 = E00401C60(0, GetModuleHandleA(0), 0, _v104, _t26);
            				E00404D83(_t28);
            				_v108 =  *((intOrPtr*)( *_v24));
            				return E00404E58(0, _t53,  *((intOrPtr*)( *_v24)), _v24);
            			}
            APIs
            • GetVersion.KERNEL32 ref: 00402DB9
              • Part of subcall function 0040578C: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DF2,00000000), ref: 0040579D
              • Part of subcall function 0040578C: HeapDestroy.KERNEL32 ref: 004057DC
            • GetCommandLineA.KERNEL32 ref: 00402E07
            • GetStartupInfoA.KERNEL32(?), ref: 00402E32
            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E55
              • Part of subcall function 00402EAE: ExitProcess.KERNEL32 ref: 00402ECB
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
            • String ID:
            • API String ID: 2057626494-0
            • Opcode ID: 1d1c61a8bcdf1391a0eb9b6b8233aee60818611d067d62f8d555ab9d415b9677
            • Instruction ID: 3e2574021304d9b383fc53e0004625e206804d84ff9b631f25f23f276a0b25a0
            • Opcode Fuzzy Hash: 1d1c61a8bcdf1391a0eb9b6b8233aee60818611d067d62f8d555ab9d415b9677
            • Instruction Fuzzy Hash: 7E21B2B18406149FDB04AFA2DD4AA6E7BB9EF44704F10413FF904BB2E1DB784800CB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 92%
            			E00403AE3(void* __ebx, void* __edi) {
            				char _v17;
            				signed char _v18;
            				struct _cpinfo _v24;
            				char _v280;
            				char _v536;
            				char _v792;
            				char _v1304;
            				void* _t43;
            				char _t44;
            				signed char _t45;
            				void* _t55;
            				signed int _t56;
            				signed char _t64;
            				intOrPtr* _t66;
            				signed int _t68;
            				signed int _t70;
            				signed int _t71;
            				signed char _t76;
            				signed char _t77;
            				signed char* _t78;
            				void* _t81;
            				void* _t87;
            				void* _t88;
            
            				if(GetCPInfo( *0x40ded8,  &_v24) == 1) {
            					_t44 = 0;
            					do {
            						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
            						_t44 = _t44 + 1;
            					} while (_t44 < 0x100);
            					_t45 = _v18;
            					_v280 = 0x20;
            					if(_t45 == 0) {
            						L9:
            						E00406005(1,  &_v280, 0x100,  &_v1304,  *0x40ded8,  *0x40e104, 0);
            						E00403E2C( *0x40e104, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x40ded8, 0);
            						E00403E2C( *0x40e104, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x40ded8, 0);
            						_t55 = 0;
            						_t66 =  &_v1304;
            						do {
            							_t76 =  *_t66;
            							if((_t76 & 0x00000001) == 0) {
            								if((_t76 & 0x00000002) == 0) {
            									 *(_t55 + 0x40df00) =  *(_t55 + 0x40df00) & 0x00000000;
            									goto L16;
            								}
            								 *(_t55 + 0x40e001) =  *(_t55 + 0x40e001) | 0x00000020;
            								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
            								L12:
            								 *(_t55 + 0x40df00) = _t77;
            								goto L16;
            							}
            							 *(_t55 + 0x40e001) =  *(_t55 + 0x40e001) | 0x00000010;
            							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
            							goto L12;
            							L16:
            							_t55 = _t55 + 1;
            							_t66 = _t66 + 2;
            						} while (_t55 < 0x100);
            						return _t55;
            					}
            					_t78 =  &_v17;
            					do {
            						_t68 =  *_t78 & 0x000000ff;
            						_t56 = _t45 & 0x000000ff;
            						if(_t56 <= _t68) {
            							_t81 = _t87 + _t56 - 0x114;
            							_t70 = _t68 - _t56 + 1;
            							_t71 = _t70 >> 2;
            							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
            							_t88 = _t88 + 0x18;
            						}
            						_t78 =  &(_t78[2]);
            						_t45 =  *((intOrPtr*)(_t78 - 1));
            					} while (_t45 != 0);
            					goto L9;
            				}
            				_t43 = 0;
            				do {
            					if(_t43 < 0x41 || _t43 > 0x5a) {
            						if(_t43 < 0x61 || _t43 > 0x7a) {
            							 *(_t43 + 0x40df00) =  *(_t43 + 0x40df00) & 0x00000000;
            						} else {
            							 *(_t43 + 0x40e001) =  *(_t43 + 0x40e001) | 0x00000020;
            							_t64 = _t43 - 0x20;
            							goto L22;
            						}
            					} else {
            						 *(_t43 + 0x40e001) =  *(_t43 + 0x40e001) | 0x00000010;
            						_t64 = _t43 + 0x20;
            						L22:
            						 *(_t43 + 0x40df00) = _t64;
            					}
            					_t43 = _t43 + 1;
            				} while (_t43 < 0x100);
            				return _t43;
            			}
            APIs
            • GetCPInfo.KERNEL32(?,00000000), ref: 00403AF7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: Info
            • String ID: $
            • API String ID: 1807457897-3032137957
            • Opcode ID: 4263b0e6052e216f1f80c24dc0ce66833b2b90fc2c1d1942979e66f1bc3d2df2
            • Instruction ID: 36ae0489fdf4b74d1d941eed9f8272e445ce0b54ef1ae1ad796fd5ae7e3c824f
            • Opcode Fuzzy Hash: 4263b0e6052e216f1f80c24dc0ce66833b2b90fc2c1d1942979e66f1bc3d2df2
            • Instruction Fuzzy Hash: A1415D324042981AFB119B64CD4DBEB7FAD9B01705F1404F6D246FB1D3C2794B58C7AA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00406B96() {
            				signed int _t15;
            				void* _t17;
            				void* _t19;
            				void* _t25;
            				signed int _t26;
            				void* _t27;
            				intOrPtr* _t29;
            
            				_t15 =  *0x40cd74; // 0x0
            				_t26 =  *0x40cd64; // 0x0
            				if(_t15 != _t26) {
            					L3:
            					_t27 =  *0x40cd78; // 0x0
            					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
            					_t17 = HeapAlloc( *0x40dda4, 8, 0x41c4);
            					 *(_t29 + 0x10) = _t17;
            					if(_t17 == 0) {
            						L6:
            						return 0;
            					}
            					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
            					 *(_t29 + 0xc) = _t19;
            					if(_t19 != 0) {
            						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
            						 *_t29 = 0;
            						 *((intOrPtr*)(_t29 + 4)) = 0;
            						 *0x40cd74 =  *0x40cd74 + 1;
            						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
            						return _t29;
            					}
            					HeapFree( *0x40dda4, 0,  *(_t29 + 0x10));
            					goto L6;
            				}
            				_t2 = _t26 * 4; // 0x50
            				_t25 = HeapReAlloc( *0x40dda4, 0,  *0x40cd78, _t26 + _t2 + 0x50 << 2);
            				if(_t25 == 0) {
            					goto L6;
            				}
            				 *0x40cd64 =  *0x40cd64 + 0x10;
            				 *0x40cd78 = _t25;
            				_t15 =  *0x40cd74; // 0x0
            				goto L3;
            			}
            APIs
            • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406BBE
            • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406BF2
            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406C0C
            • HeapFree.KERNEL32(00000000,?,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406C23
            Memory Dump Source
            • Source File: 00000000.00000002.276697016.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.276692305.0000000000400000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276705308.0000000000409000.00000002.00020000.sdmp
            • Associated: 00000000.00000002.276709204.000000000040A000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276713028.000000000040C000.00000004.00020000.sdmp
            • Associated: 00000000.00000002.276716924.000000000040F000.00000002.00020000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
            Similarity
            • API ID: AllocHeap$FreeVirtual
            • String ID:
            • API String ID: 3499195154-0
            • Opcode ID: 86b487cbfbf799463fb22a320ee0a1c0c95520022bb1745eb356e20d29b1aff0
            • Instruction ID: 4c989a440f945cc000f33b170c4bb47da851f3c59be8127188450c4fc32ec534
            • Opcode Fuzzy Hash: 86b487cbfbf799463fb22a320ee0a1c0c95520022bb1745eb356e20d29b1aff0
            • Instruction Fuzzy Hash: B1115830200601EFE7218F29EE85D22BBB6FF857207104B3AE5A6F61B0D371A855CB08
            Uniqueness

            Uniqueness Score: -1.00%