Windows Analysis Report niPie.exe

Overview

General Information

Sample Name:niPie.exe
Analysis ID:502665
MD5:601fda01efb1a22e18a19793158b51fe
SHA1:925f30c4a425c133915ee92dd4c0900f31536c04
SHA256:5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3
Detection

Score:4
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Uses 32bit PE files
Found evasive API chain (may stop execution after accessing registry keys)
Sample file is different than original file name gathered from version info
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Process Tree

  • System is w10x64
  • niPie.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\niPie.exe' MD5: 601FDA01EFB1A22E18A19793158B51FE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: niPie.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: niPie.exe | Static PE information: certificate valid
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00401460 RegEnumValueA,FindFirstFileA,FindNextFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00401460
Source: niPie.exe, 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: niPie.exe | Binary or memory string: OriginalFilenameWinNestInst.exe vs niPie.exe
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402100 0_2_00402100
Source: niPie.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\niPie.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: niPie.exe | String found in binary or memory: /install
Source: niPie.exe | String found in binary or memory: ^@INSTALL\Software\National Instruments\Common\Installer\Pending\PackagesSoftware\National Instruments\Common\Installer\Pending\Deletes...%s\%s%s\*.*Value-ValueNameKeySoftware\National Instruments\Common\Installer\Pending\Registry\DeleteSoftware\National Instruments\Common\Installer\Pending\Registry\AddSoftware\National Instruments\Common\Installer\Pending\Registry/sREMOVEALL%s %s/remove"/install/test/qMutex FailedNested Install_MSIExecute/qnmSoftware\National Instruments\Common\Installer\Pending/undo%s ,\FeaturesTrueLaunchedByUpgrade\ProductsSoftware\National Instruments\Common\InstallerNIUPDMGRtrue
Source: classification engine | Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\niPie.exe | Mutant created: \Sessions\1\BaseNamedObjects\_MSIExecute
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00407AB8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00407AB8
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00402930 push eax; ret 0_2_0040295E
Source: C:\Users\user\Desktop\niPie.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-3716
Source: C:\Users\user\Desktop\niPie.exe | API coverage: 6.3 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\niPie.exe | API call chain: ExitProcess graph end node graph_0-3939
Source: C:\Users\user\Desktop\niPie.exe | Code function: 0_2_00405644 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA,0_2_00405644

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Command and Scripting Interpreter 2; Native API 1
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Obfuscated Files or Information 1; Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: File and Directory Discovery 1; System Information Discovery 2
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Archive Collected Data 1; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Encrypted Channel 1; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Behavior Graph

[Behavior graph. ID: 502665, Sample: niPie.exe, Start date: 14/10/2021, Architecture: WINDOWS, Score: 4. Process: niPie.exe, started.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
niPie.exe | 0% | Virustotal |
niPie.exe | 0% | Metadefender |
niPie.exe | 0% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ocsp.thawte.com0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0 | niPie.exe | false | | high
http://www.symauth.com/cps0( | niPie.exe | false | | high
http://www.symauth.com/rpa00 | niPie.exe | false | | high
http://ocsp.thawte.com0 | niPie.exe | false | URL Reputation: safe | unknown

        Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox Version:33.0.0 White Diamond
        Analysis ID:502665
        Start date:14.10.2021
        Start time:08:36:49
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 2m 50s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:niPie.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:5
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:CLEAN
        Classification:clean4.winEXE@1/0@0/0
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 100% (good quality ratio 97.2%)
        • Quality average: 87.1%
        • Quality standard deviation: 22.3%
        HCA Information:Failed
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        Warnings:
        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):5.892836892157124
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:niPie.exe
        File size:73664
        MD5:601fda01efb1a22e18a19793158b51fe
        SHA1:925f30c4a425c133915ee92dd4c0900f31536c04
        SHA256:5020bbc58ef082a5ac8e42e394c4235e88b9c5bd1ed3cdc126a24a649997ebf3
        SHA512:0db9ac45dfa3e4530fa4a945e3cac301e1ee8b26fc2690739741d72e1b7712e205f4bf83463e51c70df141af663ffa54c4e281d93f3bc386487a42eb1778a03c
        SSDEEP:768:gjan8GnhwDHcnrkqAAO8IEwm8iNWTGzvtKsDsoxm3whvI:gjanoDGrkbAO80mhN/ZKsDnmghw
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..)k..zk..zk..z...zh..z...zx..z...zW..z...zc..z2..zl..zk..z,..zm..zo..z...zj..z...zj..zRichk..z................PE..L...j.I>...

        File Icon

        Icon Hash:00828e8e8686b000

        Static PE Info

        General

        Entrypoint:0x402d93
        Entrypoint Section:.text
        Digitally signed:true
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        DLL Characteristics:
        Time Stamp:0x3E49816A [Tue Feb 11 23:04:10 2003 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:8fcbb82d712dc622f705d3815ebb3266

        Authenticode Signature

        Signature Valid:true
        Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
        Signature Validation Error:The operation completed successfully
        Error Number:0
        Not Before, Not After
        • 4/11/2016 5:00:00 PM 7/12/2019 4:59:59 PM
        Subject Chain
        • CN=National Instruments Corporation, O=National Instruments Corporation, L=Austin, S=Texas, C=US
        Version:3
        Thumbprint MD5:1C8D1A5469552A41DE716974A986D673
        Thumbprint SHA-1:70B8BA3A50BCDBAD1DC2C86C6DEB1D78215EA111
        Thumbprint SHA-256:4750C8643DF6099EA03EB3ADA1157EEFC149A3BAC6DBB31760A4DC0AFC41C007
        Serial:61C3329855F6476CFCB4FCF359E55909

        Entrypoint Preview

        Instruction
        push ebp
        mov ebp, esp
        push FFFFFFFFh
        push 00409140h
        push 004058E4h
        mov eax, dword ptr fs:[00000000h]
        push eax
        mov dword ptr fs:[00000000h], esp
        sub esp, 58h
        push ebx
        push esi
        push edi
        mov dword ptr [ebp-18h], esp
        call dword ptr [00409094h]
        xor edx, edx
        mov dl, ah
        mov dword ptr [0040CBE0h], edx
        mov ecx, eax
        and ecx, 000000FFh
        mov dword ptr [0040CBDCh], ecx
        shl ecx, 08h
        add ecx, edx
        mov dword ptr [0040CBD8h], ecx
        shr eax, 10h
        mov dword ptr [0040CBD4h], eax
        xor esi, esi
        push esi
        call 00007FAF40B425EFh
        pop ecx
        test eax, eax
        jne 00007FAF40B3FC5Ah
        push 0000001Ch
        call 00007FAF40B3FD05h
        pop ecx
        mov dword ptr [ebp-04h], esi
        call 00007FAF40B422BAh
        call dword ptr [00409090h]
        mov dword ptr [0040E108h], eax
        call 00007FAF40B42178h
        mov dword ptr [0040CBB4h], eax
        call 00007FAF40B41F21h
        call 00007FAF40B41E63h
        call 00007FAF40B41B80h
        mov dword ptr [ebp-30h], esi
        lea eax, dword ptr [ebp-5Ch]
        push eax
        call dword ptr [0040908Ch]
        call 00007FAF40B41DF4h
        mov dword ptr [ebp-64h], eax
        test byte ptr [ebp-30h], 00000001h
        je 00007FAF40B3FC58h
        movzx eax, word ptr [ebp-2Ch]
        jmp 00007FAF40B3FC55h
        push 0000000Ah
        pop eax
        push eax
        push dword ptr [ebp-64h]
        push esi
        push esi
        call dword ptr [00409088h]

        Rich Headers

        Programming Language:
        • [EXP] VC++ 6.0 SP5 build 8804
        • [LNK] VC++ 6.0 SP5 build 8804

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x9bc0 | 0x72 | .rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9548 | 0x64 | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0xa20 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0xe000 | 0x3fc0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x140 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x7722 | 0x8000 | False | 0.566650390625 | COM executable for DOS | 6.39486324672 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata | 0x9000 | 0xc32 | 0x1000 | False | 0.376708984375 | data | 4.52160108025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0xa000 | 0x410c | 0x3000 | False | 0.0714518229167 | data | 0.996089583315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .rsrc | 0xf000 | 0xa20 | 0x1000 | False | 0.26318359375 | data | 4.15843705735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_DIALOG | 0xf130 | 0xa0 | data | English | United States
        RT_STRING | 0xf1d0 | 0x144 | data | German | Germany
        RT_STRING | 0xf314 | 0x132 | data | English | United States
        RT_STRING | 0xf448 | 0x150 | data | French | France
        RT_STRING | 0xf598 | 0xd8 | data | Japanese | Japan
        RT_VERSION | 0xf670 | 0x3b0 | data | English | United States

        Imports

        DLL | Import
        KERNEL32.dll | ReleaseMutex, WaitForSingleObjectEx, CreateThread, Sleep, lstrlenA, FindFirstFileA, FindNextFileA, FindClose, RemoveDirectoryA, CreateMutexA, ExitProcess, GetCurrentProcess, UnhandledExceptionFilter, FlushFileBuffers, ReadFile, CloseHandle, LoadLibraryA, GetProcAddress, SetStdHandle, HeapReAlloc, VirtualAlloc, GetStringTypeW, GetStringTypeA, SetFilePointer, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, DeleteFileA, GetCPInfo, GetACP, GetOEMCP, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, HeapAlloc, HeapFree, TerminateProcess, GetLastError, GetFileType, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, WriteFile
        USER32.dll | SendMessageA, SetDlgItemTextA, MessageBoxA, EndDialog, LoadStringA, DialogBoxParamA
        ADVAPI32.dll | RegOpenKeyExA, RegEnumKeyExA, RegEnumValueA, RegCloseKey, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA
        Msi.dll |

        Exports

        Name | Ordinal | Address
        RFL_RegSetBinary | 2 | 0x401aa0
        _RFL_RegGetBinary@20 | 1 | 0x401a70

        Version Infos

        Description | Data
        LegalCopyright | Copyright 2002-2017. All Rights Reserved.
        InternalName | WinNestInst
        FileVersion | 17.5.0.170
        CompanyName | National Instruments
        PrivateBuild |
        LegalTrademarks |
        Comments |
        ProductName | National Instruments UM Satellite
        SpecialBuild |
        ProductVersion | 17.5.0
        FileDescription | WinNestInst
        OriginalFilename | WinNestInst.exe

        Possible Origin

        Language of compilation system | Country where language is spoken
        English | United States
        German | Germany
        French | France
        Japanese | Japan

        Network Behavior

        No network behavior found

        Code Manipulations

        System Behavior

        General

        Start time:08:37:56
        Start date:14/10/2021
        Path:C:\Users\user\Desktop\niPie.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\niPie.exe'
        Imagebase:0x400000
        File size:73664 bytes
        MD5 hash:601FDA01EFB1A22E18A19793158B51FE
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        Disassembly

        Code Analysis

          Execution Graph

          Execution Coverage:2.7%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:6.3%
          Total number of Nodes:617
          Total number of Limit Nodes:17

3835->3838 3836->3833 3836->3835 3838->3714 3845 4018f0 RegOpenKeyExA 3839->3845 3841 401977 3841->3724 3843 401b33 RegDeleteValueA 3842->3843 3844 401b2d 3842->3844 3843->3724 3844->3724 3846 401910 3845->3846 3847 401916 RegQueryValueExA 3845->3847 3846->3841 3848 401941 RegCloseKey 3847->3848 3849 40193b 3847->3849 3848->3841 3849->3841 3860 40295f 3850->3860 3853 401573 RemoveDirectoryA 3853->3735 3854 40295f 19 API calls 3855 4014a3 3854->3855 3855->3854 3856 40154c DeleteFileA 3855->3856 3857 40155a FindNextFileA 3855->3857 3859 401460 19 API calls 3855->3859 3856->3857 3857->3855 3858 40156a FindClose 3857->3858 3858->3853 3859->3855 3865 402fe7 3860->3865 3863 401482 FindFirstFileA 3863->3853 3863->3855 3866 40298d 3865->3866 3868 40300c __aulldiv __aullrem 3865->3868 3866->3863 3872 402ed2 3866->3872 3867 403728 18 API calls 3867->3868 3868->3866 3868->3867 3869 40378e 18 API calls 3868->3869 3870 40375d 18 API calls 3868->3870 3871 405eb2 WideCharToMultiByte 3868->3871 3869->3868 3870->3868 3871->3868 3874 402ee8 3872->3874 3881 402f6c 3872->3881 3873 402f43 3875 402fb1 3873->3875 3876 402f4d 3873->3876 3874->3873 3880 405d8f 12 API calls 3874->3880 3874->3881 3877 405be2 6 API calls 3875->3877 3878 402f64 3876->3878 3882 402f74 3876->3882 3877->3881 3884 405be2 3878->3884 3880->3873 3881->3863 3882->3881 3894 405b48 3882->3894 3885 405bfd 3884->3885 3893 405c2c 3884->3893 3886 405b48 2 API calls 3885->3886 3888 405c40 3885->3888 3885->3893 3886->3888 3887 405d12 WriteFile 3889 405d34 GetLastError 3887->3889 3887->3893 3888->3887 3892 405c51 3888->3892 3889->3893 3890 405c9d WriteFile 3891 405d07 GetLastError 3890->3891 3890->3892 3891->3893 3892->3890 3892->3893 3893->3881 3895 405b57 3894->3895 3898 405b80 3894->3898 3896 405b8c SetFilePointer 3895->3896 3895->3898 3897 405ba4 GetLastError 3896->3897 3896->3898 3897->3898 3898->3881 3912 4029b1 3899->3912 3903 401a34 RegSetValueExA 3902->3903 3904 401a2e 3902->3904 3905 401a53 3903->3905 3906 401a59 
RegCloseKey 3903->3906 3904->3750 3905->3750 3906->3750 3908 4019b4 RegSetValueExA 3907->3908 3909 4019ae 3907->3909 3910 4019e5 RegCloseKey 3908->3910 3911 4019df 3908->3911 3909->3750 3910->3750 3911->3750 3914 4029b9 3912->3914 3913 4037f1 6 API calls 3913->3914 3914->3913 3916 4029e7 3914->3916 3915 4037f1 6 API calls 3915->3916 3916->3915 3917 402a2e 3916->3917 3917->3750 3919 402012 3918->3919 3921 402068 3919->3921 3928 402d7a 3919->3928 3921->3774 3923 4025e6 3922->3923 3924 40256a 3922->3924 3923->3767 3925 40256b #95 #144 #144 #33 #8 3924->3925 3927 4025e1 3924->3927 3931 402d88 3925->3931 3927->3767 3929 404c4d 12 API calls 3928->3929 3930 402d85 3929->3930 3930->3921 3932 404ced 7 API calls 3931->3932 3933 402d91 3932->3933 3933->3924 3936 404db1 GetCurrentProcess TerminateProcess 3935->3936 3937 404dc2 3935->3937 3936->3937 3938 402e6a 3937->3938 3939 404e2c ExitProcess 3937->3939 3938->3498 4034 403ff4 4035 404002 4034->4035 4036 404006 LCMapStringW 4035->4036 4037 403fba 4035->4037 4036->4037 4038 40401e WideCharToMultiByte 4036->4038 4038->4037 4040 405df9 4041 405e06 4040->4041 4048 407d6c 4041->4048 4043 405e20 4044 407d6c 12 API calls 4043->4044 4046 405e4b 4043->4046 4045 405e39 4044->4045 4045->4046 4047 402e89 7 API calls 4045->4047 4047->4046 4052 407d80 4048->4052 4049 407dd7 HeapAlloc 4049->4052 4053 407e02 4049->4053 4050 40688d 5 API calls 4050->4052 4051 40703a 6 API calls 4051->4052 4052->4049 4052->4050 4052->4051 4052->4053 4053->4043 3969 4058dc 3971 4058e4 3969->3971 3970 405976 3971->3970 3973 4057ec RtlUnwind 3971->3973 3974 405804 3973->3974 3974->3971 3975 405e9e 3981 407f0c 3975->3981 3977 405eb1 3978 405ea3 3978->3977 3980 404ced 7 API calls 3978->3980 3984 408591 3978->3984 3980->3978 3994 407f15 3981->3994 3985 4085a1 3984->3985 3986 4085a6 3984->3986 3985->3978 3986->3985 3998 407eb0 3986->3998 3992 4085c0 3992->3985 3993 404ced 7 API calls 3992->3993 3993->3985 3995 407f13 3994->3995 3996 407f26 3994->3996 3995->3978 
3996->3995 3997 407e75 8 API calls 3996->3997 3997->3996 3999 407ec6 3998->3999 4001 407ee1 3998->4001 4000 405be2 6 API calls 3999->4000 3999->4001 4000->4001 4002 4086f1 4001->4002 4003 4086fd 4002->4003 4005 4085b8 4002->4005 4004 404ced 7 API calls 4003->4004 4003->4005 4004->4005 4006 40863e 4005->4006 4009 4086bf 4006->4009 4010 408652 4006->4010 4007 4086b7 4013 407cb5 4007->4013 4009->3992 4010->4007 4010->4009 4011 4086a1 CloseHandle 4010->4011 4011->4007 4012 4086ad GetLastError 4011->4012 4012->4007 4014 407d0e 4013->4014 4015 407cc3 4013->4015 4014->4009 4015->4014 4016 407d08 SetStdHandle 4015->4016 4016->4014 4054 402e7e 4061 404d94 4054->4061 4056 402e89 4057 402e97 4056->4057 4058 4059bc 7 API calls 4056->4058 4059 4059f5 7 API calls 4057->4059 4058->4057 4060 402ea0 4059->4060 4062 404da5 3 API calls 4061->4062 4063 404da1 4062->4063 4063->4056

          Executed Functions

          Control-flow Graph

          C-Code - Quality: 34%
          			E00401C60(void* __esi, intOrPtr _a4, intOrPtr _a12) {
          				void _v259;
          				char _v260;
          				char _v268;
          				void _v519;
          				char _v520;
          				long _v524;
          				struct _SECURITY_ATTRIBUTES _v536;
          				char _v548;
          				char* _v556;
          				intOrPtr _v564;
          				intOrPtr _v568;
          				intOrPtr _v576;
          				void* _t43;
          				void* _t44;
          				void* _t46;
          				void* _t47;
          				void* _t48;
          				void* _t49;
          				void* _t51;
          				void* _t52;
          				void* _t57;
          				void* _t60;
          				struct HWND__* _t61;
          				void* _t64;
          				void* _t66;
          				void* _t68;
          				void* _t70;
          				void* _t71;
          				void* _t73;
          				long _t75;
          				void* _t90;
          				char _t92;
          				void* _t107;
          				void* _t108;
          				void* _t110;
          				void* _t113;
          				void* _t114;
          				void* _t115;
          				void* _t116;
          				void* _t117;
          				void* _t118;
          				void* _t119;
          				void* _t122;
          
          				_t107 = __esi;
          				_t92 =  *0x40cba0; // 0x0
          				_v520 = _t92;
          				memset( &_v519, 0, 0x40 << 2);
          				asm("stosw");
          				asm("stosb");
          				_v260 = _t92;
          				memset( &_v259, 0, 0x40 << 2);
          				asm("stosw");
          				asm("stosb");
          				_t106 = _a12;
          				E00402D46(_a12, "%s ",  &_v520);
          				_t87 =  &_v520;
          				_t43 = E00402BD8( &_v520,  &_v520, "/undo");
          				_t113 = _t110 + 0x2c;
          				_t124 = _t43;
          				if(_t43 != 0) {
          					_t44 = E00402BD8( &_v520,  &_v520, "/qnm");
          					_t114 = _t113 + 8;
          					__eflags = _t44;
          					if(__eflags != 0) {
          						_t88 =  &_v536;
          						 *0x40cba8 = _a4;
          						_v536.nLength = 0xc;
          						_v536.lpSecurityDescriptor = 0;
          						_v536.bInheritHandle = 1;
          						_t46 = CreateMutexA( &_v536, 0, "_MSIExecute"); // executed
          						__eflags = _t46;
          						 *0x40cba4 = _t46;
          						if(_t46 != 0) {
          							_t75 = WaitForSingleObjectEx(_t46, 0xffffffff, 0);
          							__eflags = _t75;
          							if(_t75 != 0) {
          								MessageBoxA(0, "Mutex Failed", "Nested Install", 0);
          							}
          						}
          						_t47 = E00402BD8(_t88,  &_v520, "/q");
          						_t115 = _t114 + 8;
          						__eflags = _t47;
          						if(_t47 != 0) {
          							_t73 = E00402BD8(_t88,  &_v520, "/qnm");
          							_t115 = _t115 + 8;
          							__eflags = _t73;
          							if(_t73 != 0) {
          								_t88 =  &_v524;
          								CreateThread(0, 0, E004020E0, 0, 0,  &_v524); // executed
          							}
          						}
          						_t48 = E00402BD8(_t88,  &_v520, "/test");
          						_t116 = _t115 + 8;
          						__eflags = _t48;
          						if(_t48 != 0) {
          							_push(0);
          							_push(2);
          							L00402918();
          							_t49 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/install");
          							_t117 = _t116 + 8;
          							__eflags = _t49;
          							if(_t49 == 0) {
          								_t68 = E00402B65(_t106, 0x22);
          								_t122 = _t117 + 8;
          								__eflags = _t68;
          								if(_t68 == 0) {
          									_t68 = E00402B65(_t106, 0x20);
          									_t122 = _t122 + 8;
          								}
          								_push(_t107);
          								_t108 = E00402B4E(_t68);
          								_t70 = E00402ACE(_t88, _t108, "\"");
          								_t117 = _t122 + 0xc;
          								__eflags = _t70;
          								if(_t70 != 0) {
          									 *((char*)(_t70 + _t108)) = 0;
          								}
          								_t71 =  &_v548;
          								_push(_t71);
          								_push(_t108);
          								L00402912();
          								__eflags = _t71;
          								if(_t71 == 0) {
          									_t88 = _v556;
          									_push("INSTALL");
          									_push(_v556);
          									L00402906();
          									_push(_v564);
          									L00402900();
          								}
          							}
          							_t51 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/remove");
          							_t118 = _t117 + 8;
          							__eflags = _t51;
          							if(_t51 == 0) {
          								_push( &_v268);
          								E00402D46(_t106, "%s %s",  &(_v536.bInheritHandle));
          								_t118 = _t118 + 0x10;
          								_t66 =  &_v548;
          								_t88 =  &_v268;
          								_push(_t66);
          								_push( &_v268);
          								L0040291E();
          								__eflags = _t66;
          								if(_t66 == 0) {
          									_push("ALL");
          									_push("REMOVE");
          									_push(_v556);
          									L0040290C();
          									_push("INSTALL");
          									_push(_v568);
          									L00402906();
          									_t88 = _v576;
          									_push(_v576);
          									L00402900();
          								}
          							}
          							_t52 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/s");
          							_t119 = _t118 + 8;
          							__eflags = _t52;
          							if(__eflags == 0) {
          								L24:
          								E00402100(_t88, __eflags);
          								E00401000(_t88, __eflags);
          								E00401300(_t88, __eflags);
          								E00401590(_t88, __eflags);
          							} else {
          								_t64 = E00402BD8(_t88,  &(_v536.bInheritHandle), "/q");
          								_t119 = _t119 + 8;
          								__eflags = _t64;
          								if(__eflags == 0) {
          									goto L24;
          								}
          							}
          							_t57 = E00402BD8( &(_v536.bInheritHandle),  &(_v536.bInheritHandle), "/q");
          							__eflags = _t57;
          							if(_t57 != 0) {
          								_t60 = E00402BD8( &(_v536.bInheritHandle),  &(_v536.bInheritHandle), "/qnm");
          								__eflags = _t60;
          								if(_t60 != 0) {
          									goto L27;
          								}
          							}
          						} else {
          							Sleep(0x7d0);
          							L27:
          							_t61 =  *0x40cbac; // 0x0
          							SendMessageA(_t61, 0x12, 0, 0);
          						}
          						_t90 =  *0x40cba4; // 0x228
          						ReleaseMutex(_t90);
          						__eflags = 0;
          						return 0;
          					} else {
          						E00401300( &_v520, __eflags);
          						E00401590(_t87, __eflags);
          						__eflags = 0;
          						return 0;
          					}
          				} else {
          					E00401B50(0x80000002, "Software\\National Instruments\\Common\\Installer\\Pending");
          					E004025F0( &_v520, _t124);
          					return 0;
          				}
          			}















































          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: EnumOpen
          • String ID: %s $%s %s$/install$/qnm$/remove$/test$/undo$ALL$INSTALL$Mutex Failed$Nested Install$REMOVE$Software\National Instruments\Common\Installer\Pending$_MSIExecute
          • API String ID: 3231578192-2645672969
          • Opcode ID: 5e8f4f860a25c24fe8fdd9723dcc3fe331090434a8b75d4b5ad922a940880f65
          • Instruction ID: 416d46b3562254dcf8fdf28cb97b855d8bd1d6bfebd8f94a9c40c6f65952fc5b
          • Opcode Fuzzy Hash: 5e8f4f860a25c24fe8fdd9723dcc3fe331090434a8b75d4b5ad922a940880f65
          • Instruction Fuzzy Hash: 117127B12443017AE610EB719E47F9F36A85F94749F00083EF944B52D2FABCE51886AF
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [Control-flow graph for function 00404DA5 (image not reproduced); legend: Executed / Not Executed]
          C-Code - Quality: 74%
          			E00404DA5(void* __esi, int _a4, intOrPtr _a8, char _a12) {
          				void* _t6;
          				intOrPtr _t7;
          				intOrPtr* _t9;
          				char _t14;
          				intOrPtr _t20;
          				intOrPtr _t21;
          				void* _t22;
          				intOrPtr* _t23;
          				void* _t25;
          				void* _t30;
          
          				_t22 = __esi;
          				_t21 = 1;
          				_t25 =  *0x40cc10 - _t21; // 0x1
          				if(_t25 == 0) {
          					TerminateProcess(GetCurrentProcess(), _a4);
          				}
          				_t14 = _a12;
          				 *0x40cc0c = _t21;
          				 *0x40cc08 = _t14;
          				if(_a8 == 0) {
          					_t7 =  *0x40ded0; // 0x0
          					if(_t7 != 0) {
          						_t20 =  *0x40decc; // 0x0
          						_push(_t22);
          						_t4 = _t20 - 4; // -4
          						_t23 = _t4;
          						if(_t23 >= _t7) {
          							do {
          								_t9 =  *_t23;
          								if(_t9 != 0) {
          									 *_t9();
          								}
          								_t23 = _t23 - 4;
          								_t30 = _t23 -  *0x40ded0; // 0x0
          							} while (_t30 >= 0);
          						}
          					}
          					E00404E3E(0x40a018, 0x40a020);
          				}
          				_t6 = E00404E3E(0x40a024, 0x40a028);
          				if(_t14 == 0) {
          					 *0x40cc10 = _t21; // executed
          					ExitProcess(_a4); // executed
          				}
          				return _t6;
          			}














          APIs
          • GetCurrentProcess.KERNEL32(?,?,00404D90,?,00000000,00000000,00402E6A,00000000,00000000), ref: 00404DB5
          • TerminateProcess.KERNEL32(00000000,?,00404D90,?,00000000,00000000,00402E6A,00000000,00000000), ref: 00404DBC
          • ExitProcess.KERNEL32 ref: 00404E36
          Similarity
          • API ID: Process$CurrentExitTerminate
          • String ID:
          • API String ID: 1703294689-0
          • Opcode ID: 1ce9184cf31c89b0503ddc8e1fc7d02da94ccca4b73070f3db8ca45870c343ee
          • Instruction ID: d067ad56b7422b1f12ee169717fbc2c8c9a16e46116dcc55f471bcf15b00e788
          • Opcode Fuzzy Hash: 1ce9184cf31c89b0503ddc8e1fc7d02da94ccca4b73070f3db8ca45870c343ee
          • Instruction Fuzzy Hash: 560180B1604301DBDA219F59EE8861A7BA5FBD1350B20413BF645771E0CB799C84CBAD
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [Control-flow graph for function 0040578C (image not reproduced); legend: Executed / Not Executed]
          C-Code - Quality: 100%
          			E0040578C(void* __ecx, intOrPtr _a4) {
          				void* _t6;
          				intOrPtr _t8;
          				void* _t9;
          				void* _t10;
          				void* _t12;
          
          				_t12 = __ecx;
          				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
          				_t15 = _t6;
          				 *0x40dda4 = _t6;
          				if(_t6 == 0) {
          					L7:
          					return 0;
          				} else {
          					_t8 = E00405644(_t12, _t15);
          					 *0x40dda8 = _t8;
          					if(_t8 != 3) {
          						__eflags = _t8 - 2;
          						if(_t8 != 2) {
          							goto L8;
          						} else {
          							_t10 = E00406D42();
          							goto L5;
          						}
          					} else {
          						_t10 = E004064F1(0x3f8);
          						L5:
          						if(_t10 != 0) {
          							L8:
          							_t9 = 1;
          							return _t9;
          						} else {
          							HeapDestroy( *0x40dda4);
          							goto L7;
          						}
          					}
          				}
          			}









          APIs
          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DF2,00000000), ref: 0040579D
            • Part of subcall function 00405644: GetVersionExA.KERNEL32 ref: 00405663
          • HeapDestroy.KERNEL32 ref: 004057DC
            • Part of subcall function 004064F1: HeapAlloc.KERNEL32(00000000,00000140,004057C5,000003F8), ref: 004064FE
          Similarity
          • API ID: Heap$AllocCreateDestroyVersion
          • String ID:
          • API String ID: 2507506473-0
          • Opcode ID: 474817950941fb9feb30d70d4ccabb38241e53c2714eeb091da0a179b8fcc6ee
          • Instruction ID: b80333c318d8f42bacaf1e3d2714f2e368b36af800cabc9f556d8da5a3cfb0b9
          • Opcode Fuzzy Hash: 474817950941fb9feb30d70d4ccabb38241e53c2714eeb091da0a179b8fcc6ee
          • Instruction Fuzzy Hash: DDF06530A50701DADB602B759E8672B3698DF84746F20843BF905F91E1FA788980BD1D
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [Control-flow graph for function 00404C79 (image not reproduced); legend: Executed / Not Executed]
          C-Code - Quality: 60%
          			E00404C79(long _a4) {
          				intOrPtr _t4;
          				void* _t5;
          				long _t6;
          				long _t9;
          				void* _t10;
          				void* _t11;
          				long _t14;
          				long _t16;
          				void* _t19;
          
          				_t4 =  *0x40dda8; // 0x1
          				_t14 = _a4;
          				if(_t4 != 3) {
          					__eflags = _t4 - 2;
          					if(_t4 != 2) {
          						goto L11;
          					}
          					_t6 = _a4;
          					__eflags = _t6;
          					if(_t6 == 0) {
          						_t16 = 0x10;
          					} else {
          						_t16 = _t6 + 0x0000000f & 0xfffffff0;
          					}
          					__eflags = _t16 -  *0x40ca24; // 0x1e0
          					if(__eflags > 0) {
          						goto L14;
          					}
          					_t9 = E0040703A(_t11, _t16 >> 4);
          					__eflags = _t9;
          					if(_t9 == 0) {
          						goto L14;
          					}
          					return _t9;
          				} else {
          					_t19 = _t14 -  *0x40cd7c; // 0x0
          					if(_t19 > 0) {
          						L11:
          						__eflags = _t14;
          						if(_t14 == 0) {
          							_t14 = 1;
          						}
          						_t16 = _t14 + 0x0000000f & 0xfffffff0;
          						__eflags = _t16;
          						L14:
          						_t5 = RtlAllocateHeap( *0x40dda4, 0, _t16); // executed
          						return _t5;
          					}
          					_push(_t14);
          					_t10 = E0040688D();
          					if(_t10 == 0) {
          						goto L11;
          					}
          					return _t10;
          				}
          			}













          APIs
          • RtlAllocateHeap.NTDLL(00000000,?,00000000,00404C5D,000000E0,00404C4A,?,0040547D,00000100,?,00000000), ref: 00404CE5
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          • Opcode ID: 1bf8a30c976d370f554eb6e1815b7f352285f2be32f38b688eca5fd3c3194367
          • Instruction ID: b260cdd2eb4f7a27a84718a31416a646ca1a28bc6ef55e16d09debb9a966a00f
          • Opcode Fuzzy Hash: 1bf8a30c976d370f554eb6e1815b7f352285f2be32f38b688eca5fd3c3194367
          • Instruction Fuzzy Hash: C6F0D672A1B1205AFA20A758AD407D73344AF80764F170637FE44BB2D0D338AC91958D
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 129 402100-402158 call 402930 RegOpenKeyExA 132 402548-402559 call 402560 129->132 133 40215e-40218c RegEnumKeyExA 129->133 133->132 134 402192-40226b RegOpenKeyExA 133->134 136 402271-402296 RegEnumKeyExA 134->136 137 402512-402542 RegEnumKeyExA 134->137 136->137 139 40229c-40234a call 401950 136->139 137->132 137->134 142 402350-402355 139->142 143 4024df-40250c RegEnumKeyExA 139->143 144 40235c-402362 142->144 143->137 143->139 145 402380-402382 144->145 146 402364-402366 144->146 147 402385-402387 145->147 148 402368-402370 146->148 149 40237c-40237e 146->149 147->143 150 40238d-40239a 147->150 148->145 151 402372-40237a 148->151 149->147 152 40239f call 401b10 150->152 151->144 151->149 153 4023a4-4023f5 RegOpenKeyExA 152->153 153->143 154 4023fb-40243b RegEnumKeyExA 153->154 155 402441-4024c1 RegEnumKeyExA 154->155 156 4024c7-4024dc call 402000 154->156 155->155 155->156 156->143
          C-Code - Quality: 76%
          			E00402100(void* __ecx, void* __eflags, int _a4, void* _a8, int _a12, void* _a16, void* _a20, char _a24, char _a64, void _a65, char _a324, char _a584, char _a2632, char _a4680, char _a6728, void _a6775, char _a8776) {
          				int _v0;
          				int _t80;
          				int* _t83;
          				int* _t100;
          				int _t102;
          				void* _t117;
          				int _t119;
          				intOrPtr* _t121;
          				long _t130;
          				char _t131;
          				int* _t137;
          				char* _t138;
          				int* _t139;
          				int _t144;
          				int* _t152;
          				unsigned int _t154;
          				signed int _t155;
          				char* _t188;
          				unsigned int _t190;
          				signed int _t191;
          				signed int _t215;
          				signed int _t217;
          				signed int _t220;
          				char* _t228;
          				signed int _t231;
          				signed int _t234;
          				signed int _t265;
          				signed int _t267;
          				signed int _t271;
          				signed int _t275;
          				void* _t362;
          				void* _t363;
          				void* _t364;
          				void* _t365;
          				void* _t366;
          				void* _t367;
          				void* _t368;
          				intOrPtr* _t369;
          				void* _t370;
          				void* _t371;
          				void* _t372;
          				void* _t374;
          				void* _t376;
          				void* _t393;
          
          				E00402930(0x2a48, __ecx);
          				_t80 = memcpy( &_a6728, "Software\\National Instruments\\Common\\Installer", 0xb << 2);
          				asm("movsw");
          				asm("movsb");
          				memset( &_a6775, _t80, 0x1f4 << 2);
          				_t376 = _t374 + 0x18;
          				asm("stosb");
          				_t83 = RegOpenKeyExA(0x80000002,  &_a6728, 0, 0x10008,  &_a20);
          				if(_t83 == 0) {
          					_t152 = _a20;
          					_a12 = _t83;
          					_v0 = 0x800;
          					if(RegEnumKeyExA(_t152, 0,  &_a324,  &_v0, _t83, _t83, _t83, _t83) == 0) {
          						do {
          							asm("repne scasb");
          							_t154 =  !(_t152 | 0xffffffff);
          							_t362 =  &_a6728 - _t154;
          							_t155 = _t154 >> 2;
          							memcpy(_t362 + _t155 + _t155, _t362, memcpy( &_a2632, _t362, _t155 << 2) & 0x00000003);
          							asm("repne scasb");
          							_t363 = "\\";
          							asm("repne scasb");
          							memcpy( &_a2632 - 1, _t363, 0 << 2);
          							memcpy(_t363 + 0x175b75a, _t363, 0);
          							asm("repne scasb");
          							_t364 =  &_a324;
          							asm("repne scasb");
          							memcpy( &_a2632 - 1, _t364, 0 << 2);
          							memcpy(_t364 + 0x175b75a, _t364, 0);
          							asm("repne scasb");
          							_t365 = "\\Products";
          							asm("repne scasb");
          							memcpy( &_a2632 - 1, _t365, 0 << 2);
          							memcpy(_t365 + 0x175b75a, _t365, 0);
          							_t376 = _t376 + 0x60;
          							_t100 = RegOpenKeyExA(0x80000002,  &_a2632, 0, 0x10008,  &_a8);
          							if(_t100 == 0) {
          								_t188 = _a8;
          								_a4 = _t100;
          								_v0 = 0x800;
          								if(RegEnumKeyExA(_t188, 0,  &_a24,  &_v0, _t100, _t100, _t100, _t100) == 0) {
          									do {
          										asm("repne scasb");
          										_t190 =  !(_t188 | 0xffffffff);
          										_t366 =  &_a2632 - _t190;
          										_t191 = _t190 >> 2;
          										memcpy(_t366 + _t191 + _t191, _t366, memcpy( &_a584, _t366, _t191 << 2) & 0x00000003);
          										asm("repne scasb");
          										_t367 = "\\";
          										asm("repne scasb");
          										memcpy( &_a584 - 1, _t367, 0 << 2);
          										memcpy(_t367 + 0x175b75a, _t367, 0);
          										asm("repne scasb");
          										_t368 =  &_a24;
          										asm("repne scasb");
          										memcpy( &_a584 - 1, _t368, 0 << 2);
          										memcpy(_t368 + 0x175b75a, _t368, 0);
          										_t117 = E00401950( &_a584, 0x80000002,  &_a584, "LaunchedByUpgrade",  &_a8776);
          										_t376 = _t376 + 0x58;
          										if(_t117 == 0) {
          											_t369 = "True";
          											_t121 =  &_a8776;
          											while(1) {
          												_t265 =  *_t121;
          												_t215 = _t265;
          												if(_t265 !=  *_t369) {
          													break;
          												}
          												if(_t215 == 0) {
          													L10:
          													_t121 = 0;
          												} else {
          													_t275 =  *((intOrPtr*)(_t121 + 1));
          													_t215 = _t275;
          													if(_t275 !=  *((intOrPtr*)(_t369 + 1))) {
          														break;
          													} else {
          														_t121 = _t121 + 2;
          														_t369 = _t369 + 2;
          														if(_t215 != 0) {
          															continue;
          														} else {
          															goto L10;
          														}
          													}
          												}
          												L12:
          												if(_t121 == 0) {
          													E00401B10(0x80000002,  &_a584, "LaunchedByUpgrade");
          													asm("repne scasb");
          													_t217 =  !(_t215 | 0xffffffff);
          													_t370 = "\\Features" - _t217;
          													_t267 = _t217;
          													asm("repne scasb");
          													_t220 = _t267 >> 2;
          													memcpy( &_a584 - 1, _t370, _t220 << 2);
          													memcpy(_t370 + _t220 + _t220, _t370, _t267 & 0x00000003);
          													_t376 = _t376 + 0x24;
          													if(RegOpenKeyExA(0x80000002,  &_a584, 0, 0x10008,  &_a16) == 0) {
          														_t144 = 0;
          														_v0 = 0x800;
          														_t130 = RegEnumKeyExA(_a16, 0,  &_a4680,  &_v0, 0, 0, 0, 0);
          														_t131 =  *0x40cba0; // 0x0
          														_a64 = _t131;
          														memset( &_a65, 0, 0x40 << 2);
          														_t393 = _t376 + 0xc;
          														_t228 = 0;
          														asm("stosw");
          														asm("stosb");
          														if(_t130 == 0) {
          															do {
          																asm("repne scasb");
          																_t231 =  !(_t228 | 0xffffffff);
          																_t371 =  &_a4680 - _t231;
          																_t271 = _t231;
          																asm("repne scasb");
          																_t234 = _t271 >> 2;
          																_t137 = memcpy( &_a64 - 1, _t371, _t234 << 2);
          																_t138 = memcpy(_t371 + _t234 + _t234, _t371, _t271 & 0x00000003);
          																asm("repne scasb");
          																_t372 = ",";
          																asm("repne scasb");
          																_t139 = memcpy( &_a64 - 1, _t372, 0 << 2);
          																memcpy(_t372 + 0x175b75a, _t372, 0);
          																_t393 = _t393 + 0x30;
          																_t228 =  &_a4680;
          																_t144 = _t144 + 1;
          																_v0 = 0x800;
          															} while (RegEnumKeyExA(_a16, _t144, _t228,  &_v0, _t139, _t138, _t137, 0) == 0);
          														}
          														E00402000( &_a24,  &_a24,  &_a64);
          														_t376 = _t393 + 8;
          													}
          												}
          												goto L17;
          											}
          											asm("sbb eax, eax");
          											asm("sbb eax, 0xffffffff");
          											goto L12;
          										}
          										L17:
          										_t188 =  &_a24;
          										_t119 = _a4 + 1;
          										_v0 = 0x800;
          										_a4 = _t119;
          									} while (RegEnumKeyExA(_a8, _t119, _t188,  &_v0, 0, 0, 0, 0) == 0);
          								}
          							}
          							_t152 =  &_v0;
          							_t102 = _a12 + 1;
          							_a12 = _t102;
          							_v0 = 0x800;
          						} while (RegEnumKeyExA(_a20, _t102,  &_a324, _t152, 0, 0, 0, 0) == 0);
          					}
          				}
          				E00402560();
          				return 0;
          			}
















































          APIs
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,00000000,?,?,00401F09,?,?,?,?,00000002,00000000), ref: 00402154
          • RegEnumKeyExA.ADVAPI32 ref: 00402188
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,00000000), ref: 00402267
          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402292
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,?,?,00000000,?,?,00401F09), ref: 004023F1
          • RegEnumKeyExA.ADVAPI32 ref: 0040241C
          • RegEnumKeyExA.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000), ref: 004024BD
          • RegEnumKeyExA.ADVAPI32 ref: 00402508
          • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0040253E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: Enum$Open
          • String ID: LaunchedByUpgrade$Software\National Instruments\Common\Installer$True$\Features$\Products
          • API String ID: 2886760741-2479498176
          • Opcode ID: 7dd44f7b7fb6cc3bb412674e3fca0227e08ebc00af2dfe5d1af8e540607f88c2
          • Instruction ID: e06a848dff5b1de540653e02ba3b4738d837672f7e5830e33102932e8d24d52f
          • Opcode Fuzzy Hash: 7dd44f7b7fb6cc3bb412674e3fca0227e08ebc00af2dfe5d1af8e540607f88c2
          • Instruction Fuzzy Hash: C1C102712047042BD728CA388C51BABB7DAFBC4360F144B2DF99AE72D0EEB49D088355
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 504 407ab8-407ac3 505 407ac5-407ad4 LoadLibraryA 504->505 506 407b07-407b0e 504->506 507 407ad6-407aeb GetProcAddress 505->507 508 407b3d-407b3f 505->508 509 407b10-407b16 506->509 510 407b26-407b32 506->510 507->508 511 407aed-407b02 GetProcAddress * 2 507->511 512 407b39-407b3c 508->512 509->510 514 407b18-407b1f 509->514 510->512 511->506 514->510 515 407b21-407b24 514->515 515->510
          C-Code - Quality: 46%
          			E00407AB8(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
          				intOrPtr* _t4;
          				intOrPtr* _t7;
          				_Unknown_base(*)()* _t11;
          				void* _t14;
          				struct HINSTANCE__* _t15;
          				void* _t17;
          
          				_t14 = 0;
          				_t17 =  *0x40cd58 - _t14; // 0x0
          				if(_t17 != 0) {
          					L4:
          					_t4 =  *0x40cd5c; // 0x0
          					if(_t4 != 0) {
          						_t14 =  *_t4();
          						if(_t14 != 0) {
          							_t7 =  *0x40cd60; // 0x0
          							if(_t7 != 0) {
          								_t14 =  *_t7(_t14);
          							}
          						}
          					}
          					return  *0x40cd58(_t14, _a4, _a8, _a12);
          				}
          				_t15 = LoadLibraryA("user32.dll");
          				if(_t15 == 0) {
          					L10:
          					return 0;
          				}
          				_t11 = GetProcAddress(_t15, "MessageBoxA");
          				 *0x40cd58 = _t11;
          				if(_t11 == 0) {
          					goto L10;
          				} else {
          					 *0x40cd5c = GetProcAddress(_t15, "GetActiveWindow");
          					 *0x40cd60 = GetProcAddress(_t15, "GetLastActivePopup");
          					goto L4;
          				}
          			}










          APIs
          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00405B19,?,Microsoft Visual C++ Runtime Library,00012010,?,00409474,?,004094C4,?,?,?,Runtime Error!Program: ), ref: 00407ACA
          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00407AE2
          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00407AF3
          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00407B00
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: AddressProc$LibraryLoad
          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
          • API String ID: 2238633743-4044615076
          • Opcode ID: 26a4fcb85a41a32f21b6f054b90c880790b3519dd8e4857dbe18605639630098
          • Instruction ID: d07be468ec585ada6f77aa96810e5dc4b75004f387cc811d2131858bc41c197e
          • Opcode Fuzzy Hash: 26a4fcb85a41a32f21b6f054b90c880790b3519dd8e4857dbe18605639630098
          • Instruction Fuzzy Hash: 60012172B04311EBCB119FB59DC0E5B7FB8AF88654710053BA540F22A1D778B841DBAE
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 554 401460-40149d call 40295f FindFirstFileA 557 401573-401584 RemoveDirectoryA 554->557 558 4014a3-4014aa 554->558 559 4014ab-4014cc call 40295f 558->559 562 40154c-401554 DeleteFileA 559->562 563 4014ce-4014d3 559->563 564 40155a-401564 FindNextFileA 562->564 565 4014d7-4014dd 563->565 564->559 566 40156a-401572 FindClose 564->566 567 4014fb-4014fd 565->567 568 4014df-4014e1 565->568 566->557 569 401500-401502 567->569 570 4014e3-4014eb 568->570 571 4014f7-4014f9 568->571 569->564 573 401504-401509 569->573 570->567 572 4014ed-4014f5 570->572 571->569 572->565 572->571 574 40150d-401513 573->574 575 401531-401533 574->575 576 401515-401517 574->576 579 401536-401538 575->579 577 401519-401521 576->577 578 40152d-40152f 576->578 577->575 580 401523-40152b 577->580 578->579 579->564 581 40153a-40154a call 401460 579->581 580->574 580->578 581->564
          C-Code - Quality: 91%
          			E00401460(void* __ecx, CHAR* _a4) {
          				char _v260;
          				char _v520;
          				struct _WIN32_FIND_DATAA _v840;
          				intOrPtr* _t30;
          				intOrPtr* _t31;
          				intOrPtr _t41;
          				intOrPtr _t42;
          				intOrPtr _t43;
          				intOrPtr _t46;
          				intOrPtr _t47;
          				intOrPtr _t48;
          				intOrPtr _t49;
          				void* _t50;
          				char* _t52;
          				intOrPtr* _t54;
          				CHAR* _t55;
          				FILETIME* _t57;
          
          				_t55 = _a4;
          				E0040295F(__ecx,  &_v260, "%s\\*.*", _t55);
          				_t57 =  &( &_v840->ftLastAccessTime);
          				_t50 = FindFirstFileA( &_v260,  &_v840);
          				if(_t50 == 0xffffffff) {
          					L23:
          					RemoveDirectoryA(_t55);
          					return 0;
          				}
          				do {
          					_push( &(_v840.cFileName));
          					E0040295F( &_v520,  &_v520, "%s\\%s", _t55);
          					_t57 = _t57 + 0x10;
          					if((_v840.dwFileAttributes & 0x00000010) == 0) {
          						DeleteFileA( &_v520);
          						goto L21;
          					}
          					_t52 = ".";
          					_t30 =  &(_v840.cFileName);
          					while(1) {
          						_t46 =  *_t30;
          						_t41 = _t46;
          						if(_t46 !=  *_t52) {
          							break;
          						}
          						if(_t41 == 0) {
          							L8:
          							_t30 = 0;
          							L10:
          							if(_t30 == 0) {
          								goto L21;
          							}
          							_t54 = "..";
          							_t31 =  &(_v840.cFileName);
          							while(1) {
          								_t47 =  *_t31;
          								_t42 = _t47;
          								if(_t47 !=  *_t54) {
          									break;
          								}
          								if(_t42 == 0) {
          									L16:
          									_t31 = 0;
          									L18:
          									if(_t31 != 0) {
          										E00401460(_t42,  &_v520);
          										_t57 =  &(_t57->dwHighDateTime);
          									}
          									goto L21;
          								}
          								_t48 =  *((intOrPtr*)(_t31 + 1));
          								_t42 = _t48;
          								_t15 = _t54 + 1; // 0x2e00002e
          								if(_t48 !=  *_t15) {
          									break;
          								}
          								_t31 = _t31 + 2;
          								_t54 = _t54 + 2;
          								if(_t42 != 0) {
          									continue;
          								}
          								goto L16;
          							}
          							asm("sbb eax, eax");
          							asm("sbb eax, 0xffffffff");
          							goto L18;
          						}
          						_t49 =  *((intOrPtr*)(_t30 + 1));
          						_t43 = _t49;
          						_t12 =  &(_t52[1]); // 0x25000000
          						if(_t49 !=  *_t12) {
          							break;
          						}
          						_t30 = _t30 + 2;
          						_t52 =  &(_t52[2]);
          						if(_t43 != 0) {
          							continue;
          						}
          						goto L8;
          					}
          					asm("sbb eax, eax");
          					asm("sbb eax, 0xffffffff");
          					goto L10;
          					L21:
          				} while (FindNextFileA(_t50,  &_v840) != 0);
          				FindClose(_t50);
          				goto L23;
          			}





















          APIs
          • FindFirstFileA.KERNEL32(?,?,?,00000000,76151C40), ref: 00401492
          • DeleteFileA.KERNEL32(?,?,?,0040CBA0,?,?,00000000,76151C40), ref: 00401554
          • FindNextFileA.KERNEL32(00000000,?,?,?,0040CBA0,?,?,00000000,76151C40), ref: 00401560
          • FindClose.KERNEL32(00000000,?,?,0040CBA0,?,?,00000000,76151C40), ref: 0040156B
          • RemoveDirectoryA.KERNEL32(?,?,00000000,76151C40), ref: 00401574
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: FileFind$CloseDeleteDirectoryFirstNextRemove
          • String ID: %s\%s$%s\*.*
          • API String ID: 196174304-1665845743
          • Opcode ID: 3678cd04db3b0f74ed4aa8336a0d5142d6ab49a620a3df1d3ae3a5551c7a0dae
          • Instruction ID: a4b4e18218f9134548ffb1cb0adcfa4e2250a669a534c6367b0391c9d43ce764
          • Opcode Fuzzy Hash: 3678cd04db3b0f74ed4aa8336a0d5142d6ab49a620a3df1d3ae3a5551c7a0dae
          • Instruction Fuzzy Hash: 4D3106714042456BC3209F749CA49BB7BED9B96314F48493AEC9AA73F1E23E99088319
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 91%
          			E00405644(void* __ecx, void* __eflags) {
          				char _v8;
          				struct _OSVERSIONINFOA _v156;
          				char _v416;
          				char _v4656;
          				void* _t24;
          				CHAR* _t32;
          				void* _t33;
          				intOrPtr* _t34;
          				void* _t35;
          				char _t36;
          				char _t38;
          				void* _t40;
          				char* _t44;
          				char* _t45;
          				char* _t50;
          
          				E00402930(0x122c, __ecx);
          				_v156.dwOSVersionInfoSize = 0x94;
          				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
          					_t40 = 1;
          					return _t40;
          				}
          				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
          					L28:
          					_t24 = E00405617( &_v8);
          					asm("sbb eax, eax");
          					return _t24 + 3;
          				}
          				_t44 =  &_v4656;
          				if(_v4656 != 0) {
          					do {
          						_t38 =  *_t44;
          						if(_t38 >= 0x61 && _t38 <= 0x7a) {
          							 *_t44 = _t38 - 0x20;
          						}
          						_t44 = _t44 + 1;
          					} while ( *_t44 != 0);
          				}
          				if(E00407A80("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
          					GetModuleFileNameA(0,  &_v416, 0x104);
          					_t45 =  &_v416;
          					if(_v416 != 0) {
          						do {
          							_t36 =  *_t45;
          							if(_t36 >= 0x61 && _t36 <= 0x7a) {
          								 *_t45 = _t36 - 0x20;
          							}
          							_t45 = _t45 + 1;
          						} while ( *_t45 != 0);
          					}
          					_t32 = E00407A00( &_v4656,  &_v416);
          				} else {
          					_t32 =  &_v4656;
          				}
          				if(_t32 == 0) {
          					goto L28;
          				}
          				_t33 = E00403D70(_t32, 0x2c);
          				if(_t33 == 0) {
          					goto L28;
          				}
          				_t34 = _t33 + 1;
          				_t50 = _t34;
          				if( *_t34 != 0) {
          					do {
          						if( *_t50 != 0x3b) {
          							_t50 = _t50 + 1;
          						} else {
          							 *_t50 = 0;
          						}
          					} while ( *_t50 != 0);
          				}
          				_t35 = E004077D5(_t34, 0, 0xa);
          				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
          					goto L28;
          				}
          				return _t35;
          			}

          APIs
          • GetVersionExA.KERNEL32 ref: 00405663
          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00405698
          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004056F8
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: EnvironmentFileModuleNameVariableVersion
          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
          • API String ID: 1385375860-4131005785
          • Opcode ID: d0bcb2e6f905d7873b2a5bc6778909478e401390e0628133efd947fe4d913409
          • Instruction ID: 3d048bbab899a3f2371943c2aff4e6104f34cc90a0bd094529bdcc32f6265c7a
          • Opcode Fuzzy Hash: d0bcb2e6f905d7873b2a5bc6778909478e401390e0628133efd947fe4d913409
          • Instruction Fuzzy Hash: 44312371901688ADEB3196705C45BEF3768CB02304F6404FBD189F72C2E63A8E899F29
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 71%
          			E00401590(void* __ecx, void* __eflags, void _a1, char _a2048, void _a2049, char _a4096, char _a6144, void _a6145, char _a8192, void _a8263, char _a10240, void _a10308, void _a12288, void _a12352) {
          				char _v0;
          				int _v4;
          				void* _v8;
          				int _t82;
          				void* _t122;
          				char _t169;
          				char _t177;
          				int _t211;
          				int _t212;
          				void* _t214;
          				void* _t220;
          				void* _t226;
          				void* _t229;
          
          				E00402930(0x3808, __ecx);
          				_push(0);
          				_push(2);
          				L00402918();
          				memset( &_a12352, memcpy( &_a12288, "Software\\National Instruments\\Common\\Installer\\Pending\\Registry", 0x10 << 2), 0x1f0 << 2);
          				memset( &_a10308, memcpy( &_a10240, "Software\\National Instruments\\Common\\Installer\\Pending\\Registry\\Add", 0x11 << 2), 0x1ef << 2);
          				_t82 = memcpy( &_a8192, "Software\\National Instruments\\Common\\Installer\\Pending\\Registry\\Delete", 0x11 << 2);
          				asm("movsw");
          				asm("movsb");
          				memset( &_a8263, _t82, 0x1ee << 2);
          				_t220 = _t214 + 0x48;
          				asm("stosb");
          				if(RegOpenKeyExA(0x80000002,  &_a8192, 0, 0x30019,  &_v8) == 0) {
          					_t212 = 0;
          					_v4 = 0x800;
          					if(RegEnumKeyExA(_v8, 0,  &_a4096,  &_v4, 0, 0, 0, 0) == 0) {
          						do {
          							_t177 =  *0x40cba0; // 0x0
          							_a2048 = _t177;
          							_v0 = _t177;
          							memset( &_a2049, 0, 0x1ff << 2);
          							asm("stosw");
          							asm("stosb");
          							memset( &_a1, 0, 0x1ff << 2);
          							asm("stosw");
          							asm("stosb");
          							E00401950(_v8, _v8,  &_a4096, "Key",  &_a2048);
          							E00401950(_v8, _v8,  &_a4096, "ValueName",  &_v0);
          							_t122 = E00402A47( &_v0, "-");
          							_t229 = _t220 + 0x40;
          							if(_t122 == 0) {
          								E00401B50(0x80000002,  &_a2048);
          								_t220 = _t229 + 8;
          							} else {
          								E00401B10(0x80000002,  &_a2048,  &_v0);
          								_t220 = _t229 + 0xc;
          							}
          							_t212 = _t212 + 1;
          							_v4 = 0x800;
          						} while (RegEnumKeyExA(_v8, _t212,  &_a4096,  &_v4, 0, 0, 0, 0) == 0);
          					}
          				}
          				if(RegOpenKeyExA(0x80000002,  &_a10240, 0, 0x30019,  &_v8) == 0) {
          					_t211 = 0;
          					_v4 = 0x800;
          					if(RegEnumKeyExA(_v8, 0,  &_a4096,  &_v4, 0, 0, 0, 0) == 0) {
          						do {
          							_t169 =  *0x40cba0; // 0x0
          							_a6144 = _t169;
          							_a2048 = _t169;
          							memset( &_a6145, 0, 0x1ff << 2);
          							asm("stosw");
          							asm("stosb");
          							_v0 = _t169;
          							memset( &_a2049, 0, 0x1ff << 2);
          							asm("stosw");
          							asm("stosb");
          							memset( &_a1, 0, 0x1ff << 2);
          							asm("stosw");
          							asm("stosb");
          							E00401950(_v8, _v8,  &_a4096, "Key",  &_a6144);
          							E00401950(_v8, _v8,  &_a4096, "ValueName",  &_a2048);
          							_t154 = _v8;
          							E00401950(_v8, _v8,  &_a4096, "Value",  &_v0);
          							_t226 = _t220 + 0x54;
          							if(_v0 != 0x23) {
          								E00401980(0x80000002,  &_a6144,  &_a2048,  &_v0);
          								_t220 = _t226 + 0x10;
          							} else {
          								E00401A00(0x80000002,  &_a6144,  &_a2048, E00402A3C(_t154,  &_a1));
          								_t220 = _t226 + 0x14;
          							}
          							_t211 = _t211 + 1;
          							_v4 = 0x800;
          						} while (RegEnumKeyExA(_v8, _t211,  &_a4096,  &_v4, 0, 0, 0, 0) == 0);
          					}
          				}
          				E00401B50(0x80000002,  &_a12288);
          				return 0;
          			}

          APIs
          • #141.MSI(00000002,00000000,?,00000000,?,?,00401F18,?,?,?,?,00000002,00000000,?,?,00000000), ref: 004015A2
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,00000000,00000002,00000000,?,00000000,?,?,00401F18), ref: 0040162F
          • RegEnumKeyExA.ADVAPI32 ref: 00401660
          • RegEnumKeyExA.ADVAPI32 ref: 00401744
            • Part of subcall function 00401B10: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000002,?,004023A4,80000002,?,LaunchedByUpgrade,00000000,?,?,00401F09), ref: 00401B23
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,?,?,?,00401F18,?,?,?,?,00000002,00000000), ref: 00401767
          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401792
          • RegEnumKeyExA.ADVAPI32 ref: 004018C1
          Strings
          • Key, xrefs: 004016B1, 004017FF
          • Software\National Instruments\Common\Installer\Pending\Registry, xrefs: 004015AC
          • Value, xrefs: 0040183A
          • Software\National Instruments\Common\Installer\Pending\Registry\Add, xrefs: 004015CF
          • Software\National Instruments\Common\Installer\Pending\Registry\Delete, xrefs: 004015F6
          • ValueName, xrefs: 004016CD, 0040181E
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: Enum$Open$#141
          • String ID: Key$Software\National Instruments\Common\Installer\Pending\Registry$Software\National Instruments\Common\Installer\Pending\Registry\Add$Software\National Instruments\Common\Installer\Pending\Registry\Delete$Value$ValueName
          • API String ID: 2386238868-3649169837
          • Opcode ID: 0bc07cfdd67613d4aaf23d445e10788670e591f35f0d290892056c8f2a16d896
          • Instruction ID: de9825dd147b1e2ceb3ec80a2ef9a2be02f9c89fdebecb7e69e6a4943e4f0716
          • Opcode Fuzzy Hash: 0bc07cfdd67613d4aaf23d445e10788670e591f35f0d290892056c8f2a16d896
          • Instruction Fuzzy Hash: CE816271104385AAE320DA50CC55FEBB7EDEFC8344F00883DF68967191EAB5A609C7A6
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 199 401000-40105a call 402930 #141 RegOpenKeyExA 202 401060-40108d RegEnumKeyExA 199->202 203 4012d8-4012f8 call 401b50 199->203 202->203 205 401093-401094 202->205 207 40109a-40114b call 401950 205->207 210 4012a1-4012d1 RegEnumKeyExA 207->210 211 401151-401156 207->211 210->207 212 4012d7 210->212 213 40115d-401163 211->213 212->203 214 401181-401183 213->214 215 401165-401167 213->215 218 401186-401188 214->218 216 401169-401171 215->216 217 40117d-40117f 215->217 216->214 220 401173-40117b 216->220 217->218 218->210 219 40118e-4011c1 #93 RegOpenKeyExA 218->219 221 4011c7-4011e5 RegEnumValueA 219->221 222 401288-40129c #33 #8 219->222 220->213 220->217 221->222 223 4011eb-40120f call 401950 221->223 222->210 226 401261-401282 RegEnumValueA 223->226 227 401211-401216 223->227 226->222 226->223 228 40121d-401223 227->228 229 401241-401243 228->229 230 401225-401227 228->230 233 401246-401248 229->233 231 401229-401231 230->231 232 40123d-40123f 230->232 231->229 234 401233-40123b 231->234 232->233 233->226 235 40124a-40125c #144 233->235 234->228 234->232 235->226
          C-Code - Quality: 79%
          			E00401000(void* __ecx, void* __eflags, void* _a4, char _a8, int _a12, char _a268, char _a536, char _a796, char _a1048, void _a1056, char _a3104, void _a3168) {
          				void* _v0;
          				char _v8;
          				int _v12;
          				intOrPtr _v16;
          				intOrPtr _v24;
          				int* _t61;
          				void* _t77;
          				int _t79;
          				intOrPtr* _t81;
          				void* _t89;
          				intOrPtr* _t92;
          				char* _t101;
          				unsigned int _t103;
          				signed int _t104;
          				intOrPtr _t128;
          				intOrPtr _t134;
          				intOrPtr _t136;
          				intOrPtr _t137;
          				intOrPtr _t146;
          				intOrPtr _t151;
          				intOrPtr _t153;
          				intOrPtr _t154;
          				int _t183;
          				void* _t185;
          				void* _t186;
          				void* _t187;
          				intOrPtr* _t188;
          				intOrPtr* _t189;
          				void* _t193;
          				void* _t195;
          
          				E00402930(0x1428, __ecx);
          				_push(0);
          				_push(2);
          				L00402918();
          				memset( &_a3168, memcpy( &_a3104, "Software\\National Instruments\\Common\\Installer\\Pending\\Packages", 0x10 << 2), 0x1f0 << 2);
          				_t195 = _t193 + 0x18;
          				_t61 = RegOpenKeyExA(0x80000002,  &_a3104, 0, 0x10008,  &_a4);
          				if(_t61 != 0) {
          					L28:
          					E00401B50(0x80000002,  &_a3104);
          					return 0;
          				}
          				_t101 = _a4;
          				_a12 = _t61;
          				_v0 = 0x800;
          				if(RegEnumKeyExA(_t101, 0,  &_a536,  &_v0, _t61, _t61, _t61, _t61) != 0) {
          					goto L28;
          				}
          				do {
          					asm("repne scasb");
          					_t103 =  !(_t101 | 0xffffffff);
          					_t185 =  &_a3104 - _t103;
          					_t104 = _t103 >> 2;
          					memcpy(_t185 + _t104 + _t104, _t185, memcpy( &_a1056, _t185, _t104 << 2) & 0x00000003);
          					asm("repne scasb");
          					_t186 = "\\";
          					asm("repne scasb");
          					memcpy( &_a1056 - 1, _t186, 0 << 2);
          					memcpy(_t186 + 0x175b75a, _t186, 0);
          					asm("repne scasb");
          					_t187 =  &_a536;
          					asm("repne scasb");
          					memcpy( &_a1056 - 1, _t187, 0 << 2);
          					memcpy(_t187 + 0x175b75a, _t187, 0);
          					_t77 = E00401950( &_a1056, 0x80000002,  &_a1056, 0x40cba0,  &_a796);
          					_t195 = _t195 + 0x58;
          					if(_t77 != 0) {
          						goto L26;
          					}
          					_t188 = 0x40cba0;
          					_t81 =  &_a3104;
          					while(1) {
          						_t146 =  *_t81;
          						_t128 = _t146;
          						if(_t146 !=  *_t188) {
          							break;
          						}
          						if(_t128 == 0) {
          							L9:
          							_t81 = 0;
          							L11:
          							if(_t81 == 0) {
          								goto L26;
          							}
          							_push( &_v8);
          							_push( &_a796);
          							L00402912();
          							if(RegOpenKeyExA(0x80000002,  &_a1048, 0, 0x30019,  &_v0) != 0) {
          								L25:
          								_push("INSTALL");
          								_push(_v16);
          								L00402906();
          								_push(_v24);
          								L00402900();
          								goto L26;
          							}
          							_t183 = 0;
          							_v12 = 0x800;
          							if(RegEnumValueA(_v0, 0,  &_a8,  &_v12, 0, 0, 0, 0) != 0) {
          								goto L25;
          							} else {
          								goto L14;
          							}
          							do {
          								L14:
          								_t89 = E00401950( &_a268, 0x80000002,  &_a1048,  &_a8,  &_a268);
          								_t195 = _t195 + 0x10;
          								if(_t89 != 0) {
          									goto L24;
          								}
          								_t189 = 0x40cba0;
          								_t92 =  &_a268;
          								while(1) {
          									_t151 =  *_t92;
          									_t134 = _t151;
          									if(_t151 !=  *_t189) {
          										break;
          									}
          									if(_t134 == 0) {
          										L20:
          										_t92 = 0;
          										L22:
          										if(_t92 != 0) {
          											_push( &_a268);
          											_push( &_a8);
          											_push(_v16);
          											L0040290C();
          										}
          										goto L24;
          									}
          									_t153 =  *((intOrPtr*)(_t92 + 1));
          									_t136 = _t153;
          									_t38 = _t189 + 1; // 0x28000000
          									if(_t153 !=  *_t38) {
          										break;
          									}
          									_t92 = _t92 + 2;
          									_t189 = _t189 + 2;
          									if(_t136 != 0) {
          										continue;
          									}
          									goto L20;
          								}
          								asm("sbb eax, eax");
          								asm("sbb eax, 0xffffffff");
          								goto L22;
          								L24:
          								_t183 = _t183 + 1;
          								_v12 = 0x800;
          							} while (RegEnumValueA(_v0, _t183,  &_a8,  &_v12, 0, 0, 0, 0) == 0);
          							goto L25;
          						}
          						_t154 =  *((intOrPtr*)(_t81 + 1));
          						_t137 = _t154;
          						_t24 = _t188 + 1; // 0x28000000
          						if(_t154 !=  *_t24) {
          							break;
          						}
          						_t81 = _t81 + 2;
          						_t188 = _t188 + 2;
          						if(_t137 != 0) {
          							continue;
          						}
          						goto L9;
          					}
          					asm("sbb eax, eax");
          					asm("sbb eax, 0xffffffff");
          					goto L11;
          					L26:
          					_t101 =  &_a536;
          					_t79 = _a12 + 1;
          					_v0 = 0x800;
          					_a12 = _t79;
          				} while (RegEnumKeyExA(_a4, _t79, _t101,  &_v0, 0, 0, 0, 0) == 0);
          				goto L28;
          			}

          APIs
          • #141.MSI(00000002,00000000,?,00000000,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 00401011
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,00000002,00000002,00000000,?,00000000,?,00401F0E,?,?,?,?,00000002), ref: 00401052
          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00401F0E,?,?,?,?,00000002,00000000), ref: 00401085
          • #93.MSI(?,?,?,?,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 0040119B
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,?,?,?,?,?,?,00401F0E,?,?,?,?,00000002), ref: 004011B9
          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00401F0E), ref: 004011E1
          • #144.MSI(?,?,?,?,?,?,?,?,?,?,00401F0E,?,?,?,?,00000002), ref: 0040125C
          • RegEnumValueA.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00401F0E), ref: 0040127E
          • #33.MSI(?,INSTALL,?,?,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 00401292
          • #8.MSI(?,?,INSTALL,?,?,?,00401F0E,?,?,?,?,00000002,00000000,?,?,00000000), ref: 0040129C
          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,?,00401F0E), ref: 004012C9
          Strings
          • INSTALL, xrefs: 0040128C
          • Software\National Instruments\Common\Installer\Pending\Packages, xrefs: 0040101B
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: Enum$OpenValue$#141#144
          • String ID: INSTALL$Software\National Instruments\Common\Installer\Pending\Packages
          • API String ID: 1673989077-4187696605
          • Opcode ID: 508e0019067645cabf854cedd48ae2c5c99ffa88a9228ada605aeab4d9a9d5a4
          • Instruction ID: 49950ebe7a4143e8449bb4f34a74d1fba4a62074bb019eec2100c2f3fe430e4f
          • Opcode Fuzzy Hash: 508e0019067645cabf854cedd48ae2c5c99ffa88a9228ada605aeab4d9a9d5a4
          • Instruction Fuzzy Hash: 7881D4716043446BD324DB208C91FBBB7E9EBD4314F444A2DFA9AF72D0EA74AA08C755
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 473 4025f0-402646 call 402930 RegOpenKeyExA 476 4028e4-4028f0 473->476 477 40264c-402678 RegEnumKeyExA 473->477 477->476 478 40267e-402758 RegOpenKeyExA 477->478 479 4028b5-4028de RegEnumKeyExA 478->479 480 40275e-40277c RegEnumKeyExA 478->480 479->476 479->478 481 4028b0 480->481 482 402782-402830 call 401950 480->482 481->479 485 402832-402837 482->485 486 402885-4028aa RegEnumKeyExA 482->486 487 40283e-402844 485->487 486->481 486->482 488 402862-402864 487->488 489 402846-402848 487->489 492 402867-402869 488->492 490 40284a-402852 489->490 491 40285e-402860 489->491 490->488 493 402854-40285c 490->493 491->492 492->486 494 40286b-402878 492->494 493->487 493->491 495 40287d call 401b10 494->495 496 402882 495->496 496->486
          C-Code - Quality: 80%
          			E004025F0(void* __ecx, void* __eflags) {
          				int _t55;
          				int* _t58;
          				int _t76;
          				void* _t91;
          				intOrPtr* _t94;
          				int* _t104;
          				unsigned int _t106;
          				signed int _t107;
          				int* _t140;
          				unsigned int _t142;
          				signed int _t143;
          				intOrPtr _t167;
          				intOrPtr _t168;
          				intOrPtr _t185;
          				intOrPtr _t186;
          				void* _t247;
          				void* _t248;
          				void* _t249;
          				void* _t250;
          				void* _t251;
          				void* _t252;
          				void* _t253;
          				intOrPtr* _t254;
          				char _t255;
          				int _t256;
          				void* _t257;
          				void* _t258;
          				void* _t259;
          				void* _t263;
          				void* _t264;
          				void* _t265;
          				void* _t267;
          				void* _t270;
          				void* _t271;
          				void* _t273;
          
          				E00402930(0x213c, __ecx);
          				_t55 = memcpy(_t257 + 0x114c, "Software\\National Instruments\\Common\\Installer", 0xb << 2);
          				_t258 = _t257 + 0xc;
          				asm("movsw");
          				asm("movsb");
          				memset(_t258 + 0x117b, _t55, 0x1f4 << 2);
          				_t259 = _t258 + 0xc;
          				asm("stosb");
          				_t58 = RegOpenKeyExA(0x80000002, _t259 + 0x114c, 0, 0x10008, _t259 + 0x1c);
          				if(_t58 != 0) {
          					L17:
          					return 0;
          				}
          				_t104 =  *(_t259 + 0x1c);
          				 *(_t259 + 0x24) = _t58;
          				_t255 = 0x800;
          				 *(_t259 + 0x30) = 0x800;
          				if(RegEnumKeyExA(_t104, 0, _t259 + 0x58, _t259 + 0x20, _t58, _t58, _t58, _t58) != 0) {
          					goto L17;
          				} else {
          					goto L2;
          				}
          				do {
          					L2:
          					asm("repne scasb");
          					_t106 =  !(_t104 | 0xffffffff);
          					_t247 = _t259 + 0x114c - _t106;
          					_t107 = _t106 >> 2;
          					memcpy(_t247 + _t107 + _t107, _t247, memcpy(_t259 + 0x94c, _t247, _t107 << 2) & 0x00000003);
          					asm("repne scasb");
          					_t248 = "\\";
          					asm("repne scasb");
          					memcpy(_t259 + 0x94c - 1, _t248, 0 << 2);
          					_t263 = _t259 + 0x24;
          					memcpy(_t248 + 0x175b75a, _t248, 0);
          					_t264 = _t263 + 0xc;
          					asm("repne scasb");
          					_t249 = _t264 + 0x48;
          					asm("repne scasb");
          					memcpy(_t263 + 0x94c - 1, _t249, 0 << 2);
          					_t265 = _t264 + 0xc;
          					memcpy(_t249 + 0x175b75a, _t249, 0);
          					asm("repne scasb");
          					_t250 = "\\Products";
          					asm("repne scasb");
          					memcpy(_t265 + 0x94c - 1, _t250, 0 << 2);
          					_t267 = _t265 + 0x18;
          					memcpy(_t250 + 0x175b75a, _t250, 0);
          					_t259 = _t267 + 0xc;
          					if(RegOpenKeyExA(0x80000002, _t259 + 0x954, 0, 0x10008, _t267 + 0x14) != 0) {
          						goto L16;
          					}
          					 *(_t259 + 0x10) = _t255;
          					_t140 =  *(_t259 + 0x14);
          					_t256 = 0;
          					if(RegEnumKeyExA(_t140, 0, _t259 + 0x30, _t259 + 0x10, 0, 0, 0, 0) != 0) {
          						L15:
          						_t255 = 0x800;
          						goto L16;
          					} else {
          						goto L4;
          					}
          					do {
          						L4:
          						asm("repne scasb");
          						_t142 =  !(_t140 | 0xffffffff);
          						_t251 = _t259 + 0x94c - _t142;
          						_t143 = _t142 >> 2;
          						memcpy(_t251 + _t143 + _t143, _t251, memcpy(_t259 + 0x14c, _t251, _t143 << 2) & 0x00000003);
          						asm("repne scasb");
          						_t252 = "\\";
          						asm("repne scasb");
          						memcpy(_t259 + 0x14c - 1, _t252, 0 << 2);
          						_t270 = _t259 + 0x24;
          						memcpy(_t252 + 0x175b75a, _t252, 0);
          						_t271 = _t270 + 0xc;
          						asm("repne scasb");
          						_t253 = _t271 + 0x20;
          						asm("repne scasb");
          						memcpy(_t270 + 0x14c - 1, _t253, 0 << 2);
          						memcpy(_t253 + 0x175b75a, _t253, 0);
          						_t273 = _t271 + 0x18;
          						_t91 = E00401950(_t273 + 0x150, 0x80000002, _t273 + 0x150, "LaunchedByUpgrade", _t271 + 0x1958);
          						_t259 = _t273 + 0x10;
          						if(_t91 != 0) {
          							goto L14;
          						}
          						_t254 = "True";
          						_t94 = _t259 + 0x194c;
          						while(1) {
          							_t185 =  *_t94;
          							_t167 = _t185;
          							if(_t185 !=  *_t254) {
          								break;
          							}
          							if(_t167 == 0) {
          								L10:
          								_t94 = 0;
          								L12:
          								if(_t94 == 0) {
          									E00401B10(0x80000002, _t259 + 0x14c, "LaunchedByUpgrade");
          									_t259 = _t259 + 0xc;
          								}
          								goto L14;
          							}
          							_t186 =  *((intOrPtr*)(_t94 + 1));
          							_t168 = _t186;
          							if(_t186 !=  *((intOrPtr*)(_t254 + 1))) {
          								break;
          							}
          							_t94 = _t94 + 2;
          							_t254 = _t254 + 2;
          							if(_t168 != 0) {
          								continue;
          							}
          							goto L10;
          						}
          						asm("sbb eax, eax");
          						asm("sbb eax, 0xffffffff");
          						goto L12;
          						L14:
          						_t140 = _t259 + 0x1c;
          						_t256 = _t256 + 1;
          						 *(_t259 + 0x30) = 0x800;
          					} while (RegEnumKeyExA( *(_t259 + 0x14), _t256, _t259 + 0x30, _t140, 0, 0, 0, 0) == 0);
          					goto L15;
          					L16:
          					_t104 = _t259 + 0x1c;
          					_t76 =  *((intOrPtr*)(_t259 + 0x18)) + 1;
          					 *(_t259 + 0x30) = _t76;
          					 *(_t259 + 0x2c) = _t255;
          				} while (RegEnumKeyExA( *(_t259 + 0x38), _t76, _t259 + 0x58, _t104, 0, 0, 0, 0) == 0);
          				goto L17;
          			}

          APIs
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,00000000,?,?,00401CDF), ref: 0040263E
          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00401CDF), ref: 00402674
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00010008,?,?,?,00401CDF), ref: 00402750
          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00401CDF), ref: 00402778
          • RegEnumKeyExA.ADVAPI32 ref: 004028A6
          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000,?,?,00401CDF), ref: 004028DA
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: Enum$Open
          • String ID: LaunchedByUpgrade$Software\National Instruments\Common\Installer$True$\Products
          • API String ID: 2886760741-1382438492
          • Opcode ID: 0b87adefa8f7891526eb2dd9f598246a54f3ecd23cfcbf4dcb29304336524394
          • Instruction ID: ce648c286ffc9d302242233de15ff693b37da1de6674104268b0460e64f32da7
          • Opcode Fuzzy Hash: 0b87adefa8f7891526eb2dd9f598246a54f3ecd23cfcbf4dcb29304336524394
          • Instruction Fuzzy Hash: C58115326047045BD728CA348C11BBBB6DAFBC4360F558B2EF96AD72C0EEB49D09C245
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          control_flow_graph 497 402560-402568 498 4025e6-4025eb 497->498 499 40256a 497->499 500 40256b-4025df #95 #144 * 2 #33 #8 call 402d88 499->500 503 4025e1-4025e5 500->503
          C-Code - Quality: 52%
          			E00402560() {
          				char _v4;
          				intOrPtr _v12;
          				intOrPtr _v24;
          				intOrPtr _v36;
          				intOrPtr _v44;
          				void* __ecx;
          				intOrPtr _t7;
          				intOrPtr _t9;
          				intOrPtr _t11;
          				intOrPtr _t17;
          				intOrPtr _t21;
          				void* _t23;
          
          				_t7 =  *0x40cbb0; // 0x0
          				if(_t7 == 0) {
          					return _v4;
          				} else {
          					do {
          						_push( &_v4);
          						_push(_t7);
          						L0040291E();
          						_t17 =  *0x40cbb0; // 0x0
          						_t9 = _v12;
          						_push(_t17 + 0x28);
          						_push("REMOVE");
          						_push(_t9);
          						L0040290C();
          						_push("true");
          						_push("NIUPDMGR");
          						_push(_v24);
          						L0040290C();
          						_push("INSTALL");
          						_push(_v36);
          						L00402906();
          						_t21 = _t9;
          						_push(_v44);
          						L00402900();
          						_t11 =  *0x40cbb0; // 0x0
          						 *0x40cbb0 =  *((intOrPtr*)(_t11 + 0x12c));
          						E00402D88( *((intOrPtr*)(_t11 + 0x12c)), _t11);
          						_t7 =  *0x40cbb0; // 0x0
          						_t23 = _t23 + 4;
          					} while (_t7 != 0);
          					return _t21;
          				}
          			}

          APIs
          • #95.MSI(00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09,?,?,?,?,00000002,00000000), ref: 00402571
          • #144.MSI(00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09,?,?,?,?,00000002), ref: 0040258A
          • #144.MSI(00401F09,NIUPDMGR,true,00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09), ref: 0040259E
          • #33.MSI(00401F09,INSTALL,00401F09,NIUPDMGR,true,00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D,?,?,00401F09), ref: 004025AD
          • #8.MSI(00401F09,00401F09,INSTALL,00401F09,NIUPDMGR,true,00401F09,REMOVE,-00000028,00000000,00401F09,Software\National Instruments\Common\Installer,?,0040254D), ref: 004025B9
          Strings
          Similarity
          • API ID: #144
          • String ID: INSTALL$NIUPDMGR$REMOVE$Software\National Instruments\Common\Installer$true
          • API String ID: 754210601-1166942411
          • Opcode ID: cd85fedb005425671ccf931c4fce29cd49bdcc985c8d352f6bf11b9a998eca0e
          • Instruction ID: dfc41c33e4421ac4dad408e2e39661ee159591aadb481dedaf0fe2846f03e2d0
          • Opcode Fuzzy Hash: cd85fedb005425671ccf931c4fce29cd49bdcc985c8d352f6bf11b9a998eca0e
          • Instruction Fuzzy Hash: 0B011AF5304204ABC204EB65EE96E2B73A8AB88744B14467FF445B72C1C6B8E910975D
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          control_flow_graph 517 403e2c-403e5a 518 403ea2-403ea5 517->518 519 403e5c-403e76 LCMapStringW 517->519 520 403eb7-403ebf 518->520 521 403ea7-403eb4 call 404050 518->521 522 403e80-403e92 LCMapStringA 519->522 523 403e78-403e7e 519->523 525 403ec1-403ed9 LCMapStringA 520->525 526 403ede-403ee1 520->526 521->520 527 403e98 522->527 528 403fba 522->528 523->518 530 403fbc-403fcd 525->530 526->528 531 403ee7-403eea 526->531 527->518 528->530 532 403ef4-403f18 MultiByteToWideChar 531->532 533 403eec-403ef1 531->533 532->528 534 403f1e-403f52 call 402930 532->534 533->532 534->528 538 403f54-403f6b MultiByteToWideChar 534->538 538->528 539 403f6d-403f86 LCMapStringW 538->539 539->528 540 403f88-403f8c 539->540 541 403fce-404004 call 402930 540->541 542 403f8e-403f91 540->542 541->528 549 404006-40401c LCMapStringW 541->549 543 403f97-403f9a 542->543 544 404049-40404b 542->544 543->528 546 403f9c-403fb4 LCMapStringW 543->546 544->530 546->528 546->544 549->528 550 40401e-404023 549->550 551 404025-404027 550->551 552 404029-40402c 550->552 553 40402f-404043 WideCharToMultiByte 551->553 552->553 553->528 553->544
          C-Code - Quality: 61%
          			E00403E2C(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
          				signed int _v8;
          				intOrPtr _v20;
          				short* _v28;
          				int _v32;
          				short* _v36;
          				short* _v40;
          				int _v44;
          				void* _v60;
          				int _t61;
          				int _t62;
          				int _t82;
          				int _t83;
          				int _t88;
          				short* _t89;
          				int _t90;
          				void* _t91;
          				int _t99;
          				intOrPtr _t101;
          				short* _t102;
          				int _t104;
          
          				_push(0xffffffff);
          				_push(0x4091c8);
          				_push(E004058E4);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t101;
          				_t102 = _t101 - 0x1c;
          				_v28 = _t102;
          				_t104 =  *0x40cbc4; // 0x1
          				if(_t104 != 0) {
          					L5:
          					if(_a16 > 0) {
          						_t83 = E00404050(_a12, _a16);
          						_pop(_t91);
          						_a16 = _t83;
          					}
          					_t61 =  *0x40cbc4; // 0x1
          					if(_t61 != 2) {
          						if(_t61 != 1) {
          							goto L21;
          						} else {
          							if(_a28 == 0) {
          								_t82 =  *0x40cd44; // 0x0
          								_a28 = _t82;
          							}
          							asm("sbb eax, eax");
          							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
          							_v32 = _t88;
          							if(_t88 == 0) {
          								goto L21;
          							} else {
          								_v8 = 0;
          								E00402930(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
          								_v28 = _t102;
          								_v40 = _t102;
          								_v8 = _v8 | 0xffffffff;
          								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
          									goto L21;
          								} else {
          									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
          									_v44 = _t99;
          									if(_t99 == 0) {
          										goto L21;
          									} else {
          										if((_a9 & 0x00000004) == 0) {
          											_v8 = 1;
          											E00402930(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
          											_v28 = _t102;
          											_t89 = _t102;
          											_v36 = _t89;
          											_v8 = _v8 | 0xffffffff;
          											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
          												goto L21;
          											} else {
          												_push(0);
          												_push(0);
          												if(_a24 != 0) {
          													_push(_a24);
          													_push(_a20);
          												} else {
          													_push(0);
          													_push(0);
          												}
          												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
          												if(_t99 == 0) {
          													goto L21;
          												} else {
          													goto L30;
          												}
          											}
          										} else {
          											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
          												L30:
          												_t62 = _t99;
          											} else {
          												goto L21;
          											}
          										}
          									}
          								}
          							}
          						}
          					} else {
          						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
          					}
          				} else {
          					_push(0);
          					_push(0);
          					_t90 = 1;
          					if(LCMapStringW(0, 0x100, 0x4091c4, _t90, ??, ??) == 0) {
          						if(LCMapStringA(0, 0x100, 0x4091c0, _t90, 0, 0) == 0) {
          							L21:
          							_t62 = 0;
          						} else {
          							 *0x40cbc4 = 2;
          							goto L5;
          						}
          					} else {
          						 *0x40cbc4 = _t90;
          						goto L5;
          					}
          				}
          				 *[fs:0x0] = _v20;
          				return _t62;
          			}

          APIs
          • LCMapStringW.KERNEL32(00000000,00000100,004091C4,00000001,00000000,00000000,00000103,00000001,00000000,?,0040791C,00200020,00000000,?,00000000,00000000), ref: 00403E6E
          • LCMapStringA.KERNEL32(00000000,00000100,004091C0,00000001,00000000,00000000,?,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 00403E8A
          • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,0040791C,?,00000103,00000001,00000000,?,0040791C,00200020,00000000,?,00000000,00000000), ref: 00403ED3
          • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,0040791C,00200020,00000000,?,00000000,00000000), ref: 00403F0B
          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040791C,00200020,00000000,?,00000000), ref: 00403F63
          • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040791C,00200020,00000000,?,00000000), ref: 00403F79
          • LCMapStringW.KERNEL32(00000000,?,0040791C,00000000,0040791C,?,?,0040791C,00200020,00000000,?,00000000), ref: 00403FAC
          • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040791C,00200020,00000000,?,00000000), ref: 00404014
          Similarity
          • API ID: String$ByteCharMultiWide
          • String ID:
          • API String ID: 352835431-0
          • Opcode ID: 0c596748202a3eddf1d5a0b06d3c10d613593d99b733e4a5b267f4a1943aee9a
          • Instruction ID: 7dd35e4937cfe867b94b6630c1cb782b3b6b1bc1d16b24702c671f263f72be81
          • Opcode Fuzzy Hash: 0c596748202a3eddf1d5a0b06d3c10d613593d99b733e4a5b267f4a1943aee9a
          • Instruction Fuzzy Hash: BE516DB190020AEFCF218F55DD45AAF7FB9FB48751F10416AF914B12A0C3398E11DBA9
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          control_flow_graph 584 4059f5-405a03 585 405a08-405a0a 584->585 586 405a17-405a23 585->586 587 405a0c-405a15 585->587 588 405b45-405b47 586->588 589 405a29-405a31 586->589 587->585 587->586 590 405a37-405a39 589->590 591 405b1f-405b3f call 404bc0 GetStdHandle WriteFile 589->591 592 405a48-405a4e 590->592 593 405a3b-405a42 590->593 591->588 592->588 595 405a54-405a6a GetModuleFileNameA 592->595 593->591 593->592 597 405a6c-405a7e call 4073b0 595->597 598 405a7f-405a97 call 404bc0 595->598 597->598 603 405ac2-405b1d call 4073b0 call 4073c0 * 3 call 407ab8 598->603 604 405a99-405abf call 404bc0 call 407b50 598->604 603->588 604->603
          C-Code - Quality: 96%
          			E004059F5(void* __edi, long _a4) {
          				char _v164;
          				char _v424;
          				int _t17;
          				long _t19;
          				signed int _t42;
          				long _t47;
          				void* _t48;
          				signed int _t54;
          				void** _t56;
          				void* _t57;
          
          				_t48 = __edi;
          				_t47 = _a4;
          				_t42 = 0;
          				_t17 = 0x40a6d8;
          				while(_t47 !=  *_t17) {
          					_t17 = _t17 + 8;
          					_t42 = _t42 + 1;
          					if(_t17 < 0x40a768) {
          						continue;
          					}
          					break;
          				}
          				_t54 = _t42 << 3;
          				_t2 = _t54 + 0x40a6d8; // 0x74000000
          				if(_t47 ==  *_t2) {
          					_t17 =  *0x40cbbc; // 0x0
          					if(_t17 == 1 || _t17 == 0 &&  *0x40a2f4 == 1) {
          						_t16 = _t54 + 0x40a6dc; // 0x409474
          						_t56 = _t16;
          						_t19 = E00404BC0( *_t56);
          						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
          					} else {
          						if(_t47 != 0xfc) {
          							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
          								E004073B0( &_v424, "<program name unknown>");
          							}
          							_push(_t48);
          							_t49 =  &_v424;
          							if(E00404BC0( &_v424) + 1 > 0x3c) {
          								_t49 = E00404BC0( &_v424) +  &_v424 - 0x3b;
          								E00407B50(E00404BC0( &_v424) +  &_v424 - 0x3b, "...", 3);
          								_t57 = _t57 + 0x10;
          							}
          							E004073B0( &_v164, "Runtime Error!\n\nProgram: ");
          							E004073C0( &_v164, _t49);
          							E004073C0( &_v164, "\n\n");
          							_t12 = _t54 + 0x40a6dc; // 0x409474
          							E004073C0( &_v164,  *_t12);
          							_t17 = E00407AB8( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
          						}
          					}
          				}
          				return _t17;
          			}

          APIs
          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00405A62
          • GetStdHandle.KERNEL32(000000F4,00409474,00000000,?,00000000,00000000), ref: 00405B38
          • WriteFile.KERNEL32(00000000), ref: 00405B3F
          Strings
          Similarity
          • API ID: File$HandleModuleNameWrite
          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
          • API String ID: 3784150691-4022980321
          • Opcode ID: 02692b244cd9942594826770e8fc2afffe04d85090e4ef8d3ba242c7dcf24cde
          • Instruction ID: 23e955dc117f7f4d732d766e8e7b040844b507a3c5c2886e212b5708fc255f4f
          • Opcode Fuzzy Hash: 02692b244cd9942594826770e8fc2afffe04d85090e4ef8d3ba242c7dcf24cde
          • Instruction Fuzzy Hash: E331C072A00208AFEF20A6609D85F9B777CEB85304F14057BF944B61C1E678BA41CF2A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          control_flow_graph 619 40533a-405353 620 405355-40535b GetEnvironmentStringsW 619->620 621 405388-40538b 619->621 622 405369-405373 GetEnvironmentStrings 620->622 623 40535d-405367 620->623 624 405391-405393 621->624 625 405412-405415 621->625 626 405463 622->626 627 405379-405383 622->627 623->624 629 4053a1-4053a6 624->629 630 405395-40539b GetEnvironmentStringsW 624->630 625->626 628 405417-405419 625->628 631 405465-40546b 626->631 627->628 632 405427-40542b 628->632 633 40541b-405425 GetEnvironmentStrings 628->633 634 4053b6-4053d3 WideCharToMultiByte 629->634 635 4053a8-4053ad 629->635 630->626 630->629 636 405437-405447 call 404c3b 632->636 637 40542d-405430 632->637 633->626 633->632 639 4053d5-4053e2 call 404c3b 634->639 640 405407-405410 FreeEnvironmentStringsW 634->640 635->635 638 4053af-4053b4 635->638 646 405449-40544b 636->646 647 40544d-405455 call 4074a0 636->647 637->637 642 405432-405435 637->642 638->634 638->635 639->640 648 4053e4-4053f3 WideCharToMultiByte 639->648 640->631 642->636 642->637 649 405458-405461 FreeEnvironmentStringsA 646->649 647->649 651 405403 648->651 652 4053f5-4053ff call 404ced 648->652 649->631 651->640 652->651
          C-Code - Quality: 98%
          			E0040533A() {
          				int _v4;
          				int _v8;
          				void* __ecx;
          				intOrPtr _t7;
          				CHAR* _t9;
          				WCHAR* _t17;
          				int _t20;
          				char* _t24;
          				int _t32;
          				void* _t34;
          				CHAR* _t36;
          				WCHAR* _t38;
          				void* _t39;
          				int _t42;
          
          				_t7 =  *0x40cd1c; // 0x1
          				_t32 = 0;
          				_t38 = 0;
          				_t36 = 0;
          				if(_t7 != 0) {
          					if(_t7 != 1) {
          						if(_t7 != 2) {
          							L27:
          							return 0;
          						}
          						L18:
          						if(_t36 != _t32) {
          							L20:
          							_t9 = _t36;
          							if( *_t36 == _t32) {
          								L23:
          								_t41 = _t9 - _t36 + 1;
          								_t39 = E00404C3B(_t9 - _t36 + 1);
          								if(_t39 != _t32) {
          									E004074A0(_t39, _t36, _t41);
          								} else {
          									_t39 = 0;
          								}
          								FreeEnvironmentStringsA(_t36);
          								return _t39;
          							} else {
          								goto L21;
          							}
          							do {
          								do {
          									L21:
          									_t9 =  &(_t9[1]);
          								} while ( *_t9 != _t32);
          								_t9 =  &(_t9[1]);
          							} while ( *_t9 != _t32);
          							goto L23;
          						}
          						_t36 = GetEnvironmentStrings();
          						if(_t36 == _t32) {
          							goto L27;
          						}
          						goto L20;
          					}
          					L6:
          					if(_t38 != _t32) {
          						L8:
          						_t17 = _t38;
          						if( *_t38 == _t32) {
          							L11:
          							_t20 = (_t17 - _t38 >> 1) + 1;
          							_v4 = _t20;
          							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
          							if(_t42 != _t32) {
          								_t24 = E00404C3B(_t42);
          								_pop(_t34);
          								_v8 = _t24;
          								if(_t24 != _t32) {
          									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
          										E00404CED(_t34, _v8);
          										_v8 = _t32;
          									}
          									_t32 = _v8;
          								}
          							}
          							FreeEnvironmentStringsW(_t38);
          							return _t32;
          						} else {
          							goto L9;
          						}
          						do {
          							do {
          								L9:
          								_t17 =  &(_t17[1]);
          							} while ( *_t17 != _t32);
          							_t17 =  &(_t17[1]);
          						} while ( *_t17 != _t32);
          						goto L11;
          					}
          					_t38 = GetEnvironmentStringsW();
          					if(_t38 == _t32) {
          						goto L27;
          					}
          					goto L8;
          				}
          				_t38 = GetEnvironmentStringsW();
          				if(_t38 == 0) {
          					_t36 = GetEnvironmentStrings();
          					if(_t36 == 0) {
          						goto L27;
          					}
          					 *0x40cd1c = 2;
          					goto L18;
          				}
          				 *0x40cd1c = 1;
          				goto L6;
          			}

          APIs
          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 00405355
          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 00405369
          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 00405395
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402E17), ref: 004053CD
          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402E17), ref: 004053EF
          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402E17), ref: 00405408
          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402E17), ref: 0040541B
          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00405459
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
          • String ID:
          • API String ID: 1823725401-0
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 656 401300-40135e call 402930 #141 RegOpenKeyExA 659 401364-40138f RegEnumValueA 656->659 660 401437-401457 call 401b50 656->660 659->660 661 401395-4013b9 call 401950 659->661 666 401409-401431 RegEnumValueA 661->666 667 4013bb-4013c0 661->667 666->660 666->661 668 4013c4-4013ca 667->668 669 4013e8-4013ea 668->669 670 4013cc-4013ce 668->670 671 4013ed-4013ef 669->671 672 4013d0-4013d8 670->672 673 4013e4-4013e6 670->673 671->666 675 4013f1-401406 DeleteFileA call 401460 671->675 672->669 674 4013da-4013e2 672->674 673->671 674->668 674->673 675->666
          C-Code - Quality: 81%
          			E00401300(void* __ecx, void* __eflags, char _a260, void _a323, char _a2308) {
          				char _v0;
          				void* _v4;
          				int _v8;
          				int _t27;
          				void* _t36;
          				intOrPtr* _t39;
          				intOrPtr _t52;
          				intOrPtr _t54;
          				intOrPtr _t59;
          				intOrPtr _t60;
          				int _t66;
          				intOrPtr* _t68;
          				void* _t70;
          				void* _t72;
          
          				E00402930(0x110c, __ecx);
          				_push(0);
          				_push(2);
          				L00402918();
          				_t27 = memcpy( &_a260, "Software\\National Instruments\\Common\\Installer\\Pending\\Deletes", 0xf << 2);
          				asm("movsw");
          				asm("movsb");
          				memset( &_a323, _t27, 0x1f0 << 2);
          				_t72 = _t70 + 0x18;
          				asm("stosb");
          				if(RegOpenKeyExA(0x80000002,  &_a260, 0, 0x30019,  &_v4) != 0) {
          					L13:
          					E00401B50(0x80000002,  &_a260);
          					return 0;
          				}
          				_t66 = 0;
          				_v8 = 0x800;
          				if(RegEnumValueA(_v4, 0,  &_a2308,  &_v8, 0, 0, 0, 0) != 0) {
          					goto L13;
          				} else {
          					goto L2;
          				}
          				do {
          					L2:
          					_t36 = E00401950( &_a260, 0x80000002,  &_a260,  &_a2308,  &_v0);
          					_t72 = _t72 + 0x10;
          					if(_t36 != 0) {
          						goto L12;
          					}
          					_t68 = 0x40cba0;
          					_t39 =  &_v0;
          					while(1) {
          						_t59 =  *_t39;
          						_t52 = _t59;
          						if(_t59 !=  *_t68) {
          							break;
          						}
          						if(_t52 == 0) {
          							L8:
          							_t39 = 0;
          							L10:
          							if(_t39 != 0) {
          								DeleteFileA( &_v0);
          								E00401460( &_v0,  &_v0);
          								_t72 = _t72 + 4;
          							}
          							goto L12;
          						}
          						_t60 =  *((intOrPtr*)(_t39 + 1));
          						_t54 = _t60;
          						_t16 = _t68 + 1; // 0x28000000
          						if(_t60 !=  *_t16) {
          							break;
          						}
          						_t39 = _t39 + 2;
          						_t68 = _t68 + 2;
          						if(_t54 != 0) {
          							continue;
          						}
          						goto L8;
          					}
          					asm("sbb eax, eax");
          					asm("sbb eax, 0xffffffff");
          					goto L10;
          					L12:
          					_t66 = _t66 + 1;
          					_v8 = 0x800;
          				} while (RegEnumValueA(_v4, _t66,  &_a2308,  &_v8, 0, 0, 0, 0) == 0);
          				goto L13;
          			}

          APIs
          • #141.MSI(00000002,00000000,?,00000000,?,00401F13,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 00401311
          • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00030019,?,00000002,00000000,?,00000000,?,00401F13,?,?,?,?,00000002), ref: 00401356
          • RegEnumValueA.ADVAPI32 ref: 0040138B
          • DeleteFileA.KERNEL32(?,00000000,00000000,?,00401F13,?,?,?,?,00000002,00000000,?,?,00000000,_MSIExecute), ref: 004013F6
          • RegEnumValueA.ADVAPI32 ref: 0040142D
          Strings
          • Software\National Instruments\Common\Installer\Pending\Deletes, xrefs: 0040131B
          Similarity
          • API ID: EnumValue$#141DeleteFileOpen
          • String ID: Software\National Instruments\Common\Installer\Pending\Deletes
          • API String ID: 1860468242-3474610832
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00401B70(void* _a4, char* _a8) {
          				char _v256;
          				int _v260;
          				void* _v264;
          				int _v268;
          				long _t21;
          				int _t36;
          				char* _t37;
          				void* _t38;
          
          				_t38 =  &_v268;
          				_t37 = _a8;
          				_t36 = 0;
          				_v268 = 0;
          				if(_t37 == 0 || lstrlenA(_t37) == 0 || RegOpenKeyExA(_a4, _t37, 0, 0x10008,  &_v264) != 0) {
          					L15:
          					return _v268;
          				} else {
          					while(1) {
          						_v260 = 0x100;
          						_t21 = RegEnumKeyExA(_v264, 0,  &_v256,  &_v260, 0, 0, 0, 0);
          						if(_t21 == 0x103) {
          							break;
          						}
          						if(_t21 != 0) {
          							L8:
          							if(_t36 == 0) {
          								continue;
          							} else {
          							}
          						} else {
          							_t36 = E00401B70(_v264,  &_v256);
          							_t38 = _t38 + 8;
          							if(_t36 == 0) {
          								continue;
          							} else {
          								_v268 = 0xb;
          								goto L8;
          							}
          						}
          						L13:
          						RegCloseKey(_v264);
          						if(_t36 != 0) {
          							goto L15;
          						} else {
          							return 0;
          						}
          						goto L16;
          					}
          					if(RegDeleteKeyA(_a4, _t37) != 0) {
          						_v268 = 0xb;
          					} else {
          						_t36 = 0;
          					}
          					goto L13;
          				}
          				L16:
          			}

          APIs
          • lstrlenA.KERNEL32(?,Software\National Instruments\Common\Installer\Pending\Packages), ref: 00401B8E
          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00010008,?), ref: 00401BB0
          • RegEnumKeyExA.ADVAPI32 ref: 00401BE6
          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00401C22
          • RegCloseKey.ADVAPI32(00000000), ref: 00401C3D
          Strings
          • Software\National Instruments\Common\Installer\Pending\Packages, xrefs: 00401B7E
          Similarity
          • API ID: CloseDeleteEnumOpenlstrlen
          • String ID: Software\National Instruments\Common\Installer\Pending\Packages
          • API String ID: 160701936-3519911799
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 78%
          			E00406005(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
          				int _v8;
          				intOrPtr _v20;
          				short* _v28;
          				short _v32;
          				int _v36;
          				short* _v40;
          				void* _v56;
          				int _t31;
          				int _t32;
          				int _t37;
          				int _t43;
          				int _t44;
          				int _t45;
          				void* _t53;
          				short* _t60;
          				int _t61;
          				intOrPtr _t62;
          				short* _t63;
          
          				_push(0xffffffff);
          				_push(0x409500);
          				_push(E004058E4);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t62;
          				_t63 = _t62 - 0x18;
          				_v28 = _t63;
          				_t31 =  *0x40cd28; // 0x1
          				if(_t31 != 0) {
          					L6:
          					if(_t31 != 2) {
          						if(_t31 != 1) {
          							goto L18;
          						} else {
          							if(_a20 == 0) {
          								_t44 =  *0x40cd44; // 0x0
          								_a20 = _t44;
          							}
          							asm("sbb eax, eax");
          							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
          							_v36 = _t37;
          							if(_t37 == 0) {
          								goto L18;
          							} else {
          								_v8 = 0;
          								E00402930(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
          								_v28 = _t63;
          								_t60 = _t63;
          								_v40 = _t60;
          								E004062F0(_t60, 0, _t37 + _t37);
          								_v8 = _v8 | 0xffffffff;
          								if(_t60 == 0) {
          									goto L18;
          								} else {
          									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
          									if(_t43 == 0) {
          										goto L18;
          									} else {
          										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
          									}
          								}
          							}
          						}
          					} else {
          						_t45 = _a24;
          						if(_t45 == 0) {
          							_t45 =  *0x40cd34; // 0x0
          						}
          						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
          					}
          				} else {
          					_push( &_v32);
          					_t61 = 1;
          					if(GetStringTypeW(_t61, 0x4091c4, _t61, ??) == 0) {
          						if(GetStringTypeA(0, _t61, 0x4091c0, _t61,  &_v32) == 0) {
          							L18:
          							_t32 = 0;
          						} else {
          							_t31 = 2;
          							goto L5;
          						}
          					} else {
          						_t31 = _t61;
          						L5:
          						 *0x40cd28 = _t31;
          						goto L6;
          					}
          				}
          				 *[fs:0x0] = _v20;
          				return _t32;
          			}

          APIs
          • GetStringTypeW.KERNEL32(00000001,004091C4,00000001,00000000,00000103,00000001,00000000,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 00406044
          • GetStringTypeA.KERNEL32(00000000,00000001,004091C0,00000001,?,?,00000000,00000000,00000001), ref: 0040605E
          • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 00406092
          • MultiByteToWideChar.KERNEL32(0040791C,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,0040791C,00200020,00000000,?,00000000,00000000,00000001), ref: 004060CA
          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406120
          • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406132
          Similarity
          • API ID: StringType$ByteCharMultiWide
          • String ID:
          • API String ID: 3852931651-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 99%
          			E0040546C() {
          				signed int* _t35;
          				signed int* _t37;
          				long _t42;
          				signed int _t44;
          				signed int _t45;
          				int _t46;
          				void* _t48;
          				void** _t52;
          				int _t53;
          				int _t54;
          				signed int* _t55;
          				int _t57;
          				void** _t58;
          				signed char _t60;
          				signed int _t62;
          				void* _t66;
          				void* _t69;
          				signed int _t70;
          				int* _t71;
          				signed int* _t72;
          				void** _t73;
          				int _t74;
          				intOrPtr* _t75;
          				void* _t76;
          
          				_t72 = E00404C3B(0x100);
          				if(_t72 == 0) {
          					E00402E89(0x1b);
          				}
          				 *0x40ddc0 = _t72;
          				 *0x40dec0 = 0x20;
          				_t1 =  &(_t72[0x40]); // 0x100
          				_t35 = _t1;
          				while(_t72 < _t35) {
          					_t72[1] = _t72[1] & 0x00000000;
          					 *_t72 =  *_t72 | 0xffffffff;
          					_t72[1] = 0xa;
          					_t55 =  *0x40ddc0; // 0x2180488
          					_t72 =  &(_t72[2]);
          					_t35 =  &(_t55[0x40]);
          				}
          				GetStartupInfoA(_t76 + 0x10);
          				__eflags =  *((short*)(_t76 + 0x42));
          				if( *((short*)(_t76 + 0x42)) == 0) {
          					L25:
          					_t57 = 0;
          					__eflags = 0;
          					do {
          						_t37 =  *0x40ddc0; // 0x2180488
          						__eflags =  *(_t37 + _t57 * 8) - 0xffffffff;
          						_t73 = _t37 + _t57 * 8;
          						if( *(_t37 + _t57 * 8) != 0xffffffff) {
          							_t32 =  &(_t73[1]);
          							 *_t32 = _t73[1] | 0x00000080;
          							__eflags =  *_t32;
          							goto L37;
          						}
          						__eflags = _t57;
          						_t73[1] = 0x81;
          						if(_t57 != 0) {
          							asm("sbb eax, eax");
          							_t42 =  ~(_t57 - 1) + 0xfffffff5;
          							__eflags = _t42;
          						} else {
          							_t42 = 0xfffffff6;
          						}
          						_t69 = GetStdHandle(_t42);
          						__eflags = _t69 - 0xffffffff;
          						if(_t69 == 0xffffffff) {
          							L33:
          							_t73[1] = _t73[1] | 0x00000040;
          						} else {
          							_t44 = GetFileType(_t69);
          							__eflags = _t44;
          							if(_t44 == 0) {
          								goto L33;
          							}
          							_t45 = _t44 & 0x000000ff;
          							 *_t73 = _t69;
          							__eflags = _t45 - 2;
          							if(_t45 != 2) {
          								__eflags = _t45 - 3;
          								if(_t45 == 3) {
          									_t73[1] = _t73[1] | 0x00000008;
          								}
          								goto L37;
          							}
          							goto L33;
          						}
          						L37:
          						_t57 = _t57 + 1;
          						__eflags = _t57 - 3;
          					} while (_t57 < 3);
          					return SetHandleCount( *0x40dec0);
          				}
          				_t46 =  *(_t76 + 0x44);
          				__eflags = _t46;
          				if(_t46 == 0) {
          					goto L25;
          				}
          				_t74 =  *_t46;
          				_t75 = _t46 + 4;
          				__eflags = _t74 - 0x800;
          				_t58 = _t74 + _t75;
          				if(_t74 >= 0x800) {
          					_t74 = 0x800;
          				}
          				__eflags =  *0x40dec0 - _t74; // 0x20
          				if(__eflags >= 0) {
          					L18:
          					_t70 = 0;
          					__eflags = _t74;
          					if(_t74 <= 0) {
          						goto L25;
          					} else {
          						goto L19;
          					}
          					do {
          						L19:
          						_t48 =  *_t58;
          						__eflags = _t48 - 0xffffffff;
          						if(_t48 == 0xffffffff) {
          							goto L24;
          						}
          						_t60 =  *_t75;
          						__eflags = _t60 & 0x00000001;
          						if((_t60 & 0x00000001) == 0) {
          							goto L24;
          						}
          						__eflags = _t60 & 0x00000008;
          						if((_t60 & 0x00000008) != 0) {
          							L23:
          							_t62 = _t70 & 0x0000001f;
          							__eflags = _t62;
          							_t52 = 0x40ddc0[_t70 >> 5] + _t62 * 8;
          							 *_t52 =  *_t58;
          							_t52[1] =  *_t75;
          							goto L24;
          						}
          						_t53 = GetFileType(_t48);
          						__eflags = _t53;
          						if(_t53 == 0) {
          							goto L24;
          						}
          						goto L23;
          						L24:
          						_t70 = _t70 + 1;
          						_t75 = _t75 + 1;
          						_t58 =  &(_t58[1]);
          						__eflags = _t70 - _t74;
          					} while (_t70 < _t74);
          					goto L25;
          				} else {
          					_t71 = 0x40ddc4;
          					while(1) {
          						_t54 = E00404C3B(0x100);
          						__eflags = _t54;
          						if(_t54 == 0) {
          							break;
          						}
          						 *0x40dec0 =  *0x40dec0 + 0x20;
          						__eflags =  *0x40dec0;
          						 *_t71 = _t54;
          						_t10 = _t54 + 0x100; // 0x100
          						_t66 = _t10;
          						while(1) {
          							__eflags = _t54 - _t66;
          							if(_t54 >= _t66) {
          								break;
          							}
          							 *(_t54 + 4) =  *(_t54 + 4) & 0x00000000;
          							 *_t54 =  *_t54 | 0xffffffff;
          							 *((char*)(_t54 + 5)) = 0xa;
          							_t54 = _t54 + 8;
          							_t66 =  *_t71 + 0x100;
          						}
          						_t71 =  &(_t71[1]);
          						__eflags =  *0x40dec0 - _t74; // 0x20
          						if(__eflags < 0) {
          							continue;
          						}
          						goto L18;
          					}
          					_t74 =  *0x40dec0; // 0x20
          					goto L18;
          				}
          			}

          APIs
          • GetStartupInfoA.KERNEL32(?), ref: 004054C5
          • GetFileType.KERNEL32(00000800), ref: 0040556B
          • GetStdHandle.KERNEL32(-000000F6), ref: 004055C4
          • GetFileType.KERNEL32(00000000), ref: 004055D2
          • SetHandleCount.KERNEL32 ref: 00405609
          Similarity
          • API ID: FileHandleType$CountInfoStartup
          • String ID:
          • API String ID: 1710529072-0
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00406D42() {
          				void* _t25;
          				intOrPtr* _t28;
          				void* _t42;
          				void* _t43;
          				void* _t45;
          				void* _t55;
          
          				if( *0x40aa10 != 0xffffffff) {
          					_t43 = HeapAlloc( *0x40dda4, 0, 0x2020);
          					if(_t43 == 0) {
          						goto L20;
          					}
          					goto L3;
          				} else {
          					_t43 = 0x40aa00;
          					L3:
          					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
          					if(_t42 == 0) {
          						L18:
          						if(_t43 != 0x40aa00) {
          							HeapFree( *0x40dda4, 0, _t43);
          						}
          						L20:
          						return 0;
          					}
          					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
          						VirtualFree(_t42, 0, 0x8000);
          						goto L18;
          					}
          					if(_t43 != 0x40aa00) {
          						 *_t43 = 0x40aa00;
          						_t25 =  *0x40aa04; // 0x40aa00
          						 *(_t43 + 4) = _t25;
          						 *0x40aa04 = _t43;
          						 *( *(_t43 + 4)) = _t43;
          					} else {
          						if( *0x40aa00 == 0) {
          							 *0x40aa00 = 0x40aa00;
          						}
          						if( *0x40aa04 == 0) {
          							 *0x40aa04 = 0x40aa00;
          						}
          					}
          					_t3 = _t42 + 0x400000; // 0x400000
          					_t4 = _t43 + 0x98; // 0x98
          					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
          					_t6 = _t43 + 0x18; // 0x18
          					_t28 = _t6;
          					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
          					 *(_t43 + 0x10) = _t42;
          					 *((intOrPtr*)(_t43 + 8)) = _t28;
          					_t45 = 0;
          					do {
          						_t55 = _t45 - 0x10;
          						_t45 = _t45 + 1;
          						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
          						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
          						_t28 = _t28 + 8;
          					} while (_t45 < 0x400);
          					E004062F0(_t42, 0, 0x10000);
          					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
          						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
          						_t16 = _t42 + 8; // -4088
          						 *_t42 = _t16;
          						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
          						_t42 = _t42 + 0x1000;
          					}
          					return _t43;
          				}
          			}

          APIs
          • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,004057D2), ref: 00406D63
          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,004057D2), ref: 00406D87
          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,004057D2), ref: 00406DA1
          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,004057D2), ref: 00406E62
          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,004057D2), ref: 00406E79
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: AllocVirtual$FreeHeap
          • String ID:
          • API String ID: 714016831-0
          • Opcode ID: 6d35afcb99616ca62a44109434c7cc2ecaff5e90a0b812881487d6a1f7da1a31
          • Instruction ID: 0d9470b2a50c3aec7e09f4b155c7d6950836918d4a78a481512e9248562b7c91
          • Opcode Fuzzy Hash: 6d35afcb99616ca62a44109434c7cc2ecaff5e90a0b812881487d6a1f7da1a31
          • Instruction Fuzzy Hash: AE31DE716407019FD3209F28DE44B62B7A0EB44754F12823AE16BB76E0E778A864CB8D
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00407F8B(signed int _a4, void* _a8, long _a12) {
          				void _v5;
          				signed int _v12;
          				long _v16;
          				long _t74;
          				signed int _t77;
          				intOrPtr _t83;
          				signed char _t84;
          				signed char _t86;
          				long _t87;
          				void _t89;
          				signed char _t91;
          				char _t99;
          				long _t102;
          				void _t103;
          				intOrPtr* _t105;
          				void* _t106;
          				signed char* _t107;
          				long _t109;
          				signed int _t112;
          				signed char _t114;
          				long _t115;
          				void* _t116;
          				signed int _t118;
          				signed int _t120;
          				signed char* _t121;
          				void* _t122;
          				void* _t123;
          
          				_t118 = _a4;
          				_t123 = _t118 -  *0x40dec0; // 0x20
          				if(_t123 >= 0) {
          					L44:
          					 *0x40cbcc =  *0x40cbcc & 0x00000000;
          					 *0x40cbc8 = 9;
          					L45:
          					return _t74 | 0xffffffff;
          				}
          				_t77 = _t118 >> 5;
          				_t120 = (_t118 & 0x0000001f) << 3;
          				_t105 = 0x40ddc0 + _t77 * 4;
          				_t74 =  *((intOrPtr*)(0x40ddc0 + _t77 * 4)) + _t120;
          				_t114 =  *((intOrPtr*)(_t74 + 4));
          				if((_t114 & 0x00000001) == 0) {
          					goto L44;
          				}
          				_v12 = _v12 & 0x00000000;
          				_t116 = _a8;
          				_t106 = _t116;
          				if(_a12 == 0 || (_t114 & 0x00000002) != 0) {
          					L11:
          					return 0;
          				} else {
          					if((_t114 & 0x00000048) != 0) {
          						_t103 =  *((intOrPtr*)(_t74 + 5));
          						if(_t103 != 0xa) {
          							_a12 = _a12 - 1;
          							 *_t116 = _t103;
          							_t106 = _t116 + 1;
          							_v12 = 1;
          							 *((char*)( *_t105 + _t120 + 5)) = 0xa;
          						}
          					}
          					if(ReadFile( *( *_t105 + _t120), _t106, _a12,  &_v16, 0) != 0) {
          						_t83 =  *_t105;
          						_t115 = _v16;
          						_v12 = _v12 + _t115;
          						_t31 = _t120 + 4; // 0x4
          						_t107 = _t83 + _t31;
          						_t84 =  *((intOrPtr*)(_t83 + _t120 + 4));
          						if((_t84 & 0x00000080) == 0) {
          							L43:
          							return _v12;
          						}
          						if(_t115 == 0 ||  *_t116 != 0xa) {
          							_t86 = _t84 & 0x000000fb;
          						} else {
          							_t86 = _t84 | 0x00000004;
          						}
          						 *_t107 = _t86;
          						_t87 = _a8;
          						_a12 = _t87;
          						_t109 = _v12 + _t87;
          						_v12 = _t109;
          						if(_t87 >= _t109) {
          							L42:
          							_v12 = _t116 - _a8;
          							goto L43;
          						} else {
          							while(1) {
          								_t89 =  *_a12;
          								if(_t89 == 0x1a) {
          									break;
          								}
          								if(_t89 == 0xd) {
          									if(_a12 >= _t109 - 1) {
          										_a12 = _a12 + 1;
          										if(ReadFile( *( *_t105 + _t120),  &_v5, 1,  &_v16, 0) != 0 || GetLastError() == 0) {
          											if(_v16 == 0) {
          												goto L36;
          											}
          											if(( *( *_t105 + _t120 + 4) & 0x00000048) == 0) {
          												if(_t116 != _a8 || _v5 != 0xa) {
          													E00405B48(_a4, 0xffffffff, 1);
          													_t122 = _t122 + 0xc;
          													if(_v5 == 0xa) {
          														goto L38;
          													}
          													goto L36;
          												} else {
          													L34:
          													 *_t116 = 0xa;
          													goto L37;
          												}
          											}
          											_t99 = _v5;
          											if(_t99 == 0xa) {
          												goto L34;
          											}
          											 *_t116 = 0xd;
          											_t116 = _t116 + 1;
          											 *((char*)( *_t105 + _t120 + 5)) = _t99;
          											goto L38;
          										} else {
          											L36:
          											 *_t116 = 0xd;
          											L37:
          											_t116 = _t116 + 1;
          											L38:
          											_t109 = _v12;
          											if(_a12 < _t109) {
          												continue;
          											}
          											goto L42;
          										}
          									}
          									_t102 = _a12 + 1;
          									if( *_t102 != 0xa) {
          										 *_t116 = 0xd;
          										_t116 = _t116 + 1;
          										_a12 = _t102;
          										goto L38;
          									}
          									_a12 = _a12 + 2;
          									goto L34;
          								}
          								 *_t116 = _t89;
          								_t116 = _t116 + 1;
          								_a12 = _a12 + 1;
          								goto L38;
          							}
          							_t121 =  *_t105 + _t120 + 4;
          							_t91 =  *_t121;
          							if((_t91 & 0x00000040) == 0) {
          								 *_t121 = _t91 | 0x00000002;
          							}
          							goto L42;
          						}
          					}
          					_t74 = GetLastError();
          					_t112 = 5;
          					if(_t74 != _t112) {
          						if(_t74 != 0x6d) {
          							_t74 = E00407C4E(_t74);
          							goto L45;
          						}
          						goto L11;
          					}
          					 *0x40cbc8 = 9;
          					 *0x40cbcc = _t112;
          					goto L45;
          				}
          			}

          APIs
          • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,00000000), ref: 0040800F
          • GetLastError.KERNEL32 ref: 00408019
          • ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 004080E0
          • GetLastError.KERNEL32 ref: 004080EA
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: ErrorFileLastRead
          • String ID:
          • API String ID: 1948546556-0
          • Opcode ID: bcf1fc3162e821494b40b79ecc53eb5289275d8b310e8188a77bafa3dcefda27
          • Instruction ID: 814d9c423af25b8fe7558b6c9e014a0a86926036ed26ad7d6aacf5dd9dc40a04
          • Opcode Fuzzy Hash: bcf1fc3162e821494b40b79ecc53eb5289275d8b310e8188a77bafa3dcefda27
          • Instruction Fuzzy Hash: 1D619030A04285DFDB118F58DA84BAA7BB0AF12344F1540BFD4D1BB3D2DB79994ACB09
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00405BE2(long _a4, void* _a8, long _a12) {
          				intOrPtr* _v8;
          				long _v12;
          				long _v16;
          				intOrPtr _v20;
          				void _v1048;
          				signed char _t58;
          				void** _t64;
          				intOrPtr _t67;
          				char* _t72;
          				long _t79;
          				signed char* _t83;
          				signed int _t84;
          				char _t90;
          				struct _OVERLAPPED* _t94;
          				long _t96;
          				signed int _t99;
          				void* _t102;
          
          				_t84 = _a4;
          				_t102 = _t84 -  *0x40dec0; // 0x20
          				if(_t102 >= 0) {
          					L30:
          					 *0x40cbcc =  *0x40cbcc & 0x00000000;
          					 *0x40cbc8 = 9;
          					L31:
          					return _t58 | 0xffffffff;
          				}
          				_t83 = 0x40ddc0 + (_t84 >> 5) * 4;
          				_t99 = (_t84 & 0x0000001f) << 3;
          				_t5 = _t99 + 4; // 0x228
          				_t58 =  *((intOrPtr*)( *_t83 + _t5));
          				if((_t58 & 0x00000001) == 0) {
          					goto L30;
          				}
          				_t94 = 0;
          				_v12 = 0;
          				_v20 = 0;
          				if(_a12 != 0) {
          					if((_t58 & 0x00000020) != 0) {
          						E00405B48(_t84, 0, 2);
          					}
          					_t64 =  *_t83 + _t99;
          					if((_t64[1] & 0x00000080) == 0) {
          						if(WriteFile( *_t64, _a8, _a12,  &_v16, _t94) == 0) {
          							_a4 = GetLastError();
          						} else {
          							_a4 = _t94;
          							_v12 = _v16;
          						}
          						L17:
          						_t67 = _v12;
          						if(_t67 != _t94) {
          							return _t67 - _v20;
          						}
          						if(_a4 == _t94) {
          							L26:
          							_t58 =  *_t83;
          							if(( *(_t58 + _t99 + 4) & 0x00000040) == 0) {
          								L28:
          								 *0x40cbc8 = 0x1c;
          								 *0x40cbcc = _t94;
          								goto L31;
          							}
          							_t58 = _a8;
          							if( *_t58 == 0x1a) {
          								goto L3;
          							}
          							goto L28;
          						}
          						_t58 = 5;
          						if(_a4 != _t58) {
          							_t58 = E00407C4E(_a4);
          						} else {
          							 *0x40cbc8 = 9;
          							 *0x40cbcc = _t58;
          						}
          						goto L31;
          					}
          					_v8 = _a8;
          					_a4 = _t94;
          					if(_a12 <= _t94) {
          						goto L26;
          					} else {
          						goto L8;
          					}
          					do {
          						L8:
          						_t72 =  &_v1048;
          						while(_v8 - _a8 < _a12) {
          							_v8 = _v8 + 1;
          							_t90 =  *_v8;
          							if(_t90 == 0xa) {
          								_v20 = _v20 + 1;
          								 *_t72 = 0xd;
          								_t72 = _t72 + 1;
          							}
          							 *_t72 = _t90;
          							_t72 = _t72 + 1;
          							if(_t72 -  &_v1048 < 0x400) {
          								continue;
          							} else {
          								break;
          							}
          						}
          						_t96 = _t72 -  &_v1048;
          						if(WriteFile( *( *_t83 + _t99),  &_v1048, _t96,  &_v16, 0) == 0) {
          							_a4 = GetLastError();
          							break;
          						}
          						_t79 = _v16;
          						_v12 = _v12 + _t79;
          					} while (_t79 >= _t96 && _v8 - _a8 < _a12);
          					_t94 = 0;
          					goto L17;
          				}
          				L3:
          				return 0;
          			}

          APIs
          • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000000,?), ref: 00405CBA
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: FileWrite
          • String ID:
          • API String ID: 3934441357-0
          • Opcode ID: 3126eda6c66cf7021a399f3889b83985f5a3297c5181f391af0d08c149974852
          • Instruction ID: afddacc0e3fb58388a404dd5e623b8fc1900d40c0f82758334153a2d0457c854
          • Opcode Fuzzy Hash: 3126eda6c66cf7021a399f3889b83985f5a3297c5181f391af0d08c149974852
          • Instruction Fuzzy Hash: 3151A071904A08EFDB15CF68D988AAA7BB0FF41340F20857BE816BB2D1D7349A40CF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 81%
          			_entry_(void* __ebx, void* __edi, void* __esi) {
          				CHAR* _v8;
          				intOrPtr* _v24;
          				intOrPtr _v28;
          				struct _STARTUPINFOA _v96;
          				intOrPtr _v100;
          				intOrPtr _v104;
          				intOrPtr _v108;
          				unsigned int _t15;
          				signed int _t26;
          				signed int _t34;
          				intOrPtr _t50;
          
          				_push(0xffffffff);
          				_push(0x409140);
          				_push(E004058E4);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t50;
          				_push(__esi);
          				_v28 = _t50 - 0x58;
          				_t15 = GetVersion();
          				 *0x40cbe0 = 0;
          				_t34 = _t15 & 0x000000ff;
          				 *0x40cbdc = _t34;
          				 *0x40cbd8 = _t34 << 8;
          				 *0x40cbd4 = _t15 >> 0x10;
          				if(E0040578C(_t34 << 8, 0) == 0) {
          					E00402EAE(0x1c);
          				}
          				_v8 = 0;
          				E0040546C();
          				 *0x40e108 = GetCommandLineA();
          				 *0x40cbb4 = E0040533A();
          				E004050ED();
          				E00405034();
          				E00404D56();
          				_v96.dwFlags = 0;
          				GetStartupInfoA( &_v96);
          				_v104 = E00404FDC();
          				_t53 = _v96.dwFlags & 0x00000001;
          				if((_v96.dwFlags & 0x00000001) == 0) {
          					_t26 = 0xa;
          				} else {
          					_t26 = _v96.wShowWindow & 0x0000ffff;
          				}
          				_v100 = E00401C60(0, GetModuleHandleA(0), 0, _v104, _t26);
          				E00404D83(_t28);
          				_v108 =  *((intOrPtr*)( *_v24));
          				return E00404E58(0, _t53,  *((intOrPtr*)( *_v24)), _v24);
          			}

          APIs
          • GetVersion.KERNEL32 ref: 00402DB9
            • Part of subcall function 0040578C: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402DF2,00000000), ref: 0040579D
            • Part of subcall function 0040578C: HeapDestroy.KERNEL32 ref: 004057DC
          • GetCommandLineA.KERNEL32 ref: 00402E07
          • GetStartupInfoA.KERNEL32(?), ref: 00402E32
          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402E55
            • Part of subcall function 00402EAE: ExitProcess.KERNEL32 ref: 00402ECB
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
          • String ID:
          • API String ID: 2057626494-0
          • Opcode ID: 1d1c61a8bcdf1391a0eb9b6b8233aee60818611d067d62f8d555ab9d415b9677
          • Instruction ID: 3e2574021304d9b383fc53e0004625e206804d84ff9b631f25f23f276a0b25a0
          • Opcode Fuzzy Hash: 1d1c61a8bcdf1391a0eb9b6b8233aee60818611d067d62f8d555ab9d415b9677
          • Instruction Fuzzy Hash: 7E21B2B18406149FDB04AFA2DD4AA6E7BB9EF44704F10413FF904BB2E1DB784800CB98
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 92%
          			E00403AE3(void* __ebx, void* __edi) {
          				char _v17;
          				signed char _v18;
          				struct _cpinfo _v24;
          				char _v280;
          				char _v536;
          				char _v792;
          				char _v1304;
          				void* _t43;
          				char _t44;
          				signed char _t45;
          				void* _t55;
          				signed int _t56;
          				signed char _t64;
          				intOrPtr* _t66;
          				signed int _t68;
          				signed int _t70;
          				signed int _t71;
          				signed char _t76;
          				signed char _t77;
          				signed char* _t78;
          				void* _t81;
          				void* _t87;
          				void* _t88;
          
          				if(GetCPInfo( *0x40ded8,  &_v24) == 1) {
          					_t44 = 0;
          					do {
          						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
          						_t44 = _t44 + 1;
          					} while (_t44 < 0x100);
          					_t45 = _v18;
          					_v280 = 0x20;
          					if(_t45 == 0) {
          						L9:
          						E00406005(1,  &_v280, 0x100,  &_v1304,  *0x40ded8,  *0x40e104, 0);
          						E00403E2C( *0x40e104, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x40ded8, 0);
          						E00403E2C( *0x40e104, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x40ded8, 0);
          						_t55 = 0;
          						_t66 =  &_v1304;
          						do {
          							_t76 =  *_t66;
          							if((_t76 & 0x00000001) == 0) {
          								if((_t76 & 0x00000002) == 0) {
          									 *(_t55 + 0x40df00) =  *(_t55 + 0x40df00) & 0x00000000;
          									goto L16;
          								}
          								 *(_t55 + 0x40e001) =  *(_t55 + 0x40e001) | 0x00000020;
          								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
          								L12:
          								 *(_t55 + 0x40df00) = _t77;
          								goto L16;
          							}
          							 *(_t55 + 0x40e001) =  *(_t55 + 0x40e001) | 0x00000010;
          							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
          							goto L12;
          							L16:
          							_t55 = _t55 + 1;
          							_t66 = _t66 + 2;
          						} while (_t55 < 0x100);
          						return _t55;
          					}
          					_t78 =  &_v17;
          					do {
          						_t68 =  *_t78 & 0x000000ff;
          						_t56 = _t45 & 0x000000ff;
          						if(_t56 <= _t68) {
          							_t81 = _t87 + _t56 - 0x114;
          							_t70 = _t68 - _t56 + 1;
          							_t71 = _t70 >> 2;
          							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
          							_t88 = _t88 + 0x18;
          						}
          						_t78 =  &(_t78[2]);
          						_t45 =  *((intOrPtr*)(_t78 - 1));
          					} while (_t45 != 0);
          					goto L9;
          				}
          				_t43 = 0;
          				do {
          					if(_t43 < 0x41 || _t43 > 0x5a) {
          						if(_t43 < 0x61 || _t43 > 0x7a) {
          							 *(_t43 + 0x40df00) =  *(_t43 + 0x40df00) & 0x00000000;
          						} else {
          							 *(_t43 + 0x40e001) =  *(_t43 + 0x40e001) | 0x00000020;
          							_t64 = _t43 - 0x20;
          							goto L22;
          						}
          					} else {
          						 *(_t43 + 0x40e001) =  *(_t43 + 0x40e001) | 0x00000010;
          						_t64 = _t43 + 0x20;
          						L22:
          						 *(_t43 + 0x40df00) = _t64;
          					}
          					_t43 = _t43 + 1;
          				} while (_t43 < 0x100);
          				return _t43;
          			}

          APIs
          • GetCPInfo.KERNEL32(?,00000000), ref: 00403AF7
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: Info
          • String ID: $
          • API String ID: 1807457897-3032137957
          • Opcode ID: 4263b0e6052e216f1f80c24dc0ce66833b2b90fc2c1d1942979e66f1bc3d2df2
          • Instruction ID: 36ae0489fdf4b74d1d941eed9f8272e445ce0b54ef1ae1ad796fd5ae7e3c824f
          • Opcode Fuzzy Hash: 4263b0e6052e216f1f80c24dc0ce66833b2b90fc2c1d1942979e66f1bc3d2df2
          • Instruction Fuzzy Hash: A1415D324042981AFB119B64CD4DBEB7FAD9B01705F1404F6D246FB1D3C2794B58C7AA
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 100%
          			E00406B96() {
          				signed int _t15;
          				void* _t17;
          				void* _t19;
          				void* _t25;
          				signed int _t26;
          				void* _t27;
          				intOrPtr* _t29;
          
          				_t15 =  *0x40cd74; // 0x0
          				_t26 =  *0x40cd64; // 0x0
          				if(_t15 != _t26) {
          					L3:
          					_t27 =  *0x40cd78; // 0x0
          					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
          					_t17 = HeapAlloc( *0x40dda4, 8, 0x41c4);
          					 *(_t29 + 0x10) = _t17;
          					if(_t17 == 0) {
          						L6:
          						return 0;
          					}
          					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
          					 *(_t29 + 0xc) = _t19;
          					if(_t19 != 0) {
          						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
          						 *_t29 = 0;
          						 *((intOrPtr*)(_t29 + 4)) = 0;
          						 *0x40cd74 =  *0x40cd74 + 1;
          						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
          						return _t29;
          					}
          					HeapFree( *0x40dda4, 0,  *(_t29 + 0x10));
          					goto L6;
          				}
          				_t2 = _t26 * 4; // 0x50
          				_t25 = HeapReAlloc( *0x40dda4, 0,  *0x40cd78, _t26 + _t2 + 0x50 << 2);
          				if(_t25 == 0) {
          					goto L6;
          				}
          				 *0x40cd64 =  *0x40cd64 + 0x10;
          				 *0x40cd78 = _t25;
          				_t15 =  *0x40cd74; // 0x0
          				goto L3;
          			}


          APIs
          • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406BBE
          • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406BF2
          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406C0C
          • HeapFree.KERNEL32(00000000,?,?,00000000,0040695E,?,?,?,00000100,?,00000000), ref: 00406C23
          Memory Dump Source
          • Source File: 00000000.00000002.355112483.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.355109618.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355117841.0000000000409000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.355121478.000000000040A000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355125827.000000000040C000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.355130521.000000000040F000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_niPie.jbxd
          Similarity
          • API ID: AllocHeap$FreeVirtual
          • String ID:
          • API String ID: 3499195154-0
          • Opcode ID: 86b487cbfbf799463fb22a320ee0a1c0c95520022bb1745eb356e20d29b1aff0
          • Instruction ID: 4c989a440f945cc000f33b170c4bb47da851f3c59be8127188450c4fc32ec534
          • Opcode Fuzzy Hash: 86b487cbfbf799463fb22a320ee0a1c0c95520022bb1745eb356e20d29b1aff0
          • Instruction Fuzzy Hash: B1115830200601EFE7218F29EE85D22BBB6FF857207104B3AE5A6F61B0D371A855CB08
          Uniqueness

          Uniqueness Score: -1.00%